It’s hard to believe we are nine weeks away from the midterm elections here in the United States. Regardless of the winners and losers, all eyes will focus on election security.
And there are so many factors to consider. Just last month at Def Con and Black Hat, we found out just how easy it is to break into election machines. White Hat (ethical) hackers worked in under 15 minutes to disrupt the entire voting process from the moment someone attempted to register to vote to the point at which results were made publicly available. When it came to the actual models of voting machines, at least 70 percent of the ones hacked will be used in November.
There was a time when voter identification was the biggest worry. States enacted voter ID laws to combat voter impersonation, a very specific type of voter fraud that is no longer the biggest threat. And in states that thought their air-gapped voting machines (not connected to the internet or any other connected machine) were hack-proof, they’ve been proven wrong. Earlier this year, we saw reports that remote-access software had been installed on voting machines used in rural Pennsylvania. And while this incident had a happy ending – the software was being used by an authorized county contractor working from home – it was another wakeup call on how someone could effectively access and control a county’s election system.
Rather than trying to change individual votes, what if a cyber adversary erased or changed voter registration documents in a particular location on Election Day? Whether that specific district was locked in a tight race or not, the disruption could impact whether or not voters bothered going to the polls. We all know how easy it is to disrupt voter attendance; prohibitive lines and bad weather are a recipe for low turnout. Any of these scenarios could undermine the election and ultimately the confidence in those results.
But perhaps the most troubling development comes with the news that West Virginia wants to enable its citizens (many of them deployed) to conveniently vote this November using a smartphone app. While this makes West Virginia the first U.S. state to allow voting using a smartphone in a federal election, it raises numerous security concerns. The app assures that the voter data will be encrypted, but as we have seen in other situations, it’s hard to guarantee that the devices and networks voters use to access the app won’t have vulnerabilities.
Suffice it to say, there’s much more to election integrity than securing voting machines. Expanding our focus beyond voter registration and securing actual voting machines, it’s important to take a look at the entire digital voting system – how citizens register, how they find their polling places, how they check in, how they cast their ballots, and ultimately, how they find out who won – and identify all the areas of vulnerability.
Please feel free to leave me a comment below. You can also find me at @CindyProvin
Visit this page to subscribe to our newsletter to receive the latest data security research, insights from our blogs and other resources.