With less than 50 days until Americans cast their votes for a new President on Election Day, once-distant concerns of hackers disrupting the voting process are increasingly becoming a heightened concern.
While security experts say they don't expect a massive breach or large-scale disruption on Election Day, they say the possibility exists that hackers could attack voting systems this year given the recent high-profile activity of Russian government-supported hacker groups, as well as the volatile political climate in this contentious Presidential race. But the underlying problem that could leave Election Day at risk is really nothing new: the well-known security flaws in various electronic voting systems used nationwide.
The US Department of Homeland Security has reached out to state and local election officials and offered assistance in helping them better security voting systems amid the very public breaches of the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC), and voter registration systems in Arizona and Illinois.
DHS administrator Jeh Johnson attempted to balance calm with vigilance in a statement he issued on Friday: "We have confidence in the overall integrity of our electoral systems. It is diverse, subject to local control, and has many checks and balance built in," Johnson said. "Nevertheless, we must face the reality that cyber intrusions and attacks in this country are increasingly sophisticated, from a range of increasingly capable actors that include nation-states, cyber hacktivists, and criminals. In this environment, we must be vigilant."
Johnson said DHS is offering localities vulnerability and risk assessments of their voting systems, including those of Internet-facing ones, as well as a best practices guide for securing voter registration databases as well as protecting election systems from threats such as ransomware. He also urged states and election officials to use the Multi-State Information Sharing and Analysis Center (MS-ISAC) to share and receive threat intel.
Dmitri Alperovitch, co-founder and CTO at CrowdStrike, which identified Russian nation-state groups as the culprits behind the DNC and DCCC breaches, says the nation-state attackers could well target voting systems this election year as well.
"We absolutely see that as a potential threat. This is something we are very concerned about, a disruption to the election," Alperovitch says. The recent breaches of state voter registration systems could just be the beginning, he notes.
"There is certainly significant potential for more damage," he says.
Arizona's registration system reportedly was infected with malware, and Illinois' has some 200,000 voters' data stolen this summer. While no source of the attacks has been named publicly, security experts say it's possible that the Russian state actors were looking to alter voter registration data in an attempt to disrupt voting by preventing citizens from voting or sabotaging their voter identity information. Or they were merely testing the security of those systems for further attacks.
Researchers at ThreatConnect recently found a new clue pointing to Russia as the possible source of the attacks that circumstantially indicates possible nation-state actors.
E-voting system security has been in the spotlight for some time now. Security expert Bruce Schneier says some states and precincts are more vulnerable than others. The distributed and diverse nature of the nation's voting systems indeed provide some general security cover since there's not just one brand of machine to target, but at the same time are vulnerable, according to Schneier. "A localized hack can have huge implications," he says.
The key is a paper trail for votes, he says. Optical-scanning of paper votes is the "gold standard of voting, but most [precincts] don't have it," Schneier says.
According to a new Institute for Critical Infrastructure Technology (ICIT) report, just 60% of states require paper trails of their voting systems, and 70% of all 9,000 US voting precincts use e-voting.
"We don't have a [national] bureaucracy for voting," Schneier notes. Voting systems and machines are administered by volunteers or non-technical people, he says, every couple of years. "That makes it harder to make usability and security correct."
Not Just Russia
It's not just Russian state hackers who could wreak some havoc on the election, either. "I don't think we should limit the conversation to Russia," says James Scott, senior fellow with ICIT. China also has a stake in the outcome of the US election, he says, as do hacktivists unhappy that Bernie Sanders isn't the Democratic nominee or even radicalized extremists, for example.
Scott argues it's also easy for one nation-state group to mimic another's behavior as cover. "Most of APT 28 and APT 29's exploit kits and malware are readily available on the deep Web. Reproducing" their MO is easy, he says, of the infamous nation-state Russian attack teams.
The bottom line, he says, is there are plenty of attack groups who would want to mess with the US election. "I think we have to" expect it, he says.
Scott co-authored ICIT's new report published today called "Hacking Elections is Easy! Part 2: Psst! Wanna Buy a National Voter Database? Hacking E-Voting Systems Was Just the Beginning," which outlines the weak spots in various electronic voting systems and processes and also includes screenshots of voter registration found for sale in the Deep Web.
He contends that even paper-based trails are no protection from hacks. "At the end of the day, paper is being scanned onto a machine" that has some network connectivity, he says. Many systems also rely on insertable media, which also could be compromised, he says.
Voting system manufacturers could be targeted in an attack, or a malicious insider there could poison a software update, for example, he says. "All of these machines operate off black-box technology, with proprietary programs nobody gets access to so you can't audit or pen-test it," he says.
A compromised update could be malicious code that calculates vote values higher for one candidate over another, for instance, he says.
Other security experts echo Scott's warnings of supply chain compromise.
"A lot of components go in these DREs [direct recording electronic systems], without a remote connection," says Levi Gundert, vice president of intelligence & strategy at Recorded Future. That would mean possible tampering or compromise of voting systems at the hardware level, for example, he notes.
Meantime, experts warn we don't really know if voting systems have previously been hacked. "We were just as exploitable before" as we are now, ICIT's Scott says. "Someone hacked this key region in this state [for example] … are we going to know?"
It takes an average of six months for most companies to detect a data breach, and 90 days for organizations who are closely watching their network infrastructure. "The voting window is shorter than that, so we wouldn't pick it up until the President is already elected," says James Carder, CISO of LogRhythm."That's unnerving to me."
And even if it turns out there is no hack of voting systems, the threat of one could hang over this year's election, Schneier says.
"It's not just hacking; it's the appearance of hacking," Schneier says. "If the loser is not convinced [he or she] lost fairly, you're going to have a problem with the election."