From bank transfers to social media posts, information travels the globe in seconds. But technology doesn’t solve every problem. And in the case of voting, it can create new ones.
Hackers at this year’s DEF CON computer security conference showed just how vulnerable our election system really is. One hacker exploited a 14-year-old Windows XP bug that allowed him to change vote tallies from anywhere in the world. And an 11-year-old hacked a replica of Florida’s election system in less than 10 minutes.
Given Russia’s role in the 2016 election, DEF CON’s hacking victories were a terrifying wake up call. With the midterms less than 30 days away, many experts fear that Russia will expand its efforts in 2018, or other governments or rogue actors will pick up where the Kremlin left off. As one security expert warns, the U.S. “risks allowing its elections to become the World Cup of information warfare.”
A Surprise Attack
While there is no concrete evidence that Russia compromised vote totals, 2016’s unprecedented, full-scale attack involved a mix of hacking and disinformation.
In addition to infiltrating Democratic National Committee servers and obtaining copies of Hillary Clinton’s emails, the Kremlin created thousands of fake social media accounts to sow dissent and attack Clinton and Trump’s Republican rivals.
Russia even penetrated voter registration rolls in key battleground states like Florida and Illinois. The Kremlin targeted 21 states — scanning and downloading information — and managed to access a few of them. Though there is no evidence that Russia altered voter rolls, some fear that the Kremlin was laying the groundwork for an even more ambitious attack in 2018 or 2020.
While it is impossible to know whether Russia’s meddling had a real impact on the election’s outcome, the Kremlin was able to wreak havoc with a relatively small budget and an even smaller staff.
The Looming Threat
In August, Microsoft announced that it had shuttered six domains that Russian intelligence was using for espionage — bringing the total number of Russian sites the company has shut down to 84. In the same month, Facebook removed more than 600 accounts used by Russian and Iranian groups to distort perceptions and spread disinformation.
While these indirect attacks can take a toll on the voting public, many experts say that paperless voting machines are the biggest threat to American election security. Providing no paper trail, there is no way to verify results in the event of a hacked or contested election.
As of April, 14 states employed these highly vulnerable machines in at least some of their precincts. And alarmingly, five states — Louisiana, Georgia, South Carolina, New Jersey and Delaware — rely solely on these direct recording electronic machines (DREs).
In 2006, the National Institute of Standards and Technology reported that they could find no way to audit or verify the accuracy of votes cast on paperless touch-screens. Echoing this sentiment, the Department of Homeland Security recently declared that the inability to audit election results is a “national security concern.”
While states like Texas and Virginia are switching out these paperless machines with more accurate, lower-cost machines featuring paper backups, many states and counties don’t have the funds or the time to replace all of them before the midterms.
Ghosts in the Machine
While many states are more conscious of election security than they were in 2016, ambitious hackers could target machines before they ever reach states or counties.
In 2006, hackers proved that they could plant vote-altering malware in electronic voting machines — giving credence to the possibility that bad actors could launch cyberattacks from the factories where voting machines are made.
This vicious malware could elude detection by deleting itself after tampering with vote totals. Add in geotargeting so the malware hits certain swing states, and you have a perfect storm for democracy.
Shoring Up the System
Given these nightmare scenarios, Congress recently allocated $380 million in election security grants to replace outdated voting equipment and increase cybersecurity efforts across the country.
However, critics contend that $380 million is just enough to train election workers and fix vulnerable voter registration databases — not nearly enough to replace every outdated voting machine.
Despite increased security spending and anti-trolling efforts by social media sites like Facebook, some experts believe it’s too late to secure the midterm elections — we should focus on 2020 instead.
These security advocates believe in stiffer penalties for meddling countries, enhanced election protection in every state, new legal standards for social media sharing, and the creation of an independent, defense-only cybersecurity agency.
While many of these initiatives could take years to adopt, the U.S. government is currently working with states to make voting machines safer — updating software, replacing outdated equipment and implementing paper backups. Many state election officials now receive security briefings, and some states have even switched over to paper ballots.
The New Role of Blockchain in Elections
While many security experts contend that it’s still too dangerous to conduct elections over the internet, West Virginia will become the first state to allow voting via smartphone.
Open to members of the military serving overseas, the pilot program uses a mobile app known as Voatz, which runs off the same blockchain technology pioneered by Bitcoin and other cryptocurrencies. Blockchain ledgers are known for creating records that are extremely hard to meddle or manipulate. And before votes are recorded on a private blockchain, they are validated by eight different nodes (computers).
Proponents praise the forward-thinking option, saying it will decrease voter fraud and boost turnout, while maintaining transparency and minimizing election costs.
Still, critics contend that blockchain will simply introduce new security vulnerabilities. Blockchain can’t protect information as it travels over the internet, and it won’t guarantee that a user’s choices will be recorded accurately.
While the U.S. government is making election security a top priority this year, hackers could still try to purge voter databases, tamper with election equipment or launch social media bots.
Before 2016, local and state election officials never worried about foreign interference. Now there is always a possibility that Russia, China, North Korea, Iran or a rogue actor could expand on the size and scope of the Kremlin’s initial attack.
For the first time, the U.S. has designated the nation’s election system as “critical infrastructure,” a term traditionally reserved for nuclear reactors, banks and defense bases. Similarly, many states are employing internal security teams and launching routine “hygiene scans” to detect invaders lurking in their systems.
While the Mueller investigation has indicted 13 Russians and three groups for interfering in the 2016 elections, the Russian playbook is out in the open, available for nations, organizations or individuals to copy or modify. It is up to the American government — and its people — to remain vigilant and safeguard against future attacks.
Bluefin offers P2PE and tokenization services that ensure sensitive data is encrypted the moment it enters your system. To learn more about how you can protect your customers’ data, contact a Bluefin representative today.