5 ways to address election system weaknesses
- By Eric Hodge
- Sep 05, 2017
Over the past few months, a steady stream of information has surfaced about Russian efforts to hack the 2016 presidential election. The attacks were specifically focused on voter databases and voting software, with attempts to alter or delete voter information in Illinois and Arizona and intrusions into campaign databases. Experts believe that the goal was to change the outcome of the election.
In the past, the voting process wasn’t seen as a target for hackers. Most cyber criminals go after credit card data or Social Security numbers in order to steal peoples’ identities for financial gain. The 2016 presidential elections revealed a new way of thinking. Election hacking wasn’t driven by the desire to make money, but by an effort to meddle with election results, directly by targeting voter data and indirectly through leaks of confidential information to the media.
Elections that are vulnerable to hacking will undermine confidence in the security of the voting process, eroding voters’ faith and confidence in our democracy. More insidious still is the potential theft of sensitive voter data, which typically includes full name, address, date of birth, last four digits of Social Security number, voter history, activity status, felony convictions and military status. This detailed personal data would be a gold mine for cyber criminals bent on exploiting the election process or perpetrating identity theft.
With the next mid-term elections just a year away, states must move immediately to prevent future tampering. To address election system vulnerabilities, state election officials must develop a plan that focuses on five areas:
1. Secure databases. First, a state board of elections should lock down databases where voter information is kept so voters feel secure in the state’s ability to protect their identities. This can be difficult, however, as election processes, which range from counting the votes to making sure the voting machines are secure, may not be well controlled. Voting management and voting machine technology vary greatly from state to state or even county to county within the same state, creating a broad range of potential vulnerabilities. Securing voter databases will require a statewide effort with strong guidance on best practices.
2. Implement secure voting procedures. States must ensure that votes are counted accurately and completely. Security analysts have warned for years about the security risks of touch-screen voting machines, and in the last election the Russians made progress toward hacking voting machines and systems. If a state has not taken clear, public measures to ensure the public that the selection they make in the voting booth is being recorded and reported properly, then confidence in our elections will suffer.
States should start with an inventory of the people, processes and technologies they have in place in all their counties. Examine current privacy and security procedures and identify any vulnerabilities. From that baseline, states can establish a roadmap for effective policies and procedures to protect against security breaches.
3. Shore up election audit processes. States must be able to ensure that their vote totals can be reviewed and audited. In the 2016 elections, there were recounts in five different states and allegations of voter fraud in two others where the recount process and the accuracy of voting machines were called into question. The inaccuracy and unreliability of the auditing process allowed for enough doubt that both parties started to question not only the credibility of the original vote count, but the electoral process itself.
In every state, voting machines should be secured and sealed at the end of the day, and paper ballots or data cards should be transported in a sealed box to a secure location by an approved state official. States need a proven chain of custody, with everything recorded, audited and handled much like a financial transaction or court document. In smaller jurisdictions today, it’s not uncommon to see ballot boxes left open, old ballots kept in unsecured storage areas or even homes where it’s possible to tamper with them. Tightening up those processes, and in some cases the technologies, is key to making sure the vote is accurate and that any recounts will find the same number of votes as the first count.
4. Properly vet any new voting management systems. When new systems are introduced into the election infrastructure, new avenues of attack can come with them. Some states have deployed voting management systems that were compromised in 2016. When a state makes a change or an addition, it is important to assess the new technology for any new vulnerabilities that attackers can exploit. Proper security procedures must be a priority during the implementation process.
5. Educate. Most of the time, the easiest part of the system to exploit is the human being that sits in the middle of it. John Podesta, who led the Clinton campaign, fell for a phishing scam, and Wikileaks obtained and published his emails, exposing the party’s strategies and embarrassing exchanges. If a state focuses on its systems while neglecting to educate everyone in its network about how to recognize a hacker’s ploys, it is inviting the same consequences that befell the Democratic presidential campaign.
The Russian attack on the 2016 presidential election highlighted the vulnerabilities of our election process and procedures. Hacking elections is a threat we’ve never had to deal with before and something most states were clearly not prepared for. With the mid-term elections only a year away, states still have significant work to do to prevent future tampering.
Eric Hodge is director of consulting at CyberScout.