On Monday, the Washington Post reported that some election officials and intelligence officials have doubts about the ability of systems in the USA’s states and provinces to defend themselves against a sustained attack by a state-level actor. “America doesn’t have its act together,” Ion Sancho, a Florida election supervisor, fretted to the paper. “We need a plan.”
Despite the warnings, it would be incredibly difficult for a foreign power to directly tamper with a U.S. state’s election results. Still, voter rolls themselves could be vulnerable in a number of states.
Under the Help America Vote Act of 2002, each state must have one centralized, digital database of voters. One way that a malicious actor could impact an election (presidential or otherwise) would be to tamper with the registrations of a demographic group associated with the opponent of a candidate favored by the adversary.
It wasn’t a hack, but an intentional purge of Florida voters by DBT Online in 2000 (now owned by RELX Group) removed 173,000 mostly black voters from the voter rolls, many thousands of which probably shouldn’t have been removed. This gave many pundits a reason to question the outcome of that presidential election, and such incidents lend credence to suggestions that there might be ways to disenfranchise segments of society, swinging the final outcome.
The Observer attempted to answer two questions about America’s elections systems: Are the official results from vote tabulation systems stored on Internet-connected computers? And are official voter files kept on internet-connected computers?
Obviously, in most places it is possible to check one’s registration and the results of an election online. There is election data online in almost every state, but more often than not voters are viewing information from a copy of the database, not the official digital record.
Think of it like this: there are millions of kilogram weights in the world, but there is only one “Le Gran K,” a hundred year-old cylinder under glass in France which officially represents the standard for a kilogram. All those other weights are copies. It doesn’t make them wrong, but they aren’t official.
The official voter registrations can be held in computers that a person actually has to walk a drive to in order to merge new data into it. That’s called an air gap.
“You don’t connect your election management system to the internet just as you don’t attach your voting machines to the internet,” Pamela Smith, president of Verified Voting, a nonprofit organization devoted to accurate, fair elections, told Observer by phone. “Most states carry a prohibition against connecting any part of the voting system to the internet.”
We confirmed this with officials in states, including Colorado, Connecticut and Washington. Hopefully the recent uncertainty will be enough to put the dubious idea of voting online to death.
“Each one of the states,” Matt Masterson of the U.S. Election Assistance Commission explained in a phone call, “take a variety of steps to ensure the safety of the voter registration systems.” In particular, he highlighted intrusion detection, nightly backups and audit logs.
Masterson, who previously helped administer elections in the perennial swing state of Ohio, said that the state kept online registration data and the database separate. Online voter registration doesn’t have to go directly into the official database, after all. It can go into a temporary database that’s checked first and then merged into the official one.
Even if a malicious actor managed to access an official database of voters, “It would be very easy to tell a massive deletion or change,” Masterson said.
Stuart Holmes, a supervisor of the election system in Washington state, told the Observer that its voter rolls are networked but not publicly. “We’ve got a central database that’s not available to the public,” he explained. To access it, a user has to be at a computer on a State of Washington IP address. Visitors to websites that allow them to check their voter registration status are actually viewing a nightly copy of the voter rolls.
Well-intentioned policies intended to expand access introduce their own challenges. For example, Colorado election officials explained that in a state with same-day voter registration, it’s essential to keep the rolls connected to the internet in real time. In other words, it’s not possible to do day-to-day work on a copy of voter data that’s merged with an air gapped official database at regular intervals.
While it may give more people a chance to vote, such a time crunch and bottleneck could create opportunities for determined cyber-criminals.
There’s nothing that isn’t hackable. Even an air-gapped system can be breached by a determined adversary. For example, most discussion of cyber issues focuses on digital weaknesses, but people will always be the easiest to trick (what hackers call “social engineering“). That said, when official data hasn’t been connected to the internet, there are considerably fewer ways to reach it. In security parlance, that’s called “attack surface” or “attack vectors.”
A state level actor (most finger Russia) with aims to undermine a rival power might not even need to successfully tamper with results in order to achieve espionage goals. As The Post reports, Russia might want to do it, for example, to undermine the United States’ efforts to spread democracy abroad. Doing so probably won’t help it to work much better here.
“Just casting doubt can be a big problem,” Smith said.