Creating chaos at the polls: Putting election hack risks into context
U.S. voting system is vulnerable to attack, and democracy could be a casualty
By Bob Sullivan, ThirdCertainty
With the U.S. blaming Russia for hacker attacks on state election systems, and the myriad possibilities for election chaos such attacks raise, it’s important to put them in proper context. I went to Harri Hursti, a globally known election security consultant, for some answers.
Hursti cut his teeth in the Finnish military fending off electronic attacks during the Cold War. He may be best known for the Hursti Hack(s), in which he demonstrated how the voting results produced by the Diebold Election Systems voting machines could be altered. HBO turned the Hursti Hack into a documentary called “Hacking Democracy.”
At present, Hursti’s consultancy, Nordic Innovation Labs, advises governments around the world on election vulnerabilities. Here’s what we discussed. Text edited for clarity and length:
Sullivan: A member of Congress says there is “no doubt” that Russia is behind recent attacks on state election systems. What do you think of that?
Hursti: U.S. Rep. Adam Schiff, D-Calif., said he doubted (Russians) could falsify a vote tally in a way that affects the election outcome. He also said outdated election systems make this unlikely, but really, it just makes it easier. The voting machines were designed at a time when security wasn’t considered, included, or part of the specifications at all.
These outdated computers are extremely slow. They don’t have the extra horsepower to do decent security on top of the job they were designed for. Basically, the voting machine is as powerful as today’s refrigerator or toaster. But outdated doesn’t mean it’s forgotten and obsolete. It means that it’s common, and therefore a lot of people still today know how those systems work and can subvert them.
Sullivan: There’s concern, but no proof, that certain states’ voter registration systems may have been tampered with.
Hursti: It’s meaningless to claim there’s no evidence, since the systems don’t have the capability to report when they’re altered. Unless we study the system, we can’t know one way or the other.
In addition, the number of vendors and different systems is low, so a skillful attacker doesn’t need to learn hundreds of systems. A skillful attacker only needs to learn one system in order to manipulate enough votes to tilt the election. This means the attacker has more places to go to be strategic. They can go to 10 smaller jurisdictions with fewer resources and less (attention).
Also, the diversity between small jurisdictions is limited. And some states have made statewide decisions that one system is used across the state. An attacker can choose the jurisdictions based on the systems they are best skilled to attack. From an attacker’s point of view, you could not ask for an easier target.
Sullivan: How can the U.S. be so sure it’s Russia?
Hursti: It can’t. It is very hard to find where a network attack is coming from. It is equally easy to make certain that investigators will find ‘the trail’ which is pointing in the wrong direction. Therefore, under the assumption that you’re dealing with a skillful attacker, any trail found is a red flag.
Sullivan: Given your Cold War background, does this feel familiar? Could it have been Russia?
Hursti: Something we in the Western world don’t understand is how deeply patriotic Russians are. Individual Russians and self-organized groups are willing to go to great lengths on their own, with their own initiative, if they believe that what they do will benefit Mother Russia, and/or in the hope and belief that their actions, once known, will be rewarded. So these kinds of self-initiated actions, which do resemble organized operations, are commonplace.
Also, it is good to understand how high the level of science education is in Russia and the Eastern Bloc. The percentage of people in the general population of Russia who possess the relevant skill sets for carrying out this kind of attack is higher than we assume. And that’s not just Russia, but the whole Eastern Bloc. It was very high and is still.
Sullivan: What would an appropriate response be if the U.S. discovered foreign hackers in its election system?
Hursti: The first action is obviously to secure your home base. Taking into account the difficulty of identifying the actual attacker, a public retaliation toward an assumed attacker may be part of the attacker’s plan and intensify the attack. Hence, public retaliation is not an effective defense. Public disclosure is important, but after the situation has been properly handled.
Sullivan: Finally, what is the real risk here? Could Russian hacking throw the Nov. 8 result into doubt? Could Trump supporters, should they lose, blame Russia, for example?
Hursti: There are myriad risks. Massive breaches of voter registration databases might lead to discouragement of people to participate in the democratic process and cause them to drop out by ceasing to be registered voters. It also poses a national security-level threat, by allowing malicious actors and adversaries to gain valuable intel, whether it is personal-level attacks or whether it is for hybrid warfare psychological operations.