Already, the 2016 election has been profoundly shaped by hacks. From Hillary’s vulnerable email server to Wikileaks’ string of Russia-linked email dumps, digital security has been one of the major forces driving the news. So far, all the hacks have been about information — in their way, not so different from October Surprises and smear campaigns of previous elections — but they raise an even more troubling question. With allegedly state-sponsored hackers already playing an active role in the campaign, could the integrity of voting itself be at stake?
It’s a hard question — but let’s start with the bad news...
Individual voting machines are vulnerable
Like most municipally-contracted technology, voting machines are terrible in basically every way. They’re expensive, old, prone to failure, and unpleasant to look at. As you might expect, they’re also not that hard to break into. Computer scientists have been demonstrating that for at least 10 years, generally by physically cracking open the machines and installing election-rigging software. Election boards have been slow to respond, and the demonstrations have just gotten better as the years go by.
Princeton computer scientist Andrew Appel, one of the main figures doing those demos, has argued that no voting machine is entirely immune. “It’s a general principle about computers,” he wrote earlier this year. “They run whatever software is installed at the moment.” That fatalism holds true in the everyday practice of security as well: once your opponent has physical access to your device, the fight is pretty much over.
The important question isn’t “can this machine be hacked?” but “can we verify whether it’s working properly on Election Day?” Voting machines aren’t doing too well on that front either. The key safeguard is a paper trail — either a paper ballot scanned into an optical reader, or a touchscreen interface that prints out a paper receipt when a vote is cast. That record prevents voting tallies from being changed after the fact, allows an audit if the result is disputed, and enables frequent checks to make sure votes are being accurately recorded. But according to a Brennan Center study, a full 20 percent of Americans’ votes this November will be cast on systems without that paper trail, which give election officials few protections if a machine is compromised.
The larger system is extremely hard to hack
At the same time, there’s a big difference between hacking a single machine and tipping election results overall. Voting machines aren’t networked together — in fact, they aren’t directly connected to the internet at all — so nearly every compromise would require physical access to each specific machine. There are a few exceptions — notably Diebold’s AccuVote machines in Georgia, which could be remotely attacked through their ballot definition system — but the attack is complex, the machines are rare, and it would be hard to discreetly swing an election through that method alone.
Tailored physical access (basically, breaking into a warehouse full of voting machines) would be simple enough for a single precinct, but stuffing enough ballots to tip the election would require a coordinated effort across hundreds of precincts, all performed covertly enough that the results aren’t called into question. It would be a massive undertaking, and unlike most digital attacks, it would have to be performed entirely on US soil, under the eye of election officials. That’s a lot harder than sending a few phishing emails. If you’re worried about a domestic, partisan threat, it’s also worth noting that all those officials come from different areas and levels of government, so you’d need a pretty broad conspiracy to pull anything off.
This is roughly what a joint statement from Homeland Security and the Intelligence Community said earlier this month, simultaneously urging election officials to seek federal help with cybersecurity and ensuring voters that it would be “extremely difficult” for foreign actors to alter ballot counts or election results, due in large part to the decentralized nature of the system. The Brennan Center came to the same conclusion, and as fear of election-day chaos has mounted, it’s an important point to keep in mind.
That’s not to say a few hacked machines couldn’t do damage on Election Day, but it’s worth considering exactly what it would look like. If irregularities appeared in the paper records, officials would be quick to remove the offending machines and move the precinct back to old-school paper ballots. Even machines without paper backups are subject to periodic test ballots, and if a machine started changing or dropping votes en masse, it would be hard to go entirely undetected.
At that point, the effect of a hack isn’t so different from the voting machines just breaking down, which of course happens all the time. That’s not exactly good news, but so far we’ve managed to muddle through.
Voter data is still insecure
While ballots and voting machines are the most important part of the election infrastructure, they’re not the only part, and there’s plenty of lower-hanging fruit for hackers to go after. Voter rolls are particularly vulnerable, and unlike voting machines, they’re connected to the web. Hundreds of thousands of new registrations flood into state tallies in the run-up to Election Day, so voter rolls have to be somewhat network-accessible for simple logistical reasons.
There’s also reason to think that hackers are targeting that data. This year has already seen attacks against voter registration systems in Arizona and Illinois, with the latter attack bringing down the system for 10 days and stealing data on as many as 200,000 voters. If an attacker went farther, actively erasing certain voters from the rolls, it could easily cause havoc on Election Day, as we saw with even legal registration surprises in the Democratic primary.
The good news is that, like the voting machines, rolls are distributed. Hackers might compromise the election board’s version of the voter registration list, but there would be plenty of other evidence that each voter was registered, including previously distributed voter rolls (typically retained by each state party) and actual registration forms. If a voter’s registration can’t be verified on Election Day, they’re supposed to be given a provisional ballot that can be defended in court after the fact — which, at least in theory, should limit the effect of voter roll attacks.
The biggest threat is chaos
Just stopping outright fraud doesn’t mean we’re in the clear, though. If all the machines in a Miami precinct decide they’re only going to register votes for Hillary Clinton, it would call the whole system into question, even if everyone’s vote is ultimately counted correctly. Others have speculated about hacking the reporting itself, breaking into the Associated Press system that reports polling data to the public at large. This is the most plausible way an election hack could succeed, kicking up enough dust to sow doubt about any result the system produces. If there’s tangible evidence of fraud, it’s hard to say if any subsequent result could satisfy the public.
In some ways, that’s also good news. If chaos is the biggest threat, it means we’re already protected from other threats like covert vote manipulation and outright fraud. The only way we’ll get into trouble is if everyone freaks out. Otherwise, we should be fine.
Of course, that’s not exactly reassuring if you’ve followed the last few months of election news. People are freaking out already! But that’s really more of a general America problem than a hacking problem specifically — which brings us to the next big point.
The worst problems have nothing to do with hacking
Of course, chaos could be a problem even without a digital attack. If one candidate simply refuses to accept the outcome of the vote as legitimate — as Trump has suggested he might — then you’ll end up with a crisis of the system no matter what. Voting-machine failures would make that crisis more acute, but no more so than the kind of recount we saw in 2000. The real problem is a fraying of political norms. A digital attack could worsen that problem, but it wouldn’t create it.
The same is true for the voter roll attack. In theory, the provisional ballot system should ensure that anyone with a irregular-but-valid registration has the opportunity to vote. The problem is, certain states have spent years undermining that system for partisan ends, trying to shrink the pool of voters to build a more ideologically friendly electorate. There are also plans for coordinated voter intimidation (which is very much illegal) from Trump supporters unaffiliated with the campaign. As a result, many voters will be encountering a much more hostile environment at the polling station, making a voter roll attack potentially much more damaging.
Those problems are bigger threats than outdated voting machines, and solving them is much more urgent. Digital security is part of the answer -- fewer people will trust a system if the Russians keep breaking in -- but the real problem is political. How do you keep trust in a system amid the most fractious election in decades? How do you convince the losing side to accept the results when there may be an entire industry stoking their sense of resentment and betrayal? Replacing old equipment might be the easy part.