Any attempts to sabotage an election through cyber attacks ultimately would be geared to affecting the vote count, either to change the outcome of the race or to sow doubt on the validity of the election itself. Just as banks strive to secure their depositors’ assets, governments also work to ensure the fidelity of their election returns. But, as bank accounts are vulnerable to cyber attacks, so are vote totals—to varying degrees. While most tabulation databases are safe from everyday hacker threats, nation-states with highly advanced cyber operations theoretically might be able to mount an effective cyber attack on a U.S. national election by bringing their best offensive cyber capabilities to bear. State governments, which are responsible for the voting process, pay close attention to tabulation security. Ron Bandes is a network security analyst in the CERT division of the Software Engineering Institute of Carnegie Mellon University. He also is president of VoteAllegheny, a nonpartisan election integrity organization. Bandes points out that in many states, two tallies occur. One is done at the local level, usually by the county. The other is a statewide count comprising all the county totals. These counts are cross-validated. “The outputs from the voting machines have to match the inputs to the tally system,” Bandes points out.
The preferred method for tabulation saboteurs would be a network link with the election results database. Chuck Brooks, vice president of government relations and marketing for Sutherland Government Solutions, allows that if the vote database is connected to a network, that data is more accessible to hackers. Much of this threat can be prevented by basic cyber hygiene, however.
… Bandes shares Brooks’s concerns about Internet voting. “As a pretty-well informed citizen, I’m very opposed to Internet voting,” Bandes says. “Although it has some obvious advantages for military and overseas citizens, even there I oppose it.” He continues that most experts believe it is acceptable to apply for an absentee ballot online, but voters should not cast a ballot electronically.
Yet the absence of an Internet connection to a vote tabulation database does not immunize it from hacking. A cyber system penetration expert who spoke on background warns that even if a tally database is not online, the human factor can inadvertently open it up to malicious activity. A key network manager might accidentally infect the database with malware that would wreak havoc on election night. The United States conceivably could face a Stuxnet-type attack on some of its key election databases in the upcoming presidential election, he warns. Whether the totals change or are thrown into doubt, the result still is the sabotage of a U.S. presidential election.