Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

<img class="alignright wp-image-4711 size-medium" src="https://dataprivacymonitor.bakerhostetlerblogs.com/wp-content/uploads/sites/5/2016/11/vote-election-politics-iStock_89474883_XLARGE-300x197.jpg" alt="Elections in the United States of America" width="300" height="197" />Could the presidential election be hacked? 

With Election Day upon us, concerns about the security of the U.S. election system have reached a fever pitch. But how likely is it that a breach could affect the election? Could hackers really make cries of a “rigged” election come true?

The U.S. government is definitely concerned about hacks meant to influence the election process. In October, the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence on Election Security issued a <a href="https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national">joint press release</a> squarely blaming Russia for attacks into U.S. political organizations such as the Democratic National Committee – hacks meant to affect the election. The press release noted that
[T]he U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks . . . are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process.
While the joint press release notes that in fact there have been recent scanning and probing of election systems in various states, it also downplays the ability to alter election results, given the “decentralized nature of our election system in this country” and various protections in place, such as ensuring that voting machines are not connected to the internet. In the meantime, emails stolen from the Democratic National Committee continue to leak out, with another 8,000 emails released on Nov. 6, just two days before the election. 

Perhaps to soothe public concerns, <a href="https://www.dhs.gov/news/2016/10/10/update-secretary-johnson-dhs-election-cybersecurity-services">DHS has also offered to assist state and local election officials with cybersecurity services</a>. This assistance includes hygiene scans for internet-facing systems, vulnerability assessments, and sharing of information about cyber incidents and best practices for securing voter registration databases.

Although 33 states have considered DHS assistance, at least one state, Georgia, has refused federal government help, despite the fact that <a href="http://www.npr.org/sections/alltechconsidered/2016/08/20/490544887/after-dnc-hack-cybersecurity-experts-worry-about-old-machines-vote-tampering">Georgia runs electronic-only machines</a> with no paper trail and with a vulnerable operating system dating back over a decade. And it’s not just Georgia running old and outdated voting machines. According to reports, Florida, Kentucky, Massachusetts and Texas are just some of the states where machines can be as much as 15 years old. And many of those machines are running a version of Windows XP, an operating system no longer security patched or updated by Microsoft.

Recent events show that vulnerabilities do exist at the local level. A hack into the <a href="http://www.chicagotribune.com/news/local/politics/ct-illinois-state-board-of-elections-hack-update-met-0830-20160829-story.html">Illinois State Board of Elections</a> in June exposed the personal information of 200,000 voters. A more limited attack affected Arizona’s voter database around the same time. And in Florida, in October, the FBI found evidence of a cyberattack on a vendor used by Florida’s election system, potentially exposing the personal information of Florida voters.

But despite these incidents, it seems unlikely that the outcome of the presidential election can be determined by these hacks. There is not one central place for a cyberattack that would affect the voting in all 9,000 jurisdictions where voting takes place, so the decentralized nature of local voting makes it extremely difficult for any particular incident to be a determining factor.

Nonetheless, hacks into voter registration databases, the DHS warning about state-sponsored attacks and the continuing trickle of stolen emails from political organizations serve to undermine public confidence. Those on the losing end of any election can then point to those vulnerabilities to claim that the results are untrustworthy. So at the end of the day, the real threat is not to the actual election results but perhaps to the perception of U.S. democracy.

Privacy and Security in the Voting Booth