J. Alex Halderman is a computer scientist who has shown just how easy it is to hack an election. His research group at the University of Michigan examines how attackers can target weaknesses in voting machinery, infrastructure, polling places and registration rolls, among other features. These days he spends much of his time educating lawmakers, cybersecurity experts and the public on how to better secure their elections. In the U.S., there are still serious vulnerabilities heading into the 2020 presidential contest.
Given the cracks in the system, existing technological capabilities and the motivations of adversaries, Halderman has speculated here on potential cybersecurity disasters that could throw the 2020 election—and democracy itself—into question. Halderman, however, is adamant about one thing: “The only way you can reach certainty that your vote won’t be counted is by not casting it. I do not want to scare people off from the polls.” What follows is based on two conversations that took place in October 2018 and June 2019; it has been edited and condensed.
The 2016 U.S. presidential election really did change everything. It caught much of the intelligence and cybersecurity communities off guard and taught us that our threat models for cyberwarfare were wrong. Thanks to the Mueller report, we now know that the Russians made a serious and coordinated effort to undermine the legitimacy of the 2016 election outcome. Their efforts were, I think, far more organized and multipronged than anyone initially realized. And to my knowledge, no state has since done any kind of rigorous forensics on their voting machines to see if they had been compromised. I am quite confident that the Russians will be back in 2020.
I think the intelligence community will continue to try to gain visibility into what malicious actors are planning and what they’re doing. It’s incredible, really, how much detail has come out of the indictments about specific actions by specific people in the Russian military and leadership. But it’s hard to know what we’re not seeing. And do we have a parallel level of visibility into North Korea or Iran or China? There are potentially a lot of sophisticated nation-state actors that would want to do us harm in 2020 and beyond.
Since the 2016 elections many states have made improvements to their election machinery, but it’s not enough, nor is it happening quickly enough. There are still 40 states that are using voting machines that are at least a decade old, and many of these machines are not receiving software patches for vulnerabilities. Nearly 25 percent of states do not have complete paper trails, so they cannot do postelection auditing of physical ballots. Election security is not a partisan issue. Yet there are roadblocks, especially coming from Republican leadership in the Senate, that make it unlikely that an election security bill is going to advance. I think that is a terrible abdication of Congress’s duty to provide for the common defense. Thus, many of the worst-case scenarios for election interference are still going to be possible in 2020.
Leading Up to Election Day
Cyberwarfare often involves exploiting known vulnerabilities in systems and the basic limits of people’s psychology and gullibility. During the primaries and in the months leading up to the election, influence operations on social media are going to get much more precise and data-driven than ever before—and therefore more effective and harder to detect.
Already presidential candidates are finely crafting political advertisements to specific demographics of voters to maximally influence them. So, you might receive one message from a candidate based on what’s known about you in consumer databases. And people with slightly different views on certain issues might receive a different message from the same candidate. Of course, the bad guys who are trying to spread outright fictions will begin to harness the same strategy.
As we saw in 2016, one of the goals of attackers is to increase the amount of divisiveness in society—to reduce social cohesion. Suppose the Russians purchase access to the same consumer-profile data that advertisers in political campaigns use to target you. They can combine that with data from political polls and purchased (or stolen) voter-registration lists to figure out exactly how much your individual vote matters and use those tools to push customized disinformation at narrow groups of people. Attackers may even impersonate political candidates. In a crowded Democratic primary season, there will be sweeping opportunity to deploy microtargeted messaging to turn people against one another, even when they agree about most things.
We all assume that more transparency is a good thing. But people have always taken facts out of context when it is helpful to them and harmful to their opponents. Candidates increasingly live with the threat of targeted theft of true information. When information is selectively stolen from particular groups that an attacker wants to disadvantage, the truth can be used as a powerful and one-sided political weapon—and as we saw with the 2016 Hillary Clinton campaign, it was incredibly effective. It is such a fundamental threat to our notions of how the truth in journalism should play out in a democratic process that I’m sure it’s going to happen again. And it can get a lot worse than the theft of e-mails. Imagine someone hacking into candidates’ smartphones and secretly recording them during private moments or while talking to their aides. My research group is polling political campaigns to assess how well they are protecting themselves from this, and so far I don’t think they are ready.
We’re also going to see information that is doctored or entirely synthetic and made to appear real. In some ways, this creates a worse threat. Attackers don’t have to actually catch the candidate saying something or e-mailing something if they can produce a record that is indistinguishable from the truth. We’ve seen recent advances in using machine learning to synthesize video of people saying things that they never actually said on camera. Overall, these tactics help to undermine our basic notions of what’s true and what’s not. It makes it easier for candidates to deny real things that they said by suggesting that the content of e-mails and recordings were forged and that people shouldn’t be believing their own eyes and ears. It’s a net loss for our ability to form political consensus based on reality.
Meanwhile each state runs its own independent voter-registration system. Since 2016 many states have taken great strides to protect those systems by installing better network-intrusion detection systems or by upgrading antiquated hardware and software. But many have not.
During the last election, Russians probed or attempted to get into voter-registration systems in at least 18 states. Some sources quote higher numbers. And according to the Senate Select Committee on Intelligence’s findings, in some of those states the Russians were in a position to alter or destroy the registration data. If they follow through this time, across entire states people will go to the polls and be told that they aren’t on the lists. Maybe they will be given provisional ballots. But if this happens to a large fraction of voters, then there will be such terrible delays that many will give up and go home. A sophisticated attacker could even cause the registration system to lie to voters who confirm their own registration status through online portals while corrupting information in the rolls that are used in polling places.
Attacks on preelection functions could be engineered to have a racial or partisan effect. Because of antidiscrimination laws, some voter-registration records include not only political affiliation but also race. With access to that database, someone could easily manipulate only the records belonging to people of a certain political party, racial group or geographical location.
In some states, online voter-registration systems also allow the voter to request an absentee ballot or to change the address to which the ballot is directed. An attacker could request vote-by-mail ballots for a large number of citizens and direct them to people working with the attacker who would fill them in and cast fake votes.
On Election Day
Election interference can be successful in many ways—it depends on an attacker’s goals and level of access. In a close election, if a coordinated group, say in Russia, thinks one candidate is much better than the other for their country, why not try to influence the outcome by undetectably manipulating votes? An attacker could infiltrate what are called election-management systems. There is a programming process by which the design of the ballot—the races and candidates and the rules for counting the votes—gets produced and then gets copied to every individual voting machine. Election officials usually copy it on memory cards or USB sticks for the election machines. That provides a route by which malicious code could spread from the centralized programming system to many voting machines in the field. Then the attack code runs on the individual voting machines, and it’s just another piece of software. It has access to all the same data that the voting machine does, including all the electronic records of people’s votes.
For 2020 I think ground zero for this kind of vote manipulation via cyberattack is an office building in the Midwest. Much of the country outsources its ballot design to just a few election vendors—the largest of which is a voting-machine manufacturer that, when I visited, told me it does the preelection programming for about 2,000 jurisdictions across 34 states. All of that’s done from its headquarters, in a room I’ve been in that I’d describe as being part of a typical work building shared with other companies. If attackers can hack into that central facility and remotely infiltrate the company’s computers, they can spread malicious code to voting machines and change election results across much of the country. The tactic might be as subtle as manipulating vote totals in close jurisdictions. It could easily go undetected.
The scientific consensus is that the best way to secure the vote is to use paper ballots and rigorously audit them, by having people inspect a random sample. Unfortunately, 12 states still don’t have paper across the board. And some states, instead of adopting paper, are now having officials do auditing by looking at a scan of the original ballot on a computer screen. We have new research coming out that shows how you can use a computer algorithm to essentially do “deepfake” ballot scans. We used computer-vision techniques to automatically move the check marks around so that the scan of your ballot filled out in your distinctive handwriting reflects votes different from the ones you recorded on the piece of paper.
It might actually be scarier if attackers don’t think one candidate is much better for their purposes than the other. Maybe their motivation is more general: to weaken American democracy. They could introduce malicious code that would make the election equipment essentially destroy itself when it is turned on in November 2020, which will cause massive chaos. Or they could have the equipment appear to work, but at the end of the day officials discover that no votes have been recorded. In the jurisdictions without paper backup, there is no other record of the vote. You would have to run a completely new election. The point of this kind of visible attack is that it undermines faith in the system and shakes people’s confidence in the integrity of democracy.
Election Night and Beyond
You need to get people to agree more or less about the truth and the conclusion of the election. But by the time November rolls around, we’re all going to be primed to worry about the legitimacy of our process. So much is going to depend on how close the race seems on election night.
The way that results get transferred from your local precinct to the display on CNN or on the New York Times Web site is through a very centralized computer system operated by the Associated Press and others. What if an attacker were to hack those computer systems and cause the wrong call to be made on election night? We’d eventually find out about it because states go back and do their own totalization, but it might take days or even a couple of weeks until we discover a widespread error. People who want to believe the election was rigged would see this as confirmation it was rigged indeed.
Only 22 states have a requirement to complete any kind of postelection audit of their paper trail prior to legally certifying the results. And in 20 out of those 22 states, the requirement doesn’t always result in a statistically significant level of auditing, because they do not look at a large enough ballot sample to have high confidence in the result, especially when results are close. It’s just based on the math and has nothing to do with politics. Only Rhode Island and Colorado require a statistically rigorous process called a risk-limiting audit, although other states are moving in that direction.
If, because of computer hacking, we don’t arrive at election results in many states, we enter unknown territory. The closest precedent would be something like the 2000 Bush versus Gore election where the outcome was ultimately decided in the Supreme Court and wasn’t known for a month after election day. It would be terrifying, and it might involve running the election again in states that were affected. You really can’t replay an election and expect to get the same results, because it’s always going to be a different political environment.
Or let’s say a candidate challenges a close election result. Under current rules and procedures, that is often the only way that people will ever go back and examine the physical evidence to check whether there was an attack. Right now we don’t have the right forensic tools to be able to go back and see what happened where and who might have done what. It’s not even clear who would have the jurisdiction to do those kinds of tests, because election officials and law enforcement don’t often go hand in hand. You don’t want to turn it over to the police to decide who won.
In a real nightmare scenario, attackers could gain enough access to the voting system to tip the election result and cause one candidate to win by fraud. Then they could keep that a secret—but engineer it in such a way that at any time in the future, they could prove they had stolen the election.
Imagine a swing state like Pennsylvania, which raced to replace its vulnerable paperless voting machines by the end of 2019. Despite this, the state still doesn’t require risk-limiting audits, which means outcome-changing fraud could go undetected. What if the whole election comes down to Pennsylvania, and an attacker was able to hack into its machines and change the reported results? They could set the manipulation so that if you sorted the names of the polling places alphabetically, the least significant digits of the votes for the winning candidate formed the digits of pi—or something like that. It would be a pattern that wouldn’t be noticeable but that could later be pointed to in a way that undeniably shows the results were fake.
Say this information comes out after the new administration has been in power for a certain amount of time, and no one can deny that the president is not the legitimate winner. Now we have an unprecedented constitutional crisis. Finally, imagine if the nation-state that carries out this attack doesn’t release its information publicly but instead uses it to blackmail the person who becomes president. This is pushing slightly into the realm of science fiction, though not by much.
The reality is that most cyberwarfare is more mundane. It’s almost certain we’re going to see attempts to sow doubt that are connected to the vulnerabilities in the election system just because it is so easy. You don’t have to hack into a single piece of election equipment—all you have to do is suggest that someone might have.
It’s hard to have an open conversation about the vulnerabilities in the system without risking contributing to attackers’ goal of making people feel less confident in the results. But the fundamental problem is that the American election system is based on convincing the public to trust the integrity of the imperfect machinery and the imperfect people who operate it. Ultimately our best defense is to make elections be based on evidence instead of on faith—and it is entirely doable. There are so many problems in cybersecurity and critical infrastructure where you could offer me billions of dollars and decades to do research, and I’d say, Maybe we can make this a little bit better. But election-security challenges can be solved without any major scientific breakthroughs and for only a few hundred million dollars. It’s just a matter of political will.
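Added example, not part of the interview and not code from Halderman's group: the remark above that fixed-size audits fall short when results are close, worked through for a ballot-polling risk-limiting audit. It uses the published BRAVO sequential test as one form of risk-limiting audit (the article names no specific method), assumes a two-candidate contest, and all function names and sample ballots are constructed for illustration.

```python
import math
import random

def expected_sample_size(winner_share, risk_limit=0.05):
    """Wald's approximation of how many ballots the audit reads
    when the reported winner's share is in fact correct."""
    drift = (winner_share * math.log(2 * winner_share)
             + (1 - winner_share) * math.log(2 * (1 - winner_share)))
    return math.ceil(math.log(1 / risk_limit) / drift)

def bravo_audit(sample, reported_winner_share, risk_limit=0.05):
    """Sequential test over hand-read paper ballots drawn at random.

    sample: iterable of 'W' (reported winner) or 'L' (reported loser).
    Returns the number of ballots read when the outcome is confirmed,
    or None if the sample runs out (escalate toward a full hand count).
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner needs more than half the two-way vote")
    # Likelihood ratio: "reported share is true" against "contest was a tie".
    ratio = 1.0
    for n, ballot in enumerate(sample, start=1):
        if ballot == "W":
            ratio *= reported_winner_share / 0.5
        elif ballot == "L":
            ratio *= (1 - reported_winner_share) / 0.5
        else:
            continue  # blank or invalid ballots carry no evidence either way
        if ratio >= 1 / risk_limit:
            return n
    return None

if __name__ == "__main__":
    # The closer the reported result, the more paper has to be inspected.
    for share in (0.60, 0.55, 0.51, 0.505):
        print(f"reported share {share:.3f}: ~{expected_sample_size(share)} ballots")

    rng = random.Random(2020)  # constructed ballots, not real election data
    honest = ["W" if rng.random() < 0.55 else "L" for _ in range(5000)]
    altered = ["W" if rng.random() < 0.48 else "L" for _ in range(5000)]
    print("paper matches reported 55%:", bravo_audit(honest, 0.55))
    print("paper shows 48% but 52% was reported:", bravo_audit(altered, 0.52))
```

The chance that the test confirms an outcome the paper does not support is bounded by the risk limit, which a fixed-percentage audit cannot promise in a close race.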