“Owning an election is gold; being able to influence it is silver; knowing the outcome in advance is bronze,” F-Secure cyber security advisor Erka Koivunen told us.
It already appears that there has been some attempt to influence the 2016 election by releasing embarrassing email messages from the Democratic National Committee. So will whoever was behind that attack now go for the gold? And if they do, could they actually steal a presidential election?
America’s elections are managed on the local level, which means there are thousands of different electoral systems involved with a single presidential election. That sounds daunting, but in two out of the last four elections, the winner was decided by a victory in a single state, which limits the scope significantly.
So if a nation-state wanted to intervene in the U.S.’s election and knew which candidate it wanted to win, it would either have to hack several different states’ systems or focus on the three swing states that Republican candidate Donald Trump believes will decide the next election — Florida, Pennsylvania and Ohio.
All three key swing states use DRE voting machines for at least some of their voting — only Ohio requires that the machines provide a paper trail that verifies the votes.
Ryan Maness, a visiting fellow at Northeastern University, told Wired that the machines in these three states are in “relatively good shape.”
It’s probably easier to hack a busy office network like the DNC, especially one that hasn’t been told it’s likely a target of a nation-state attack, than a voting machine because you can rely on the greatest vulnerability possible — people.
But if an attacker can get inside the network of a nuclear facility that’s not connected to the internet, it’s quite possible that voting machines that dozens if not hundreds of people have access to can be compromised. But the real issue with a cyber attack is that proximity isn’t required.
This year, Dave Levin, a security analyst, was arrested for hacking the elections website of Lee County, Florida. “Yeah, you could be in Siberia and still perform the attack that I performed on the local supervisor of election website,” he said in a video explaining why he launched the attack. “So this is very important.”
But hacking a website or online database is one thing. Owning the actual machines is another.
“Just based on the fact that many of these voting machines have been around for years, just based on that I could tell you old vulnerabilities that exist in the system,” Tim Monroe, an independent cybersecurity consultant, told BuzzFeed News.
If there were some suspicion of a hack, there are some failsafes.
Florida audits all its election votes, as does Ohio, which has an automatic recount provision if the election is close enough. “Pennsylvania is of the most concern,” Maness said, “based on the fact they have so many paperless DREs in use.”
Trump has suggested that the November election would be “rigged” but his implications have thus far mostly been connected to an attempt to sway the voting with things like debates purposely scheduled to minimize the audience.
But even before Trump made the “rigged” suggestion, the U.S. Department of Homeland Security had proposed taking new steps to secure electronic voting.
“We should carefully consider whether our election system, our election process is critical infrastructure, like the financial sector, like the power grid,” Jeh Johnson, Secretary of Homeland Security, told reporters. “There’s a vital national interest in our electoral process.”
White House Press Secretary Josh Earnest, real name, recently responded to a question from reporters about the security of voting machines by relying on the security by variety argument.
“That varied infrastructure and those different systems also pose a difficult challenge to potential hackers,” Earnest said. “It’s difficult to identify a common vulnerability.”
So it’s clear that vulnerabilities exist. The question is whether or not a nation-state is willing to invest the resources necessary to go for the gold.