*Hacking voting machines isn’t necessarily what you should be worried about. It’s fake headlines like this one that could upend Election Day.
As the 2016 U.S. presidential election draws mercifully to a close, hacking and computer security has injected itself into nearly every aspect of the campaign. And amid allegations of widespread, politically motivated Russian hacking, American officials and voters are carefully watching Tuesday’s balloting for any wrenches hackers might try to throw into the electoral machine.
False claims of election hacking and voter fraud and suppression could cause widespread chaos and cast into question the validity of the election outcome. And such a misinformation campaign, experts say, is far easier to pull off than hacking election machines on a mass scale and picking a winner.
Even so, critical vulnerabilities abound in the election system — from paperless voting machines to voter registration databases to the internet itself.
In a suspicious political climate, and amid claims by Republican nominee Donald Trump that the election is rigged against him, what’s at risk Tuesday is as much the perception of the election’s outcome as the actual votes tabulated.
“What happens if Twitter, Facebook, and everything goes down? What happens if media picks up incorrect reports of who has won?” said Arizona Secretary of State Michele Reagan. “That’s just as scary as machines not tabulating correctly. The result is the same: The public becomes very uneasy very quickly.”
They’re not idle concerns. Hackers have targeted voter databases in Illinois and Arizona, and state officials have beseeched the federal government for help to secure voting systems. As of Thursday, 48 states have sought help from the Department of Homeland Security, which is offering a handful of services to protect election-related computer systems.
Looming over that scramble is Moscow. The U.S. intelligence community concluded last month that the Russian government had “directed” a cyber attack on Democratic Party, resulting in the theft of a large number of emails.
Publishing of hacked emails by WikiLeaks, DCLeaks.com, and Guccifer 2.0 “are consistent with the methods and motivations of Russian-directed efforts,” according to an Oct. 7 statement by DHS and the Office of the Director of National Intelligence. Moscow also uses media outfits to spread disinformation, especially in Europe, contributing to political upheaval and polarization, security experts say.
On Friday, the online persona Guccifer 2.0, who cybersecurity researchers say is a Russian front, accused the Democrats of rigging the election — an example of the kind of misinformation operation that could be conducted as voters head to the polls. “I also call on other hackers to join me, monitor the elections from inside and inform the U.S. society about the facts of electoral fraud.”
Plenty of hacks or other cyber disruptions are possible on Nov. 8, but a concerted attack to directly tilt the results of the election is unlikely.
Because states and counties run their own elections and use different equipment to do so, federal officials said it would be extremely difficult for hackers to swing the election. FBI Director James Comey has called the American voting system “clunky and dispersed” and, as such, is largely protected against widespread attacks.
But individual states — including some swing states where the vote can determine an election, such as Florida in 2000 — could be at risk. Some precincts in Pennsylvania, for example, use paperless voting machines, and could place that key state in this year’s election in the crosshairs. In Georgia, where Democratic nominee Hillary Clinton has a small but disappearing chance of an upset win, touch screens record votes but don’t leave a paper receipt. That makes them much tougher to audit, election experts say.
A paper trail allows election authorities to check results in the event of malfeasance or malfunction, said Pamela Smith, president of Verified Voting, a nongovernmental organization that has exhaustively catalogued voting equipment around the country. She has called for “auditable systems being robustly audited” — a mantra as clunky as the nation’s voting system itself.
Candice Brose, a spokesperson for the Georgia Department of State, said officials there do have limited auditing ability — namely, a receipt showing the total number of votes cast on an individual machine. Brose said the state has invested in testing and maintenance of voting machines, and has hired a private contractor to protect its networks. Brose would not identify the contractor.
The potential of attacks wiping large numbers of voters from the registration rolls is perhaps an even greater concern. Hackers have already targeted voter registration databases in Illinois and Arizona; Reagan, the Arizona secretary of state, said her computer systems blocked 11,000 attacks in September alone.
Smith said voters who show up at polling places and don’t find their names on the registration rolls would likely be allowed to cast provisional ballots. But that would spur even more delay — and doubt — for the election’s results, on top of potential long lines and late poll closings.
The vote’s “actual legitimacy is affected by the perception of legitimacy,” said Ben Buchanan, a fellow at Harvard’s Belfer Center who has studied risks to the voting system.
And then there’s the fear of hacking, or other cyber-meddling, of the systems that count the votes — not to mention of media and social media outfits that broadcast the results. False or misleading information planted by hackers or other bad actors could create chaos by broadcasting false results or alleging malfeasance where there is none.
Moscow’s hacker corps has a history of executing such attacks. In 2014, Kremlin-linked hackers broke into a system displaying vote totals for Ukraine’s presidential election to claim that a far-right candidate was leading. Russian state media quickly latched onto the results as evidence that Ukraine’s post-revolutionary government had been co-opted by fascist forces.
U.S. media organizations largely rely on Associated Press vote counts to assemble and verify the huge number of election results. Sean Sullivan, a researcher at cybersecurity company F-Secure, examined some of the AP’s digital infrastructure and found what he calls troubling security practices. He said the AP, which calls races based on its centralized count of state results, could well be attacked.
“Hacking an election is hard,” Sullivan said. “Why not pwn the messenger instead?” he said, using hacker shorthand for dominating one’s opponent.
AP spokeswoman Lauren Easton declined comment on the news organization’s security measures. She said AP is working “diligently” to ensure the vote will be “gathered, vetted, and delivered” on Election Day.
In a tight, heated race, with plenty of voters sensitive to any allegation of wrongdoing, media outlets are prime targets for attack. Outlets such as the Guardian, the Los Angeles Times, and Forbes have all been compromised by hackers in the past, and could be hit again and used to spread false information on Election Day.
That could spark a cascade of false or incendiary information — particularly fretful when armed militia groups in several states like Georgia are girding for battle in the event of a Trump loss.
In the event of a disinformation campaign, a place like Georgia would have limited ways to respond. “This is a tough thing to address,” acknowledges Brose, the spokesperson for Georgia’s election authority. “It’s hard to completely knock down somebody’s tweet.”
Confronted with a Twitter post or Facebook posting claiming fraud, election authorities would have to move quickly to gather necessary evidence and rebut the claim. But as media fact-checkers and state authorities have discovered this year, it is far easier to spread falsehoods than to push a rebuttal to the forefront the public’s consciousness.
And even that task could be made harder if hackers decide to take down parts of the internet, as they did in a massive October denial of service attack that blocked access on the East Coast to many major websites and online applications. This week, hackers have probed Liberia’s internet infrastructure with a similar DDoS attack, knocking out down the internet in the small West African nation. Some analysts believe the operation is a test run for a bigger attack.
A similar Election Day strike against the U.S. internet’s infrastructure could have unforeseen consequences and, unnervingly, officials don’t really know how they would respond.
Georgia election authorities, for example, rely partly on social media to communicate with the public. If Facebook and Twitter go down under a DDoS attack, the state government would be hamstrung in responding to a misinformation campaign that it is already ill-equipped to handle.
Reflecting on the challenge of dealing with misinformation, Reagan, the Arizona official, offered what might be a coda for the entire 2016 election: “I don’t have the answer for how you stop people from believing false stories on the internet.”
Getty Images/Foreign Policy illustration