Spamming post offices with letters that feature a specific bar code to reset sorting machines. Creating fake reports that immigration and enforcement officers would hit certain polling places. Hacking into a COVID-19 test database and increasing the number of positive cases.
In a simulation of potential election security issues held this week, traditional hacking had a minor role. Instead, the red team — a group of faux attackers made up of security professionals, election experts, and law enforcement — focused on undermining confidence in the election and reducing turnout. From spreading misinformation about new outbreaks to finding ways to hamper the processing of mail-in ballots, the attackers found inexpensive ways to undermine faith in the most basic democratic institution: voting.
As the exercise progressed, the red team showed that, if the aim is undermining faith in the election and not necessarily swinging the election toward a single candidate, the goal is quite achievable, says Maggie MacAlpine, co-founder of cybersecurity consultancy Nordic Innovation Labs and one of the red team participants in the exercise, run by endpoint protection firm Cybereason.
"There is this creeping sense of uneasiness [because] none of what we did was very expensive," she says. "Most of the attacks we proposed don't cost anything. Putting out a tweet that shows a crowded hallway and claiming it is certain polling place, that's easy."
With 74 days until the US presidential election, election security has become a critical worry, especially as states attempt to adapt to the realities of holding an election during a pandemic. The concerns have been heightened by disinformation attacks linked to the Russian government and blanket statements of voter fraud and risks of mail-in voting fraud.
Last week, a bipartisan coalition of interest groups — from the conservative Americans for Tax Reform to the progressive Public Citizen — called for greater investments in cybersecurity, voter-verifiable paper ballots, and more safety measures for people who want to vote in-person during the pandemic. The group, dubbed the National Election Defense Coalition, called out 10 states as either having voting systems that are still connected to the Internet — specifically, Florida, Michigan, and Wisconsin — or that have had election issues in the primaries, including Arizona, Georgia, Maryland, North Carolina, Ohio, Pennsylvania, and Tennessee.
The group requested that all states ban voting technologies that connect to the Internet, have enough back-up ballots for all voters, print out copies of electronic poll books, ensure that machines print out human-verifiable paper ballots, and conduct post-election risk-limiting audits. In addition, the groups asked states to commit to the regular disinfecting of all touchscreens and to 24-hour surveillance of ballot tabulation and processing areas.
"Both Republican and Democrats want to vote safely, and they want to know that their votes are counted as cast," said Ben Ptashnik, president of the National Election Defense Coalition and a former Vermont state senator, in a statement announcing the security recommendations. "Lack of preparedness only serves to disenfranchise voters of both parties. They should not have to worry about infection from the COVID-19 virus, or from a hacker spreading a malicious computer virus that steals their votes."
Lack of Assurance
At the USENIX Security conference last week, a panel of voting experts highlighted the issue of election security, and two sessions covered voting systems and technology. In one session, for example, Michael Specter, a final-year PhD candidate focused on system security at the Massachusetts Institute of Technology, described his research team's analysis of the e-voting application called Voatz, which has tallied more than 80,000 votes in various elections, usually to allow military service member to vote.
The researchers, however, found that the application did not protect the essential requirements of voting: assuring the votes were cast as intended, guaranteeing voter privacy, preventing voters from revealing their vote, and protecting against coercion. The researchers reverse-engineered the Voatz Android application and performed static analysis on the back-end server software, finding five high-severity vulnerabilities and a serious privacy issue. Like many voting companies that faced unwelcome security assessments, Voatz criticized the researchers and their research methods, but the security issues — and many others — were born out by an official analysis by security consultancy Trail of Bits in March.
The secrecy surrounding e-voting systems needs to end if citizens are to have faith in electronic voting systems, MIT's Specter said in his presentation.
Proponents that advocate to solve election turnout issues through new technology, such as Internet voting, "are inherently adding risks from the technology itself that may be poorly understood — in this case, how to do remote-only electronic voting, which is still an open research problem," he said. "Compounding this issue are the information asymmetries between the vendors and election administrators purchasing the product as well as the voters themselves."
Much of the progress in election security and integrity is rolling back the rush to adopt unproved technologies that had no public security assessments. For example, the number of registered voters who will use voting technologies that do not allow independent auditing — so-called "Direct Recording Electronic" machines — has declined to 14% for the 2020 election, down from 24% during the 2016 election, according to Verified Voting, a group focused on making elections secure and auditable.
The progress overall seems positive, says Marian Schneider, president of Verified Voting.
"These are all risks, not certainties," she says. "There is a lot that has happened since 2016 to mitigate the risks to really protect against these cybersecurity threats. It's just not 100%."
Security researchers have also received inadvertent help from President Donald Trump. His criticism of elections has deflected the oft-used argument that testing voting systems undermines confidence in elections and so undermines democracy, says Nordic's MacAlpine.
"Election security is a leap-year baby — people are not paying attention to making this better except for every four years," MacAlpine says. "Before 2016, election security people were always criticized for raising concerns with the vote, as if raising how to fix election machines was worse than not doing anything. But now that the highest office in the land questioning the integrity of the election, it does somewhat free us to say, 'What is your excuse now?'"
In addition to making the election process more resilient to disruption and disinformation, officials also need to publicly highlight the auditability of the vote to give citizens confidence in the integrity of the election results, says Verified Voting's Schneider.
"Data is so important in elections and keeping track of things that happened so you can look afterward and verify that figure out if there was something systemic," she says.
While the threats exist and it remains uncertain how well the election systems will hold up during a pandemic, the election security experts all recommended voters to make sure they cast their ballots. None of this should dissuade voters because the multiple layers of checks and balances has worked well in the past, says MacAlpine.
"We are advocating that you vote," she says. "People should definitely take everything we say as encouragement and not discouragement."