Should we worry about foreign hackers tilting election results?

If they break into electronic voting machines, democracy is at risk

Karl D. Stephan | Aug 10 2016 | comment

Last month we learned that computer systems used by both the US Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) were hacked into, possibly by Russia. The initial news reports were confirmed by the FBI, which is investigating the breaches. While no actual damage appears to have been done —yet— it is not clear what the hackers might have learned, and what they might do with the information.

At a minimum, it is a chilling reminder that foreign powers can now remotely meddle with systems vital to our democratic process: a political party's internal analytical tools, not to mention electronic voting machines themselves.

A recent article on the Politico website enlarges on the latter possibility: that hackers, either foreign or domestic, could diddle with electronic voting machines and the associated systems enough to throw an election. Some computer scientists at Princeton have made a career out of showing how various brands of electronic voting machines can be hacked using simple methods that are accessible to clever teenagers. Usually, the hacks require physical access to the machines for a time, but if polling-place workers are not quite vigilant enough, one can imagine this happening.

And then anything can happen, from blatant count manipulation to subtle effects that would be hard to catch in an audit. The most vulnerable machines appear to be the touchscreen types that produce no paper audit trail. Many states and counties have recognized this vulnerability and have switched to optically-scanned paper ballots which automatically produce a paper trail, but even these systems can be hacked into at the count-totalling level where laptops and computer networks are used to add up the results. But there are still a lot of old vulnerable touchscreen systems in use.

The Politico article decries the inconsistent patchwork nature of our voting technology in the US, but fails to note that this can also be regarded as a strength. For offshore hackers to arrange a major hijack of a national election and be fairly sure it would work, they would have to target up-for-grabs states (several of them), get detailed information on the wide variety of systems being used, and devise sub-hacks for each one. While this kind of operation could be carried out, it's hard to see how, unless the foreign power had spies on the ground in the various states to provide information that would not be available any other way.

Nevertheless, huge elections can come down to a few critical votes in a few critical states, or even one, as the "hanging-chad" adventures of the Florida vote count of 2000 proved, leaving the whole nation in suspense for weeks and making the US Supreme Court an unwilling participant in the election as well.

While I normally eschew discussions of politics in this blog, I will limit my comments on the current Presidential contest to a phrase I heard from someone whose position prevented him from venting a franker opinion about the candidates: "It's a pity."

Pitiful or not, national elections are a vital part of the way the US government is made beholden to the people, and it is in the interest of every citizen to see that the process is as fair and transparent as possible. If a foreign country manages to put its thumb on the scales, so to speak, it would betray the election's whole purpose and be tantamount to invasion by a foreign power. For the same reason, contributions to domestic political campaigns by foreign entities are generally prohibited by law.

Voting in elections is an odd mix of the highly traditional and the cutting-edge high-tech. Most applications of engineering have fairly clear-cut goals: build a bridge here to carry so much traffic and cost this much and take that long to build, for instance. But in voting, it's not always clear what problems engineers are being called upon to solve.

Some readers may know that Thomas Edison's first patent was for an electric vote recorder that received votes made by pushing buttons, and printed out a paper tally of the results. He patented it in 1869 and a colleague tried to get the US Congress to adopt it. But getting through a roll-call vote faster by machine was not something that the committee evaluating the machine wanted to do. As the committee chairman reportedly said, "If there is any invention on earth that we don't want down here, that is it."

It wasn't until the 1880s that any kind of voting machine was used in the US in a general election, and legislatures were among the last entities to adopt them for their own voting process. So even the great inventive genius himself misjudged what highly political organizations really want in the way of automated voting.

Increasingly today, politics is about power. Power has always been a factor, but as other cultural forces—tradition, religion, courtesy, even fairness—wane in influence, the vacuum tends to be filled by the raw lust for power. So it is understandable that regimes and individuals who see power as the mainspring and goal of politics will stop at nothing to attain their aims. Just as our military has to exercise constant vigilance to keep armed threats at bay, we now have to defend the integrity of our elections from foreign interference, which is a new thing to a lot of local officials whose worst concern used to be finding enough volunteers to man the polls.

One of the best ideas for safeguarding election integrity was proposed by a Princeton cybersecurity expert quoted in the Politico article. If each lowly precinct simply posts its results in real time, on paper (and I would add, on the internet too), allowing independent vote-checking agencies to compile vote totals, this step essentially eliminates any chance of an outside entity hacking into the vote-totalling systems, because the multiple independent tallies would agree and call into question the "official" total.

To some extent, news agencies already do this, but the exact data paths by which they obtain their vote totals is not obvious to the viewer, and making it so would both raise their credibility and help ensure the integrity of the whole system.

Casting a meaningful ballot is one of the most important privileges of living in a democratic society. It is up to engineers and programmers to make sure that the voting systems this fall will allow every qualified citizen to do that. But it is up to the citizens to use that power wisely.

Karl D. Stephan is a professor of electrical engineering at Texas State University in San Marcos, Texas. This article has been republished, with permission, from his blog Engineering Ethics, which is a MercatorNet partner site. His ebook Ethical and Otherwise: Engineering In the Headlines is available in Kindle format and also in the iTunes store.

Today's lead story by Karl D. Stephan on the security of online electronic voting machines is more relevant than ever after the debacle of Australia's census night yesterday.

Every five years government statisticians run a census. This year, they estimated that 65 percent of the country would submit the information online. However, the census servers crashed, creating a gigantic muddle. The government claims that the problem was caused by a denial-of-service attack by hackers from the United States; critics say that the system was not powerful enough to cope with millions of people online at the same time.

Whatever the reason, the chaos suggests that the alarmists were right: personal data could be at risk. The government says that names and personal data have probably not been stolen. However, hacker victims normally only find out long afterwards when their data is dumped on the internet. Would you still feel safe casting your vote on a machine?