Could computer hackers disrupt the US election? It’s happened in other countries.
Hackers have targeted elections in Mexico, Canada, Russia, and South Korea. Experts warn that it could happen in the US, causing temporary disruptions and perhaps delaying election results.
Will the US need to defend its right to vote from Internet hackers on Tuesday? If the experience of neighboring countries is any indication, the answer could be “yes.”
Already this year, Mexico and the Dominican Republic have both fended off cyberattacks on their national elections by the hacktivist group Anonymous. In Canada in March, the National Democratic Party had its party elections disrupted. Cyberattacks in the past year have also hit national elections in Russia, Ukraine, and South Korea.
To be sure, such attacks do not necessarily translate to the US election system. For all its flaws, US states still rely primarily on voting systems that utilize paper ballots or other paper backup systems that can be re-counted or audited to confirm votes. Yet the threat of even a temporary disruption or manipulation of electoral websites run by county and state officials if it affects perceptions of the vote outcome – even if it did not affect the actual results – remains a worry, cybersecurity experts warn.
RECOMMENDED: Top 5 most expensive data breaches
Last year a video appeared on YouTube claiming that Anonymous would target this year's presidential primaries and possibly the election itself. While some quickly dubbed the video a hoax, cybersecurity professionals aren't immediately dismissing the threat.
"These [hacker] attacks on elections are becoming quite an epidemic actually," says Carlos Morales, vice president of Global Sales Engineering and Operations for Arbor Networks, whose team worked with the Mexican Instituto Federal Electoral to soften the blow from attacking hacktivists.
During Mexico's federal election, hackers claiming to be part of the Anonymous online collective bombarded the Federal Electoral Institute (IFE) website that tallies votes with a distributed denial of service (DDoS) attack – which shoots data from myriad computers to make it hard to block the attempt to clog the Internet pipes at the target site.
Not only that, faked images were planted that appeared to show vote tallies being manipulated. In the Dominican Republic, the hacktivist group Anonymous Dominicana threatened a DDoS attack on Junta Central Electoral, the central election authority to disrupt the vote count and cast doubt on the validity of the election.
In both cases, the hacktivists failed mainly because both nations took action ahead of the vote to put in place systems that could deal with the electronic bombardment.
"Attacked, yes; damaged or disabled, not at all," said René Miranda, IFE’s chief information officer, as reported in a Mexican cybersecurity magazine.
One wild card in the United States, however, that could be directly affected by DDoS style attacks – the simplest, cheapest, and most anonymous kind of attack – is the rise of Internet-based voting. At present, some 32 states make online voting available to some 3 million registered voters, including military personnel and citizens abroad, according to the Carlsbad, Calif.-based group Verified Voting, which tracks voting technology.
Six of the states with Internet voting place some security restrictions on how completed ballots can be returned, while 24 others permit electronic votes to be returned "without restrictions," running the risk of ballots being intercepted and altered, the study says.
A DDoS attack that blocked a vote server on Election Day could have the effect of nullifying thousands of votes. Even though the votes would arrive by e-mail eventually, it would be a question whether state officials allowed them to be counted.
"There's going to be many more votes this year cast by Internet – we just don't know how many," says David Jefferson, a cybersecurity researcher at Lawrence Livermore Laboratory. "There is a question about what happens to those who might send in their ballot on the last day, but find that the vote servers are under a DDoS attack that lasts through closing of the polls – blocking their vote."
It's probable the vote would be delivered eventually, he says, but too late. So then the question is whether the vote would be counted. Certainly there would be strong pressure to do so – especially if the votes were from military personnel overseas – regardless of legal rules about the timing of delivered votes, he says.
There's also the possibility that website data could be manipulated by hackers.
"That would be embarrassing and cause conspiracy theorists or even honest people who don't understand the technology to worry about the actual counts," Dr. Jefferson says. "But that should not affect in any fundamental way the vote count."
Internet voting company officials say threats to the voting systems are overblown.
"We take security issues extremely seriously," Lori Steele, chief executive officer of Everyone Counts, a San Diego-based Internet voting company that provides services in Colorado, Utah, Washington, Florida, and Illinois told the Monitor in a July interview. "We use military-grade encryption and feel ours is the highest-level security of any voting system, including when you compare systems like mail or polling stations."
Others discount the Anonymous video on YouTube entirely and say while there may be a latent desire by hackers affiliated with Anonymous to do some harm to the US election, there's not much evidence that anything is cooking, say close observers.
"There's been nothing credible in the way of a plan emerging," says Gregg Housh, an unofficial spokesman for Anonymous, a loosely knit collective of hackers who have come to the defense of WikiLeaks and its embattled founder, Julian Assange. "Lots of people have said things like, 'I wish this [hacking the US election] could be done,’ but no actual credible threats exist that I've seen…. I would assume if something big does go wrong, though, that it will be blamed on Anonymous as usual."
RECOMMENDED: Top 5 most expensive data breaches