Security experts warn lawmakers of election hacking risks

The hundred-plus security experts say many US states are "inadequately prepared" to deal with the rising cybersecurity risks of state and federal elections.
Written by Zack Whittaker, Contributor

(Image: file photo)

More than a hundred security researchers and computer science experts have warned in a letter to lawmakers that not enough is being done to ensure the integrity of state and federal elections.

The letter, published Wednesday, argues many US states are "inadequately prepared" to respond to cybersecurity risks with upcoming elections.

The hundred-plus co-signatories, including cryptographer Matthew Blaze, security expert Bruce Schneier, and PGP creator Phil Zimmermann, say the US "needs prompt action to ensure prudent elections security standards."

The experts also outlined several recommendations that would "form the basis of robust, enforceable, sensible federal standards that can restore needed confidence in American elections," including ensuring that any electronic election machines produce a voter-verified paper ballot to establish the "official record of voter intent."

The letter was released to coincide with a Senate Intelligence Committee hearing on Wednesday, where experts testified to the state of election security in the wake of several recent news reports that further detail Russia's efforts to influence last year's presidential election.

Among the most explosive claims include one report citing a leaked classified NSA report, which revealed the US knew about Russia's hacking effort against dozens of state voting systems days ahead of the presidential election. Not long after, a Bloomberg report said the Obama administration used a "red phone," dedicated to communicating with the Kremlin on cyber incidents, to warn the Russians to back off their attempts to influence or sway the election. A recent Politico report cited a security researcher who found documents that "could be used to hack an election," including passwords, instructions for election staffers counting responses, and 6.7 million Georgia state voter records.

During the hearing, Homeland Security acting deputy undersecretary of cyber security Jeanette Manfra confirmed 21 states were targeted by Russian hackers, but would not identify the states affected.

Though neither the Obama nor Trump administrations have pointed to any "detected" changes in votes cast at the ballot box, one leading election expert and academic warned of the dangers posed by undetectable vote manipulation.

Ahead of his testimony to the Senate intelligence panel, professor Alex Halderman said in an op-ed for The Washington Postthat it's "possible to reprogram a machine to cause any candidate to win, without leaving a trace."

"The research team created malicious software -- vote-stealing code -- that could spread from machine to machine, much like a computer virus, and invisibly change the election outcome. Since then, cybersecurity experts have studied a wide range of US voting machines -- including both touch screens and optical scanners -- and in every single case, they found severe vulnerabilities that would allow attackers to sabotage machines or alter votes," Halderman wrote.

These voting machines, known as direct recording electronic (DRE) systems, are used in dozens of states, many of which don't have a paper audit trail to confirm a hard copy of a person's vote.

With the next election due in 2018 and several local elections expected in the meanwhile, the experts are asking for members of Congress to provide funds to upgrade state technologies and replace paperless voting electronic systems to "include a good old-fashioned paper ballot," allowing a physical record of a vote that's out of reach from cyberattacks."

"There's evidence this agenda can fly even in the age of hyperpartisan gridlock," said Halderman.

Editorial standards