To protect our elections
US officials warn voting could be hacked. A Raytheon expert offers five ways to meet the threat
When they're teaching kids to hack into election websites, you have to figure the threat is real.
In August, an 11-year-old boy attending the annual hacker convention DEFCON 26 broke into a simulated Florida elections website and changed some of the faux election results.
It took him ten minutes.
Now, the site was merely a replica, and it was set up to be hackable, according to ProPublica, but still. The young hacker was one of 50 participants, aged 8 to 16, who tried breaking into various replica voting sites in an exercise called DEFCON Voting Machine Hacking Village. More than 30 successfully "tampered with vote tallies, party names, candidate names, etc.," according to DEFCON. Even though the websites weren't real, organizers must have felt they were making a point.
The exercise took place amid a whirlwind of news about election cybersecurity. Only days earlier, senior U.S. intelligence officials held an unprecedented, joint press conference to warn of Russian efforts to interfere in the upcoming 2018 national elections. That followed a National Security Council meeting, chaired by President Donald J. Trump, that focused on election security. In July, it was revealed that hackers have already targeted multiple congressional candidates, although none of those attacks were said to have been successful.
All of those events highlight the possibility of cyber meddling and the threats it poses. The danger is not that an attack is likely to alter voting results across the nation, but that hackers will be able to infect relatively few computers and still seed doubt about the legitimacy of the elections, said Michael Daly, Raytheon’s chief technology officer for cybersecurity and special missions.
“It may be to the advantage of the attacker to do a splashy infection (on a few computers, where) an alert goes off and a bell starts ringing and it says you’ve been infected," Daly said. "That would get people in the area talking about it. They would feel the election's been compromised and word would spread.”
Because every state has its own system for tallying votes, from paper ballots to electronic screens to some Internet voting, there’s not one common vulnerability that can be exploited in an attack, he explained. But should a few systems be infiltrated, people might lose trust in our electoral process.
"You don’t have to have widespread damage," Daly said. "You just need to have a few, well-publicized incidents. The public is already feeling divided, with help from prior influence operations."
While Russia is already spreading disinformation through social media and other channels, U.S intelligence officials said, it could also try to hack actual voting systems.
“There should be no doubt that Russia perceives that its past efforts have been successful and views the 2018 midterm US elections as a potential target for Russian influence operations,” said U.S. Director of National Intelligence Dan Coats. “Frankly, the United States is under attack…by entities that are using cyber to penetrate virtually every major action that takes place in the United States.”
The unified call to action from U.S. intelligence agencies highlights the danger to our democracy should an adversary be able to alter votes. Cybersecurity is critical to national security, according to Daly.
“Nothing is immune from the cyber threat. Not our airports, power plants, banks or hospitals. Not even our voting systems, the very basis of our democracy," he said.
U.S. elections are managed through a hodgepodge of systems that vary from state to state, including paper ballots, electronic screens and even some Internet voting. Daly offers these recommendations for securing voting systems ahead of the midterm elections:
1. Secretaries of state should convene, in an academic environment, a conference with their election officials and cybersecurity staff. The session should be used to review the importance of cybersecurity controls, the threat vectors that are known to have been exploited in systems, and the long history of election tampering that has been occurring since World War II. Improperly informed stakeholders are our greatest vulnerability.
2. Secretaries of state, their Boards of Elections and state cybersecurity leaders should document their end-to-end election process with all of its systems, dependencies and interfaces. Every state is different and has different threat vectors.
3. States should engage their vendors and IT organizations (across the end-to-end chain) to conduct technical testing to ensure systems are secured. This includes patching, segmentation, monitoring, wireless configurations, hardening to remove unnecessary applications and ensuring there are multiple redundancies and methods of validation.
4. State officials should contact the U.S. Department of Homeland Security and their National Cybersecurity and Communications Integration Center for help. That’s where they’ll find trained professionals ready to help with lessons learned from prior engagements.
5. In terms of dealing with the threat of a cyber bomb, officials need to ensure voters have confidence in the integrity of the elections. That means states should think ahead and promote the integrity features that are already built into voting systems, including redundant records and backups that guarantee every vote is counted in the end.
And we must look beyond the elections to fight off cyber threats, according to Daly.
"A secure electoral system is critical to protecting our democracy, but it isn’t the only critical infrastructure that is being attacked," he said. "Just as important, or perhaps even more so, is the protection of our power utilities, our aviation infrastructure, and our hospitals."
Noting the recent Department of Homeland Security report revealing that Russian hackers have penetrated deeply into the systems of our electrical utilities, he said, "We as a nation are at a tipping point where we just have to step up and make it more difficult for our adversaries to breach our critical infrastructure. These breaches not only erode our trust, but can they impact our safety and lives."