The New Yorker
April 18, 2018
Last month, when Congress authorized three hundred and eighty million dollars to help states protect their voting systems from hacking, it was a public acknowledgement that, seven months out from the midterm elections, those systems remain vulnerable to attack.
America’s voting systems are hackable in all kinds of ways. As a case in point, in 2016, the Election Assistance Commission, the bipartisan federal agency that certifies the integrity of voting machines, and that will now be tasked with administering Congress’s three hundred and eighty million dollars, was itself hacked. The stolen data—log-in credentials of E.A.C. staff members—were discovered, by chance, by employees of the cybersecurity firm Recorded Future, whose computers one night happened upon an informal auction of the stolen passwords. “This guy—we randomly called him Rasputin—was in a high-profile forum in the darkest of the darkest of the darkest corner of the dark Web, where hackers and reverse engineers, ninety-nine per cent of them Russian, hang out,” Christopher Ahlberg, the C.E.O. of Recorded Future, told me. “There was someone from another country in the forum who implied he had a government background, and he wanted to get his hands on this stuff. That’s when we decided we would just buy it. So we did, and took it to the government”—the U.S. government—“and the sale ended up being thwarted.” (Ahlberg wouldn’t identify which government agency his company had turned the data over to. The E.A.C., in a statement, referred questions about “the investigation or information shared with the government by Recorded Future” to the F.B.I. The F.B.I., through a Justice Department spokesperson, declined to comment.)
Another case to consider: the Department of Homeland Security recently discovered a number of rogue cell-phone simulators—technical tools that are commonly called “Stingrays”—in Washington, D.C., and has been unable to identify who was operating them. Stingrays are typically used in this country by police or intelligence agencies to surveil suspects and intercept their communications, but D.H.S. officials suspect that the ones they found may have been part of a foreign government’s spying arsenal. As a pair of Princeton computer scientists, Andrew Appel and Kyle Jamieson, have pointed out, cell-phone simulators, which mimic legitimate cell towers, happen also to be handy and inexpensive vote-hacking devices. On the Freedom to Tinker blog, Appel and Jamieson have posted easy-to-follow diagrams showing how the transmission of voting information from polling places could be intercepted by a Stingray and surreptitiously altered before being sent on to its intended destination, a central tabulating computer.
The voting machine that Appel and Jamieson picked to illustrate this hypothetical “man-in-the-middle” attack was the DS200, a popular optical-scan voting machine that reads marked paper ballots, made by a company called Election Systems & Software. The DS200 machine is not connected to the Internet, a feature that offers a great deal of protection from hacking—but not absolute protection. As the Princeton professors demonstrate, trusting this “air gap” when there are other points of entry into the system—such as, in the DS200’s case, a modem that sends data over phone lines—is both naïve and dangerous. When I contacted Election Systems & Software for a comment on the machine’s susceptibility to hacking, I was sent an explanatory leaflet called “Modeming as It Relates to Unofficial Results Transmission.” That document catalogues a number of security features that, on their face, would appear to prevent interception. “Only unofficial results are ever transmitted via modem,” the document says, and, even then, all transmissions are encrypted. The company says these safeguards make the Stingray-aided hacking of their machines “highly unlikely.” But, as Appel told me, there is nothing stopping poll workers from sending official results via modem, and encryption only works if the software of the sender and that of the receiver are implemented perfectly. That, he said, rattling off the many ways an encrypted system could be penetrated, rarely happens. And, despite the security features of the DS200, the danger posed by sending voting data over phone lines has convinced several states—including New York, Maryland, Virginia, and Alabama—to prohibit the use of modems for the transmission of election results.
One of the enduring myths about American elections, and one that persists even after the revelations of 2016, is that they are largely insulated from hacking because we have no centralized voting system—elections are overseen by roughly nine thousand counties, and voting takes place in over a hundred and fifty thousand polling places—and because most voting occurs offline. “Our diverse and locally-run election process presents serious obstacles to carrying out large-scale cyberattacks to disrupt elections, and that standalone, disconnected voting systems present a low risk,” the National Association of Secretaries of State wrote last year, in a briefing paper titled “Key Facts and Findings on Cybersecurity and Foreign Targeting of the 2016 US Elections.” Yet the intelligence community, computer scientists, and hackers themselves have found that while decentralization may be a deterrent, it is not a defense.
In their briefing paper, the secretaries of state—twenty-four of whom are their state’s chief election official—also contend that “the November 2016 election was not hacked.” Though Russian agents attempted to breach the voting systems of at least twenty states and, in one of them, Illinois, lifted thirty-five hundred complete voter files and parts of ninety thousand more, “compromising voter registration systems,” the secretaries say that did “not affect election results.” This extremely limited understanding of hacking fails to take into account that compromising voter-registration systems—eliminating voters from the rolls, deleting voting histories in ways that cause voters to be purged from the system, or creating discrepancies between a state’s voter registry and the poll books used on Election Day—can disenfranchise voters, and disenfranchising voters can change outcomes.