Modern field guide to security and privacy

Why Election Day hacking risks are overblown

Experts who track the sale and development of malicious hacking tools say they've seen no evidence that criminal attackers are planning to target voting systems on Tuesday. 

Rick Bowmer/AP
People cast ballots in early voting at Salt Lake County Government Center on Nov. 1.

Despite speculation and suggestions that digital saboteurs could strike on Election Day, there's actually little evidence that criminal hackers will attempt to target voting systems to disrupt the polls, according to experts.

"I haven’t seen any outright malware, in particular nothing that attempts to influence voting systems," says Johannes Ullrich, a researcher at the Internet Storm Center, a firm that specializes in monitoring web forums of malicious software and other threats.

Hackers have played more of a role in this year's presidential election than ever before. The Obama administration has gone so far as to publicly accuse Russia of orchestrating the campaign of cyberattacks on political organizations such as the Democratic National Committee to interfere with US elections. There have been WikiLeaks data dumps and even FBI alerts about tampering with state voter registration databases

Even so, concerns that hackers might actually try to tamper with voting booths to change the public's vote Tuesday may be overblown. Many cybersecurity experts say there's no indication that tools designed to attack voting infrastructure are for sale on internet forums where criminals buy and sell these kinds of exploits, and there's little chatter about attacking polling systems or processes. 

"In terms of Dark Web monitoring, we have not seen any specific election-related malware discussion," says Scott Donnelly, director of technical solutions at Recorded Future, a company that specialized in analyzing the so-called Dark Web, the portion of the web accessible only with anonymizing software.

One reason for the lack of tools designed to target voting infrastructure is simply due to the disparate nature of the nationwide voting systems. While plenty of critics have said voting systems are outdated and vulnerable, a digital attack in most cases would require physical access to machines. And, if an attacker was able to infect one polling station, that doesn't mean they could hit others.

"No electronic voting machine is bulletproof when it comes to cybersecurity," wrote Tod Beardsley, a senior security research manager at Rapid7, in Passcode. "But if an adversary needs to physically visit voting machines in order to fiddle with results, then he or she would need a whole lot of bodies in a whole lot of polling places in order to make an impact."

Additionally, voting machines aren't connected to the internet during polling hours, said Douglas W. Jones, an associate professor of computer science at the University of Iowa.

"You'd have to attack through the county office, and software changes on these machines require changes on pull-and-replace chips. You can't do that from St. Petersburg or Tehran."

But while experts aren't seeing evidence of vote-altering malware for sale on criminal forums, it doesn't negate the possibility that related cyberattacks might have an impact on Tuesday.

For instance, Mr. Donnelly noted that the type of distributed denial of service, or DDoS, attack that took down a portion of the web last month could have a major impact if directed at sensitive targets on Election Day.

"When results are coming in, if coverage gets knocked offline, that could cause confusion and delay. If you are looking to make an impact on a very important day or to change the narrative of the day, something like that is obviously a risk," he said.

Mr. Ullrich of the Internet Storm Center has picked up on some internet chatter about attacking state board of election websites.

"These are typically low-traffic websites that are not protected against a DDoS attack, he says. "In particular for volunteer-type organizations, getting behind a free service like Cloudflare," a web host protection firm, "may be a simple, fast move to protect themselves."

Amid the growing evidence that Russian-linked hackers breached US political institutions ahead of the election, the Department of Homeland Security said that it would offer states additional help to secure their voting systems ahead of the election. 

But even if the polls are safe from digital attacks on Tuesday, experts say that election officials still need to take actions to make voting infrastructure more protected against attackers.

"Our democracy can't afford additional sources of voter disengagement," wrote Jamie Winterton, director of strategy for Arizona State University's Global Security Initiative, in Passcode. "While we need to avoid making baseless claims and overblowing the problem, the US must still take basic precautions to protect the vote."

Staff writer Jack Detsch contributed reporting.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.