J. Alex Halderman, professor of computer science & engineering at the University of Michigan, explains how Michigan's voting equipment could be suseptible to manipulation and hacking without an internet connection. Chad Livengood, The Detroit News
How might a foreign government hack America’s voting machines?
Here’s one possible scenario. First, the attackers would probe election offices well in advance in order to find ways to break into their computers. Closer to the election, when it was clear from polling data which states would have close electoral margins, the attackers might spread malware into voting machines in some of these states, rigging the machines to shift a few percent of the vote to favor their desired candidate.
This malware would likely be designed to remain inactive during pre-election tests, do its dirty business during the election, then erase itself when the polls close. A skilled attacker’s work might leave no visible signs — though the country might be surprised when results in several close states were off from pre-election polls.
Could anyone be brazen enough to try such an attack?
A few years ago, I might have said that sounds like science fiction, but 2016 has seen unprecedented cyberattacks aimed at interfering with the election. This summer, attackers broke into the email system of the Democratic National Committee and, separately, into the email account of John Podesta, Hillary Clinton’s campaign chairman, and leaked private messages. Attackers infiltrated the voter registration systems of two states, Illinois and Arizona, and stole voter data. Federal agencies publicly asserted that senior officials in the Russian government commissioned these attacks. And there’s evidence that hackers attempted to breach election offices in several other states.
In 2014, during the presidential election in Ukraine, attackers linked to Russia sabotaged the country’s vote-counting infrastructure and, according to published reports, Ukrainian officials succeeded only at the last minute in defusing vote-stealing malware that was primed to cause the wrong winner to be announced.
Russia is not the only country with the ability to pull off such an attack on American systems — most of the world’s military powers now have sophisticated cyberwarfare capabilities.
Were this year’s deviations from pre-election polls the results of a cyberattack? Probably not. I believe the most likely explanation is that the polls were systematically wrong, rather than that the election was hacked. But I don’t believe that either one of these seemingly unlikely explanations is overwhelmingly more likely than the other.
The only way to know whether a cyberattack changed the result is to examine the available physical evidence — paper ballots and voting equipment in states like Wisconsin, Michigan and Pennsylvania. Unfortunately, nobody is ever going to examine that evidence unless candidates petition for recounts.
What’s to stop an attack?
America’s voting machines have serious cybersecurity problems. That isn’t news. It’s been documented over the last decade in numerous peer-reviewed papers and state-sponsored studies by me and other computer security experts. We’ve been pointing out for years that voting machines are computers, and they have reprogrammable software, so if attackers can modify that software by infecting the machines with malware, they can cause the machines to give any answer whatsoever. I’ve demonstrated this in the laboratory with real voting machines — in just a few seconds, anyone can install vote-stealing malware on those machines that alters the electronic records of every vote.
It doesn’t matter whether the voting machines are connected to the internet. Shortly before each election, poll workers copy the ballot design from a regular desktop computer in a government office, and use removable media (like the memory card from a digital camera) to load the ballot onto each machine. That initial computer is almost certainly not well secured, and if an attacker infects it, vote-stealing malware can hitch a ride to every voting machine in the area.
Why hasn’t more been done? In the United States, each state selects its election technology, and some states have taken steps to guard against these problems. But many states use machines that are known to be insecure — sometimes with software that is a decade or more out of date — because they simply don’t have the money to replace those machines.
The safeguard: paper
I may sound like a Luddite, but most election security experts are with me on this: paper ballots are the best available technology for casting votes. We use two main kinds of paper systems in this country. Either voters fill out a ballot paper that gets scanned into a computer (optical scan voting), or they vote on a computer that counts the vote and prints a record on a piece of paper (a voter-verifiable paper audit trail). Either way, the paper creates a record of the vote that can’t be later modified by any bugs, misconfiguration or malicious software.
After the election, humans can examine the paper to make sure the results accurately determined who won. Just as you want the brakes in your car to keep working even if the car’s computer goes haywire, accurate vote counts must remain available even if the machines are malfunctioning or attacked. In both cases, common sense tells us we need a physical backup system. I and other voting security experts have been advocating for paper ballots for years, and today, about 70 percent of American voters live in jurisdictions that keep paper records.
There’s one problem, and it might come as a surprise even to security experts: No state is planning to check the paper in a way that would reliably detect that the computer-based outcome was wrong. About half the states have no laws that require a manual examination of paper ballots, and the other states perform only superficial spot checks. If nobody looks at the paper, it might as well not be there. A clever attacker would exploit this.
There’s still one way that some of this year’s paper ballots could be examined. In many states, candidates can petition for a recount. The candidate needs to pay the cost, which can run to millions of dollars. Such action is being initiated in Michigan, Wisconsin and some parts of Pennsylvania by Green Party candidate Jill Stein.
Even then, the recount procedures in most states call for scanning the paper ballots through the same computerized voting machines that were used for the original count, which might be hacked or misconfigured. The candidates might have to go to court in order to get a manual inspection of the paper ballots, a check that doesn’t assume that the voting equipment functioned correctly. And in some places there’s no paper trail to inspect at all, so investigating a potential cyberattack would require a detailed digital forensic analysis of the machines.
Examining the physical evidence in those three states — even if it finds nothing amiss — will help allay doubt and give voters confidence that the results are accurate. It also will set a precedent for routinely examining paper ballots, which will provide an important deterrent against cyberattacks on future elections. Recounting the ballots can only lead to strengthened electoral integrity.
There’s a lot that needs to be done to secure America’s elections. States still using paperless voting machines should replace them with optical scan systems, and all states should update their audit and recount procedures. There are fast and inexpensive ways to verify (or correct) computer voting results using a risk-limiting audit, a statistical method that involves manually inspecting randomly selected paper ballots. Officials need to begin preparing soon to make sure all of these improvements are ready before the next big election.
J. Alex Halderman is professor of computer science & engineering at the University of Michigan and director of Michigan’s Center for Computer Security & Society.