Election hacks target more than machines; ballot security at risk

Lax or nonexistent security on systems that accept ballots by email or fax, as well as the physical machines used to cast or count ballots, open the door to election hacking. Georgia this year replaced a voting machine system in use since 2002 that was deemed vulnerable to security breaches. Getty Images Plus
Battle for the Ballot, a special project of States Newsroom
This is the third in a series of stories looking at voters’ concerns and voting issues in the 2020 election. Tomorrow: Supreme Court ruling on Voting Rights Act opened way for new restrictions

There is no evidence, despite partisan claims to the contrary, that mail-in ballots are rife with voting fraud — but there are parts of the election system that security researchers say are at far greater risk for malicious activity.

National elections like the one in November, when Americans will decide whether Donald Trump or Joe Biden will lead the country for the next four years, are really thousands of smaller elections administered by state and county governments. And each of those governments has its own procedures for ensuring ballot and information security, and for purchasing, maintaining and testing the equipment that it uses to conduct its election.

For instance, even though more than 30 states allow overseas voters to cast their ballots by email, fax or through other electronic means, there are no standards for even basic security measures like encryption. Georgia voters who are in the military or overseas must postmark a mailed absentee ballot by Election Day and make sure the county registrar receives it within three days afterward.

Lax or nonexistent security on systems that accept ballots by email or fax, as well as the physical machines used to cast or count ballots, open the door to election hacking.

Georgia rolled out a new $104 million voting machine system for 2020 to replace technology considered vulnerable to hacking that was in use since 2002. With the new machines, voters use large touchscreen devices to make their selections. The ballots are then printed out for a voter to review, and a barcode is then scanned to tabulate them.

Hackers and security researchers at the annual DEFCON conference have in recent years made a point of looking at how secure — or insecure — the nation’s voting infrastructure is, known as the DEFCON Voting Village

This year, instead of the hands-on hacking of election machines that have grabbed headlines in years past, the Voting Village focused on in-depth discussions about the integrity and security of our election infrastructure. Among the topics of discussion were the vulnerabilities to election systems presented by fax machines, email voting and more.

Hack the vote

Earlier this month, a Russian newspaper reported that the personal information of 7.5 million Michiganders was posted on a Russian hacker site. It appeared to show the their voter identification number and polling places. The paper claimed the site had been hacked in an attempt to solicit money from the U.S. government.

But Michigan’s Department of State denied that this was a data breach of any sort, as the information being posted is already publicly available.

“Public voter information in Michigan and elsewhere is accessible to anyone through a FOIA [Freedom of Information Act] request. Our system has not been hacked,” SOS spokesperson Jake Rollow told Michigan Advance in an email. 

Voters in other key battleground states, including North Carolina and Florida, were also targeted in the dark web database, as were those in Arkansas, Connecticut and New York. 

While the public is largely inured to news about data breaches because of how frequently they happen, data security — also known as infosec — can be the first line of defense for an organization or a person trying to make sure their data or personal information remains secure. 

That focus on infosec was a big part of DEFCON talk this year by Forrest Senti, director of government and business affairs for the National Cybersecurity Center, and Caleb Gardner, a fellow with Secure the Vote. 

The talk focused on how certain fax machines that are used to accept ballots can present a vulnerability to election offices, with election officials frequently unaware of the security issues stemming from a fax number that is often posted online.

Without proper security, all a hacker would need is the phone number to take over an election official’s fax machine, allowing them to search other computers that are on the same network or install a malicious program to steal documents. 

“Even if you don’t get any ballots through a fax machine, it still represents a vulnerability,” Senti said.

Thirty-one states and the District of Columbia allow voters to return ballots by email and fax, according to the National Conference of State Legislatures

In the 2016 election, 455 ballots were cast by overseas voters in Cochise County, according to data by the United States Election Assistance Commission. That includes votes cast via the county’s un-encrypted email system, faxed or through an online portal run by the Arizona Secretary of State’s Office.

In 2018, some 29,000 ballots were cast across the country by voters overseas using some form of online portal, email or fax, according to the data. 

While Senti and others say this number is not “statistically significant,” the shortcomings pose an outsized risk.

The greater fear is that the ballots themselves could be compromised.

In the DEFCON Voting Village’s 2019 report, hackers and researchers found that voting machines had a number of vulnerabilities. Some had security features turned off when they were shipped, some had voter data easily accessible, some had no passwords set and one even had an unencrypted hard drive.

Several states across the country use those machines.

The ES&S Automark is used in many states to help voters with disabilities mark their ballots. The machines have been in use for years, and the Voting Village found some concerning vulnerabilities.

“Immediate root access to the device was available simply by hitting the Windows key on the keyboard,” the report states. A user who gains root access on the device can see — and potentially change — any files or other systems.

The ES&S Automark obtained by the Voting Village was using software from 2007 and appeared to have last been used in a 2018 special election. The PIN code to replace the firmware on the entire device was listed as “1111.”

But there are no national guidelines for how election officials conduct these sorts of audits or tests on electronic voting devices; instead, it is up to each jurisdiction to develop its own methods of checking the devices.

For example, in Colorado, election officials roll a series of 10-sided die on a webcast in order to generate a random number that determines which machine-tallied election results will be checked for discrepancies.

“These jurisdictions have a lot of autonomy in what they do,” Mattie Gullixson, program manager for Secure the Vote, said. 

Information warfare

Some of the jurisdictions may also not have the manpower needed to institute the changes required to ensure safe election procedures. 

It’s estimated that a nationwide vote by mail effort could cost up to $1.4 billion, compared to $272 million for in-person voting. Localities could get monies from the Help America Vote Act or the CARES Act to offset costs associated with voting this election cycle, but election hacking and its interplay with COVID-19 will present an acute financial impact, according to Gullixson and Senti.

And hacking isn’t limited to computer systems: Disinformation from foreign actors is commonly referred to as “social hacking” for its manipulation of social behavior.

“How do you (fight) against messages that say, because of COVID, this voting center has been shut down?” Gullixson said. “Those levels of mis- or disinformation could be one of the stronger negative drivers in people voting this year.”

Gullilxson’s background is in election administration and shortly after the 2016 election, she said that mis- or disinformation led many voters to call the elections office confused, asking questions that were fueled by disinformation circulating on social media.

The FBI and the Cybersecurity and Infrastructure Security Agency has already issued an alert urging Americans to be on the lookout for new websites or changes to existing websites made by foreign or malicious actors with the intention of spreading such misinformation.

“Information warfare has been around as long as warfare has been around,” Gullixson said. 

In fact, in 1985, the Russians started a disinformation campaign dubbed Operation INFEKTION that aimed to make the world believe the United States had created AIDS, a conspiracy theory that is still active today.

So far in 2020, Russian, Chinese and Iranian hackers have been caught by Microsoft in attempts to target both the campaigns of President Donald Trump and former Vice President Joe Biden.

China has also been caught by Facebook using fake accounts to speak on election matters. And just this month, Facebook and Twitter removed dozens of Russian accounts aimed at dissuading left-leaning voters from voting for Biden.

So how does one combat this type of warfare?

It starts with voters.

“There are growing efforts to try to tackle that but it starts with the voter realizing they could be manipulated in that way,” Gullixson said. 

The FBI has shared similar advice, saying that voters should make sure to get their election information from their state and county officials instead of Facebook pages, as they could very well be hacked or fake pages. 

Despite what may seem like a lot of doom and gloom, Gullixson and her colleagues are hopeful that the attention these issues have been getting will help shape policy around voting for the next 15 years for the better.

We just have to make sure we can get through it unscathed, she said. 

Georgia Recorder reporter Stanley Dunlap, Michigan Advance reporter Laina G. Stebbins, Maine Beacon reporter Evan Popp and Colorado Newsline reporter Chase Woodruff contributed to this report.

This story has been updated.