As U.S. elections increasingly are digitized, the same threats faced by other users of cyberspace loom as potential vulnerabilities to voting and ballot tallies. Candidates and interest groups have expressed concern about the validity of the upcoming election based on real and perceived cyber threats. Voting systems connected to the Internet as well as those that are isolated are susceptible to intrusions that could shake up an election. The threat to an election can take two forms. One is an attack that actually changes the outcome by altering the vote count to favor one candidate over another. The other threat is tampering that may not clearly change the outcome but sows doubt among the electorate and reduces public trust about the validity of an election and the sanctity of the democratic system. The Office of the Director of National Intelligence (ODNI) and the Department of Homeland Security (DHS) issued a joint statement on October 7 expressing confidence that the Russian government “directed the recent compromises of emails from U.S. persons and institutions, including from U.S. political organizations. … These thefts and disclosures are intended to interfere with the U.S. election process.”
The statement goes on to say that while some U.S. states have seen evidence of hackers scanning and probing their election systems, “it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or elections results by cyber attack or intrusion” because of the decentralized nature of the U.S. election system as well as inherent local protection measures. However, the statement also warns state and local election officials to be vigilant and seek cybersecurity assistance from the DHS. Private sector cybersecurity experts view a broad range of threats that conceivably could throw a national election into chaos, even if enacted only on a state level.
Elections start with voter lists, and those lists are vulnerable to hacking and alteration to a limited degree, say professionals who have worked on election cybersecurity. The threat can range from merely downloading voter names and addresses to altering registrations or even adding to or deleting voters from the rolls.
And significant damage to the electoral process could be inflicted even with a limited effort. If only a small number of voters—perhaps 5 percent—had their eligibility changed or were stricken from a voting list, the entire process would be called into question and the results could be held in abeyance pending an investigation. At the very least, the public would lose confidence in the workings of their democratic system, these experts agree.
These threats span the range of elections. Even presidential elections largely are administered at the state and local level, and the FBI has reported that two state voting databases—Illinois and Arizona—were the targets of attempted hacks this year. Information for roughly 200,000 Illinois voters was exfiltrated successfully. And in late September, FBI Director James Comey testified to Congress that hackers are “poking around” state voter registration lists.