Political action committees aren’t the only entities attempting to influence the upcoming U.S. presidential election. Supposedly, Russia wants a say in who should lead the country. At least that’s the opinion you could form after reading the many news stories that allege Russia is behind the recent hacks targeting the Democratic National Committee and the Democratic Congressional Campaign Committee.
Attack attribution aside (I shared my thoughts on that topic in an earlier blog), these data breaches raise the question of whether attackers could actually impact an election’s outcome.
Not to scare you, but hacking the vote is pretty easy. Some possible ways of carrying this out, like hacking electronic voting machines, have been discussed extensively, while others, such as targeting organizations that poll voters, probably haven’t been considered. I’m not trying to frighten people by bringing up these scenarios. As far as I know, none of the methods I’m going to discuss have been used to sway an election. To me, this is an opportunity to present these possible situations to the security community and, by freely talking about them, ensure that voting goes as smoothly as possible on November 8.
Hack early, hack often
Tampering with electronic voting machines is the usual example that’s presented when discussing how hackers could sway an election, and for good reason. Many electronic voting machines use legacy technology that’s no longer supported by the vendor, according to a study from the Brennan Center for Justice at NYU School of Law. Many electronic voting machines run Windows XP, which Microsoft stopped issuing security patches for in 2014. Even worse, some machines are running Windows 2000, which Microsoft hasn’t supported since 2010.
Additionally, several states use electronic voting machines that don’t print paper-trail backups of voting results, including presidential swing states like Florida and Pennsylvania. Without a printout, election officials don’t have a way to audit election results and ensure that electronic voting machines properly captured a person’s vote.
Spill campaign secrets
But hackers don’t have to change or delete votes to influence an election. The computers and servers used by candidates, their staff and organizations tied to their political party contain troves of data that could have damaging results if publicly disclosed.
The Democratic National Committee found itself in this situation after it was hacked, resulting in the release of emails that showed the organization favored Hillary Clinton over Sen. Bernie Sanders in the primary. The public release of these emails didn’t prevent the former secretary of state from becoming the Democratic nominee for president. However, the incident, which occurred right before the Democratic National Convention, did little to help unite the party around Clinton after a contentious, heated primary.
Hackers realize that politicians, and people linked to them, have sensitive information stored on laptops and servers and in cloud services. If this information were to find its way to the public, it could cause people to reconsider their vote, a point not lost on attackers. For example, hackers could break into a campaign’s email server and look for messages that promise donors influence in the candidate’s administration if they write a large check. Naturally, a person running for office would rather keep these details private.
Classified campaign details don’t even need to find their way to Wikileaks to impact an election. Attackers could sell this information to a rival candidate or political action committee, potentially providing them with documents on campaign and debate strategies.
Just stay home
Hackers might also sway election-day voting by breaking into the computers that operate traffic lighting systems and interfering with the ones around polling stations to create massive traffic jams. Voters, turned off by the thought of spending their afternoon stuck in traffic, could decide to skip voting.
That’s assuming hackers don’t first convince you to stay home because your vote isn’t needed.
They could pull that off by hacking polling companies and changing the poll results. With some quick keystrokes, a hacker could, for example, give candidates who have a slim lead over their opponents an instant 15-point advantage. If you’re a voter and hear on the news that the person you’re supporting has a commanding lead in opinion polls, you could assume that your vote won’t really matter and be less likely to head to the polls. This type of attack would be especially detrimental in swing states where a few thousand votes can determine the outcome of an election.
Hackers could also initiate an attack targeting live election coverage on cable or network television stations. As polls close on the East Coast, a hack could be carried out that changes the exit poll numbers gathered by news organizations. Since polls close later in the Midwest and on the West Coast, voters may decide to skip voting if their candidate has what appears to be a big lead. Or hackers could lower some candidates’ exit poll numbers, giving the appearance that they won’t win the election. Voters, dejected by this news, could decide not to vote.
Cybersecurity issues have become a reality in our technology-centered lives and could extend into areas we wouldn’t associate them with, like how people pick their leaders. But nothing, not even the threat of hackers, should prevent you from exercising your right to vote.
Lior Div is the CEO of Cybereason. This column previously appeared in Network World.