As an election administrator and someone who tracks elections in the United States, I’ve already started hearing mutterings of distrust in the 2024 presidential elections well before a single vote has even been cast. Conspiracy theories have always been around, but now that they’ve become so mainstreamed, it’s time to take them head on. So it’s worth asking the question: Are our elections secure?
The answer is that it depends on whether we’re doing everything we should be doing to secure them.
At the annual DEFCON hacker conference, one of the things we do is hack into many of the types of voting machines in use, some older models, some newer ones. A good cybersecurity professional will tell you that no system is unhackable, and, yes, those machines can be hacked into with varying levels of difficulty. What we are doing is calling out the weaknesses not only so they can be addressed, but to demystify and proactively engage with any charges of shortcomings in our tech.
So, starting with these machines, what do we do about weaknesses that we find?
Sometimes cybersecurity doesn’t mean what you think it means. Besides always improving them, the best way to make any voting machine virtually unhackable — or as close as they can be to it — is simple physical security: Securing machines and limiting access as much as possible with clear, auditable, chain-of-custody procedures. Keeping hackers away keeps hacking away.
What about hacking online systems for voting, such as state voter databases and voter access websites? This is a bit more complicated, simply because there are more ways an attacker might approach them. Foreign adversaries in particular are always poking around to see if any obvious virtual doors have been left open that could be accessible from afar.
There are many ways IT professionals close those holes and keep an eye open for any suspicious traffic on their network — not just having good passwords and training professional users about phishing (the practice of sending phony emails to a target to get them to click on a tricky, malicious link). IT administrators can keep an eye out for unwanted traffic on their networks, for example. Local administrators like myself could use dedicated workstations that don’t otherwise allow users to surf the web or play with social media — and we can keep those work stations in a discrete VPN network to keep bad guys out.
But again, nothing will ever be perfect. Besides regularly and frequently looking for weaknesses through penetration testing (having professional, “ethical” hackers try to break into the system to identify weaknesses), the best, most basic strategy (assuming our network administrators are doing their own due diligence) is — once again — the lowest tech one: back everything up, have paper ballots, and have local polling places ready to go it alone with paper checklists.
Starting to detect a pattern here? Often the low-tech, physical security is the best security there is. It’s not the only thing, but it’s a doozy.
The most dangerous hack of all is deliberate misinformation and voter suppression. Automated phone calls delivering false election information or instructions are becoming more common, and that doesn’t even get us into the well-known pandemic of misinformation over social media. It is also why we should all look very carefully and conservatively at online voting, which presents a whole new and vast set of opportunities for phishing, smishing (text-based phishing), and vishing (good old-fashioned fake phone calls) campaigns that could easily disenfranchise many, many voters (perhaps enough to impact a result, even), all while stealing personal information in the process.
What happens if an election, either at the local or state level, gets hacked (and why it’s important to talk about it, even though it might be scary)?
If we’re smart and doing all our due diligence — that means best practices from the federal down to the local level — a hack will not be catastrophic. In fact, it needn’t do more than delay final results as systems are restored and results re-verified, by hand if necessary. We’re talking frustrating inconveniences and delays, but nothing that truly threatens our democracy.
We talk about “fault tolerance” in the IT world. No, we can’t 100% button elections down, but what we can definitely do is make them fault-tolerant.
And we absolutely must talk about these things because shining light onto the real challenges to the integrity of elections chases away the shadows in which conspiracy theories thrive.
Montpelier City Clerk John Odum is a certified ethical hacker.