New hacking risks threaten US election as online voting considered

The latest headlines from our reporters across the US sent straight to your inbox each weekday

Your briefing on the latest headlines from across the US

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

With the US election less than 150 days away, there are rising concerns that the push for remote voting prompted by the pandemic could open new opportunities to hack the vote — for Vladimir Putin, but also others hoping to disrupt, influence or profit from the election.

Donald Trump has repeatedly said that mail-in ballots invite voter fraud and would benefit Democrats. It is a baseless claim: mail-in voting has resulted in little fraud in the five states that have used it for years, and a recent study at Stanford University found that voting by mail did not advantage either party and might increase voter turnout for both parties.

But there are different worries. The rush to accommodate remote voting is leading a small number of states to experiment with or expand online voting, an approach the Department of Homeland Security (DHS) deemed “high risk” in a report last month. It has also put renewed focus on the assortment of online state voter registration systems, which were among the chief targets of Russian hackers in 2016. Their security is central to ensuring that, come November, voters actually receive their mail-in ballots or can gain access to online voting.

While Russian hackers stopped short of manipulating voter data in 2016, US officials determined the effort was likely a dry run for future interference. To head off that threat, last summer the DHS hired the Rand Corp to reevaluate the nation’s election vulnerabilities, from poll booths to the voter registration systems. Rand’s findings only heightened the long-standing fears of government officials: State and local registration databases could be locked by hackers demanding ransomware or manipulated by outside actors.

Homeland Security officials have been focusing “intensely on hardening registration systems”, said Christopher Krebs, who leads the department’s Cybersecurity and Infrastructure Security Agency. He said his teams had been working to make sure that towns, counties and states patch software vulnerabilities, back up their systems and also have paper printouts of poll books — the registration lists used on Election Day — should criminals or adversary nations render the digital versions inaccessible.

Now the problem has grown more complex as states around the country race to accommodate mail-in voting even for those who are not away from home. And courts are intervening with contradictory rulings, many of which are being appealed, adding to the sense of chaos and uncertainty about what procedures will be used on 3 November.

Mr Krebs’s agency is also concerned about vulnerabilities surrounding Internet voting that Delaware, West Virginia and other states are using. In May, it issued a confidential report to voting vendors and election officials in all 50 states opposing online voting, warning that ballots “could be manipulated at scale”, meaning hackers could change large volumes of votes without being detected.

Separately, researchers at the University of Michigan and the Massachusetts Institute of Technology (MIT) released a study on Sunday concluding that one platform already facilitating Internet and remote voting could, in certain cases, be manipulated to alter votes — without being detected by the voter, election officials or the company that owns it.

The platform, called OmniBallot, was used for Internet voting in Delaware’s primary last week, and will be used to a smaller extent in West Virginia’s this week. Both states also plan to use it in some form come November, as does Colorado. (New Jersey quietly used it experimentally last month in local elections).

Various jurisdictions in Colorado, Florida, Oregon, Ohio and Washington also use the platform as a way for voters to mark ballots remotely and submit them by email, fax or mail.

The researchers discovered that both uses of the system presented opportunities for hackers or nation states to compromise an election.

“Online voting raises such severe risks that, even in a time of unrest and pandemic, these jurisdictions are taking a major risk of undermining the legitimacy of their election results,” said one of the researchers, J Alex Halderman, a computer science professor at Michigan.

Bryan Finney, chief executive of Democracy Live, which offers OmniBallot, defended the platform, saying that before the pandemic it primarily served voters with disabilities and US service members overseas. “No technology is bulletproof,” he said. “But we need to be able to enfranchise the disenfranchised.”

The threat of foreign interference remains real. US officials have repeatedly warned that Russia is once again meddling in the presidential election. Last month, the National Security Agency warned that Russian state hackers had targeted an email program used by dozens of congressional candidates to steal emails, as Russian hackers also did four years ago.

On Thursday, Google said Chinese hackers were targeting the personal email accounts of campaign staff members working for Joe Biden. It also confirmed reports that Iran had targeted Mr Trump’s campaign.

But the White House, where Mr Trump continues to dismiss the hacking accusations against Russia in the last election, has directed little attention to the problems beyond the president’s unfounded claims that mail-in ballots favour Democrats and “will lead to massive fraud and abuse” (in fact, mail-in ballots create a paper trail that helps prevent abuse.)

Even the perception of vulnerabilities could have a profound effect on the actual vote, security specialists warn. It could raise doubts about the election’s integrity, at a moment when Mr Trump’s critics allege he is already preparing the ground to challenge the result if he loses.

It was four years ago this month when officials in Arizona discovered that election officials’ passwords had been stolen, one of the first indications that the 2016 election was under cyberattack.

Studies led by the DHS and the FBI later said that Russia had most likely conducted research and reconnaissance against election networks in all 50 states.

The integrity of the November election hinges on the same registration systems, which are “public-facing” — connected to the Internet and accessible to a wide variety of state and county officials and often the companies they hire to run their election systems. But that access also leaves them open to potential attack.

A well-known threat comes from ransomware, when an invasion of a computer system locks up records, making them inaccessible. Atlanta and Baltimore have been hit by devastating attacks that made it impossible to pay parking tickets or record deeds, and towns from Florida to Texas have also been paralysed with ransomware.

For elections, there is a separate concern that hackers, short of shutting down a system, could undermine the integrity of voter information.

If hackers slip into voter registration lists and modify addresses, or falsely indicate that voters moved out of state, the result could be digital disfranchisement. Even just getting into the lists — without manipulating them — hackers could seed doubts of tampering. That may explain why Russian hackers made a show of stealing Illinois voter data in 2016, according to DHS officials, even though they didn’t tamper with it.

“As we looked out across the country and saw ransomware running wild across state and local government agencies, it was reasonable to conclude that voter registration databases, highly networked and highly centralised, could be next,” said Mr Krebs, the Homeland Security cyber chief. States have “stepped up” over the past year, he added.

Indeed, security is now better across the country, but voter registration data is still vulnerable and accessible to the outside world.

Some states and counties manage their registration systems internally, but many rely on a maze of private contractors that can be ripe targets. The firms retrieve the data over the Internet and keep it in the cloud, often with limited security. In 2016, one contractor, VR Systems, was targeted by Russian hackers, according to a classified assessment by the National Security Agency.

The company, which has long maintained that any attacks were unsuccessful, had access to registration data in swing states like North Carolina, Florida and Virginia.

“Most people don’t realise how many times registration systems are accessed by vendors and parties with little security,” said Harri Hursti, an election security expert who consults with states and counties across the country. “The justification for this is that it is public data, so nobody can steal it, but that ignores how dangerous it would be if someone modifies it.”

Before the coronavirus outbreak, the advantages of online voting were obvious for Americans with disabilities, those living abroad, military personnel posted to remote locations — even Alaskans living in the wilderness.

But the risks were made vivid a decade ago in Washington state. An online voting experiment was called off after researchers hacked the system to elect HAL 9000 — the computer from the film 2001: A Space Odyssey — and played the University of Michigan fight song every time a ballot was cast.

The experimenting is back, but once again it is not going well. New Jersey is a case in point.

In April, with the virus sweeping the state, officials moved quickly to expand mail-in voting. But they also decided to explore online voting by hiring Democracy Live, whose OmniBallot system was identified by Michigan and MIT researchers as vulnerable to undetected hacking.

New Jersey officials made the online voting available to county clerks for municipal and school board elections last month, but did not publicise it widely for fear of inviting trouble.

“We didn’t want to put out an explanation for potential bad guys to decide that this was something they wanted to exploit,” said Alicia D’Alessandro, spokesperson for New Jersey’s secretary of state.

The result: just one voter used the online system. The cost to the state: $89,000 (£70,000), and still no real test of whether it works or not.

Like New Jersey, Delaware, West Virginia and Colorado have contracted with Democracy Live.

Mr Halderman of Michigan and Michael Specter, a researcher at MIT, determined that Democracy Live’s online voting and ballot-marking systems could not withstand concerted hacking attempts, and also presented privacy concerns.

The researchers reported that ballots could be manipulated to change votes and that, in some cases, the company’s servers received voters’ identifying information.

“Democracy Live is getting a database of how every single voter voted,” Mr Specter said. “What if that ends up in bad hands?”

The New York Times