Today is inauguration day and as Donald Trump prepares to be sworn in as the 45th President of the United States, those reflecting on his run-up to office have a myriad of controversial claims, rumours and stories to draw upon. One such controversy lies in the election supposedly being hacked, with further follow-up on these claims revealing an influence campaign supposedly undertaken by Russia. After meeting with Intelligence Community leaders, President-elect Donald J. Trump said in a statement:
“While Russia, China, other countries, outside groups and people are consistently trying to break through the cyber infrastructure of our governmental institutions, businesses and organizations including the Democrat National Committee, there was absolutely no effect on the outcome of the election including the fact that there was no tampering whatsoever with voting machines. There were attempts to hack the Republican National Committee, but the RNC had strong hacking defenses and the hackers were unsuccessful.”
While the Russian involvement in the US presidential elections will continue to be argued past Trump’s inauguration, across the pond in the UK the former head of MI6 publicly warned against switching elections to electronic voting because of the risk of hacking and cyber-attacks.
But what is the real cyber threat to electronic voting and what kind of damage could it do?
Waiting for the inauguration to kick off stateside, CBR’s Ellie Burns sits down with Chris Wysopal to look into the impact of a hack on an election, as well as the practicalities of how cyber-criminals could actually pull off such an attack.
EB: How could a cyber-criminal hack electronic voting?
CW: Depending on the goal of the cyber-criminal, a successful hack on an election could be implemented in a number of ways.
For a cyber-criminal hoping to create suspicion and disrupt the result of an election, this could be achieved by touching just a small number of votes – far too few to truly impact who is elected. But by just highlighting a few successful vote tampering successes in just a few strategically planned areas, panic and suspicion could lead to mistrust of the entire election result.
Changing the result itself requires a much bigger and more sophisticated approach – altering the figures without drawing attention.
When it comes down to how the attack is achieved, it depends on the electronic voting system being used in that particular case. In the U.S. alone, there were roughly a dozen different types of machine used during the last election, ranging from touchscreen systems with no paper trail, to optical scanning systems, where you fill out the vote on paper, which is then scanned into the machine.
Each has different weaknesses. For instance, the touchscreen with no paper trail has the highest risk, as if a criminal is able to tamper with the machine itself or the tabulation systems that are counting the votes, then there is no way to go back and check what happened. For that reason, many hackers are likely to focus on such systems.
But even the optical scanning system is not infallible, as there could potentially still be disruption at the tabulation stage. And while it may be possible to go back and count the original paper copies, the delay and disruption could lead to the mistrust of the results that a hacker desires.
EB: With most electronic voting systems isolated from the internet, how do hackers overcome the air gap to change the result?
CW: The electronic voting machines themselves, whether touchscreen or optical scanning, are not – or at least, should not be – connected to the internet. There needs to be a memory card or removable media, which moves between those machines and the systems that will then count the votes for that area.
The vote tabulation systems should also not be connected to the internet. But they just tend to be computers (often Windows computers), and there’s always the fear that someone had the “great idea” to connect it to the network.
So, assuming nothing is connected to the internet, there is still the challenge of removable media. And when it’s a general purpose media – such as a USB stick or camera-type memory card – malware can be put onto the media. So, if a hacker is able to get their hands on the media, or is able to hack any computer along the line that the media is inserted into, you can see how malicious code can jump the air gap.
We’ve seen this before. Wherever there’s an air gap, hackers attack another machine that the removable media goes into, which then gets used across the air gap, so hackers can get the malware where you want it to be.
In the case of infecting an electronic voting system, a hacker would probably target election officials or the IT team people who work on those systems. Through thorough research and a spear phishing campaign to infect as many machines as possible, the hacker would hope to infect at least one system where the removable media that goes into the electronic machine is inserted.
EB: What damage could it do?
CW: Ultimately, there is a chance that the vote numbers could be tampered with. If a hacker were able to tamper with the data itself on the electronic voting system, as that is where the first count is seen, then it would be very hard to know what the original votes were and, therefore, if they had been tampered with.
EB: Could hackers change an election result? What sort of intelligence would be needed to ensure the changes weren’t detected?
CW: Vote tampering with the goal of influencing a result, if it were to be successful, would need to be subtle and in line with the expectations for that area. For instance, if changed too dramatically, the voting officials may become suspicious that the result didn’t appear to reflect the demographic of the area.
But for that reason, changing the outcome of an election would be extremely hard – even though compromising the systems themselves could be achieved by many advanced hackers.
The sophistication and understanding of exactly what votes to move and where, so that it wouldn’t be recognised, while making a difference would have to come from a nation state intelligence service.
EB: How could detecting a hack of voting systems in certain areas lead to a complete distrust of the overall result?
CW: If a hacker just wants to disrupt, it’s fine for the hack to be detected. As, if it’s detected in a number of places, or if a number of different areas are using the same electronic voting machines, then all the votes would need to be recounted. Ultimately, this would cause massive disruption – and is much easier to pull off.
We saw this in the U.S. election: allegations of Russian involvement all serve to create mistrust of the democratic system and of public officials. Showing that the election systems can’t be trusted 100 per cent can be enough to lead those whose candidate and/or party did not win the election to distrust the entire result.