Russia’s apparent attempt to interfere with the 2016 presidential election continues to make news. Some reports have suggested that voting systems were attacked -- by unknown parties and in various ways -- in at least 39 states. These attacks make it increasingly obvious just how vulnerable American voting systems are.
The Attacks on Voting Systems in 2000
This is not the first time our voting systems have been tested. After the 2000 presidential election, voting systems were updated to prevent simple counting errors. The margin of victory in Florida in the infamous 2000 presidential election was a mere 537 votes, less than the margin of error of the voting procedures then in use. We will never know who would have become president had the systems used at that time been more accurate.
Less well known is that earlier that same year Al Gore won the first (and only) significant U.S. election ever run over the internet -- the Arizona Democratic primary. My company at that time had been contracted to run that primary, and we assumed that every hacker in the world would be trying to sabotage that statewide election. We had the best minds from Cisco, VeriSign, Microsoft, KPMG and Computer Horizons come together to build our cyber defenses against inevitable attacks, at a collective cost of more than $10 million. That online election was a success, more than doubling the previous record for voter turnout.
After that Arizona primary, incumbents were rattled, recognizing that massive increases in turnout would end the substantial advantages now enjoyed by incumbents. Online voting was subsequently prohibited. Indeed, as voting machines were replaced throughout the U.S., they were largely replaced with paper ballots, under the assumption that since paper cannot be hacked by a computer, paper ballots ensure safe elections. As it turns out, the exact opposite is true, and our voting system is now easy prey for state-sponsored adversaries.
An Adversary Only Needs to Hack a Few Counties
Popular wisdom is that to swing the election of an American president one would have to compromise the board of elections in all 3,000 United States counties; the highly decentralized nature of our voting systems makes us safe. In actuality, however, the Electoral College means that most of the time, votes in states like Texas, New York, California or Mississippi do not matter; only swing-state voters pick the president. To throw an election, an adversary would only have to alter the vote in three Florida counties and a handful of counties in a few other states, such as Ohio or Pennsylvania.
The nationwide popular vote is irrelevant; in 2016, the effective margin of victory for Donald Trump was caused by 70,000 votes in the states of Florida, Pennsylvania, and Michigan. With predictive analytics, one could select a small number of counties to violate, and select the winner.
The Russian government or some other adversary could have sleeper spies apply for jobs in several large counties in swing states several years in advance of the election it wants to influence.
Why Paper Ballots Can Be Hacked
There was a time when paper ballots were counted by people, who tallied the results with a pen. Nowadays, with more than 200 million registered voters, computers are needed to do the counting. Ballots are fed into a scanner, basically a personal computer running a pre-installed software package. This software must be updated from time to time to fix bugs or make operating changes required by local county boards of elections. When the polls close on election day, the results are sometimes uploaded (over the internet) to the county board of elections, where the results can be certified and the winners announced.
So how does one hack the vote? The answer is by careful advance planning. The state actor would have to have knowledge of the scanning machine and swap out the intended software that does the counting with an altered version that provides a different vote. This requires sophisticated engineering, but would be well within the capabilities of foreign intelligence agencies. Another alternative would be to swap out the chip set (or firmware) inside the computerized scanners themselves.
But there is a paper audit trail, you might retort. So the elections are safe, right? If the software that counts the paper audit trail is compromised, then, assuming we know we need to do a recount, to change the election results you would need human agents to swap out the paper ballots with fakes that match the existing count.
The United States Army Cyber Command requires rigorous security clearance and background checks for employment. But getting a county board of elections job does not. Nor does employment at any of the vendors that provide voting technology. For a state actor to embed sleeper spies in five or more counties is well within the capabilities of foreign intelligence. Influencing an election could also be as easy as attacking voter registration databases, so that people who are statistically likely to support the candidate you oppose are unregistered or not sent absentee ballots. Predictive analytics could be used to identify the minimum needed disruption for the maximum impact.
What Must the U.S. Do to Defend Itself?
Americans must face up to the new realities:
- Paper ballots can be hacked.
- The decentralized nature of our election infrastructure makes it vulnerable to state-sponsored malefactors.
- Foreign adversaries with extraordinary resources are actively trying to undermine our elections.
- Election results -- even the presidential election -- can be flipped by changing a small number of counties.
If we fail to respond to this serious threat, the swing state that decides our president in 2020 might be the Moscow Oblast.