Creating chaos at the polls: Putting election hack risks into context

U.S. voting system is vulnerable to attack, and democracy could be a casualty

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

With the U.S. blam­ing Rus­sia for hack­er attacks on state elec­tion sys­tems, and the myr­i­ad pos­si­bil­i­ties for elec­tion chaos such attacks raise, it’s impor­tant to put them in prop­er con­text. I went to Har­ri Hursti, a glob­al­ly known elec­tion secu­ri­ty con­sul­tant, for some answers.

Hursti cut his teeth in the Finnish mil­i­tary fend­ing off elec­tron­ic attacks dur­ing the Cold War. He may be best known for the Hursti Hack(s), in which he demon­strat­ed how the vot­ing results pro­duced by the Diebold Elec­tion Sys­tems vot­ing machines could be altered. HBO turned the Hursti Hack into a doc­u­men­tary called “Hack­ing Democracy.”

Relat­ed essay: Dig­i­tal elec­tion sys­tems must be improved

At present, Hursti’s con­sul­tan­cy, Nordic Inno­va­tion Labs, advis­es gov­ern­ments around the world on elec­tion vul­ner­a­bil­i­ties. Here’s what we dis­cussed. Text edit­ed for clar­i­ty and length:

Sul­li­van: A mem­ber of Con­gress says there is “no doubt” that Rus­sia is behind recent attacks on state elec­tion sys­tems. What do you think of that?

Harri Hursti, Nordic Innovation Labs
Har­ri Hursti, Nordic Inno­va­tion Labs

Hursti: U.S. Rep. Adam Schiff, D-Calif., said he doubt­ed (Rus­sians) could fal­si­fy a vote tal­ly in a way that affects the elec­tion out­come. He also said out­dat­ed elec­tion sys­tems makes this unlike­ly, but real­ly, it just makes it eas­i­er. The vot­ing machines were designed at a time when secu­ri­ty wasn’t con­sid­ered, includ­ed, or part of the spec­i­fi­ca­tions at all.

These out­dat­ed com­put­ers are extreme­ly slow. They don’t have the extra horse­pow­er to do decent secu­ri­ty on top of the job they were designed for. Basi­cal­ly, the vot­ing machine is as pow­er­ful as today’s refrig­er­a­tor or toast­er. But out­dat­ed doesn’t mean it’s for­got­ten and obso­lete. It means that it’s com­mon, and there­fore a lot of peo­ple still today know how those sys­tems work and can sub­vert them.

Sul­li­van: There’s con­cern, but no proof, that cer­tain states’ vot­er reg­is­tra­tion sys­tems may have been tam­pered with.

Hursti: It’s mean­ing­less to claim there’s no evi­dence, since the sys­tems don’t have the capa­bil­i­ty to report when they’re altered. Unless we study the sys­tem, we can’t know one way or the other.

In addi­tion, the num­ber of ven­dors and dif­fer­ent sys­tems is low, so a skill­ful attack­er doesn’t need to learn hun­dreds of sys­tems. A skill­ful attack­er only needs to learn one sys­tem in order to manip­u­late enough votes to tilt the elec­tion. This means the attack­er has more places to go to be strate­gic. They can go to 10 small­er juris­dic­tions with few­er resources and less (atten­tion).

Also, the diver­si­ty between small juris­dic­tions is lim­it­ed. And some states have made statewide deci­sions that one sys­tem is used across the state. An attack­er can choose the juris­dic­tions based on the sys­tems they are best skilled to attack. From an attacker’s point of view, you could not ask for an eas­i­er target.

Sul­li­van: How can the U.S. be so sure it’s Russia?

Hursti: It can’t. It is very hard to find where a net­work attack is com­ing from. It is equal­ly easy to make cer­tain that inves­ti­ga­tors will find ‘the trail’ which is point­ing to the wrong direc­tion. There­fore under the assump­tion that you’re deal­ing with a skill­ful attack­er, any trail found is a red flag.

Sul­li­van: Giv­en your Cold War back­ground, does this feel famil­iar? Could it have been Russia?

Hursti: Some­thing we in the West­ern world don’t under­stand is how deeply patri­ot­ic Rus­sians are. Indi­vid­ual Russ­ian, and self-orga­nized groups are will­ing to go to great lengths on their own, with their own ini­tia­tive, if they believe that what they do will ben­e­fit Moth­er Rus­sia, and/or in the hope and belief that their actions, once known, will be reward­ed. So these kinds of self-ini­ti­at­ed actions, which do resem­ble orga­nized oper­a­tions, are commonplace.

Also, it is good to under­stand how high the lev­el of sci­ence edu­ca­tion is in Rus­sia and the East­ern Bloc. The per­cent­age of peo­ple in the gen­er­al pop­u­la­tion of Rus­sia who pos­sess the rel­e­vant skill sets for car­ry­ing out this kind of attack is high­er than we assume. And that’s not just Rus­sia, but the whole East­ern Bloc. It was very high and is still.

Sul­li­van: What would an appro­pri­ate response be if the U.S. dis­cov­ered for­eign hack­ers in its elec­tion system?

Hursti: The first action is obvi­ous­ly to secure your home base. Tak­ing into account the dif­fi­cul­ty of iden­ti­fy­ing the actu­al attack­er, a pub­lic retal­i­a­tion toward an assumed attack­er may be part of the attacker’s plan and inten­si­fy the attack. Hence, pub­lic retal­i­a­tion is not an effec­tive defense. Pub­lic dis­clo­sure is impor­tant, but after the sit­u­a­tion has been prop­er­ly handled.

Sul­li­van: Final­ly what is the real risk here? Could a Russ­ian hack­ing throw the Nov. 8 result into doubt? Could Trump sup­port­ers, should they lose, blame Rus­sia, for example?

Hursti: There are myr­i­ad risks. Mas­sive breach­es of vot­er reg­is­tra­tion data­bas­es might lead to dis­cour­age­ment of peo­ple to par­tic­i­pate in the demo­c­ra­t­ic process and cause them to drop out by ceas­ing to be reg­is­tered vot­ers. It also pos­es a nation­al secu­ri­ty-lev­el threat, by allow­ing mali­cious actors and adver­saries to gain valu­able intel, whether it is per­son­al-lev­el attacks or whether it is for hybrid war­fare psy­cho­log­i­cal oper­a­tions.

More sto­ries relat­ed to elec­tion security:
How hack­ers could influ­ence the pres­i­den­tial election
Cast bal­lot for tighter secu­ri­ty on vot­er data

Trump wins by wide mar­gin as top lure for spam campaigns
Nov­el rais­es ques­tion of whether elec­tion could be hacked

 

 


Posted in Data Breach, Data Security, Featured Story