On Tuesday, people around the United States will flood to local polling places to cast their vote for the future leadership of the United States. Voting—the very foundation of representative democracy—is predicated on privacy, anonymity, and freedom from outside influence or coercion. At the core of this system is transparency, confidence in the ability to verify that each person gets one—and only one—vote and that election outcomes echo voters’ intent.
Additionally, there is a requirement to ensure a voting system that is not overly inconvenient to avoid disenfranchising those groups with limited access – people living in rural areas, the disabled, minority groups or those in the military or overseas. To do so has, in some cases, meant an adoption of digital technology.
Rachel DeLevie-Orey, the Associate Director of the Adrienne Arsht Latin America Center at the Atlantic Council, suggests that electronic election systems—if properly implemented—have numerous benefits including increased security, speed and accuracy of results as well as lowering the costs of elections in the long-term. She writes: “speed is crucial to the trust of the electorate. The longer it takes to report results, the more people think the results are being tampered with.” She also notes that humans are prone to fatigue and error, and that technology has the potential to increase accuracy. She goes on to suggest “ease of voting—which is facilitated by election technology—can increase voter turnout.”
But having electronic election systems raises the specter of potential hacks, a fear compounded by nation-state actors’ interest and willingness to interfere in U.S. elections – demonstrated by the Russian breach and release of data belonging to the Democratic National Committee and Hillary Clinton Campaign Chair John Podesta. The release of these stolen internal communications was an effort to sow distrust in U.S. election procedures.
Cipher Brief Expert Mark Weatherford, former Deputy Undersecretary for Cybersecurity at the Department of Homeland Security, argues that while “there are vulnerabilities in the system, the bigger problem today is the perception that the systems themselves can be compromised. It only takes a little bit to get enough people to start believing that the system in fact could be manipulated in favor of one candidate or another.”
But where are these cyber vulnerabilities to the election and what would the intended goals be if exploited? Should these fears hinder the further implementation of election technology in the future?
The voting machines themselves are not networked to each other or connected to the internet; this makes it difficult to breach them remotely on a mass scale, and consequently near impossible to change the overarching vote tally in favor of one candidate or another. DeLevie-Orey argues that interfering with these electronically “is the same as hacking a ballot box that is stuffed with paper, which you could stuff with more ballots, or even set on fire.” But these machines are also old and prone to malfunction that could cause delays on voting day and, in turn, a loss of votes.
Elections by nature are emotionally charged and have far-reaching stakes, and small problems could be perceived as tampering. Benjamin Buchanan, a Postdoctoral Fellow at the Belfer Center Cybersecurity Project, suggests similar delays at polling places could occur if malicious actors “modify the registration databases themselves or the sometimes-electronic poll books that workers use to check voters in,” where they could “delete voters from the rolls, either at random or based on political affiliation,” potentially fuelling “a perception of a rigged election, even if in fact all votes ultimately get counted.”
So while Russia—or any foreign actor—is unlikely to be able to alter the actual results of Tuesday’s election, malicious actors can continue to sow doubt in the legitimacy of the results. One possible way of doing so could be could be a targeted distributed denial of service (DDoS) attack like those that recently hit the East Coast and Liberia, slowing the dissemination of results and in turn fueling distrust.
Another method could be the leak of further documents—falsified or real—shortly before voters head to the polls, subtly influencing their rationale without allowing adequate time for verification or context. For example, a recent breach at the conservative Bradley Foundation led to a dump of internal documents with a not-so-subtle—yet apparently falsified—email suggesting the organization illegally donated $156 million to the Clinton campaign in July. Because previous documents leaked regarding the election have been treated as genuine—and have largely been authentic despite a few instances of metadata tampering—audiences are more likely to assume the validity of future leaks as well.
The 2014 elections in Ukraine offer a unique blueprint for how a foreign actor might target the dissemination of results following an election. A Russian-sponsored group calling itself CyberBerkut—now known to be the group Fancy Bear that targeted the DNC—attempted to sabotage the Ukrainian election by breaching Kiev’s Central Election Commission computers. The group planned to display results that a fringe party had won the election. While the malware was found 40 minutes prior to the scheduled reporting of the results, Russian-affiliated news networks still broadcast the false winner. Meanwhile, the Ukrainian tally system was bombarded with fake internet traffic in a DDoS attack—delaying the dissemination of the election results by a few hours.
Ultimately, Buchanan argues, “hackers might gain minor access, claim credit for an ordinary machine accident, or seek media attention; if these claims go viral, they might do damage to perception regardless of whether they are in fact true.”
A future U.S. administration that is perceived to have gained office through illegitimate or even fraudulent means would be weakened both domestically and internationally—all to the benefit of adversaries’ foreign policy objectives. So while these technical vulnerabilities in electronic election systems are not necessarily new to the 2016 U.S. elections, the recent, high-profile behavior of Russia in cyberspace has magnified them.
But while election technology has made the U.S. election increasingly within reach of foreign meddling, this does not mean the technology should not be improved or become more sophisticated. As DeLevie-Orey states, ”the U.S. elections are going to have to advance technologically,” otherwise the “government is shirking its responsibility to remain accessible and relevant to all of its citizens.”
Levi Maxey is a cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.