Stealing votes with software. It may have been a plot in the political thriller TV show “Scandal,” but that doesn’t mean it couldn’t happen in real life, too. In fact, Homeland Security Secretary Jeh Johnson said Wednesday that it’s a major concern.
In light of the hacking attacks on the Democratic National Committee and another fundraising organization for the Democrats, the US government should ask whether to treat elections as “critical infrastructure,” Johnson said at a breakfast in Washington, DC sponsored by the Christian Science Monitor.
That official designation often refers to physical infrastructure, like the power grid and dams. But elections are critical to democracy, Johnson said, which could justify adding elections to the US government’s list of 16 critical infrastructure sectors. “There’s a vital national interest in our election process,” he told reporters at the event.
Not everyone is sure that adding a new label to elections goes far enough to protect the democratic process. Vishal Gupta, CEO of cybersecurity firm Seclore, said the government has to put its money where its mouth is and the computer systems involved in voting.
“By simply changing the designation of these systems without laying out a clear and concise plan for bolstering defenses, very little is accomplished from an information security perspective,” Gupta said in an email.
The Department of Homeland Security declined to comment further on how it might protect elections.
The department works with county and state officials to help keep critical infrastructure safe — and secure elections are part of that mission, a Homeland Security official said. Its role also includes recommending the best practices for keeping voting systems safe and helping respond to any security incidents that arise, the official added.
Is a hack plausible?
About 2,400 miles west of Washington, DC, where Johnson made his announcement, Black Hat is taking place. It’s a massive meeting of cybersecurity experts in Las Vegas, and researchers are demonstrating how any number of things can be hacked.
That includes next-generation ATMs, which read the more-secure EMV chips that will appear on more US debit cards as we approach 2017. It also includes connected cars, like theJeep that researchers Chris Valasek and Charlie Miller have found new ways to hack this year.
So the view from Black Hat suggests it’s possible. If you build it, they will hack.
What would a hack look like?
Dmitri Alperovitch, CEO of cybersecurity firm CrowdStrike, knows a little bit about the threats facing US elections. CrowdStrike said in June that hackers affiliated with two Russian government agencies breached the Democratic National Committee’s computer systems and accessed sensitive information.That claim has since been disputed, and someone claiming to be a solo Romanian hacker allegedly leaked sensitive emails and information from DNC systems. Alperovitch stands by his company’s findings.
When it comes to hackers changing elections, Alperovitch thinks the most vulnerable point in the election system isn’t electronic voting machines. Rather, it’s whatever computer any given voting precinct uses to send election results off to the county or state level.
“Those are just regular PCs,” he said from a suite at the Mandalay Bay resort in Las Vegas. “God knows what’s protecting those.”
Still, Alperovitch says electronic voting isn’t safe either. (He’s in good company. Cybersecurity specialist Bruce Schneier has written for years about how vulnerable such systems are.)
Alperovitch said hanging chads, a problem that made some paper ballots difficult to read in the 2000 presidential election, are easier to deal with than potentially hacked voting machines.
But the worst thing that could happen? That would be if the election appears to go off without a hitch, but the next day a hacker claims to have changed votes in a crucial precinct or county. That could damage voters’ trust in the result.
“All they need to do is sow doubt,” he said.