The hackers settled in, arranged their laptops on a small table and got right to work. The clock was ticking. They began by carefully combing through the online voting system’s code, rapping at their keyboards and exchanging a pitter-patter of techie jargon. They toggled between screens. One displayed the unblemished interface that prospective voters would see. The other was black, threaded with lines of code: a sketch of their half-drafted attack. The first few hours were full of dead ends: a rejected ballot; an unexpected security fix, made in real time by election officials to thwart their efforts. Had they been found out? Suddenly, one of the four hackers paused midscroll. He’d found a seemingly trivial mistake, the code equivalent of an unlocked window. “Let’s steal things! Yes, let’s steal,” one of them said, tugging at his mop of dark hair. “Let’s get their ballot public key – GPG export or Base64 out to a file.” University of Michigan computer science professor Alex Halderman and his team of graduate students demonstrated in 2010 that it’s possible for a few hackers to quickly manipulate online voting systems. This was not a war room in Russia, where hackers allegedly have worked to infiltrate email servers to disrupt this year’s election. It was the office of Alex Halderman, a computer science professor at the University of Michigan. The hackers were graduate students, proving a point about Washington, D.C.’s fledgling voting system: that internet voting is vulnerable, a hunk of cybersecurity Swiss cheese. It was Sept. 29, 2010, just a few weeks before the city’s system was to be launched.
Halderman, who has a mild demeanor and a slowpoke drawl, reminded his students of the weight of their task: “Remember how serious this is,” he said as they began to launch their attack. “This is the future of democracy these guys are jeopardizing.” Yet, when America turns out to vote on Election Day, more than 30 states will allow some form of internet voting, relying on technology eerily similar to what these students so deftly hacked. Despite years of urgent warnings from computer scientists and condemnation from the federal government, thousands of votes will stream in through insecure portals.
Perhaps most alarmingly, of the 11 swing states in play in this year’s presidential election, five – Colorado, Florida, Iowa, Nevada and North Carolina – allow military and overseas residents to cast ballots online. These electoral battlegrounds expect to receive thousands of ballots that cybersecurity experts warn are insecure and susceptible to tampering. And together, they amount to 65 electoral votes.
Those experts fear it could throw the results of the presidential election into doubt.