The upcoming U.S. presidential election can be rigged and sabotaged, and we might never even know it happened.
This Election Day voters in 10 states, or parts of them, will use touch-screen voting machines with no paper backup of an individual's vote; some will have rewritable flash memory. If malware is inserted into these machines that's smart enough to rewrite itself, votes can be erased or assigned to another candidate with little possibility of figuring out the actual vote.
In precincts where vote tallies raise suspicions, computer scientists will be called in the day after the election to conduct forensics. But even if a hack is suspected, or proven, it would likely be impossible to do anything about it.
If the voting machine firmware doesn't match what the vendor supplied, "it's like you burned all the ballots," said Daniel Lopresti, a professor and chair of the Computer Science and Engineering Department at Lehigh University in Pennsylvania. "We have no way to confirm that we can really trust the output from the machine," he said.
This election in particular has computer scientists and security experts worried. They are concerned that electronic voting machines, voter tabulation and registration systems will be hacked. If an attack causes a polling place backup and some voters to leave and go home, the vote is reduced. This may be as effective as voting-machine tampering in affecting the outcome. It may also undermine confidence in the results. Pennsylvania is attracting the most concern. It is a swing state and many counties use touch-screen systems that do not use a paper ballot or produce a paper record -- for the voter to inspect -- of the voter's intent.
Lopresti was an expert witness for the plaintiffs in a Pennsylvania case challenging the use of touch screen voting machines. The lawsuit (Banfield v. Cortes) was filed in 2006 by 24 state residents. It argued that the state's election system does not retain a physical record of votes, and suffered from a "lack of meaningful and appropriate security measures." The plaintiffs wanted a system with paper verification of each vote.
But the response by Pennsylvania was to spend nearly 10 years fighting this lawsuit, even as other states reversed course on touch-screen systems.
In 2007, Maryland, for instance, decided to replace touch-screen terminals. Budget issues delayed rollout until 2014, but when Maryland voters head to the polls in November they'll be filling out paper ballots that are fed into an optical-scanner system.
Pennsylvania argued in court, in part, that the electronic voting records were permanent records. The court agreed.
Lopresti can't explain Pennsylvania's decision to stick with touch-screen systems without paper verification. "They tended to believe that some of us were putting forth doomsday stories," he said, and they trusted the technology, he said.
Pennsylvania officials may have worried nonetheless.
On Feb. 2, 2015, two weeks before the voters lost their final appeal in their case, the state appointed Marian Schneider, one of the attorneys representing the voters in their lawsuit, to the post of secretary for elections and administration with oversight for elections and IT systems.
Michael Churchill, an attorney who also represented the plaintiffs, said there has been no change in Pennsylvania, since the court case, in the use of electronic voting machines without paper backup. "However there is much more attention to security issues," he said, in an email. (State election officials didn't respond by press time to questions about security from Computerworld.) But will this extra attention be enough?
Following the 2011 municipal primary, officials in Venango County, Pa., had concerns about the vote, including a tie in one race. David Eckhardt, a computer science professor at Carnegie Mellon University, is also a Judge of Elections at one polling place, and was asked by the county to examine the iVotronic voting terminals and Unity tabulation software made by Election Systems & Software, Inc.
Eckhardt didn't find positive evidence of tampering, but did find "positive evidence of IT practices which were imprudent enough to theoretically provide a wide enough door for a well-equipped, motivated attacker to have tampered with the election." His report included a recommendation for an "explicit written security protocol governing the practices of Election staff."
Most county governments are better prepared to safeguard boxes of paper ballots than to safeguard boxes of flash memory," said Eckhardt.
In the absence of voter-verified paper records, getting at the truth of a vote will be difficult.
Cynthia and Ernest Zirkle ran for the Democratic County Committee of Fairfield Township, N.J, in June 2011. It was a very small election, with fewer than 100 votes.
This election used one electronic, touch-screen voting machine with no paper copies of the individual votes. Ms. Zirkle and her husband lost the election. But she knew the results were wrong, because she had a good idea about who had voted for her. Proving it took work.
"There was no verifiable paper trail, or back-up paper to see if the names were reversed," said Ms. Zirkle, in an interview. What she suspected was true: The votes that the Zirkles should have received went to their opponents.
The ballots were programmed incorrectly -- and testing prior to the election missed the problem. Consequently, Ms. Zirkle gathered affidavits from people who said they had voted for them. This was used to help convince a judge to order a new election. The Zirkles easily won their new election.
The list of electronic voting machines in use is long, in part because they stay in service for many years and models vary by purchase dates. Although researchers may pick a certain touch-screen system for testing, the sharpest criticisms are directed at a particular class of machine -- those without a voter-verified paper record.
There are about 10 states that use Direct Voting by Electronics (DRE) without Voter Verified Paper Audit Trail (VVPAT). The list is approximate because county systems may vary. Some of the states with at least some electronic-only systems include New Jersey, South Carolina, Georgia, Louisiana, Pennsylvania, Virginia, Kentucky, Indiana, Texas, Delaware, according to Verified Voting.
State officials insist their systems are secure. Getting at voting machines, in particular, may require a physical attack. But computer security threats follow an evolving pattern that may start with physical access and move on from there.
At the same time Pennsylvania voters filed their lawsuit in 2006 challenging the electronic system, computer scientists at Princeton University were demonstrating how to hack touch-screen voting machines. The scientists physically hacked into a machine, replaced the original memory card with an infected card, rebooted, and returned the original memory card. The machine was now infected. Researchers even used a minibar-type key to open the electronic machine.
Whether the Princeton attack was fair demonstration or not may not be as important as understanding the process in computer security.
Progression of a hack
"Things go through a sequence that looks like: Theoretically possible, proof of concept, weaponized," said Eckhardt.
Scientists work to understand the threats coming down the road. The same process has been applied to viruses, rootkits, BIOS rootkits, and now ransomware, which is arguably the next stage after something is weaponized, and that's commercialization, said Eckhardt.
State-level actors are weaponizing things, said Eckhardt, and they "have the money and they are good."
The IT and security practices around voting, aggregation and registration systems may vary considerably from state to state and county to county. This gives attackers options and opportunity.
"Hypothetically, what if endpoint protections, or the lack thereof, allowed ransomware to execute?" said Zach Lanier, director of research at security firm Cylance. The message to election officials might be: " 'You can't have an election until you pay $1 million to unlock all your machines.' "
The attackers may not care who wins.
The goal instead may be "to create a mistrust in the 'system,' " said Samir Kapuria, the senior vice president and general manager of Symantec's Cyber Security Services business unit. "You don't want people to lose faith in the outcome of the election."
The risk "is less about throwing an election, as opposed to creating a lack of confidence in the results," said Kennet Westby, president of Coalfire Systems, an IT audit and compliance firm.
If the goal is to wreck confidence in the U.S. election, then Donald Trump's recent comment that he fears a "rigged" election is just more stirring of this pot.
Elections are decentralized, run by states and local governments, and a near-universal worry shared by cybersecurity experts is that the election staffs may be out-gunned by hackers.
A majority of poll workers are retired senior citizens who "may not be computer literate," said Jim Christy, vice president of investigations and digital forensics at cybersecurity start-up Cymmetria. The average age of poll workers is estimated to be over 70, he explained. Christy was also a former chief election judge in Anne Arundel County, Md.
"Mistakes, ignorance, and manipulation of the poll workers is possible as the average training for poll workers is only 2.5 hours," said Christy.
The U.S. Department of Homeland Security recently offered nationwide help with cybersecurity issues, and Pennsylvania is one of the states that has accepted this assistance.
But there will be concerns about the level of federal involvement, said Daniel 'DJ' Rosenthal, a cybersecurity expert in Kroll's Investigations and Disputes practice. He has previously worked in the Obama administration on cyber security and counterterrorism.
Federal involvement in state and local elections is "inconsistent with our structure" of the federal system, and state governments may fear that federal involvement in local elections could mean a start to creating standards for other systems. The federal government is involved in election security -- after the attack, to investigate breaches, but does not have a preventive role, he said.
Andrew Appel, a computer science professor at Princeton, testified before a U.S. House committee on Sept. 28, and urged lawmakers to eliminate use of touch-screen voting machines, in the same way they outlawed punch-card ballots following the 2000 presidential contest between George W. Bush and Al Gore.
Appel said more states are using optical scanners, and while the scanning machine has a computer in it, there is also a "ballot of record, and it can be recounted by hand, in a way we can trust," he told lawmakers.
Despite all the potential risks ahead, Eckhardt says, "People should vote. The only way that your vote for sure doesn't get counted is you don't cast it."