In my last column I talked about propaganda and election influencing in the USA by foreign governments, as well as the US doing it to others. My basic take was, so what; if others want to meddle, they always will. Just be sure to lock the barn door before the horse (data) escapes. We need to stop complaining and be prepared for when they try.
99% of votes in the USA are either cast or counted by computers.
We have invested in computerized elections because they reduce miscounts, help voters with disabilities, improve access to voting for rural voters, and speed up delivery of results. That’s goodness.
Unfortunately, we have NOT invested in strong security for our computerized elections. The average state election cybersecurity grade in a recent report was only a C-. The average grade for states with toss-up Senate races in 2018 is an F!
Without question, our computerized election system is vulnerable to cyber threats!
Let’s take a look at four areas of our computerized elections:
- Campaigns, overall risk: severe
Cyber-attacks on campaigns have been used for the selective release of private documents, in which adversaries publish potentially compromising data on candidates and campaigns. These attacks have undermined the credibility of candidates, exacerbated social, economic, and political divisions among the US electorate, and fueled fears of corruption and abuse by government officials.
So far in 2018, cyber-attacks by Russians have allegedly targeted multiple Congressional campaigns, including Senator Claire McCaskill of Missouri, as reported in TheDailyBeast.com.
Cybersecurity practices for political campaigns remain inconsistent, although efforts by Homeland Security and the FBI to provide cybersecurity training have had some effect. Extremely tight budgets, mostly volunteer staffs, poor cybersecurity awareness, and campaigns' use of distributed, ad-hoc systems have made improving campaign security difficult, particularly for local and state elections, in spite of significant publicity around attacks on campaigns and campaign officials.
- Voter registration and election management systems, overall risk: serious
Attacks on voter registration systems and e-poll books could be used to steal data on American voters, or affect Americans’ ability to exercise their right to vote if their voter registration is manipulated. Blocking certain voters from the polls could even alter the results of an election.
Voter registration systems in at least 21 states were targeted by Russian hackers in the 2016 election, although there is no evidence that voter rolls were actually changed.
Voter registration systems remain vulnerable to cyber-attacks, but progress is being made on basic cybersecurity standards and training, and Homeland Security is coordinating information sharing and incident response exercises with state election officials.
- Voting systems, overall risk: serious
Cyber-attacks on voting systems could be used to disrupt the voting process, or even to directly manipulate votes, perhaps the most widely feared form of election manipulation.
There has been no evidence of foreign tampering with US voting systems in 2018, but known vulnerabilities have been demonstrated in many of the most widely used voting systems in the USA.
Vulnerabilities in voting machines and vote counting systems have received a lot of attention since 2016, but most voting systems are not connected to the Internet, and getting physical access to such a large number of machines would be challenging, particularly for a foreign adversary. Furthermore, most states have plans to replace aging voting systems and implement a paper audit trail for all votes.
- Election night reporting, overall risk: serious
While attacks on election night reporting systems cannot affect the actual outcome of the election, if reported vote tallies are manipulated it could call the real results into question even if they are ultimately verified.
No evidence has emerged of foreign tampering with election night reporting systems, but vulnerabilities in official election websites and in traditional and social media platforms could be exploited by foreign actors.
Secure election night reporting has received comparatively little attention and resources relative to voter registration and voting systems, and known vulnerabilities in official election night reporting websites and in traditional and social media platforms remain unaddressed.
Without question, our computerized election system is vulnerable to cyber threats, and foreign adversaries want to exploit our vulnerabilities.
Areas with the greatest risks are 1) influence operations, 2) cyber espionage against campaigns/candidates, and 3) attacks on voting systems. Influence and espionage are much bigger threats than sabotage.
Which countries pose the greatest overall cyber threats to US elections? Russia (81%), China (10%), and Iran (2%).
The good news:
Progress is being made. Today, basic best practices for cybersecurity are in place for information sharing (50 states), access control (46 states), and regular vulnerability analysis and intrusion detection (43 states). 9 states are using voting machines more than 10 years old; 33 states perform post-election audits; and (to me at least) most important, 36 states have a paper-trail audit for all voters.
By 2020, 46 states will either have or be in the process of implementing a Voter Verified Paper Audit Trail. (Look up VVPAT with an Internet search engine.)
More is needed.
A paper audit trail is a key first step in establishing resilience if computerized election systems are compromised.
Current funds are helping to implement basic security practices, but the full cost of robust security systems is much higher. Many states and counties have developed plans to upgrade or replace vulnerable systems but lack funding to implement them.
Attacks on campaigns and election night reporting systems cannot directly disrupt or change the outcome of an election, but they can undermine the credibility of American democracy, and comparatively little money or effort is being put into securing these systems.
Campaigns and election officials should leverage every available opportunity to partner with the government, with cybersecurity professionals, and with pro bono initiatives to continuously improve security on our election systems.
Hopefully we made it through the 2018 elections without any major glitches turning up. Let’s hope we’ll be much more ready two years from now.
[Most of the information contained here was distilled from papers published by the Technology Program of the Center for Strategic & International Studies in Washington DC.]