A few weeks ago computer scientist J. Alex Halderman rolled an electronic voting machine onto a Massachusetts Institute of Technology stage and demonstrated how simple it is to hack an election.
In a mock contest between George Washington and Benedict Arnold three volunteers each voted for Washington. But Halderman, whose research involves testing the security of election systems, had tampered with the ballot programming, infecting the machine’s memory card with malicious software. When he printed out the results, the receipt showed Arnold had won, 2 to 1. Without a paper trail of each vote, neither the voters nor a human auditor could check for discrepancies. In real elections, too, about 20 percent of voters nationally still cast electronic ballots only.
As the U.S. midterm elections approach, Halderman, among others, has warned our “outmoded and under-tested” electronic voting systems are increasingly vulnerable to attacks. They can also lead to confusion. Some early voters in Texas have already reported votes they cast for Democratic U.S. Senate challenger Beto O’Rourke were switched on-screen to incumbent Republican Sen. Ted Cruz. There’s no evidence of hacking, and the particular machines in question are known to have software bugs, which could account for the errors.
Halderman does not think an attack is to blame. “If it was, the candidate switch wouldn’t be visible to either the voter or election officials,” he says. “But what’s happening in Texas is another warning sign of aging machines not functioning well, which makes them fertile ground for vote-stealing attacks.”
Ultimately—whether scenarios like the one in Texas stem from glitchy software, defective machinery or an adversarial hack—one outcome is a loss of confidence in our election process. And as cybersecurity journalist Kim Zetter recently wrote in The New York Times Magazine, “It’s not too grand to say that if there’s a failure in the ballot box, then democracy fails.”
Halderman, who directs the University of Michigan Center for Computing and Society, recently spoke with Scientific American about the different types of technological threats to democracy—and how good old-fashioned paper can safeguard elections.
[An edited transcript of the interview follows:]
It seems like election interference is occurring all around us, in so many different ways. How is the hacking of voting-machine software related to the disinformation campaigns that show up in our Facebook feeds?
Technology is transforming democracy on a lot of different levels, and they’re not entirely connected. But they all create vulnerabilities in the way that society forms political opinions, expresses those opinions and translates them into election results.
One form of Russian meddling in the 2016 election, for example, was social media campaigns, which affect political discourse at the level of opinions formed by individuals. But the second prong—the hacking into campaigns, like John Podesta’s e-mail—was just so sinister in the way it was picking only on one side. That gets to the very roots of how open societies traditionally rely on information gathering and the media in order to make sound political decisions.
And then there’s the third form of hacking: going after the machinery of elections, the infrastructure, polling places, voter registration systems, etcetera. That’s where most of my work has been.
How did you end up investigating voting security?
It was literally dropped into my lap while I was in grad school at Princeton in 2006. No research group had ever had access to a U.S. voting machine in order to do a security analysis, and an anonymous group offered to give us one to study. Back then there was quite a dispute between researchers who hypothesized there would be vulnerabilities in polling place equipment and the manufacturers that insisted everything was fine.
Over the past decade, how has the field of election cybersecurity changed?
It has moved away from a position of hubris. Now that there have been major academic studies there is scientific consensus that there will be vulnerabilities in polling place equipment.
Sometimes the risks or probable failure modes of new technology are totally foreseeable. And that was certainly the case in voting. As paperless computer voting machines were being introduced, there were many computer scientists who—before anyone had even studied one of these machines directly—were saying, “This just isn’t a good idea to have elections be conducted by, essentially, black box technology.”
On the other hand, the ways in which these failures will be exploited—and the implications of that exploitation—are sometimes a bit harder to foresee. When we did the first voting machine study 10 years ago, we talked about a range of different possible attackers, dishonest election officials and corrupt candidates. But the notion that it would be a foreign government cyber attack, that that would be one of the biggest problems to worry about—well, that was pretty far down on the list. Over the past 10 years cyber warfare went from something that seemed like science fiction to something you read about almost every day in the newspaper.
2016 really did change everything. It taught us that our threat models were wrong. I think it caught much of the intelligence community off guard, and it caught much of the cybersecurity community off guard. It was surreal to see Russia get so close to actually exploiting the vulnerabilities to harm us.
The Department of Homeland Security and intelligence community say there’s no evidence that Russian hackers altered votes in the 2016 presidential election. Can you put “no evidence” in context?
We know for sure that in 2016 the Russians didn’t do everything that they are capable of. Most of the evidence—both of Russian attack and of Russian restraint—is in the context of voter-registration systems, which are another back-end system operated by each state.
If you read carefully the statements of the intelligence communities, our evidence that no votes were changed is that we apparently didn’t hear particular Russian operatives who were responsible for other parts of the attack planning or attempting a vote-manipulation attack. But that’s not very reassuring, because we don’t know what other attackers might have been attempting, for which we might not have the same level of intelligence insight. It’s hard to know what you don’t know. There are other adversaries who certainly benefit from manipulating American elections, including other countries like China or North Korea.
The voting machines themselves have received much, much, much less scrutiny post-2016 from intelligence and defensive sides—as far as we know in the public sphere anyway. To my knowledge, no state has done any kind of rigorous forensics on their voting machines to see whether they had been compromised.
So potentially there’s more going on that’s not being looked at as closely?
That’s right. But what we do know from the Senate Intelligence Committee’s report, based on its investigation of the Russian election interference, is that Russia was in a position to do more damage than they did to the registration systems. They were in a position to modify or destroy data in at least some states’ registration systems, which, if it had gone undetected, would have caused massive chaos on Election Day. But they decided not to pull the trigger.
When it comes to voting machines themselves, though, how might malicious code get introduced?
One possibility is that attackers could infiltrate what are called election-management systems. These are small networks of computers operated by the state or the county government or sometimes an outside vendor where the ballot design is prepared.
There’s a programming process by which the design of the ballot—the races and candidates, and the rules for counting the votes—gets produced, and then gets copied to every individual voting machine. Election officials usually copy it on memory cards or USB sticks for the election machines. That provides a route by which malicious code could spread from the centralized programming system to many voting machines in the field. Then the attack code runs on the individual voting machines, and it’s just another piece of software. It has access to all of the same data that the voting machine does, including all of the electronic records of people’s votes.
So how do you infiltrate the company or state agency that programs the ballot design? You can infiltrate their computers, which are connected to the internet. Then you can spread malicious code to voting machines over a very large area. It creates a tremendously concentrated target for attack.
Where does this leave us heading into the midterms?
Although there’s greatly increased security awareness (and increased protection for registration systems in particular) compared to 2016, there are so many gaps left in election security—particularly when it comes to polling place equipment. It would certainly be possible to sabotage election systems in ways that would cause massive chaos. If nothing happens this November, it’s going to be because our adversaries chose not to pull the trigger. Not because they had no way of doing us harm.
What if an adversary’s goal isn’t widespread chaos, but something subtler?
Unfortunately, it’s also possible to more subtly manipulate things, especially in close elections, in ways that would result in the wrong candidates winning—and with high probability of that not being detected.
I’m thinking about close races for the Senate and the House, such as in Texas and in Georgia.
The broader question is if we’re going to have a tight national contest for control of Congress, it’s going to hinge on a set of swing districts. Because our election system is so distributed, with localities and states making their own critical security decisions, it means some are going to be much weaker than others. And sophisticated adversaries like Russia could try to probe the election security across all of those likely swing districts, find the ones that are most weakly protected and subtly manipulate results in those districts. And if they can do it in enough swing districts, they can flip the outcome—and control of Congress. That’s what’s so scary.
The National Academies of Sciences, Engineering and Medicine released a report in September that urged all states to adopt paper ballots before 2020. Why is paper best for verifying election outcomes?
The idea of a post-election paper audit is a form of quality control. You want to have people inspect enough of the paper records to confirm with high statistical probability that the outcome on the paper and the outcome in the electronic results are the same. You’re basically doing a random sample. How large a sample you need depends on how close the election result was. If it was a landslide, a very small sample—maybe even just a few hundred random ballots selected from across the state—could be enough to confirm with high statistical confidence that it was indeed a landslide. But if the election result was a tie, well, you need to inspect every ballot to confirm that it was a tie.
The key insight behind auditing as a cyber defense is that if you have a paper record that the voter got to inspect, then that can’t later be changed by a cyber attack. The cost to do so is relatively low. My estimate is it would cost about $25 million a year to audit to high confidence every federal race nationally.
But this strategy is a problem for states like New Jersey and Georgia, where currently there’s no paper trail at all.
Today only about 79 percent of votes across the country are recorded on a piece of paper. If you have no paper trail, then it’s impossible to perform a rigorous audit. At best you’re just hitting the print button again on a computer program. You’re going to get the same result you got the first time, whether it is true or not.
There are about 14 specific states that have gaps where ballots aren’t being recorded on paper, and that’s known to everyone. Georgia, for example, is entirely paperless. And they are also using voting machines with software that hasn’t [had a security patch] since 2005.
What are you most concerned about in the 2018 midterm elections?
That it’s too late to do anything else. Except for maybe some states to tighten up their postelection procedures.
The focus needs to start being on 2020. Because it’s going to take that long for some states to replace their aging and vulnerable voting machines, and to make sure that every state has rigorous postelection audits in place. We have an opportunity to solve this problem. It’s one of the few grand cybersecurity challenges that doesn’t have to be difficult or expensive.
But it’s going to take national leadership and national standards to get there. Otherwise we’re not going to be able to move fast enough or in a coordinated manner, and the attackers that have us in their sights are going to win.
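The post-election audit Halderman describes earlier in the interview (a random sample of paper ballots whose required size shrinks as the margin grows, and a full count when the result is a tie) can be made concrete with a ballot-polling risk-limiting audit. The following is an added example, not code from the interview or from Halderman's research; it assumes constructed ballot stacks, a BRAVO-style sequential test with a 5 percent risk limit, and a two-candidate race, and it replays the Washington vs. Arnold demo from the top of the article with a tampered electronic tally.

```python
import random

def make_paper_ballots(counts, seed=7):
    """Build a constructed stack of voter-verified paper ballots, shuffled
    so that sampling by position is a simple random sample.  counts maps
    candidate name -> number of paper ballots marked for that candidate."""
    ballots = [name for name, n in counts.items() for _ in range(n)]
    random.Random(seed).shuffle(ballots)
    return ballots

def hand_count(paper_ballots):
    """Full hand count of the paper record: candidate -> ballots."""
    tally = {}
    for b in paper_ballots:
        tally[b] = tally.get(b, 0) + 1
    return tally

def bravo_audit(paper_ballots, reported_winner, reported_share,
                risk_limit=0.05, seed=1):
    """Ballot-polling risk-limiting audit (BRAVO-style sequential test) for a
    two-candidate race.  Paper ballots are drawn at random without replacement
    and a likelihood ratio is updated: each ballot for the reported winner
    scales it by reported_share/0.5, each other ballot by (1-reported_share)/0.5.
    The electronic outcome is accepted once the ratio reaches 1/risk_limit; if
    the stack is exhausted first, every ballot has been inspected, which is a
    full hand count.  Returns (outcome, ballots_inspected)."""
    if reported_share < 0.5:
        raise ValueError("reported winner must have a reported majority")
    order = list(range(len(paper_ballots)))
    random.Random(seed).shuffle(order)
    threshold = 1.0 / risk_limit
    ratio = 1.0
    for n, idx in enumerate(order, start=1):
        if paper_ballots[idx] == reported_winner:
            ratio *= reported_share / 0.5
        else:
            # a reported tie (share 0.5) never moves the ratio: full count
            ratio *= (1.0 - reported_share) / 0.5
        if ratio >= threshold:
            return "confirmed", n
    return "full_hand_count", len(paper_ballots)

if __name__ == "__main__":
    # Constructed scenarios, not real election data.
    landslide = make_paper_ballots({"Washington": 7000, "Arnold": 3000})
    print("honest landslide:", bravo_audit(landslide, "Washington", 0.70))
    tie = make_paper_ballots({"Washington": 5000, "Arnold": 5000})
    print("reported tie:", bravo_audit(tie, "Washington", 0.50))
    # The MIT demo at scale: paper says Washington, tampered tally says Arnold 60%.
    print("tampered tally:", bravo_audit(landslide, "Arnold", 0.60), hand_count(landslide))
```

The landslide is confirmed after a small sample, the tie and the tampered tally both escalate to inspecting every ballot, and the hand count of the paper exposes the altered electronic result.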