Stealing and leaking emails from the Democratic National Committee could be just the start. Hacking the presidential election itself could be next, a bipartisan group of former intelligence and security officials recently warned. Whoever was behind the DNC hack also could target voting machines and the systems for tabulating votes, which are dangerously insecure.
“Election officials at every level of government should take this lesson to heart: our electoral process could be a target for reckless foreign governments and terrorist groups,” wrote 31 members of the Aspen Institute Homeland Security Group, which includes a former director of the Central Intelligence Agency and a former secretary of Homeland Security.
That echoes warnings computer security experts have been sounding for more than a decade: that the system for casting and counting votes in this country is also ripe for mischief.
It also appears to mirror the concerns of one presidential candidate.
“I’m afraid the election’s going to be rigged. I have to be honest,” Donald Trump told voters in the key swing state of Ohio this week. Trump has complained before about bias and interference in the Republican nominating process, but this was the first time he claimed that the general election would be targeted.
A spokesman for Trump’s rival, Hillary Clinton, dismissed the Republican nominee as a “reflexive conspiracy theorist.”
But the election system in the United States can be manipulated, experts warn, through targeted attacks on its several weak points.
Whether Trump knows that is unclear. But he was priming the pump for Election Night mayhem—and perhaps playing right into hackers’ hands. Voters who have already been told to be on the lookout for shenanigans would be rightly incensed to learn that their votes had been manipulated. And a candidate who merely suggested that the system had been hijacked—without offering any proof—could inflame those passions and spread uncertainty. And God forbid the campaigns wind up suing one another over disputed ballots; the Supreme Court is down a justice, and is tied 4-4 between liberals and conservatives.
“It’s hanging chads weaponized,” former National Security Agency official Stewart Baker told NBC, referring to the 2000 election’s paper ballot controversy.
Surely, hackers know that. If someone really wanted to “rig” the election, here are five ways he might do it, from attacking the ballot box to exploiting the raw emotions stoked by a conspiracy-minded candidate.
Intercept the Ballots
Once ballots are cast at a polling place, they’re sent to another location to be counted. And while they’re in transit, they’re vulnerable to tampering—especially if they travel electronically.
Thirty-one states and the District of Columbia allow military personnel and overseas voters to return their ballots electronically, according to Verified Voting, a nonprofit group that advocates transparency and security in U.S. elections. “The election official on the receiving end has no way to know if the voted ballot she received matches the one the voter originally sent,” the group warns.
Some ballots are sent through online portals, which exposes the voting system to the internet. And that’s one of the most dangerous things elections officials can do, because it provides a remote point of access for hackers into the election system.
“Anything that doesn’t absolutely have to be connected to the internet, don’t connect it,” Pamela Smith, Verified Voting’s president, told The Daily Beast. U.S. officials have also given that same advice to the owners and operators of critical infrastructure, such as electrical power grids. Smith and her colleagues recently told U.S. officials crafting computer security guidelines that elections systems should also be treated as vital national assets, and protected as such (PDF).
Some ballots are returned via digital fax or email. And some—bafflingly—are sent via email.
“Without encryption, emailed ballots can be easily modified or manipulated en masse while in transit from the voter to the local election officials,” David Jefferson, a voting security expert and computer scientist at Lawrence Livermore National Laboratory, warned in a blog post in 2011.
The threat is still real. Jefferson called it “trivial” for someone with a modicum of technical skills to filter out ballots from a particular county or state and “to automate a process to either discard ballots that contain votes she does not like, or replace them with forged ballots that she likes better, all the while keeping the voter’s signed waiver and envelope attachments intact. Such malicious activity would only result in a transmission delay on the order of one second or so.”
Most states that allow voters to return ballots via the internet limit the practice to overseas voters. But in close elections, those votes could make a difference. Alaska is also unique in that it allows anyone in the state to send in their ballots online.
“Marking and sending votes over the internet is my biggest concern,” Smith said. “They could be infected or tampered with. Or something could just go wrong and you couldn’t do a good recount.”
That’s especially concerning in states that allow voters to electronically return their ballots but don’t have paper backups to record how that person actually voted.
Lie to the Voting Machines
This may be one of the trickier hacks to pull off, but potentially one of the most damaging.
Ballot definition files are an indispensible piece of the electronic voting system. They tell a voting booth what precinct it’s sitting in, which races appear on the ballot, the candidate’s relationship to those races, and other essential information that a voter needs to cast his ballot correctly. When a voter touches a candidate’s name on a machine’s screen, it’s the ballot definition file that tells the machine to record that touch as a vote. The file actually defines how the machine sees the ballot.
And how are ballot definition files delivered to the voting machine? In some cases, via the internet. A corrupted ballot definition file could, in theory, tell the machine to count votes for Clinton as votes for Trump, and vice versa.
Such a mix-up has actually happened, though not by design. In a 2006 county election in Iowa, officials were surprised to find a popular incumbent—who’d been in office more than 20 years—losing to a practically unknown 19-year-old college student. When they stopped electronic voting and counted ballots by hand, they saw that the voting machines were miscounting all the races on the ballots.
It turns out that the machines weren’t programmed to know that not every ballot in the county looked alike. Some put one candidate’s name at the top in one precinct, and others changed the order. This is a process known as “ballot rotation,” and it’s meant to avoid favoritism or bias by always having one candidate’s name at the top of the ballot. The machine didn’t know that.
In a hack, the ballot definition file could be corrupted not to recognize this rotation, throwing the whole election off kilter. How badly? In that Iowa race, the voting machines had the incumbent coming in 9th place out of 10 candidates. When officials recounted the ballots by hand, they saw he had actually won.
Target a State with No Paper Trail
Electronic voting machines pose risks. But jurisdictions can minimize them by creating tangible records called voter-verified paper audit trails. Think of it like a receipt that shows the voter how his selection was counted. Audit trails also let election officials conduct a hand-count if necessary. If a hacker changed the votes cast on a machine, the paper trail should tell counters for whom the votes were really meant.
But five states use electronic voting machines with no auditable paper trail—Louisiana, Georgia, South Carolina, Delaware, and New Jersey, according to data from Verified Voting. And seven states use a mix of paper ballots and electronic machines with no paper trail. Among them are the electoral battlegrounds of Florida, Virginia, and Pennsylvania.
Experts say states with no or incomplete audit trails pose a prime target for manipulation. If a hacker altered the vote totals in the machine, not only would there be no paper record to provide an authoritative count, but election officials might not even realize they’d been hacked, because the only record of the vote count would be the compromised machine.
“This is one of those things about paperless, electronic voting that makes it so unusual and problematic. How would you know?” says Smith of Verified Voting.
Voters in Washington state got a taste for this uncertainty in their 2004 gubernatorial election, Smith says. The election results were close—down to 100 votes in some counties—but in places that used voting machines without paper records, the candidates had to just trust that the machines had recorded the votes properly. They couldn’t be recounted by hand.
And in one election in North Carolina the same year, a machine with no paper trail that was used for early voting in a county government office inexplicably stopped counting votes. About 4,500 were irretrievably lost, in a statewide contest that was decided by fewer than 2,000 votes, Smith says.
“In a situation like that, what do you do? They didn’t even have punch cards to hold up,” she said, alluding to the infamous 2000 presidential recount in Florida, where election officials had to visually inspect cards to determine which candidate voters actually cast a ballot for.
Some counties in Florida are using electronic machines now, which were introduced to reduce the likelihood of another recount fiasco. But in Miami-Dade and Broward counties, the scene of so much confusion in 2000, there’s a mix of paper ballots and machines with no paper trails.
Go After Wireless Systems
Machines that can connect to each other or the internet wirelessly are the soft underbelly of election hacking.
In one of the most notorious cases of vulnerable election systems, researchers from the Virginia Information Technologies Agency found that WINVote, a touchscreen voting machine used in elections between 2002 and 2014, including three presidential races, contained wireless cards that would let an attacker “access the WINVote devices and modify the data without notice from a nearby location” (PDF).
The machines communicated with each other using an encrypted wireless system, but foiling it was easy: the password to gain access was “abcde,” which the Virginia researchers charitably described as “weak.”
“With that passphrase it was possible to join to the WINVote ad-hoc network with specialized security workstations and start attempting to compromise the WINVote device’s operating system,” the researchers wrote.
Virginia decertified the machines, and they’re no longer in use. In fact, no state uses WINVote, according to research from Verified Voting. But any election system that uses wireless components at other points in the tallying process is potentially at risk. That includes machines that may have wireless systems that election officials think they’ve disabled, but are actually still turned on. That was the case with WINVote.
Say You Hacked The Vote, Even If You Didn’t
Hackers don’t need to actually hijack a voting machine or ballot software to undermine confidence in election results. Merely the credible claim that an election had been tinkered with could compel a candidate’s supporters to cry foul, particularly if the vote counts are close or if the candidate performed worse than expected.
“If you have a system that’s been shown to have vulnerabilities, even if someone doesn’t attack them, but creates the impression that they might have, in a closely contested election you’ve got a problem,” Avi Rubin, a computer scientist at Johns Hopkins University, and one of the first technologists to warn about vote hacking, told The Daily Beast.
Given Trump’s claims that the system is rigged, and his pattern of inciting supporters, it’s not hard to imagine the nominee seizing on just the claim of foreign hacking as evidence of interference.
“Launching a disinformation campaign on social media, or via text messages, is not challenging. And you only need a small percentage of people [to react] to have results,” John Wethington, a vice president at computer security company Ground Labs, told The Daily Beast. Disinformation can also be used to depress turnout. “Tell them that a particular polling location is closed. Or notify them that the voting machines in a particular area have been compromised,” Wethington said. People might stay away if they think the election is already stacked against them.
Particularly if their candidate tells them so.