America's presidential election is not only a constitutional right, it's a symbol of the country's freedom. But in the wake of data breaches that have pimpled the last few years--in both corporate America and political campaigns--government intelligence and cybersecurity experts are warning that November's presidential election is next on the list for a large-scale hack.
In late August, Yahoo broke news that foreign hackers had breached the state Board of Elections websites in Illinois and Arizona, which the FBI's cyber division followed up with an alert to election officials across the nation to increase voting system security.
Earlier this year, hackers breached the Democratic National Committee's network, leaking emails that led to the resignation of DNC Chairwoman Debbie Wasserman Schultz the night before Hillary Clinton accepted the presidential nomination. And last month, hackers released emails belonging to Colin Powell, the Republican former secretary of state under George W. Bush.
Hackers could pose a threat come November elections, said Mark Graff, founder of cybersecurity company Tellagraff and the former chief information security officer for Nasdaq, during his keynote speech at the New York Institute of Technology's Annual Cybersecurity Conference last week.
"Russian intelligence has operated disinformation campaigns to undermine the fate of the electorate in former Soviet states like the Ukraine and Estonia," he said.
When it comes to the mechanics of voting in the U.S., there are some major flaws. According to a 2015 study by the Brennan Center for Justice, 43 states will use electronic voting machines in November's election that are at least 10 years old. Another 14 states will use voting machines that have been in use for 15 years or longer. Almost every state will use some machines that are no longer in production, and replacement parts for them are difficult to find. Like any other old piece of firmware or software, these old machines are more vulnerable to hackers.
The report also gave details about a two-year-old warning from the Presidential Commission on Election Administration, a bipartisan organization, that described the state of America's aging voting system as an "impending crisis."
The cyber-nightmare on election night that Graff says is possible probably won't involve a massive attack that prevents each voter from voting. He doesn't believe that is feasible; hackers will have to target specific systems in specific states, he says.
As 31 states allow military and overseas voters to return ballots via email, hackers could intercept these emails and change the votes cast or bring down the email server to which the absentee ballots are sent. Meanwhile, five states have internet portal voting, which is susceptible to DDoS (distributed denial of service) attacks that could prevent voting in those states.
Louisiana, Georgia, and South Carolina all have electronic voting systems that do not provide a paper record for each vote. This creates a problem: "Paper records are very important when it comes to electronic or online voting," said Graff. A recent Politico report found that out of eight European countries that tested digital voting, six are now using paper ballots again.
Another problem is the physical security of voting machines; most are stored in unguarded warehouses, Graff says. He argues that hackers could potentially break into the sites where Direct Recording Electronic machines are kept and alter the firmware. Vote aggregators (the machines that collect votes from all over a state) are unencrypted and Wi-Fi-enabled, which means hackers can intercept the votes and delete or manipulate the results.
Alex Halderman, a computer science professor who has studied voting machine security, told Politico that he believes there will be consequences if the U.S. voting system isn't fixed. "We are in a collision course between the technology we use in election administration and the growing reality of politically motivated, state-level cyberattacks," he says.
But Graff's biggest nightmare has already happened on a small scale. Hackers could target news and media outlets to prevent the results from being reported and instill mistrust and confusion. Media outlets like The New York Times, The Financial Times, Bloomberg, and The Washington Post have already been hacked or disrupted.
As the U.S. Constitution authorizes states to manage the time, place, and manner for voting, there is no nationwide security standard that all state Board of Elections need to meet. Voting is totally decentralized, but the Department of Homeland Security is offering to help any state that wants assistance in protecting its systems from hackers.
Decentralized voting systems, however, could change. Earlier this week, Georgia Representative Hank Johnson introduced two bills that he believes will help improve voting security a few years down the road: the Election Infrastructure and Security Promotion Act, which, if passed, would classify voting systems as critical infrastructure to be protected by the Department of Homeland Security; and the Election Integrity Act, which will map out a planned response for voting system failures and control the types of voting machines states are allowed to buy.
Fortunately, we've yet to see an election outcome compromised by hackers. Since the U.S. election system operates through a patchwork of different systems in each state, Graff believes it would difficult to pull off a large-scale breach.
"Oddly, our wildly disorganized, motley federated voting system protects us somewhat against direct cyber-interference affecting the November 2016 outcome," he said. "But there is a true threat to our democracy if we allow confidence in our voting systems to be diminished."