720-891-1663

Best Practices, Breach, Legal

Can The Ruskies REALLY Hack Our Elections?

1 Comment

With all the news lately about the Russians trying to change the outcome of the elections (like, I might add, the U.S. has been trying to do around the world for decades – think of the Shah in Iran, the Congo elections, Chile and many others – see here), the real question is can the election really be hacked.

The Pew Charitable Trust published a great piece on the subject which should make you think about the subject.

Here are my thoughts on the subject.  Feel free to comment.

#1 – As a concept, there is no “single point of failure” in the American election system.  That is both its strength and its weakness.  According to Pew, there are 10,000 election entities, mostly (by sheer numbers) counties and cities.  These organizations are, at best, loosely affiliated with each other.  The Clerk in Wichita, KS likely doesn’t even know the Clerk in Fort Smith, Arkansas, except maybe by chance and, for sure the systems used by the two cities are not, in any way, connected.

#2 – Your local voting machine is NOT connected to the Internet.  In fact it is not connected to much of anything.  It is likely loaded with it’s ballot by a flash drive, created at the Clerk’s office.  At the end of the election day, the results are read out on each machine and probably called into each individual election office, manually.  The machines are then locked up and driven to a warehouse, where they are stored, more or less securely until the next election.  Could you compromise that flash drive at creation time?  Likely.  Probably without a huge amount of effort.  But even if you do, that would only be used within a single election PRECINCT.  Not exactly an easy way to change the outcome of a Presidential election.

#3 – While we are on the subject of Presidential elections, the easiest way to change the outcome of that election is by way of fake news, promoted by influencers.  Not the fake news that the current office holder talks about, but rather real fake news.  The average voter assumes, for the most part,that whatever they read, if it supports what they believe, is likely true – it just reinforces their existing beliefs, without regard to whether those beliefs are correct. Or not. That is certainly what Russia did in 2016.  Those efforts can effect a change in the election results.

#4 – it doesn’t require flipping very many votes to change the outcome of a single election.  In this week’s PA-18 House election, the difference between winning and losing was around 627 votes.  Out of 250,000 or so votes.  So, if, via fake news, you can flip the minds of less than a thousand voters, you have just changed the outcome of an election.  That is probably a  lot easier and a lot cheaper than trying to hack voting machines.

“That keeps me awake at night,” said Nancy Blankenship, the clerk for Deschutes County, Oregon.

That quote gives me some hope regarding fending off the bad guys.

On the other hand, this quote worries me.  This clerk either is so clueless about technology that she should not have the job or is sticking her head in the sand.  In either case, it is a problem.

Sara May-Silfee, the director of elections for Monroe County, a community of 170,000 in eastern Pennsylvania, said she knows her county is secure, even if her state was one of 21 states targeted by Russian hackers in 2016.

“I can’t even begin to tell you how they’d hack us,” she said. “Nothing is hooked up to anything. How could anybody hack us? I’m not worried about anything. Sometimes it seems like a lot of hullabaloo.”

I wonder how she KNOWS her county is secure?  Perhaps the same way Target knew?  Or Home Depot knew?  Part of the problem is that County clerks are political animals.  Usually elected.  Highly unlikely from a technical background.

I saw an article earlier today that the Air Force was lamenting that they could not find good cyber security folks.  After all, they pay $37,000 a year plus allowances and benefits.  Someone who is competent could likely make 50% to 100% more in the private sector and not have to worry about having to listen to the whims of politicians who have no idea about tech, even though they feel the need to flap their gums about the subject.

#5 – in many locations, the vast majority (if not all) of the ballots are done via mail.  ON PAPER.  The old fashioned way.  Could you steal the ballots out of the mail?  Maybe?  But if you do, are you helping the candidate you favor?  Or hurting that candidate?  Could you hack that voting process?  Unlikely.

#6 -Could you compromise the central ballot counting process in any given city or county?  Maybe, but likely not easily.

#7 – Hackers could break into central state voter databases and add names, delete names or make changes.  This is one of the things that the Russians were reported to have been trying to do during the 2016 elections.  Is this possible?  Apparently, at least to a degree.  What backups, cross checks and security  measures any given voter database has, is, of course, unknown.  Reports have it that the Russians were successful at doing this, at least to some extent, in several states.

#8 – Many electronic voting machines still do not have a paper confirmation printout.  What this means is that there is NO way for the voter to know what the voting machine actually registered and no way for voting officials to verify the vote count.  THIS IS A BIG PROBLEM.  Without some independent means to verify the vote count, it is all a big guess.

At the hacking conference Defcon, there has been a contest for the last few years for hacking voting machines.  Every year, every single machine gets hacked.  Sometimes in just a few minutes.  In fact, it has been so embarrassing to voting machine manufacturers that they have resorted to threatening people who sell voting machines on the used market.  If the organizers of Defcon can’t get machines, they can’t embarrass the voting machine manufacturers.  If I was a manufacturer, I wouldn’t count Defcon’s organizers out yet.

Suffice it to say, this system is far from perfect.  However, hacking the tech is not only hard but will also have limited effect.  There is no central place to attack; no website to compromise.  Still, that doesn’t mean you can’t do anything.  Think back to PA-18 this week.  Only 600+ votes separated the winner from the loser.

Information for this post came from The Pew Charitable Trust.

Facebooktwitterredditlinkedinmailby feather

One Reply to “Can The Ruskies REALLY Hack Our Elections?”

  1. Raymond Hutchins says:
    March 23, 2018 at 5:44 pm

    Good piece. Informative. Thanks for taking the time to write it.

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2024 CyberCecurity, All rights reserved. Privacy Policy