How might a foreign government hack America’s voting machines? Here’s one possible scenario. First, the attackers would probe election offices well in advance in order to find ways to break into their computers. Closer to the election, when it was clear from polling data which states would have close electoral margins, the attackers might spread malware into voting machines in some of these states, rigging the machines to shift a few percent of the vote to favor their desired candidate. This malware would likely be designed to remain inactive during pre-election tests, do its dirty business during the election, then erase itself when the polls close. A skilled attacker’s work might leave no visible signs — though the country might be surprised when results in several close states were off from pre-election polls.
… America’s voting machines have serious cybersecurity problems. That isn’t news. It’s been documented over the last decade in numerous peer-reviewed papers and state-sponsored studies by me and other computer security experts. We’ve been pointing out for years that voting machines are computers, and they have reprogrammable software, so if attackers can modify that software by infecting the machines with malware, they can cause the machines to give any answer whatsoever. I’ve demonstrated this in the laboratory with real voting machines — in just a few seconds, anyone can install vote-stealing malware on those machines that alters the electronic records of every vote.
It doesn’t matter whether the voting machines are connected to the internet. Shortly before each election, poll workers copy the ballot design from a regular desktop computer in a government office, and use removable media (like the memory card from a digital camera) to load the ballot onto each machine. That initial computer is almost certainly not well secured, and if an attacker infects it, vote-stealing malware can hitch a ride to every voting machine in the area.
Why hasn’t more been done? In the United States, each state selects its election technology, and some states have taken steps to guard against these problems. But many states use machines that are known to be insecure — sometimes with software that is a decade or more out of date — because they simply don’t have the money to replace those machines.