Election systems have problems, sure, but voters are the larger, softer target
Every time there’s an election, the topic of hacking one comes to the surface. During a presidential election, that conversation gets louder. Yet, even the elections held every two years see some sort of vote hacking coverage. But can you really hack an election? Maybe, but that depends on your goals.
The topic of election hacking is different this year, and that’s because someone is actually hacking political targets. Adding fuel to the fire, on Aug. 12, 2016, during an event in Pennsylvania, Donald Trump warned the crowd that if he loses the battleground state, it’s because the vote was rigged.
“The only way we can lose, in my opinion — and I really mean this, Pennsylvania — is if cheating goes on,” Trump said. This was no random remark either; Pennsylvania voting has been called into question before. Such was the case when Republican supporters claimed Mitt Romney lost the state in 2008 due to fraud.
When it comes to hacking elections, most people imagine voting machines compromised in such a way that a vote for candidate ‘A’ actually counts as a vote for candidate ‘B’ – or the votes just disappear.
However, security experts who have tackled the topic of election hacking often come to a single conclusion: while the machines that process votes are riddled with vulnerabilities – 278 disclosed historically, none with a CVE ID assignment – they’re not the problem. The real attack surface is the way voters are processed.
In a recent Privacy XChange Forum survey including 2,004 people, nearly 40 percent of those questioned said they were concerned about the amount of personal data in the possession of political parties and campaigns.
Earlier this year, CSO Online’s Salted Hash, working alongside researcher Chris Vickery, broke the news that 191 million voter records were exposed due to database configuration issues.
A week later Salted Hash broke the news that a second database, holding details on 56 million voters, was exposed by similar database configuration breakdowns. Compounding the problem further, this second database contained targeted, issues-based details on 18 million people.
All of the information in the two databases came from the political parties, local election boards, and the voters themselves, who submitted it as part of a focused Q&A or donation questionnaire, or it was collected from data brokers and public records.
Records like the ones exposed earlier this year are collected, sorted, sold, and shared among political operatives and campaigns; yet, every single record started out as a basic voter registration form.
This is where the problem, and the reality of hacking an election, begins to unfold.
Target the systems running the vote:
“The biggest obstacle for hackers seeking to rig the vote count is the lack of standardization for electronic voting mechanisms across states, which may have very different systems,” said Rook Security’s Security Operations Leader, Mat Gangwer.
“The decentralization of a common voting standard contains the damage if attackers were to compromise a particular system. In order to be successful enough to influence a national election, hackers must carefully select where and what to attack. At a macro level, hackers only need to focus on the handful of battleground states that are likely to influence the winner.”
Another key element would be the need to focus on areas that lack an auditable trail of paper ballots and large population centers that could conceivably “experience” a swing in votes large enough to matter at the state level. An election with high-expected voter turnout would also serve as cover.
A sad fact, referenced by the FBI, is that the election process is secured by obscurity. It’s so “clunky and dispersed” that hacking the infrastructure directly makes the task of hacking an election nearly impossible.
Target the campaigns directly:
“It is no small feat to steal an election but, it is not beyond the realm of possibility,” said Dave Lewis, security advocate for Akamai, and CSO Online blogger.
No matter what, he added, the effort would require a prolonged campaign to collect information on their target.
“The attackers would probe the defenses of the other party looking for any low-hanging fruit such as poorly secured systems. Once the homework has been done, they will attempt to compromise systems listed from their research,” Lewis said.
“The goal here will be to collect as much information as they can gather from the other campaign such as campaign strategies, voter lists, emails. The point here is to be able to counter the moves of the opposite candidate on the political stage. Knowing the game plan in advance would not hurt for the attackers. As well, being able to leak internal communications can be used in an attempt to discredit the target candidate.”
In addition to all of that, the attackers would also need to run a focused social media campaign to help sway public opinion.
“We have seen that sort of activity in the current US election as well as in the elections of other countries,” Lewis added.
Polling data can also be a source of influence as a means to compromise an election.
“If I were a hacker, I wouldn’t hack the voting systems. I’d wait until the data were aggregated from the polls and then hack that data. Leading up to the elections a lot of attention is on polls – if the data on the polls can be manipulated or lost, it would create chaos in the campaigns and reduce trust in the final election outcome,” said Amol Kabe, vice president of product management at Netskope.
As mentioned, the topic of election hacking is usually only discussed during election season, but this year is different, because someone is actually hacking political targets, including Hillary Clinton and voter registration databases.
In August, someone leaked an Amber TLP memo from the FBI. This was unusual because advisories such as this rarely go public.
The leaked memo cites details released by MS-ISAC (Multi-State Information Sharing and Analysis Center), stating that foreign actors are using common scanning tools to locate and compromise vulnerable election systems in Illinois and Arizona. Salted Hash covered the memo at length, including all of the technical details released by MS-ISAC and the FBI.
Recently, reports of two additional voter registration system compromises have started to circulate online. However, these rumors are only supported by anonymous sources cited by ABC News. One of the suspected states, Florida, denied that there were any problems.
On September 28 FBI Director James Comey told the House Judiciary Committee “there’s no doubt that some bad actors have been poking around” on voter registration systems.
“There have been a variety of scanning activities, which is a preamble for potential intrusion activities as well as some attempted intrusions at voter registration databases beyond those we knew about in July and August. We are urging the states just to make sure that their deadbolts are thrown and their locks are on, and to get the best information they can from DHS just to make sure their systems are secure,” Comey said in response to questions.
“And again, these are the voter registration systems. This is very different than the vote system in the United States, which is very, very hard for someone to hack into because it’s so clunky and dispersed – it’s Mary and Fred putting a machine under the basketball hoop at the gym. Those things are not connected to the internet, but the voter registration systems are.”
Twenty-four hours earlier, on Sept. 27, Jeh C. Johnson, Secretary of the U.S. Department of Homeland Security, told the Senate Committee on Homeland Security and Governmental Affairs that his agency has reached out with offers of assistance to state and election officials.
The DHS offer includes remotely conducted cyber hygiene scans on internet-facing systems; on-site risk and vulnerability assessments; access to the NCCIC 24×7 incident response center; sharing of relevant information on cyber incidents and best practices; and access to field-based cybersecurity and protective security advisers.
“…to date, 18 states have requested our assistance,” Johnson said.
It’s important to remember that the registration databases in Arizona and Illinois were targeted and compromised via common tools and methods. The attackers, whoever they were, didn’t need to be advanced or highly skilled; they just needed to know how to click a button and download results.
Moreover, the DHS protection is basic, focusing on best practices and a checklist mentality for security – something experts disagree with, because attack surfaces are unique and can change from network to network.
It’s about influence, not voting machines:
In an interview with CSO Online, Carson Sweet, CTO of CloudPassage, mirrored Lewis’ and Gangwer’s opinions – influencing the outcome of the voting process by compromising voting machines is improbable, but not impossible.
“We’re not on the brink of democracy’s digital implosion, but we have a lot of work left to do. In any case, it’s about much more than just the voting machines, so let’s not get myopic and lose track of the bigger picture,” Sweet said.
About 14 percent of electoral votes are in swing states where some percentage of voting machines are DRE without a paper backup – specifically Florida, Virginia, and Pennsylvania. But even in those cases, some districts use paper ballots and DRE with paper backups. Only one state, Louisiana, uses DRE with no paper backup at all.
“This means that irregularities in vote counts, either by compromising the voting machine or election management software (the “back-end” to voting machines) would be recognized in spot-checks or manual verification counts, which many states still perform,” Sweet said.
“Keep in mind that just compromising a few machines is not enough, unless you could see into the future to know exactly where those extra 500 votes would matter. You would have to compromise enough machines to guarantee a win; otherwise, what’s the point?”
Sweet says that if he were to construct a scenario in which he could impact a vote, the approach would be to disrupt voting in the swing states and other key voting areas.
So how would he do this?
“By compromising online voter databases well before the election,” he explains.
“Federal law requiring that voter records be unified online actually makes this easier for an attacker since there’s only one place to go per state (e.g. California’s VoteCal system),” Sweet added.
Imagine what would happen if an attacker were able to dissociate physical signatures from voter records. Or perhaps the attacker could randomly scramble the last six digits of someone’s Social Security number; mark a significant number of voters as deceased – or some combination of all of the above.
If done too broadly, Sweet explained, it would cause pandemonium at a voting site. Yet, if done with just the right amount and with consistency, the blame would likely land on bad administration or voters who incorrectly registered.
“By invalidating the ability for my opponent’s voters to cast their ballots, I could significantly and broadly disrupt voting and their overall voting count,” Sweet said.
“I mean let’s face it, have you logged in to verify that all your voter registration data is correct?”
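The quiet, selective record changes Sweet describes are the kind of thing a registration office can look for by comparing snapshots of the roll taken before and after a period. The following is an added example, not code from the article or from any election system; the field names, the constructed sample records, and the 3x skew threshold are all assumptions.

```python
import copy
from collections import Counter

# Fields the article names as tampering targets (hypothetical column names).
WATCHED = ("signature_id", "ssn_last6", "deceased")

def diff_rolls(before, after):
    """Return (voter_id, field) for each watched field that changed or vanished."""
    changes = []
    for vid, old in before.items():
        new = after.get(vid)
        if new is None:
            changes.append((vid, "removed"))
        else:
            changes.extend((vid, f) for f in WATCHED if old[f] != new[f])
    return changes

def skewed_groups(before, changes, key="party", ratio=3.0, min_changes=3):
    """Flag groups changed at more than `ratio` times the rate of everyone else."""
    touched = {vid for vid, _ in changes}
    total = Counter(r[key] for r in before.values())
    hit = Counter(before[vid][key] for vid in touched)
    flagged = {}
    for group, n in hit.items():
        rest_total = len(before) - total[group]
        rest_rate = (len(touched) - n) / rest_total if rest_total else 0.0
        if n >= min_changes and n / total[group] > ratio * rest_rate:
            flagged[group] = (n, total[group])  # (records changed, group size)
    return flagged

def build_sample():
    """Constructed data: 40 voters, one routine edit, four targeted edits."""
    before = {
        i: {"party": "A" if i % 2 == 0 else "B", "signature_id": f"sig-{i}",
            "ssn_last6": f"{100000 + i}", "deceased": False}
        for i in range(40)
    }
    after = copy.deepcopy(before)
    after[7]["signature_id"] = "sig-7b"      # routine signature update
    for vid in (2, 10, 18, 26):              # all in one group
        after[vid]["deceased"] = True
    return before, after

if __name__ == "__main__":
    before, after = build_sample()
    changes = diff_rolls(before, after)
    print(Counter(f for _, f in changes))
    print(skewed_groups(before, changes))
```

Grouping by precinct instead of party (`key="precinct"`) applies the same check to the geographic targeting described earlier in the article.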