Why Election Day hacking risks are overblown

November 4, 2016

Aliya Sternstein

Despite speculation and suggestions that digital saboteurs could strike on Election Day, there's actually little evidence that criminal hackers will attempt to target voting systems to disrupt the polls, according to experts.

"I haven’t seen any outright malware, in particular nothing that attempts to influence voting systems," says Johannes Ullrich, a researcher at the Internet Storm Center, a firm that specializes in monitoring web forums of malicious software and other threats.

Hackers have played more of a role in this year's presidential election than ever before. The Obama administration has gone so far as to publicly accuse Russia of orchestrating the campaign of cyberattacks on political organizations such as the Democratic National Committee to interfere with US elections. There have been WikiLeaks data dumps and even FBI alerts about tampering with state voter registration databases. 

Even so, concerns that hackers might actually try to tamper with voting booths to change the public's vote Tuesday may be overblown. Many cybersecurity experts say there's no indication that tools designed to attack voting infrastructure are for sale on internet forums where criminals buy and sell these kinds of exploits, and there's little chatter about attacking polling systems or processes. 

"In terms of Dark Web monitoring, we have not seen any specific election-related malware discussion," says Scott Donnelly, director of technical solutions at Recorded Future, a company that specialized in analyzing the so-called Dark Web, the portion of the web accessible only with anonymizing software.

One reason for the lack of tools designed to target voting infrastructure is simply due to the disparate nature of the nationwide voting systems. While plenty of critics have said voting systems are outdated and vulnerable, a digital attack in most cases would require physical access to machines. And, if an attacker was able to infect one polling station, that doesn't mean they could hit others.

"No electronic voting machine is bulletproof when it comes to cybersecurity," wrote Tod Beardsley, a senior security research manager at Rapid7, in Passcode. "But if an adversary needs to physically visit voting machines in order to fiddle with results, then he or she would need a whole lot of bodies in a whole lot of polling places in order to make an impact."

Additionally, voting machines aren't connected to the internet during polling hours, said Douglas W. Jones, an associate professor of computer science at the University of Iowa.

"You'd have to attack through the county office, and software changes on these machines require changes on pull-and-replace chips. You can't do that from St. Petersburg or Tehran."

But while experts aren't seeing evidence of vote-altering malware for sale on criminal forums, it doesn't negate the possibility that related cyberattacks might have an impact on Tuesday.

For instance, Mr. Donnelly noted that the type of distributed denial of service, or DDoS, attack that took down a portion of the web last month could have a major impact if directed at sensitive targets on Election Day.

"When results are coming in, if coverage gets knocked offline, that could cause confusion and delay. If you are looking to make an impact on a very important day or to change the narrative of the day, something like that is obviously a risk," he said.

Mr. Ullrich of the Internet Storm Center has picked up on some internet chatter about attacking state board of election websites.

"These are typically low-traffic websites that are not protected against a DDoS attack, he says. "In particular for volunteer-type organizations, getting behind a free service like Cloudflare," a web host protection firm, "may be a simple, fast move to protect themselves."

Amid the growing evidence that Russian-linked hackers breached US political institutions ahead of the election, the Department of Homeland Security said that it would offer states additional help to secure their voting systems ahead of the election. 

But even if the polls are safe from digital attacks on Tuesday, experts say that election officials still need to take actions to make voting infrastructure more protected against attackers.

"Our democracy can't afford additional sources of voter disengagement," wrote Jamie Winterton, director of strategy for Arizona State University's Global Security Initiative, in Passcode. "While we need to avoid making baseless claims and overblowing the problem, the US must still take basic precautions to protect the vote."