Now Donald Trump has been elected the president of the United States of America with only around half the population of America voting, the elections are all anyone can talk about. The question of how someone so controversial could be the president of the “free world” is on many people’s minds. But regarding the actual process of voting, the elections are said to have run smoothly. There were no hacking attempts and no mix ups about numbers of votes- to our knowledge! However, how easily would it have been for someone to alter the results in their favour? Has the movement to electronic voting machines made the whole election process vulnerable to political manipulation and hacking abilities?
After the initial announcement that Donald Trump has officially been elected the president of the USA there was speculation on how many people really, voted for him and if there was any chance there could have been a mistake. 48 hours after and people are still trying to find a clause that could prevent him taking the White House in January and asking if there was any possibility the whole thing was rigged. Regarding the cyber security of the elections and the counting of the votes, the whole process seemed to be rather uneventful. As of now, there have been no reports of cyber attacks and the results are not in doubt. But how easy would it have been to hack the election process?
Well, I decided to look into this process, with the aim of finding out whether America was just lucky or if they had taken all the precautions possible to prevent any interference in perhaps the most important American event of the past eight years.
The Trump Card
The safety of the election system from hacking is of crucial importance, it is the indicator of a successful democracy. The second that system gets jeopardised it places doubt in the hands of the American people questioning the purpose of voting “if the system is rigged anyway”. Well, Donald Trumps claimed throughout his campaign that the election process was a “rigged system”. This did a great job of adding to the rumours of how corrupt American politics already was whilst also creating a viable excuse if he did not win the election. He questioned the whole process and many people began to agree with him, believing that this democratic system was corrupt and could not be trusted. The fact that his own party members were partly in charge of overseeing voting matters only added to the idea that party officials were conspiring against him.
Trump’s claims were not verified and would seem ludicrous if there hadn’t been a history of hacking and digital attacks previously, ones that targeted America in particular. This year Illinois and Arizona both experienced data breaches which compromised the personal information of over 3 million voters. This data involved the voter’s contact details which could be sold on the dark web or used to change citizens voting locations, altering the majority strongholds. Previous to this, their track record of high profile data breaches also extends to include Edward Snowdon in 2013 and more recently the ongoing WikiLeaks disclosure of Clinton advisers and the Democratic National Committee. This instance was linked directly back to Russia with talks of the Russian threat being the main worry in the lead-up to the election. There has been no evidence that the voter registration databases or voting machines were compromised by hostile third parties. But concerns were and are still strong regarding Russia, with reports claiming that the Kremlin wanted Donald Trump to be the next president. This led to questions about whether they were going to try and externally rig the voting in their favour but no claims have been supported by hard evidence. These hacking scandals have just led to an increasing distrust towards political safety and cyber security in general.
Cause for Concern
This year has shown that cybersecurity is a problem and it is becoming publicly recognised how difficult it is to ensure that digital information is protected. Regarding the elections, it is crucial that the voter’s data remains available to authorised users and confidential to unauthorised tampering and modification. The whole process needs to be seamless from the setting up of the electoral machines to the publishing of results on election night. The problem with many of the electoral machines, for example in New Jersey, Delaware, Georgia, is that they are electronic and without a paper trail. This means that if there are discrepancies between people that came to vote and the number of votes then it would be unclear what the results should be. This would make the hack untraceable and in some instances, authorities would only become aware if the hacker publicly spoke out about it. Another concern is that because there is no allocated budget per state, many of the voting machines are more than 10 years old and running on outdated software like Microsoft XP or older with insufficient security updates. The fact that most of our computers are running on more protected software than the machines that we rely on to elect the next president seems nonsensical. There are a plethora of different ways that hackers can go about getting into the system for their own political motivations;
- Some machines host posts where hackers can plug in their technology and add fake votes
- Some electoral machines are the AccuVote TS and TSX brand. These machines calculate results immediately but lack the correct encryption and security to stop the data being tampered with
- Removing and tampering with the machines memory card allows hackers to add or subtract hundreds of votes- this can be done in person or over a remote internet connection.
- The Sequoia AVC edge has an activate button that can allow users to enter multiple ballots at a time (this, however, involves unsupervised access for an extended period with the electoral machine.)
From State to State
It is hard to discuss the security of the electoral process when it differs so much dependent on the state. President of Verified Voting Pamela Smith explained this by stating ‘America doesn’t have one monolithic national voting, we have thousands of them, operating under state and local supervision.’ This is seen in the fact that some states only use electronic voting whilst other stick to the traditional paper ballot with absolutely no electronic element. This means that although paper votes are safe from cyber security there is a lot more space for human error. Also, the polls open and close at different times depending on the time zone meaning that if hackers try to get into the system at certain times the polling station will not be in operation. This is especially evident in the case of early voting. Some states chose to have restricted voting periods whereas other stations were open way in advance. This decentralised system means that it is nearly impossible for a hacker to bring the whole system down as there are so many differences. But all these differences also mean that is challenging to create one unified and safe system because one state is not willing to invest enough money to just improve their voting system if all the others are vulnerable to hackers.
So, what precautions did America take before these elections to ensure they would be secure from tampering? Well since the 2000 discrepancies in Florida the Help America Vote Act was created in 2002. This required every state to publish its own guidelines on what constitutes a vote, making the boundaries clearer. The system is also not connected to the internet helping prevent external foreign attacks. As discussed above, state independence for voting equipment makes it more challenging to hack and serves as a buffer against DDoS attacks (Distributed Denial of Service). However, directly before the elections began the Department of Homeland Security offered to help states review their election system, assessing its security. Several cyber security units were also set up in many states with military hackers stood by ready to retaliate against any cyber attacks. States such as Indiana set up these “war rooms” full of online security experts as a safeguarding procedure.
Big threat? Small threat?
The size of the threat is incredibly hard to judge, especially with the developments in technology and constant changes in ways around security portals. The difference between state procedures makes it near impossible to perform a widespread attack unless the hackers attack in wide numbers, tailoring their attack to each state. The risk of people voting multiple times or those who are not allowed to vote voting is also very small. F-Secure Security Advisor Sullivan summarises this by saying that “the physical proximity to the machines creates an opportunity in theory but there are anti-tampering devices and seals to stop this happening.” He later goes on to say that it is impossible to hack the entire US presidential election.
Back to the Future
Despite many claims that the risk of hackers bringing down the whole election is very minor changes still need to be made for the 2020 election. All the electoral equipment needs to be updated, tested and secured to a more substantial state. To do this the voting system needs to be declared a critical national infrastructure making funding and other resources available to all states to increase the electoral systems security. There needs to be a trusted pre-and post-audit trail with paper receipts to fall back on if there are any discrepancies. F Secure Security Advisor Sean Sullivan also recommends that Smartcard technologies would be revolutionary within the electoral system, making it harder to hack. Finally, there needs to be a clear plan on what to do in the instance of hacking. Due to the importance of the elections, without a plan the decision on who would become president would be rushed and rash decisions may be made.
To claim that the current electoral system is a shambles would be entirely incorrect. However, the larger the chance of the system being hacked the larger risk there is to democracy. The citizens of America need to regain faith in the security of their vote and this can only be achieved in more stringent cyber security within the electoral process.
For more information on cyber security, please contact us