Last week the FBI warned state government to shore up the defenses around their voter registration databases. Hackers have been scanning them in an effort to find vulnerabilities to exploit, FBI Director James Comey told U.S. lawmakers last Wednesday.
"There's no doubt that some bad actors have been poking around,” Comey said. If you ask the security community and government officials, those “bad actors” are either the Russian government or entities linked to it and the rash of recent politically-tinged security incidents are an attempt to meddle in November’s election.
The prospect of another nation influencing how the U.S. selects its leaders has rightfully sparked a greater dialogue around how to protect the country’s election system. I welcome these discussions, but feel there’s so much more that needs to be added to the conversation about how hackers can interfere with an election. Talking about these points will not only lead to better information security around voting, but improved protection for all organizations.
Hacking electronic voting systems isn’t the only way to influence an election
Electronic voting systems are an obvious target given that many run versions of Windows that Microsoft no longer supports. But there are other, more subtle ways to affect voting that don’t require infiltrating the technology that people use to cast their ballot.
I’ve written about this topic before, but this subject is worth approaching again. You wouldn’t necessarily associate infrastructure security with voting security but the two are linked. If hackers infiltrate the power grid and cut power to polling stations, it doesn’t matter whether electronic voting machines or manual ones are being used: without lighting, people won’t be able to see the ballot. A power outage will most likely lead to the closure of polling stations over safety concerns.
Additionally, if there’s no power, the traffic lights won’t work, undoubtedly creating massive traffic jams. Getting people to vote is enough of a challenge. Now add a 30-minute traffic jam to the general apathy people feel about voting, and it’s easy to see why voters may stay home instead of casting a ballot.
Mess with a voter’s mind
Attackers can also take a psychological approach to hacking the vote. For instance, hackers could break into the companies that conduct polls and change those results. Suddenly, candidates who voters aren’t supporting have a commanding lead over their opponents. Given how close elections have become in recent years, and this presidential election in particular, people could believe that either Hillary Clinton or Donald Trump gained voters seemingly overnight. To make the doctored results even more credible, attackers could launch this type of attack following a debate when voters are likely to decide or change who they’re voting for based on how the candidates perform.
Now consider the impact of any these voting hacks in a swing state where victory can be determined by a few thousand votes. I’d argue that these approaches can have a greater impact than exploiting an unpatched flaw in an electronic voting machine running Windows 2000. After all, figuring out what OS an electronic voting machine is running and how to break into it takes a fair amount of work. By comparison, hacking into the industrial control system that handles power distribution is easier and can have larger results.
A bigger perspective leads to better information security
I’m not trying to spread fear by bringing up these alternative ways to hack the vote. I want to encourage people to apply a greater, more encompassing view to information security. Hopefully, by thinking about other, less obvious ways attackers could break into your organization will lead to adopting a greater perspective on how to improve information security for all systems and not just the ones that immediately come to mind.