One of the most pressing and controversial issues of our times has been the security and integrity of America’s elections. Fair and free elections are unquestionably a central pillar of the United States, enabling the people to choose their own destiny.
Unfortunately, US elections also have a history of being exposed to security threats, including from those who seek to shift the balance of power to their own unique advantage. This has become exacerbated as a result of the shift in recent years to electronic voting.
Recent examples include the nearly 20,000 emails that were stolen from the Democratic National Committee right in the middle of the 2016 Presidential election campaign season and the American intelligence community’s assertion that the Russian government had interfered in the election for its own benefit.
Furthermore, several weeks after the chaotic Democratic 2020 caucus in Iowa, the city of Los Angeles also found numerous faults and glitches in its new voting system as well. These kinds of incidences raise serious questions leading into the upcoming 2020 election scheduled for November 3rd.
The simple fact of the matter is that American voting machines are a significant security risk. This is because they utilize outdated computer systems, hardware, and software, much of which is no longer even serviced. From this alone, it shouldn’t be difficult to see how America’s election integrity is vulnerable to attack.
In this piece, we’ll dive into exactly how America’s electoral integrity is at risk due to cyber attacks, and then talk about the best methods that can be used to improve both access and security in the country’s elections.
How Are America’s Elections at Risk?
You might have seen headlines touting America’s “voting security crisis.” The integrity of election data has always been at risk. For example, election results can be incorrectly reported, creating inaccuracies by honest human error. Malicious actors can attempt to deliberately introduce inaccuracies into the vote totals and then destroy the evidence necessary to audit the election results. Registration data can be altered.
Voters can also be intimidated or deterred from accessing their polling site, therefore preventing their ability to cast a ballot in the first place. Illegal or fraudulent voting can and does happen (it’s just really a question of how often).
The list goes on.
That all being said, with most voting in the US currently being done electronically, there are a number of major cybersecurity vulnerabilities that America’s election processes are exposed to as well.
The main threats to current electronic voting in the United States can be summed up in the following ways:
Breaches of Servers
One of the most significant major threats against US elections is when hackers will physically breach electoral servers in an effort to gain credentials to provide them with access to the rest of the system.
The recent tampering of servers in Georgia is an example of this. In this case, it was discovered that election-related files had been deleted from the main server, although it was fortunately also found that no election-related data had been compromised.
DoS and DDoS Attacks
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) are designed to slow down access to computer systems, thereby allowing them to disrupt both the actual casting of votes and auditing once the election is complete. They are also among the cheapest and yet most effective methods to hack elections and political campaigns.
The main difference between the two is that DoS attacks utilize a single computer and internet connection in order to target a system. In contrast, DDoS attacks utilize several computers and connections to target their systems. Both are massive threats to American election security.
Specifically, hackers can attempt to attack US elections through DDoS attacks by distributing botnets, which are essentially collections of malware-infected computer systems, to crash web servers by overloading their resources with massive traffic.
Speaking of malware...
Malware
Malware is an umbrella term referring to most kinds of malicious software, consisting of Trojan horses, ransomware, worms, viruses, and spyware. It arguably is the greatest threat to voting online, because it can be introduced literally anywhere to help prevent a vote from being cast as intended.
The most common way for malware to be used to disrupt voting, besides being used in DDoS botnet attacks as described above, is to disable or otherwise compromise vote-casting systems. It can also be used to alter voting records or to attack election auditing software as well.
What’s worse, is that malware is usually not easy to detect, being disguised as legitimate-looking software updates or ballot definition files.
Indeed, the threat of malware to online voting is so great that many have suggested that turning to vote by paper ballots is the only surefire defense against it (more on this subject later).
How Can Elections Be Made More Secure?
The question, of course, is how can America’s elections be made more secure without sacrificing the access to voting that Americans enjoy?
Currently, only 53% of Americans believe that the United States government would be capable of resisting a major cyber attack on an election. Even though that may be a narrow majority, it still doesn’t express that Americans have a great degree of confidence in America’s cyber defenses as a whole.
The good news is that there are several defenses we have available to combat the threat of election hackers and cybercriminals. These include, but are not limited to:
Do We Need A Department of Cybersecurity?
All elections in the United States are conducted at the local level (including the Presidential election) in literally hundreds of thousands of voting precincts. In other words, US elections are highly decentralized.
There are many pros and cons to such a system. On one hand, it would be thought that such a decentralized system would make it much more difficult for hackers and criminals to influence. But on the other hand, the localized nature of America’s election means that there are literally hundreds of thousands of unique targets for cybercriminals. Each precinct or voting system can be targeted to influence an election outcome, whether it be on a local, state-wide, or Federal scale.
This is exactly why there has never been a greater need for proper cybersecurity training to ensure that each individual voting precinct is properly protected. While the Department of Homeland Security has branches that handle election cybersecurity audits, it could be that we are now at the point that an entirely new Department of Cybersecurity (with a special focus on securing the integrity of America’s elections) could possibly be needed.
A Turn Back To Paper Ballots?
Electronic voting machines are often thought of as being the way of the future. That being said, cybersecurity experts are still warning that paperless voting is a very bad idea.
University of Michigan Professor J. Alex Halderman, for instance, has expressed dire concerns that online voting systems are simply too vulnerable to hackers as it currently stands. It took him and his students just 48 hours to gain control over an online voting system meant for Washington D.C. elections, for instance.
Professor Halderman suggests moving over entirely to a system that only uses paper ballots. As archaic as the idea may sound, he argues that a paper ballot system complete with a risk-limiting audit afterward is by far the best way to ensure electoral integrity while also ensuring easy access to America’s voting population.
Securing Voting Machines and Online Security
Of course, if America doesn’t move over to an entirely paper-based voting system, better actions will need to be taken to secure our voting machines. In fact, this step is absolutely necessary to ensure that American elections can be secured.
As mentioned previously, one of the most common forms of attack against online voting is DoS or DDoS attacks, which are designed to overwhelm web servers via internet traffic. The problem with American voting machines today is their age, as most are very likely to break down. Some election officials have been forced to turn to online outlets such as Amazon or eBay to just find replacement parts.
In a survey conducted by the Brennan Center, 31 states have directly stated that their voting machines are in need of replacement before the 2020 election, but two-thirds of those states also stated that they do not have the necessary funding to do so.
One solution: bolster the defenses of the voting machines themselves. Common security applications, such as firewalls and virtual private networks, are designed to protect and encrypt designed to encrypt internet traffic to external servers, thereby preventing them from becoming the target of a DDoS attack. Many consumer VPNs now use the same encryption protocols as their enterprise counterparts, like Cisco and Norton, making them a plausible solution to protect against attacks like packet sniffing.
Certificate-backed digital signatures are an example of a method that would both authenticate and validate the person voting online as well as provide an added layer of security as compared to traditional forms of electronic voting.
Another idea is for each individual to vote via both paper ballot and electronically at the same time, and for the ballot to be verified against one another. And while this method may not be 100% foolproof either, there is simply no independent way to truly assess whether the vote is legitimate.
Conclusion
There are positive changes that we can make to America’s election processes before the 2020 election hits.
Replacing or updating old machines with modern security measures and investing more funding at the Federal level for election cybersecurity are just two examples of measures that could help ensure America’s elections remain both secure and accessible.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.
