The U.S. is in no way ready to move any of its election processes online, white hat hackers told Digital Trends. But while a lot of attention has been focused on the vulnerability of new voting machines, the more imminent danger is the electronic infrastructure around elections, experts said.
The new voting machines that have attracted a lot of attention during the primaries aren’t even the biggest concern, said Jack Cable, a famed hacker and software expert now focused on the U.S. elections.
Voter registration system and election night reporting systems are far more vulnerable — and easy — to attack, he said.
While trying to register to vote, Cable found massive vulnerabilities in the Illinois voter registration system that could have allowed hackers to see and potentially alter voter data. If a database of voters is easily accessed and corrupted, election results could be unverifiable. Hackers could, theoretically, wipe or change voter registration, which could cause widespread voter disenfranchisement.
A bad actor could even change the results or wipe people’s votes completely through an unsecured back-end.
“There is so much more work that needs to be done” before elections can be really secure, Cable told Digital Trends.
And it will take a lot longer than the five months left until the 2020 U.S. presidential election to get those theoretical elections systems properly in place.
“With the integrity of these systems as they are, it’s more important now more than ever that we have a remote mail-in system,” Cable said.
Cable suggests the U.S. stick with paper voting, which is still the most reliable voting method and surprisingly resilient to fraud, he said.
The issue comes down to auditing, the experts said. You can audit a piece of paper. A phone or electronic machine is more easily manipulated, and therefore less auditable. Cable said there is no way to send election results electronically in a secure manner.
“Nothing guarantees [verified results] with electronic online voting,” Cable said. “If a voter’s device has malware on it, then it’s effectively impossible to prove their vote did or did not count. No security expert would recommend this.”
Now is the worst time to be debuting new technology “unless it’s intended to help secure the election,” said Jonathan Reiber, former Pentagon chief strategy officer for cyber policy and a current senior director at the cybersecurity firm AttackIQ.
“You have to test new tech vigorously, many, many times at scale to make sure it works,” Reiber told Digital Trends. “If I’m an election administrator, I need to worry that people can vote. But just as important is making sure the process is secure and trustworthy.”
Even some of the newest voting machines haven’t passed the test.
At Def Con 27 in August 2019, an annual hacker’s conference wherein security researchers from around the U.S. gather to try to see exactly how the latest voting tech can be broken, hackers found ways to compromise every single voting machine at the conference.
They found ways to do so “in ways that could alter stored vote tallies, change ballots displayed to voters, or alter internal software that controls the machine,” the final report from the conference said. Even teenagers who had never hacked before were able to gain access to the machines in a short amount of time, the report stated.
The report also noted that this was “unsurprising” and that it was “notable — and especially disappointing — that many of the specific vulnerabilities reported over a decade earlier … are still present in these systems today.”
But Reiber and Cable said it was unlikely that hackers would be able to hack numerous machines on Election Day. Trying to hack machines would take long enough to raise suspicions quickly, and since the vast majority of these machines aren’t connected to the internet, hackers would need to break into each machine one by one.
In fact, a hacker doesn’t actually need to hack the election, per se, Cable said. They just need to look like they have in order to have the intended effect; the suggestion of a compromised election could be enough to plant distrust in the results.
“The possibility that the election gets hacked is less than something normal going wrong that wasn’t planned for, and then that spins out of control,” Cable said.
Fake pictures on social media of voting machines could make it look like the machines have been hacked, even if they haven’t, which could spark fears of disputed or corrupted results.
Georgia’s June primary was notoriously plagued with allegations of machine and human error.
“The primaries are a good case study of what could happen in November,” Cable said. “There’s no indication that anyone was hacked, or that there were any errors more than standard procedural error. But it could get spun out as something different. Allegations that something was hacked or rigged are going to be more prominent in November.”
“History has shown us that it doesn’t take very much to sow distrust in the democratic process,” Reiber added.
