The cybersecurity of the U.S. election was compromised once again as Russian-based hackers breached the voter registration databases of both Illinois and Arizona last month. Combined with the DNC hack that occurred earlier this year, there has already been a significant compromise of the U.S. election, shaking voters’ trust and drawing comparisons to Watergate.
With cyberattacks around the U.S. election escalating, many Americans are left questioning how secure the elections really are. The short answer: not as safe as we’d like.
According to officials, hackers gained access to the information of an estimated 200,000 registered voters from Illinois and Arizona this summer, including their names, addresses, party affiliation, and, in some cases, drivers license numbers and last digits of social security numbers. As it turns out, voting systems are not considered “critical infrastructure” by the department of Homeland Security, meaning they are not under federal government protections. Therefore, when cyberthieves stole the login and password of an election official in Gila County, Arizona, the registration database was vulnerable.
“I’m less concerned about the attackers getting access to and downloading the information. I’m more concerned about the information being altered, modified or deleted. That’s where the real potential is for any sort of meddling in the election,” said Brian Calkin, vice president of operations for the Center for Internet Security, which operates the MS-ISAC, a multistate information-sharing center that helps government agencies combat cyberthreats and works closely with federal law enforcement.”
Fortunately, the voter registration and election ballot systems are separate, meaning the results of the election have not been tampered with — this time. But the lack of federal protection of voting systems begs an alarming question: is a 2016 election hack possible?
The answer is a complicated one that comes down to the security of our electronic voting process. 75% of voters still use paper ballot cards on Election Day, which are difficult to tamper with due to their tangible nature. But the remaining quarter of American voters use electronic voting systems, from military voters enlisted overseas to states such as Georgia, Louisiana, Delaware, and more that use electronic voting booths without a paper trail.
Electronic voting booths are typically offline and not accessible by Internet, according to Tom Hicks, chairman of the federal Election Assistance Commission. This bars classic hacking techniques such as spear phishing, but it does not guarantee our votes are safe.
Most polling booths have outdated technology that is easy to hack. At this year’s Blackhat conference, Brian Varner of Symantec demonstrated how someone could hack an electronic voting booth to multiply a candidate’s votes from one to 400 in just a few minutes, right under the nose of a poll worker. What’s more, many of the electronic poll booths in use today do not produce a paper trail to verify votes.
As of now, officials have not uncovered any plans to manipulate ballots on Election Day this year. Fortunately, the hackers did not alter or delete registration information, making the Arizona and Illinois breaches relatively innocuous — at least on a surface level. Experts believe the breach was “exploratory:” harmless for now, but possibly foreshadowing a larger cyberattack. Others have theorized that hackers may be attempting to shake voters’ trust in the election system, and if that’s what they’re up to, it’s certainly working.
It’s possible that reverting to paper ballots would be the best protection against voting fraud this election season. However, with the slow pace of government action, a total reversion to paper ballots could take months or even years, and isn’t likely in 2016. In the meantime, U.S. Secretary of Homeland Security Jeh Johnson has extended help to states to fight possible Election Day cyberattacks, and state officials are taking precautions.
While we talk a lot about retail data breaches and the need for technologies like our PCI-validated P2PE solutions to encrypt card data – the hacking of our political parties and our election process just goes to show that hackers can strike whoever, whenever and in whatever industry they choose.