Search

EnglishEnglish

Comments: Go to comments

Hacking the Vote: Cyber Security of Tech-Dependent Elections

Are the procedures for operating and protecting elections technology good enough and properly adhered to?

massimo tommasoli

From left: Kim Zetter, a freelance cyber security journalist, moderated a discussion with Jeremy Epstein, a senior computer scientist at SRI International; Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology; and Massimo Tommasoli, permanent observer to the United Nations for the International Institute for Democracy and Electoral Assistance (IDEA). (Atlantic Council)

Ultimately the question is not if an Information and Communication Technology (ICT) system can be hacked; it is rather how much effort is needed for the hack and whether the target is valuable enough to justify the resources required for an attack. Elections and politics are high value targets and therefore election-related technology is becoming an objective for hackers
This paper was presented on October 19th at the Atlantic Council, Washington DC. 

Cyber threats may undermine voters’ trust in the integrity of an electoral system based on widespread use of e-voting machines. In some cases, they may compromise the legitimacy of the result of an election. Different e-voting technologies are more or less vulnerable to hacking. Paperless voting may make audits and recounts difficult, if not impossibleElections should be audited independent of the computers, so that their results can be trusted even if the computers are hacked. Five states – South Carolina, New Jersey, Delaware, Georgia, and Louisiana – and a significant number of counties in other states, including Pennsylvania, Tennessee, Texas, and Kentucky, rely on e-voting machines that do not include any paper trailthus posing audit challenges. In general, enhanced cyber security should strike a balance between the competing needs of ensuring protection of critical voting infrastructures and respecting the rights of the citizens whose security should be ensured.

In a growingly digital world, the younger the generation, the more its members will be relying on technology. In 2011 the CEO of the Russian security firm Kaspersky Labs, Mr. Eugene Kaspersky, said that “it will be the end of democracy without Internet voting”. In 2012 he said that one of the biggest cyber threats is the way the Internet generation will engage with politics. More specifically, he claimed that “the lack of well-established online voting systems is a real threat to democratic nations of the Western world”. Last month Kaspersky reiterated that e-voting is, and will be, the biggest threat to democracy. Unless the system changes, he stated, e-voting will be unsafe, i.e. vulnerable to attacks, and its results will be manipulated.

It should be noted that election integrity is not only about technology; it is about the integrity of electoral systems and processes. Within them, technology is becoming an increasingly important factor; however, it is neither their only component, nor the most important one (IDEA 2011). In the case of the 2016 US electionsHarvard Professor Pippa Norris identified five electoral integrity challenges. The risk of hacking breaches is just one of them. The other four are: partisan polarization over electoral procedures; lack of public confidence in the electoral process; deregulating campaign finance; and lack of professional standards of electoral management (Norris 2016).

Ahead of the 2016 US presidential election, allegations of hacking electoral technology made headline news several times. This leaves both voters and election officials alike wondering how realistic the danger of electronically rigged elections really is, and what can be done about itDifferent actors – political, election and security analysts, the media,and the wider public – have all reacted to the alleged hacking of sensitive election-related information, with feelings that what happened is a sort of “game changer” (The Aspen Institute 2016). It is too late for adopting structural measures so as to ensure that the current US electoral process is fully protected by vote hacking cyber threats. The situation may change in future. Two bills were recently sent to Committee on electoral matters, on increased security of e-voting, and the designation of voting systems as critical infrastructures, respectively. In case of approval of the latter, in the worst case scenario any attack on the voting systems in the US – defined as critical infrastructures, just like nuclear power plants – could trigger a proportional response, including through military means.

However, how serious is such threat? In 2016, the number of devices connected to the Internet is estimated at 23 billion, almost exactly three devices for every person alive. Over the next 3-4 years this number is expected to double. Every device connected to the Internet is threatened by security breaches and a potential target for hackers and cybercrime. If a system is a valuable enough target, it is not secure even if it is offline. The 2012 ‘Stuxnet’ attack against Iran’s nuclear program impressively demonstrated that even the ‘air gap’ between the Internet and offline computers can be bridged by malicious software. The Stuxnet computer worm was transferred by unwitting staff and infected USB sticks from their computers to centrifuges for nuclear material.

Ultimately the question is not if an Information and Communication Technology (ICT) system can be hacked; it is rather how much effort is needed for the hack and whether the target is valuable enough to justify the resources required for an attack. Elections and politics are high value targets and therefore it is no surprise to see election-related technology becoming an objective for hackers.

In July 2016, ahead of the Democratic Convention, hackers broke into the server of the Democratic National Committee and released emails to the media. The perpetrators were allegedly Russian-based hackers. In September 2016 two state registration databases have been targeted by hackers who stole information in Illinois from roughly 200,000 voting records and attempted at breaching voting records in Arizona (Norris 2016: 7).

The current reports of hacks into US voter registration systems and party computer networks are neither new nor unique. Only in 2016 several similar incidents occurred world wide:

• In April 2016 the ‘political hacker’ Andrés Sepúlveda revealed how he had interfered for years in elections across Latin America, amongst others by breaking into parties’ and candidates’ computer systems and utilizing the information found there;
• Also in April 2016 personal information including biometric data of over 15 million Filipinos has been leaked after hackers obtained access to the country’s voter registration database;
• In May 2016 it was disclosed that German Chancellor Angela Merkel’s personal computer got compromised, reportedly by Russian hackers. This follows the 2013 discovery that her mobile phone had been hacked with the National Security Agency (NSA) being blamed at the time;
• In July 2016 the network of the Turkish Adalet ve Kalkınma Partisi (AKP – Justice and Development Party) was breached and party internal emails were leaked – reportedly by pro-Kurdish activists.

Such cyber attacks are very difficult to trace with certainty to their source. Sophisticated attacks may be conducted not only by nation-states, but also by non-state actors, including private companies, “hacktivists, political parties, extremists and terrorists. Often the boundaries between such groups are blurred. In the face of the above, what needs to be done to preserve the trust and integrity of our elections and democracy?

First of all we have to define the systems we need to protect, and what we need to protect them against. In heated debates prior to an election, sometimes little attention is paid to the great range of activities that are referred to as ‘hacking’ and the actual implications of such activities. For effective counter measures and even an informed discussion it is important to be more specific than that.

Sometimes ‘port scans’, a very common way of testing online systems against vulnerabilities, may be deemed serious attacks. In other cases, lab demonstrations of security vulnerabilities are mixed up with real life exploitations of those weaknesses.

Some attacks get a lot of visibility, while others may remain undetected for a long time. Some aim at election infrastructure and election administrations, while others target many different electoral stakeholders, including political parties and media outlets. In a country relying on an online-voting system, distributed denial-of-service (dDoS) attacks and similar attacks that have recently affected the US East Coast could potentially interrupt the work of the Internet voting server or make the system inaccessible to voters.

Marco Ramilli and Marco Prandini, researchers at the University of Bologna, list four main security threats, affecting secrecy, integrity, availability and authentication. If the system does not assure secrecy, it is “vulnerable to covert channels attacks, where an attacker may buy or sell votes”. If it does not assure integrity, elections can be compromised by replacing or modifying the integrity of the ballots, or directly the final counts. If availability is not assured, universal suffrage is jeopardized, and the system becomes “vulnerable at least to external quorum attacks, in which the attacker can modify the total number of voters, denying the minimum voter requirements”. System weaknesses on authentication controls make the system “vulnerable to multiple vote attacks, where an attacker could vote multiple times for the preferred candidate” (Ramilli & Prandini 2010).

Cyber attacks against election technology, that we should focus on preventing, can come in many forms, each with different motivation and different impact. Technology may be exploited in many ways: to obtain information and secretly misuse it for malicious purposes; to obtain information with an intent to publish it and, by that, to discredit institutions or persons; to publicly deface systems such as websites in an attempt to discredit the organizations operating them or to disseminate misleading information; to destroy systems or make them unavailable, for example to disenfranchise voters or to cause election day disruptions; to manipulate the breached system to change data or functionality.

Each potential attack requires different counter measures. Obviously the measures for protecting voting machines against results rigging are different from those needed to protect the secrecy of the vote.

Hacking an e-voting machine has different implications than compromising online voting, which is in absolute terms the most difficult system to secureThe risk related to Internet connections goes beyond the act of voting onlineAccording to Princeton Professor Andrew Appel (2016a), we must remember not to connect the voting machines directly to the Internet. The reason is that almost all computer software has security vulnerabilities”. He also advised against connecting the election-administration computers to the Internet, eitherthe voting machines should not be connected “even indirectly to the Internet.”

Electronic voting, designed to expand voter participation, significantly increased with the Help America Vote Act of 2002. Different e-voting technologies are more or less vulnerable to hacking and pose different audit challenges.While optical-scanners keep track of the paper ballots in a sealed box, a Direct Recording Electronic (DRE) (or touch-screen) voting machine without Voter-Verified Paper Audit Trail (VVPAT) does not allow any subsequent audit (Appel 2016a; Appel 2016c). Five states – South Carolina, New Jersey, Delaware, Georgia, and Louisiana – rely on DRE voting machines that do not include any paper trail, according to the election watchdog Verified Voting. Without that physical record it is essentially impossible to audit the results, as officials did in the 2000 presidential election. significant number of counties in other states, including Pennsylvania, Tennessee, Texas, and Kentucky, will also resort to DRE voting machines with no paper trail. If the focus is on the integrity of the system as a whole, the importance of the paper trail for audit or recount purposes cannot be underestimated, in terms of auditing both electoral results and processes. Elections should be audited independent of the computers, so that their results can be trusted even if the computers are hacked.

There are three main targets of voting machine hacking: the Hardware, i.e. hackers insert, remove, substitute or damage physical devices; the Firmware, i.e. they alter drivers, hardware BIOS or embedded code; and the Software, i.e. they insert new code, modify the existing code, delete existing code or force an unexpected behavior (Ramilli & Prandini 2010)“Vintage” hardware or software are more prone to attacks than newer ones, and attacks may be relatively simple, especially if the machines are not safely guarded and sealed before, during and after electionsIn 2009 Andrew Appel demonstrated in the Superior Court of New Jersey that he could install a vote-stealing program in a voting machine in about 7 minutes per machine with a screwdriver (Wofford 2016). And by the way, in a rapidly evolving IT ecosystem, the quick aging of e-voting technology is an issue in itself. After all, how many of us are using the same computers or software of 10 years ago?

The requirements for protecting personal data in a voter registration database are different from those for protecting voter registers against manipulation. And the resort to e-poll books may render the system more vulnerable both to hacking and accidental breakdowns.

A question beyond technology as such is whether we should consider other elements as part of the hacking discussion. Should we include in the analysis the impact of Internet trolls and the numerous emerging disinformation campaigns on social media, sometimes referred to as ‘social hacking’? Should we also consider attempts at hacking mainstream media so as to influence public attitudes towards election results, especially when the results are not yet final?

We need to understand the weaknesses of the systems currently in use:

• Is the technology state of the art, or outdated and no longer meeting security standards and best practice?
• Are the procedures for operating and protecting elections technology good enough and properly adhered to?
• Are the institutions and people operating the technology both willing and able to keep the systems secure?
• Are the people using the technology aware of the inherent risks and do they know how to mitigate and protect themselves against them?

We have to agree on the resources an adversary may be able to invest in an attack. From the above it becomes clear that properly protected technology never comes cheap. It requires continuous reassessment, updating, but also training and risk awareness of those who use and operate it. The more resourceful the adversary, the higher the effort and cost for protecting a system. The challenge is to find right balance between security, accessibility and affordability of election technology.

Finally, we may learn from the experience on electronic voting observation carried out in the field, not least in the Global South. When thinking of e-voting, one would associate the technology with Western democracies. Indeed, alongside the US, e-voting technology has been tested or introduced in Australia, Belgium, Canada, France, and Switzerland in recent yearsEstonia is probably the most advanced country in the field of e-voting experimentation, including Internet voting. However, e-voting is a consolidated reality in other regions of the world, including in democracies like Brazil, India and the PhilippinesSuch countries have been carrying out e-voting pilots since the late 1990s. In some cases they have internalized e-voting to an extent that a large number of their voting age population resorts to this technology. For example, in India an estimated 400 million voters, amounting to about 60% of eligible Indian voters, used e-voting at the 2009 national elections, using an estimated 1.1 million e-voting machines. In the 2014 elections, the e-voting machines deployed by the Election Commission of India rose to 1.4 million units.

Parallel to the diffusion of e-voting, international election observation has adjusted to the introduction and use of new technologies. The Carter Center mission to observe the 2006 presidential election in Venezuela has pioneered the development of a methodology for observing electronic voting (The Carter Center 2007). The Carter Center and the Organization for Security and Co-operation in Europe (OSCE) have recently published handbooks that highlight the main issues for consideration, grounded on the key principles of international election observationExamples of analytical questions proposed by The Carter Center on the specific issue of “Security Measures and Contingency Planning” include:

• Who has access to the e-voting technology, and how is access regulated and recorded?
• What measures are in place to ensure that materials and data are secure throughout the process?
• How is data trasnmitted?
• What inspection and audit procedures are in place to ensure that the system complies with specifications?
• What contingency plans have been made, and have they been appropriately disseminated?
• What measures are in place to ensure that the system is independently verifiable? (The Carter Center 2012: 56-60).

In addition to contingency planning, it is important to assess also the levels and mix of skills and capacities among the electoral staff concerned, in order to successfully cope with unexpected threats or major system breakdowns.

The Office for Democratic Institutions and Human Rights (ODIHR) of the OSCE stressed the importance of ensuring that the necessary skills and expertise are present in the Election Observation Mission (EOM). The skill-mix required for proper election observation highlights the complexity of the issues raised by e-voting. Of course, missions should include a New Voting Technologies (NVT) analyst. However, the other components of the missionshould also be familiar with e-voting challenges. The legal analyst should focus on the legal provisions related to the use of NVT. The election analyst should be able to assess the work of election administration bodies as related to the use of NVT in the election process, i.e. the whole process, not just simply the use of e-voting machines. The political analyst should focus on the attitudes of various political actors towards NVT and their confidence in the technology. The media analyst should assess public attitudesregarding the use of e-voting in an election, as well as media monitoring on this issue. The long-term observer (LTO) coordinator may gather and analyze regional information collected by LTOs (ODIHR 2013: 15-17).

In conclusion, we should not understimate the broader implications of cybersecurity in relation to e-voting. We should also be aware that cybersecurity is as much about cyberoffense as it is about cyberdefense (Appel 2016b). Since the same hardware, firmware or software vulnerabilities used by hackers have a value for national security agencies for monitoring and targeting those hackers, or influencing the behavior of third parties, a coherent approach to enhanced cybersecurity should strike a balance between the competing needs of ensuring protection of critical voting infrastructures and respecting the rights of the citizens whose security should be ensured.

A well informed discourse about ‘hacking the vote’ is therefore important to understand and build consensusamong both policy makers and practitioners on the extent of the problem we are facing and what can be done about it. Whether the result of such a discussion will be a need to switch back to paper and typewriter – as the Kremlin reportedly did after Edward Snowden’s revelations in 2013 – is still to be seen. In this perspective, however, we would also need to reassess the security of manual and paper processes with a similar rigor as the electronic ones.

References

Appel, Andrew (2016a), “Security against Election Hacking – Part 1: Software Independence”August 17, 2016. 

Appel, Andrew (2016b), “Security against Election Hacking – Part 2: Cyberoffense is not the best cyberdefense!”,August 18, 2016, 

Appel, Andrew (2016c), “Written Testimony of Andrew W. Appel: House Subcommittee on Information Technology hearing on Cybersecurity: Ensuring the Integrity of the Ballot Box”, September 28, 2016,

IDEA (2011), Introducing Electronic Voting: Essential Considerations, International IDEA, Stockholm

Norris, Pippa (2016), “Why American elections are flawed (and how to fix them)”, September 30, 2016, The Electoral Integrity Project, Harvard University & The University of Sidney; Harvard J.F. Kennedy School of Government, Faculty Research Working Paper Series, RWP16-038 , September 2016.

ODIHR (2013), Handbook for the Observation of New Voting Technologies, OSCE, Warsaw

Ramilli, Marco & Prandini, Marco (2010). “An Integrated Application of Security Testing Methodologies to e-voting Systems”, in Efthimios Tambouris; Ann Macintosh; Olivier Glassey (eds.), Electronic Participation, 6229, Springer, pp. 225-236, Lecture Notes in Computer Science.

The Aspen Institute (2016), “Aspen Security Forum 2016: Intelligence-Led Cyber Security: Operating Globally while Balancing Risk and Speed”, Saturday, July 30, 2016, Doerr-Hosier Center, Meadows Road, Aspen, Co.

The Carter Center (2007), Developing a Methodology for Observing Electronic Voting, October 2007, The Carter Center, Atlanta, GA

The Carter Center (2012), Handbook on Observing Electronic Voting, Second Edition, January 2012, The Carter Center, Atlanta, GA.

Wofford, Ben (2016), “How to Hack an Election in 7 Minutes”, Politico Magazine, August 5, 2016, 


Massimo Tommasoli is Permanent Observer for International IDEA to the United Nations in New York. Hholds a PhD (doctorat) in anthropology at the Ecole des Hautes Etudes en Sciences Sociales in ParisHe workedin the field of international cooperation and development at the OECD in Parisat the Italian Ministry of Foreign Affairsand at UNESCO in Addis Ababa. Visiting scholar at the LUISS University in Rome, he has been lecturing atthe UN System Staff College in Turin, and various Italian Universities. He has fieldwork experience in Colombia, Ethiopia, Somalia, Tanzaniaand the Russian Federation.His latest books are: Nel nome dello sviluppo, Rome 2013; Politiche di cooperazione internazionale, Rome 2013; Democracy and the Pillars of UN Work, Stockholm 2014 (translated into the UN official languages). m.tommasoli@idea.int

Iscriviti alla nostra newsletter / Subscribe to our newsletter