It also prompted Homeland Security (DHS) Secretary Jeh Johnson to suggest that the nation’s voting systems should be considered “critical cyber infrastructure.”
The risk is more with insiders happily clicking on an email attachment and installing something malicious.
Kevin McAleavey, cofounder and chief architect, the KNOS Project
Johnson held a conference call on Aug. 15 with state election officials, in which he offered DHS help in making those systems more secure.
Whether that will make any difference two months before the election is dubious. As numerous experts note, while there is wide consensus that US voting systems are vulnerable, nobody knows for certain how vulnerable.
“Election administrators are trained to run elections, not defend computer systems,” said Hall. “The voting systems we use in many cases don't keep the kind of evidence one would need to detect an attack, let alone recover from it without disruption or loss of votes.”
There is not nearly enough time to patch voting systems anyway, since there are actually 50 elections, run by more than 8,000 jurisdictions in the 50 states. As Schneier noted, each has “different rules, all run by different organizations, without any coordination or minimal coordination, so there’s not a lot the federal government can do except oversee.”
In some ways, that might seem to be an advantage, since it would be much more difficult to hack 8,000-plus different systems than one standardized system.
But, as is also obvious, it doesn’t require tampering with every system to change the results of an election. It could be done by just making minor, perhaps undetectable, changes to votes in a few key precincts in a few swing states.
“If the vote is as close as in 2000, it could be very easy by essentially targeting a jurisdiction where the vote is expected to be close and actually changing a few votes,” Hall said. “This could be especially easy for states like Maryland that will likely allow very liberal internet voting, which is horrifically insecure.”
And election officials have had decades of warnings that they have essentially ignored, from people like Appel and his colleagues.
Schneier said on WGBH that security experts have been talking about it for 20 years. Hall said hacking projects nearly a decade ago in California and Ohio found that “all the machines examined had deep, deep vulnerabilities that could be used to change votes, disrupt elections, and violate ballot privacy. We have no indication that those flaws have been fixed, and in many cases they're still out there,” he said.
That doesn’t mean those running the nation’s election systems are entirely helpless, however.