In a growingly digital world, the younger the generation, the more its members will be relying on technology. In 2011 the CEO of the Russian security firm Kaspersky Labs, Mr. Eugene Kaspersky, said that “it will be the end of democracy without Internet voting”. In 2012 he said that one of the biggest cyber threats is the way the Internet generation will engage with politics. More specifically, he claimed that “the lack of well-established online voting systems is a real threat to democratic nations of the Western world”. Last month Kaspersky
It should be noted that election integrity is not only about technology; it is about the integrity of electoral systems and processes. Within them, technology is becoming an increasingly important factor; however, it is neither their only component, nor the most important one (IDEA 2011). In the case of the 2016 US elections, Harvard Professor Pippa Norris identified five electoral integrity challenges. The risk of hacking breaches is just one of them. The other four are: partisan polarization over electoral procedures; lack of public confidence in the electoral process; deregulating campaign finance; and lack of professional standards of electoral management (Norris 2016).
Ahead of the 2016 US presidential election, allegations of hacking electoral technology made headline news several times. This leaves both voters and election officials alike wondering how realistic the danger of electronically rigged elections really is, and what can be done about it. Different actors – politica
However, how serious is such a threat? In 2016, the number of devices connected to the Internet is estimated at 23 billion, almost exactly three devices for every person alive. Over the next 3-4 years this number is expected to double. Every device connected to the Internet is threatened by security breaches and a potential target for hackers and cybercrime. If a system is a valuable enough target, it is not secure even if it is offline. The 2012 ‘Stuxnet’ attack against Iran’s nuclear program impressively demonstrated that even the ‘air gap’ between the Internet and offline computers can be bridged by malicious software. The Stuxnet computer worm was transferred by unwitting staff and infected USB sticks from their computers to centrifuges for nuclear material.
Ultimately the question is not if an Information and Communication Technology (ICT) system can be hacked; it is rather how much effort is needed for the hack and whether the target is valuable enough to justify the resources required for an attack. Elections and politics are high value targets and therefore it is no surprise to see election-related technology becoming an objective for hackers.
In July 2016, ahead of the Democratic Convention, hackers broke into the server of the Democratic National Committee and released emails to the media. The perpetrators were allegedly Russian-based hackers. In September 2016 two state registration databases have been targeted by hackers who stole information in Illinois from roughly 200,000 voting records and attempted at breaching voting records in Arizona (Norris 2016: 7).
The current reports of hacks into US voter registration systems and party computer networks are neither new nor unique. Only in 2016 several similar incidents occurred world wide:
Such cyber attacks are very difficult to trace with certainty to their source. Sophisticated attacks may be conducted not only by nation-states, but also by non-state actors, including private companies, “hacktivists”, political parties, extremists and terrorists. Often the boundaries between such groups are blurred. In the face of the above, what needs to be done to preserve the trust and integrity of our elections and democracy?
First of all we have to define the systems we need to protect, and what we need to protect them against. In heated debates prior to an election, sometimes little attention is paid to the great range of activities that are referred to as ‘hacking’ and the actual implications of such activities. For effective counter measures and even an informed discussion it is important to be more specific than that.
Sometimes ‘port scans’, a very common way of testing online systems against vulnerabilities, may be deemed serious attacks. In other cases, lab demonstrations of security vulnerabilities are mixed up with real life exploitations of those weaknesses.
Some attacks get a lot of visibility, while others may remain undetected for a long time. Some aim at election infrastructure and election administrations, while others target many different electoral stakeholders, including political parties and media outlets. In a country relying on an online-voting system, distributed denial-of-service (dDoS) attacks and similar attacks that have recently affected the US East Coast could potentially interrupt the work of the Internet voting server or make the system inaccessible to voters.
Marco Ramilli and Marco Prandini, researchers at the University of Bologna, list four main security threats, affecting secrecy, integrity, availability and authentication. If the system does not assure secrecy, it is “vulnerable to covert channels attacks, where an attacker may buy or sell votes”. If it does not assure integrity, elections can be compromised “by replacing or modifying the integrity of the ballots, or directly the final counts”. If availability is not assured, universal suffrage is jeopardized, and the system becomes “vulnerable at least to external quorum attacks, in which the attacker can modify the total number of voters, denying the minimum voter requirements”. System weaknesses on authentication controls make the system “vulnerable to multiple vote attacks, where an attacker could vote multiple times for the preferred candidate” (Ramilli & Prandini 2010).
Cyber attacks against election technology, that we should focus on preventing, can come in many forms, each with different motivation and different impact. Technology may be exploited in many ways: to obtain information and secretly misuse it for malicious purposes; to obtain information with an intent to publish it and, by that, to discredit institutions or persons; to publicly deface systems such as websites in an attempt to discredit the organizations operating them or to disseminate misleading information; to destroy systems or make them unavailable, for example to disenfranchise voters or to cause election day disruptions; to manipulate the breached system to change data or functionality.
Each potential attack requires different counter measures. Obviously the measures for protecting voting machines against results rigging are different from those needed to protect the secrecy of the vote.
Hacking an e-voting machine has different implications than compromising online voting, which is in absolute terms the most difficult system to secure. The risk related to Internet connections goes beyond the act of voting online. According to Princeton Professor Andrew Appel (2016a), “we must remember not to connect the voting machines directly to the Internet. The reason is that almost all computer software has security vulnerabilities”. He also advised against connecting the election-administration computers to the Internet, either; the voting machines should not be connected “even indirectly to the Internet.”
Electronic voting, designed to expand voter participation, significantly increased with the “Help America Vote Act” of 2002. Different e-voting technologies are more or less vulnerable to hacking and pose different audit challenges.While optical-scanners keep track of the paper ballots in a sealed box, a Direct Recording Electronic (DRE) (or touch-screen) voting machine without Voter-Verified Paper Audit Trail (VVPAT) does not allow any subsequent audit (Appel 2016a; Appel 2016c). Five states – South Carolina, New Jersey, Delaware, Georgia, and Louisiana – rely on DRE voting machines that do not include any paper trail, according to the election watchdog Verified Voting. Without that physical record it is essentially impossible to audit the results, as officials did in the 2000 presidential election. A significant number of counties in other states, including Pennsylvania, Tennessee, Texas, and Kentucky, will also resort to DRE voting machines with no paper trail. If the focus is on the integrity of the system as a whole, the importance of the paper trail for audit or recount purposes cannot be underestimated, in terms of auditing both electoral results and processes. Elections should be audited independent of the computers, so that their results can be trusted even if the computers are hacked.
There are three main targets of voting machine hacking: the Hardware, i.e. hackers insert, remove, substitute or damage physical devices; the Firmware, i.e. they alter drivers, hardware BIOS or embedded code; and the Software, i.e. they insert new code, modify the existing code, delete existing code or force an unexpected behavior (Ramilli & Prandini 2010). “Vintage” hardware or software are more prone to attacks than newer ones, and attacks may be relatively simple, especially if the machines are not safely guarded and sealed before, during and after elections. In 2009 Andrew Appel demonstrated in the Superior Court of New Jersey that he could install a vote-stealing program in a voting machine in about 7 minutes per machine with a screwdriver (Wofford 2016). And by the way, in a rapidly evolving IT ecosystem, the quick aging of e-voting technology is an issue in itself. After all, how many of us are using the same computers or software of 10 years ago?
The requirements for protecting personal data in a voter registration database are different from those for protecting voter registers against manipulation. And the resort to e-poll books may render the system more vulnerable both to hacking and accidental breakdowns.
A question beyond technology as such is whether we should consider other elements as part of the hacking discussion. Should we include in the analysis the impact of Internet trolls and the numerous emerging disinformation campaigns on social media, sometimes referred to as ‘social hacking’? Should we also consider attempts at hacking mainstream media so as to influence public attitudes towards election results, especially when the results are not yet final?
We need to understand the weaknesses of the systems currently in use:
We have to agree on the resources an adversary may be able to invest in an attack. From the above it becomes clear that properly protected technology never comes cheap. It requires continuous reassessment, updating, but also training and risk awareness of those who use and operate it. The more resourceful the adversary, the higher the effort and cost for protecting a system. The challenge is to find right balance between security, accessibility and affordability of election technology.
Finally, we may learn from the experience on electronic voting observation carried out in the field, not least in the Global South. When thinking of e-voting, one would associate the technology with Western democracies. Indeed, alongside the US, e-voting technology has
Parallel to the diffusion of e-voting, international election observation has adjusted to the introduction and use of new technologies. The Carter Center mission to observe the 2006 presidential election in Venezuela has pioneered the development of a methodology for observing electronic voting (The Carter Center 2007). The Carter Center and the Organization for Security and Co-operation in Europe (OSCE) have recently published handbooks that highlight the main issues for consideration, grounded on the key principles of international election observation. Examples of analytical questions proposed by The Carter Center on the specific issue of “Security Measures and Contingency Planning” include:
In addition to contingency planning, it is important to assess also the levels and mix of skills and capacities among the electoral staff concerned, in order to successfully cope with unexpected threats or major system breakdowns.
The Office for Democratic Institutions and Human Rights (ODIHR) of the OSCE stressed the importance of ensuring that the necessary skills and expertise are present in the Election Observation Mission (EOM). The skill-mix required for proper election observation highlights the complexity of the issues raised by e-voting. Of course, missions should include a New Voting Technologies (NVT) analyst. However, the other components of the missionshould also be familiar with e-voting challenges. The legal analyst should focus on the legal provisions related to the use of NVT. The election analyst should be able to assess the work of election administration bodies as related to the use of NVT in the election process, i.e. the whole process, not just simply the use of e-voting machines. The political analyst should focus on the attitudes of various political actors towards NVT and their confidence in the technology. The media analyst should assess public attitudesregarding the use of e-voting in an election, as well as media monitoring on this issue. The long-term observer (LTO) coordinator may gather and analyze regional information collected by LTOs (ODIHR 2013: 15-17).
In conclusion, we should not understimate the broader implications of cybersecurity in relation to e-voting. We should also be aware that cybersecurity is as much about cyberoffense as it is about cyberdefense (Appel 2016b). Since the same hardware, firmware or software vulnerabilities used by hackers have a value for national security agencies for monitoring and targeting those hackers, or influencing the behavior of third parties, a coherent approach to enhanced cybersecurity should strike a balance between the competing needs of ensuring protection of critical voting infrastructure
A well informed discourse about ‘hacking the vote’ is therefore important to understand and build consensusamong both policy makers and practitioners on the extent of the problem we are facing and what can be done about it. Whether the result of such a discussion will be a need to switch back to paper and typewriter – as the Kremlin reportedly did after Edward Snowden’s revelations in 2013 – is still to be seen. In this perspective, however, we would also need to reassess the security of manual and paper processes with a similar rigor as the electronic ones.
IDEA (2011), Introducing Electronic Voting: Essential Considerations, International IDEA, Stockholm
Norris, Pippa (2016), “Why American elections are flawed (and how to fix them)”, September 30, 2016, The Electoral Integrity Project, Harvard University & The University of Sidney; Harvard J.F. Kennedy School of Government, Faculty Research Working Paper Series, RWP16-038 , September 2016.
Ramilli, Marco & Prandini, Marco (2010). “An Integrated Application of Security Testing Methodologies to e-voting Systems”, in Efthimios Tambouris; Ann Macintosh; Olivier Glassey (eds.), Electronic Participation, 6229, Springer, pp. 225-236, Lecture Notes in Computer Science.
The Aspen Institute (2016), “Aspen Security Forum 2016: Intelligence-Led Cyber Security: Operating Globally while Balancing Risk and Speed”, Saturday, July 30, 2016, Doerr-Hosier Center, Meadows Road, Aspen, Co.
Massimo Tommasoli is Permanent Observer for International IDEA to the United Nations in New York. He holds a PhD (doctorat) in anthropology at the Ecole des Hautes Etudes en Sciences Sociales in Paris. He workedin the field of international cooperation and development at the OECD in Par