Threats to the 2016 Election

Prepared Remarks for a press (tele)conference convened by, at 11:00 AM CDT, Nov. 1, 2016

Part of the Voting and Elections web pages,
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

The last year has brought us a machine-gun blast of news stories about Internet hacking. It seems that no database or e-mail server is secure. Recent stories have pointed to the strong possibility that Russia is behind many of these attacks, but there have been stories of attacks originating from China, North Korea and Iran, and other attacks have clearly come from old-fashioned criminals.

The history of what appears to be Russian government abuse of the Internet traces back to a cyberattack on Estonia in April 2007 and an attack during the Russo-Georgian war in August 2008. There was a degree of plausible deniability in the Estonian case, but the close coordination of the Russian cyberattack against Georgia with military action makes Russian denials ring hollow.

Even if Russia was not involved, we would still be well advised to take the threat of attacks on the integrity of our election seriously. If we let down our guard, someone is likely to abuse the system.

In the face of these kinds of threats, how vulnerable are our elections? For over 15 years, I have been a critic of election technology, focusing primarily on the risks of paperless direct-recording electronic voting systems.

Compared to a decade ago, the fraction of votes counted on these paperless machines has declined, but they are still in use statewide in Georgia, South Carolina and Louisiana, and in widespread use in Pennsylvania, Texas and a handful of other states. Laboratory experiments show that many of these machines can be hacked; it is not rocket science.

Make no mistake about it, I want these paperless machines phased out, but I don't think they are the most immediate threat. Here are my reasons:

Suppose a crook wanted to hack the election by actually hacking DRE machines. First, they would have to find jurisdictions in a swing state that had vulnerable systems, then develop an attack on the election office computers in that jurisdiction, and finally use that attack to install the attack software, all without being detected. That's a lot of work.

There's no point in attacking anywhere but a swing state, because if you attack states with a wide margin and change enough votes to change the outcome, someone will notice.

Why not just attack the county election office and change the results? Let people vote, let the voting machines report the totals to the county computers, and then have the county computers compute dishonest sums. This sounds much simpler.

Fortunately, most jurisdictions around the country have procedures that are either entirely immune to an attack on the central election management computer or that allow vigilant citizens to catch and detect the problem.

Then vigilant observers at the polling place can check the county's arithmetic. Unfortunately, some jurisdictions don't print the results at the polls, and some don't publish a full account the next day. On the flip side, other counties take extra care, publish everything, and do all the checking as well.
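The arithmetic check described above, written out as an added example that is not part of these remarks: observers record the totals printed on each precinct's poll-closing tape and compare them with what the county later publishes, both precinct by precinct and in the county-wide sum. The data below is constructed for illustration; in it the county's computer has reported a different result for precinct P2 than its tape shows, which this check catches.

```python
"""Added example: reconcile precinct result tapes against county-published
results. The data structures and sample numbers are constructed, not taken
from any real election."""

# Constructed sample: totals copied from the tapes printed at poll closing.
TAPES = {
    "P1": {"A": 100, "B": 80},
    "P2": {"A": 120, "B": 130},
    "P3": {"A": 90, "B": 95},
}

# Constructed sample: what the county published the next day. P2 differs
# from its tape, and the county-wide sums were computed from the altered P2.
PUBLISHED_PRECINCTS = {
    "P1": {"A": 100, "B": 80},
    "P2": {"A": 150, "B": 100},
    "P3": {"A": 90, "B": 95},
}
PUBLISHED_TOTALS = {"A": 340, "B": 275}


def reconcile(tapes, published_precincts, published_totals):
    """Return a list of discrepancy descriptions; an empty list means the
    published results are consistent with the tapes."""
    problems = []
    candidates = sorted({c for tape in tapes.values() for c in tape})

    # 1. Every precinct's published result must match its own tape.
    for precinct, tape in tapes.items():
        published = published_precincts.get(precinct)
        if published is None:
            problems.append(f"{precinct}: no published per-precinct result")
            continue
        for c in candidates:
            if tape.get(c, 0) != published.get(c, 0):
                problems.append(
                    f"{precinct}/{c}: tape {tape.get(c, 0)} "
                    f"vs published {published.get(c, 0)}"
                )

    # 2. The county-wide total must equal the sum of the tapes, computed
    #    independently of whatever the county's computer reported.
    for c in candidates:
        expected = sum(tape.get(c, 0) for tape in tapes.values())
        reported = published_totals.get(c, 0)
        if expected != reported:
            problems.append(
                f"total/{c}: tapes sum to {expected}, county reports {reported}"
            )
    return problems


if __name__ == "__main__":
    for line in reconcile(TAPES, PUBLISHED_PRECINCTS, PUBLISHED_TOTALS):
        print(line)
```

Both checks matter: the per-precinct comparison localizes a problem to one precinct, and the independent sum catches the case where the county publishes no per-precinct breakdown at all, or where the breakdown and the total are both wrong in the same way.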

A hacker intent on rigging the election in a vigilant jurisdiction would have a difficult time, and a hacker trying to find a jurisdiction that is not vigilant by doing the research over the Internet from Peking or Moscow would not find this to be an easy project, because the procedures actually used are not always easy to find online.

If someone wanted to rig a US election remotely, it would be easier to seek some central vulnerability instead of searching through 5000 county offices for weaknesses. I believe that the most vulnerable point in US elections today was created by our move to statewide voter registration databases. In many cases, that move was the result of the Help America Vote Act of 2002.

Reports are that someone, probably from Russia, has successfully broken into the Illinois voter registration database, and the databases of several other states have been probed. These databases contain a treasure-trove of information that could be of value to common criminals who exploit today's Internet, but this information could also be useful in an attack on the election:

For example, some states allow absentee ballot requests to be submitted by Internet. The information you need to "prove" your identity in such a request is all in the statewide voter registration database. How could an attacker use this?

Simply request absentee ballots on behalf of randomly selected voters who are registered for the wrong party. Have those ballots mailed to random overseas mailing addresses. Come election day, when those voters show up at the polls, they'll be told that they can't cast a regular ballot because they already requested an absentee ballot.

This is not science fiction. In 2012, a shotgun blast of 2,522 absentee ballot requests came over the Internet to the Miami-Dade County election office. Fortunately, the attack was clumsy, all the requests came from the same Internet address, and the county election office noticed and began an investigation. A better engineered attack could have been successful.
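The Miami-Dade detection described above, all the requests coming from the same Internet address, is the kind of thing an election office can check for automatically. The following is an added example, not from these remarks or from any election office's software: it reads a constructed log of online absentee-ballot requests and flags any source address that submits an unusual number of requests in a short window, also counting how many of those requests asked for the ballot to be mailed outside the country. The log format, field names and thresholds are assumptions made for the example.

```python
"""Added example: flag bursts of online absentee-ballot requests from a single
source address. Log format and thresholds are assumed, not from any real
system; the log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source address, voter id, mailing country.
# The first six lines model the pattern in the text: one address, many voters,
# ballots to be mailed to assorted overseas addresses.
SAMPLE_LOG = """\
2016-10-20T08:01:12 203.0.113.7 V10001 US
2016-10-20T08:01:13 203.0.113.7 V10002 GB
2016-10-20T08:01:13 203.0.113.7 V10003 DE
2016-10-20T08:01:14 203.0.113.7 V10004 FR
2016-10-20T08:01:15 203.0.113.7 V10005 BR
2016-10-20T08:01:16 203.0.113.7 V10006 AU
2016-10-20T09:30:00 198.51.100.21 V20001 US
2016-10-20T14:12:45 198.51.100.22 V20002 US
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, voter, country = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "voter": voter, "country": country})
    return records


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length
    `window` (sliding two-pointer scan over the sorted times)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_sources(records, window=timedelta(minutes=10), threshold=5, home="US"):
    """Return {source: (burst_size, foreign_mailing_count)} for every source
    address that submitted at least `threshold` requests within `window`."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    alerts = {}
    for src, rs in by_src.items():
        burst = max_in_window([r["ts"] for r in rs], window)
        if burst >= threshold:
            foreign = sum(1 for r in rs if r["country"] != home)
            alerts[src] = (burst, foreign)
    return alerts


if __name__ == "__main__":
    for src, (burst, foreign) in flag_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {burst} requests in window, {foreign} to foreign addresses")
```

A single source address is only the clumsiest signal; the text's point is that a better-engineered attack would spread requests across many addresses. The same aggregation can be keyed on other fields that a request carries (the destination mailing address, the time pattern, or the rate of requests for voters who have never voted absentee before), which is why the per-request counts are kept separate from the per-source grouping.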

If someone manages to infiltrate a voter registration database and make actual changes, the consequences could be even more severe. If someone selectively moves voters to different precincts, when they show up at the polls, they'll be told that they're no longer registered there.

Do we have a defense against these attacks? Sort of. Voters who didn't get their absentee ballot or who find that their address in the voter records is wrong can vote a provisional ballot that has a decent chance of being counted, at least in some jurisdictions. In states with same-day registration, any error in the voter registration database can be corrected on election day, so long as the voter has an acceptable ID document.

Note that these defensive measures require extra work for each victim of the attack, and they require extra work by pollworkers. Any attack that creates extra work at the polling place can create long lines, and that too disenfranchises people who don't have the time to wait.

Thinking about the US election from the point of view of a foreign attacker, it is worth noting that they may not really care who wins if the victor is sufficiently weakened that their victory is hollow. Looking back at 2000, it is worth noting that George Bush was not a very powerful president until the attacks of 9/11 gave him a mandate. For the first 9 months of his first term, the controversy over election 2000 was still dominant.

So, is there a low-cost path for an outside attacker to create chaos in a US election?

One obvious attack is to simply shut down on-line access to the voter registration database on election day. More and more counties no longer use paper pollbooks, relying instead on electronic pollbooks, some of which connect directly to the central voter registration database. The distributed denial of service attack a week and a half ago may not have been related to the election, but if I were, say, Russia, and I wanted to test a weapon that could be used to disrupt the election, that is what my weapons test might look like. Shut down the electronic pollbooks on election day, and you would force election workers to fall back on paper pollbooks, if they have them.

Unfortunately, an attacker might be able to create chaos without actually conducting any attack on the real voting system. All the attacker really needs to do is release carefully crafted fiction through some portal such as Wikileaks to suggest that an attack was being planned and might have been carried out.

There have been enough e-mail leaks recently to make such an attack work. It would work best if the attacker is careful to insert fictional sentences into authentic documents. If this is well done, the release of the actual document by the authentic author will be seen as part of a cover-up when in fact nothing really happened.

We used to have a stronger defense against this when the press had more resources to carefully research leaks to determine their authenticity. In today's media landscape, the blogosphere and the world of infotainment may be more important than the professional journalists, so we have to be very careful.

In summary, what can we do to defend ourselves?