The U.S. Cybersecurity and Infrastructure Agency (CISA) is tasked with understanding and mitigating threats to the cyber and physical infrastructure of the United States. As part of this mission, the CISA assesses voting software to identify potential vulnerabilities and insulate election processes from cyberattacks, tampering, and other malevolent activities.
Last year, CISA issued an advisory that outlined several voting software security concerns and vulnerabilities. Campaign leaders, politicians, state regulators, and others involved in local, state, or federal election processes should familiarize themselves with CISA findings to better understand potential threats to election integrity.
In mid-2022, CISA issued an advisory detailing its concerns about the security of the voting software used by 16 different states. In total, computer scientists found nine unique vulnerabilities across these states’ voting software. They also included recommendations for preventing or detecting the exploitation of these vulnerabilities.
On the one hand, CISA Executive Director Brandon Wales stated that “states’ standard election security procedures” would prevent or detect exploitation of these vulnerabilities. On the other, though, CISA also encouraged states to take prompt action to reduce the vulnerability of its voting software. These recommendations seem to indicate that states might not be doing enough to preserve election integrity.
Some, including computer scientist J. Alex Halderman, have long warned of the intrinsic dangers of using digital technology to record votes. According to Halderman and like-minded computer scientists, computers are inherently vulnerable to digital attacks and require multiple layers of safeguards.
While there are several potential vulnerabilities to be mindful of, the most concerning include:
The Risks of Malicious Code
Voting machines in each district rely on a centralized election management system (EMS). Each machine within a district is connected to this system, which facilitates the sending and receiving of data. The EMS uses that connection to monitor the machines and, in theory, detect and prevent attacks. However, this connection additionally represents a major vulnerability that hackers can exploit in several ways.
First, if a bad actor gains physical access to the election management system, they could disseminate malicious software, which would spread to all machines within the district. Alternatively, a skilled group of hackers could potentially disseminate the malicious code remotely.
Poll workers frequently use secure USBs to transfer data during an election. However, if one of these USBs contains malicious code, poll workers would unknowingly spread that code back to the EMS, thereby corrupting thousands of ballots.
Those are just a few of the attack vectors that bad actors could use to exploit the connection between voting machines and the central election management systems they communicate with.
The Use of Cellular Modems
Many voting machines are equipped with cellular modems. As the name suggests, these modems connect voting machines to cell phone networks, allowing the transmission of unofficial election night results. This feature helps election officials provide the public with rapid results. However, connecting voting machines to a cellular network also exposes them to additional risks.
Bad actors could only exploit this connection to alter unofficial election results. While this wouldn’t corrupt the actual outcome of an election, it could fuel dissent and call the integrity of the process into question.
The good news is that cellular modems are only used in a handful of states. The bad news is that targeting one or two of these states in a tight election could have a major impact on public perception of the election’s integrity.
Voting Village and Its Role in Combating Election Fraud
CISA is chiefly responsible for protecting the United States government and its elections from cyberattacks. However, DEF CON, an annual hacker convention, is critical for combating election fraud. Every year, thousands of hackers, cybersecurity professionals, and even government officials gather in Las Vegas to glean insights into the current threat landscape.
Since 2017, DEF CON has allocated a section of the expo hall to Voting Village. Each year, event organizers gather a collection of voting machines and give some of the top hackers in the world a chance to crack the devices. Several devices can be found in Voting Village, including voter registration systems, voting machines, and ballot processors.
Some, including many voting machine manufacturers, consider Voting Village to be little more than an unorganized spectacle. However, others believe that this annual event is a great tool for examining the vulnerability of election machines that can put Americans at ease about the integrity of their elections.
The Burning Question: Can Voting Software Be Hacked?
Hypothetically, yes, voting software — like any other software — can be hacked. Fortunately, agencies like CISA, conventions like DEF CON, and some of the most knowledgeable computer scientists in the world work together to preserve the integrity of U.S. elections.
With that said, it is critical that each state’s election officials do their part to mitigate the risks of cyberattacks. States using potentially vulnerable equipment should go above and beyond to strengthen their security posture so that they can ensure fair, accurate, and trustworthy election processes.
Want More Insights About Election Integrity, Voter Beliefs, and Political Trends?
Ballot integrity is just one of the many issues on voters’ minds this election cycle. If you would like to better understand your target demographics, you should partner with Aristotle, a leader in political data.
To learn more about our dynamic assortment of campaign management and data analytics services, contact us or schedule a demo. We look forward to informing your decision-making and empowering your next initiative.