ELECTION 2016

How to hack an election

Six things to watch for on Election Day

6 ways to hack the U.S. election

The U.S. government is mounting an unprecedented effort to defend the integrity of the 2016 presidential election Tuesday as hackers threaten to undermine the process at an unprecedented level.

“It’s all hands on deck,” a senior Obama administration official told NBC on Monday, revealing that for the first time hundreds of military and intelligence cyberexperts who work out of top-secret facilities will be monitoring the U.S. election.

Fear of cybersecurity threats has plagued the 2016 presidential election since June when the Democratic National Committee site was hacked, with the U.S. government later determining the culprits were associated with Russian intelligence. Since then, a steady trickle of leaked emails, large-scale attacks, and escalating (if vague) threats of cyberwarfare between the U.S. and Russia have cast a shadow over November 8, and beyond. WikiLeaks dumped more than 8,000 new emails hacked from the DNC Sunday night, less than 48 hours before Election Day.

Now that the day is here, the most pressing question is whether hackers will try to sway the outcome of the election. Here are six ways hackers could influence or disrupt the process:

Hacking voting machines

Voting machines can be hacked. Security company Cylance demonstrated how it’s possible.

But a large-scale hack on these machines is unlikely, for one simple reason: Voting machines, by and large, are not connected to the internet, so any widespread attempt to hack enough individual machines to impact the overall vote would require a massive, coordinated on-the-ground effort.

“No electronic voting machine is bulletproof when it comes to cybersecurity,” Tod Beardsley, a senior security research manager at Rapid7, wrote. “But if an adversary needs to physically visit voting machines in order to fiddle with results, then he or she would need a whole lot of bodies in a whole lot of polling places in order to make an impact.”

As FBI Director James Comey pointed out, the system is too messy to be hacked. “The beauty of the American voting system is that it is dispersed among the 50 states, and it is clunky as heck,” Comey said.

Corrupting voter registration lists

Last year, 22 million records were stolen from the Office of Personnel Management. This incident revealed the vulnerabilities of large, online repositories of data, which are hard to defend from determined attackers (in this case, reportedly Chinese government–backed hackers) because they rely on legacy systems, whose updates have failed to keep pace with today’s cyberthreats.

Voter registration databases are also stored online. As the New York Times points out, voter databases are not treated as “critical infrastructure” by the federal government, meaning they do not receive the highest level of protection. If hackers gained access to such databases, they could remove or manipulate huge swathes of registered voters, causing confusion at polling stations and undermining the legitimacy of the election.

The FBI has already warned Arizona and Illinois that someone was “probing” their systems, and just last month a security researcher revealed the system’s vulnerability when he manipulated Indiana’s voter registration system using only a random person’s driver’s license number and the state’s public-facing registration website.

Hacking the Associated Press

Remember when the Syrian Electronic Army hacked AP’s Twitter account and claimed the White House was under attack and briefly wiped $140 billion off the S&P 500? Well, now imagine something similar happening on Tuesday.

The Associated Press is the media outlet which all others rely on when calling the election results. Covering over 3,000 county election centerst, AP has an unrivalled insight into election results and plays a critical role in the way election results are reported.

But, aside from getting its social media accounts hacked, how else could AP be vulnerable to an attack?

F-Secure’s Sean Sullivan found that AP’s Vote Count website, where clerks enter the numbers reported by stringers, was publicly available and not behind any sort of DDoS mitigation service. With access, hackers could enter false results that could temporarily spread misinformation throughout the country. Even if hackers couldn’t get into the system, they could at the very least hit it with a DDoS attack to prevent any of the clerks from accessing it.

“AP’s system could be a critical point of failure on election night,” Sullivan said. “A threat actor couldn’t actually change the vote, but the results could definitely be undermined.”

DDoS everything

Just weeks ago a crippling attack against DNS service provider Dyn prevented millions of users from enjoying some of the internet’s most popular destinations. It is clear that the sort of distributed denial of service (DDoS) attack, which overwhelmed Dyn, could have a serious impact on election day processions. Not only could it prevent voters from accessing social media and news sites to keep track of election results, it could prevent media outlets from keeping those same voters up to date with the latest information.

As Dan Breslaw and Igal Zeifman, experts from cyber security company Imperva, pointed out, there are a range of different online services that could become targets for such an attack. These include carpooling websites where people coordinate how to get to voting stations and mapping services which give information about the location of voting stations.

Attacks on such websites could prove to be enough of an obstacle to prevent voters from casting their vote. “For apathetic voters, this might be the excuse they need to simply stay home,” Breslaw and Zeifman said.

Five states — Alabama, Alaska, Arizona, Missouri and North Dakota — allow some form of online voting, which could become targets for hackers on their own.

Hack the grid

Though national infrastructure systems are often cited as prime targets in cyberwarfare, an attack on election day is unlikely. But if a group of hackers really wanted to mess with the U.S. democratic process on Tuesday, and they had the resources to do it (read: a state-sponsored group), then the obvious target would be the U.S.’s critical national infrastructure. Knock an electricity grid offline for long enough and you have to worry about more than voting machines. Think streets without traffic lights, or the the internet going dark.  

U.S. officials speaking to NBC said they “do not expect Russia to attack critical infrastructure” during the election, as it would be seen as an act of war.

That said, Obama’s homeland security adviser, Lisa Monaco said the administration was still concerned about “the efforts of malicious actors to intrude upon voter registration databases and other elements of our critical infrastructure, as well as our voting infrastructure.”

Hacking attacks of this scale are no easy task, yet it’s not impossible either. We saw what a hack of this scale could look like last December when a group linked to the Russian government knocked Ukraine’s electricity grid offline, leaving 230,000 Ukrainians without power.

Spread voter misinformation

Social media become one of the most powerful tools for the campaigns to spread information, and for those causing mischief to spread misinformation.

Alt-right trolls on the infamous 4Chan message board have been at the center of this campaign, telling Clinton supporters that they can vote by text, Twitter has already shut down one account posting such information.

Other tactics include suggesting voters demand paper ballots — something which makes the process of voting much more onerous — and fake ads with include the hashtag #Draftourdaughters, suggesting Clinton will call for a military draft if elected.

 

M-F 7:30PM HBO