Election Vulnerabilities: No Exploit Too Small; No Impact Too Large

The American public is currently in the midst of a rude awakening as increasing numbers of reports diagnose the state of American cybersecurity, especially as it pertains to elections.  The most recent of these reports comes from opinion poll analysis web site FiveThirtyEight. Clare Malone published an article explaining how numerous state websites are vulnerable to manipulation, although states have responded that nothing too vital could be compromised.

State websites may seem less important as they do not control the vote tallies themselves, and indeed they are to that extent. However, the OSET Institute has long argued that the use of cyber attacks to manipulate elections extends far beyond simple subversion of election results. Disinformation attacks or methods that make voting more difficult for certain voters can have significant impacts on the results of elections. While these vulnerabilities are less important than other facets of election integrity, such as manipulation of voter registration databases or vote tallies themselves, they are also the easiest to secure.

Official communications from states, such as their websites, are critical to how individuals access information, and when they are altered, it quickly leads to disinformation. One can easily imagine ways in which a state website could be altered to have a tangible effect on an election. The location and timing of polling booths could be falsified or the reporting of results could be skewed. Either of these, along with many different ways that a creative hacker could alter a state website, could affect people’s decisions about whether to vote, thus impacting the end result. If people cannot find their polling booths or think that one side has already won or is winning by a large margin, they may decide not to vote. Foreign-sponsored bots and media accounts can spread this misinformation to reach large audiences in seconds.

Even if state officials uncover and resolve the manipulation of their websites, they will not necessarily have averted any harm. It would be equally simple for a disinformation campaign to blow the manipulation of a state website out of proportion. Such a campaign could report that the entire state election had been compromised. When people believe that their election is vulnerable they are less likely to vote, and it increases the chance of the losing side crying foul. It is important to remember that the job of election integrity and security is to convince the defeated candidate (and their supporters) that they lost, fair and square. Any indication of manipulation hurts the public’s perception of the validity of the election, which threatens the legitimacy of the power of those elected.

A loss of legitimacy is not merely a philosophical harm. When government lacks legitimacy it decreases the public’s feeling of representation and ownership of the country or state. It increases individuals’ feelings of marginalization, and in extreme cases this can lead to civil unrest.

These informational website attacks on our elections intended to decrease voter turnout are not entirely novel. Another avenue for suppressing turnout is through voter registration databases. The voter rolls in many states are still highly insecure and malicious actors can alter information in them to make it more difficult for US citizens to vote. Such alteration can increase poll wait times and discourage individuals from voting; when targeted effectively it has the potential to change the outcome of an election and engender fears of voter suppression.

The OSET Institute recently published a paper detailing the vulnerabilities and best practices regarding online voter registration services and related databases, and offered a path to improving at least this facet of election security. There are clear parallels between voter registration attacks and manipulation of state websites; both fall under the broader umbrella of what we at the Institute call “disruption attacks,” which are intended to reduce voter turnout. However, despite their similarities in effect, they require distinct sets of solutions.

It remains unclear how difficult it will be for states to remedy their websites’ vulnerabilities in time for the midterms in less than 150 days. Yet, when compared to the inherent security flaws in the rest of America’s election technology infrastructure, state websites should be relatively simple to better protect. Consider that election-related websites generally:

  • Do not involve long-term service and support contracts with tight controls or complicated processes for review, modification, and improvement;
  • Are far less expensive to modify and improve compared to other aspects of election administration and voting technology, particularly combinations of hardware and software for ballot casting and counting; and
  • Are not subject to as much regulation (i.e., specific voting technology subject to federal and/or states’ certification).

However, the midterm elections are quickly approaching and there are likely a number of vulnerabilities that states may not even be aware of yet, not to mention budget constraints and (as our CTO John Sebes and Board Advisor William P. Crowell pointed out in an Axios Op-Ed last week) a lack of clarity about whether states’ allocations of the recent $380 million of federal funding to improve cybersecurity or replace paperless voting machines will have the desired impact in time. Regardless, states will clearly need to act quickly if they are to limit, if not eliminate, this form of election interference. And there are several firms of all sizes offering assistance: Anomali, Centrify, Raytheon, and Synack, just to quickly mention four.

The manipulation of state websites could be considered the low-hanging fruit of election integrity. Indeed, it’s relatively easy to improve the security of these websites, as we point out above; yet although there are real dangers to their manipulation, the scope of their effect is rather limited.

On the other hand, the most significant vulnerabilities of America’s election system are those that affect vote tallies and voter registration databases, as another article by FiveThirtyEight’s Clare Malone explains. In her article, “The Moscow Midterms,” Malone details a scenario in which both of these components are compromised, and while this may seem far-fetched to some, it's a reality far more likely than many would like to believe.

Malone explains that we know malicious actors probed the election infrastructure (voter registration systems at least) of at least 21 American states in the 2016 national election cycle. Of course, there is no hard evidence that vote tallies or other information were altered; however, the last election may have been merely a test run. Russian-sponsored hackers collected information, poked for vulnerabilities, and analyzed America’s election infrastructure as much as they could. And rumors swirl about what exactly they may be able to access, or what future havoc they’ve laid the groundwork to wreak. With this knowledge in hand, the OSET Institute anticipates they are likely to attempt even more nefarious conduct.

One way they could manipulate American elections is through the aforementioned voter registration databases. As we explained, hackers could change voter registration information in order to prevent targeted areas from voting and depress turnout.

Another way hackers could manipulate American elections is through a subversion attack: the worst possible type of attack, in which they could directly alter vote tallies. Here’s the less than comforting news: this is an attack type that is shockingly easy to perform. Consider that many counties across the United States do not follow proper security or stewardship procedures regarding voting machines, either due to lack of funds or in some cases a lack of knowledge. And quite candidly, we know that in some jurisdictions the attitude is that theirs is an unlikely target of interest, and so this is much overblown. Such is unfortunate, but true—and worthy of an entirely separate article to discuss that challenge. But what is easy to explain and understand is that election administration at the county level across the vast majority of the nation is underfunded and many election officials are not particularly tech-savvy. And it's not about money alone: even counties that follow correct procedures can be compromised by inserting a malicious USB data stick or CD into a PC responsible for election administration tasks. Other situations amount to someone simply clicking on a well-disguised phishing link (which appears to have been the case for a number of states in 2016). These attack vectors could allow hackers to actually manipulate vote tallies.

This could be done in two main ways: obviously or subtly. Hackers could make egregious changes to vote tallies so as to intentionally be detected immediately. While this might seem unwise, the effect it would have on voter turnout and trust in elections would be immense. People would feel that the integrity of their election had been compromised and would not trust the results of the election. The issues with this have been explained above.

The attacker’s other option would be to subtly change one in every hundred or so votes in a select county. If targeted correctly, this could easily change the result of an election and would be much more difficult to detect. Some may argue that a paper trail can solve this problem; however, as this second FiveThirtyEight article explains, these paper audits are rare, and if no malicious activity is detected, under current state regulations in most counties there would not be a valid reason to carry such an audit out.

Both these kinds of attacks would be devastating to American election security, and there is little reason to believe that anything significant can be done to improve election security in time for the 2018 midterms.  So, to an extent, we brace for impact of the 2018 midterms in less than 150 days and hope for the best in terms of preparedness.  With so much at stake in terms of control of Congress, one can assume every jurisdiction “in play” should be on “high alert.”

Finally, at the risk of ending on an even gloomier note, everything discussed above is really about tactical issues. None of this addresses persistent systemic vulnerabilities that, to date, remain out of the conversation. The OSET Institute persistently argues that there are architectural vulnerabilities in today’s election infrastructure—worldwide, and the repair requires nothing short of a ground-up redesign using security-centric engineering with user-centered design. Such will need both time and money, neither of which is available in sufficient quantity. Look into the work of the OSET Institute’s TrustTheVote Project to learn what we’re trying to do about it. Then get involved.
