Somewhere out on the dark web, many expect to find a thinly disguised how-to page, complete with FAQs. On the public internet, it would be called "How to Hack an Election."
The goal might be to replace every election-results announcement with this headline:
"BREAKING NEWS, Anytown, USA, November 201X. Election declared invalid due to a hack. No group has claimed responsibility."
Breaking News: The Election Is Broken
So far, this is a fictionalized headline but, as a recent CNN report demonstrated, not far from the realm of fact. Its August 2016 headline read:
"Officials: Hackers breach election systems in Illinois, Arizona."
What cyberthreats loom over elections in the world's democracies? Recently, FBI Director James Comey told a government audience that the agency takes "very seriously any effort by any actor to influence the conduct of affairs in our country, whether that's an election or something else."
How We Got Here
The US electoral system risks big effects from even minor hacks. How did it come to this? The answers are partly social, partly technological.
In the author's own New York 3rd Congressional District, the winner in the Democratic primary won by only 2,667 votes. There were 563,542 adults of voting age in the district according to the US Census, of which only 20,343 cast votes. That represents 3.6% of the district's total voting population (ignoring party affiliation). The difference between the winner and the runner-up represented 0.47% of voting age inhabitants in the district.
Looking at the national voting counts, FairVote.org notes that voter turnout during non-presidential midterm elections is as low as 40%.
Meaning: in a close election, a surgically administered minor hack could easily determine the outcome.
Ballot Box Bombs
Threats to the election process can attack the vote-counting apparatus, such as the voter rolls, but there are other pages in the "How to Hack an Election" script:
- Mailing lists can be stolen. It happened to the US Democratic party this year.
- Social media can target vulnerable populations with email messages that threaten prospective voters, or claim that official-sounding fraudulent documentation is needed to vote.
- Unlike the "clunky" mechanical machines that preceded them, some US electronic voting machines are "scarily easy targets", according to a recent Wired report.
- As a plot thread on season four of "House of Cards" showed, skewed results from search engines, or a combination of AdWords and content stuffing could influence results in highly contested districts. Some of that, while clearly legal, could be used in combination with other techniques.
- Through social media engineering, individual candidates can be attacked by exposing private information.
E-voting to the Rescue?
Online and mail voting have been suggested as ways to make it easier for citizens to vote. If citizens can bank online, why not vote online, too?
The community of computer professionals is a large one. It's not difficult to find e-voting advocates, such as this group advocating e-voting for the recent UK Brexit vote.
Most experts feel otherwise.
E-voting = Endangered Voting
Eric Geller, Layer 8 columnist doesn't mince words: "Online voting is a cybersecurity nightmare," he wrote on the Daily Dot in June.
The 100,000-member Association for Computing Machinery's US Public Policy Council is hardly waving a checkered flag:
"There are steps that can be taken to reduce, but not eliminate, the risks associated with Internet voting. Using a dedicated Internet voting systems, like a kiosk system, where the computers are set up only for voting, can reduce security and reliability concerns. However, such systems need some means of preserving the ability to audit and/or recount the votes. At the present, paper-based systems provide the best available technology to do this."
Don't expect an e-voting system hiring spree — and follow-on cybersecurity spending to shore it up — anytime soon.