Russia is at it again. U.S. intelligence officials warn Moscow is trying to interfere with the 2020 election – allegedly to help both Donald Trump and Bernie Sanders.
This raises the question: How safe is the election? How worried should we be? Media, politicians, and pundits toss around words like “election security” and “election interference,” but these terms are vague and squishy. What, specifically, are the biggest risks? Physical attacks on the voting machines? The tampering of results? Cyberattacks? Russian bots?
It’s not entirely clear. So I spoke with election security experts – a mix of election officials, consultants, and cybersecurity gurus – to better understand the vulnerabilities in the voting system, tease out the biggest risks and illustrate what could go wrong.
The result is a “risk spectrum,” of sorts, organized in ascending order of magnitude, from “possible, but likely immaterial” to “holy hell, we have a real problem." The order is not what you might expect.
Risk: Attacks on voting machines — 'Supply Chain Attack'
These are relatively safe, say the experts. “Voting machines, and voting tabulation machines, are not connected to the network at all,” said Trevor Timmons, the chief information officer of Colorado’s Department of State. “So they’re not susceptible to someone sitting at a keyboard in a far-flung territory, and directly attacking them.” He adds, the machines are kept under lock and key, monitored 24/7 with video surveillance, and tracked with access logs.
Yet, devious minds can overcome all of this. Enter the “supply chain attack.”
The scenario: On election night, an official sticks a USB flash drive into a vote tabulation machine – which is secure, uncompromised, and air-gapped from the internet – to fetch the results. So far so good. What the official doesn’t know is that a few months earlier, the USB stick was manufactured by a foreign agent who smuggled in malware, and now it feasts on the system. The USB stick is a Trojan horse. It corrupts the files and tinkers with the votes.
The good news? States know about the risk and take precautions. In Colorado, for instance, officials purchase USB drives somewhat anonymously, without revealing their role in the election, and they’ll only buy from U.S. manufacturers, following the same protocol as the Department of Homeland Security. “These are the same secure USBs that the feds use for military and the intelligence community,” said Timmons. “They’re not cheap. They’re not the $5 drives you buy from Best Buy, but that’s one way we can protect the election system.”
Yet, there are some ballots that do touch the internet: email absentee ballots. “Twenty-six states allow the transmission of ballots, digitally, to people overseas,” said Forrest Senti, director of Business and Government Initiatives for the National Cybersecurity Center. “And that represents a vulnerability.” Senti’s team spent 18 months to make these systems secure, but acknowledges that since they use the internet, they’re still at risk of a hack.
Risk: Attacks of the voter database
This is more vulnerable. The voter database itself “has some connectivity to the internet,” said David Becker, executive director of the Center for Election Innovation and Research, explaining that they’re linked to the internet to facilitate things like online voter registration and keeping files updated.
We know they’ve been hacked before. The Senate Intelligence Committee found that in 2016, Russian hackers “were in a position to delete or change voter data” of the Illinois voter database, but found no evidence they had actually done so. “There’s been a tremendous amount of work in the last couple of years to strengthen the walls around these,” said Jennifer Morrell, an election security consultant who has written a series of Risk-Limiting Audits. And if a hacker breaches these defenses? Some of the chaos they could unleash: Flip the party affiliation of voters from Republican to Democrat, change the first digits of everyone’s mailing address, or purge the records of all minority voters. “Anything that can sow confusion — that’s the concern,” said Morrell. “Is it a viable concern? Mmmh. There’s been a lot of work to shore these up.”
Risk: Vote reporting system
Pretend it's election night, Nov. 3. Imagine a random voter, Joe Schmuckately, casts his vote in a high school gym in Pennsylvania. Now imagine the chain of vote tabulations that stretches from Joe’s gym to the county level, then to the state of Pennsylvania, and then, eventually, to the consolidated numbers Wolf Blitzer reports on CNN.
Becker stresses that almost the entirety of that chain – “well over 95 percent” – is air-gapped from the internet, and therefore less vulnerable to attack. Here’s how it works: once the votes are counted at Joe’s gymnasium, a volunteer takes a USB drive (never connected to the internet, barring supply chain attack) and drives it to the county level, where the votes are consolidated, once again by an air-gapped USB drive, and then it’s quickly driven to the state level. (In LA, they transport these precious vote totals using helicopters.) They often relay the results over the phone, in parallel, to double-check for accuracy. This physical consolidation of the votes – separated from the internet – is why it can take so long for the unofficial results to be reported on election night.
But now there’s a hitch.
In the final link of this chain from the gym to Wolf Blitzer, the results — or at least the unofficial results — do get uploaded to the internet. A web page is used to upload the tallies. “These are not the tabulated results from the voting system,” Timmons stresses. “It’s a website that’s publishing the unofficial results.” And websites are vulnerable. Every state is hyper-aware of this risk, and has worked with the Cybersecurity Infrastructure Security Agency (CISA), a division of the Department of Homeland Security, to constantly monitor their sites for breaches. Systems are in place to manually review the real-time results, keep secure backups, and use two-factor authentication when updating the site.
Even so. No site is 100 percent hack-proof — just ask the NSA.
If the site is breached? Timmons reiterates an attack on this website would not imperil the actual results, but nonetheless, we now live in a hyper-connected age where on election night, we breathlessly watch the returns trickle in, and we assume these “unofficial results” are the actual results. So if someone distorts the unofficial results, even if an audit can later prove the real winner, the egg is already broken.
Scenario: Moscow hacks the website that consolidates the unofficial results for Pennsylvania, a crucial swing state, goosing Donald Trump’s totals and giving him the win. Wolf Blitzer calls Pennsylvania for Trump. He wins the election by a narrow margin. Much of the U.S. despairs, much of the U.S. rejoices. Minutes, hours, or perhaps days later, an audit catches the attack and reports that in actuality — oops! — the Democratic candidate won the actual vote. Trump and his supporters refuse to accept the new total, tweeting, “IT’S RIGGED. FAKE VOTES!!!” The faux-president refuses to leave the Oval Office. Trump supporters take to the streets. Democratic supporters take to the streets. The best case scenario is a constitutional crisis, the worst case is a second Civil War.
Risk: Attacks against the candidates
So far we’ve covered hacks on the voting system, but attacks on the candidates, or their campaigns, could be just as damaging. Consider one of history’s most enthralling What Ifs: If John Podesta’s email account was not hacked, would the 2020 election be a referendum on President Hillary Clinton?
“You don’t have to take control of the voting machine to affect the final outcome,” said Etay Maor, chief security officer of Intsights, a cybersecurity firm. “And it can be very unsophisticated.” To illustrate the point, Maor describes an artificial intelligence seminar he gave in Asia. He brought up the example of self-driving cars. “You don’t have to hack and control the AI system to make the car crash,” Maor told the crowd. “All you have to do is blind the camera, and you’ve done the same thing. You don’t have to be super sophisticated.”
How could this mindset work in an election? A rudimentary “blind the camera” scenario: A day or two before the election, the Bernie Sanders campaign is breached by a phishing attack, destroying its access to internal polls, get-out-the-vote databases, and phone numbers of eligible voters. Everything is wiped. As Maor puts it, a malicious actor could “just send in malware that says, have fun, and destroy everything you see!”
Risk: Incompetence of election officials and volunteers
“There’s another risk that we don’t want to talk about, and I’m probably going to get into trouble for saying this,” said Morrell, laughing a bit. “And that’s the people running the elections.” She explained that most jurisdictions are run by elected officials, and “we don’t necessarily elect the best and brightest.”
She quickly clarifies that many are competent, bright and skilled, but with over 8,000 jurisdictions across the United States, some of the elected officials – a county clerk who never attended college, for example, and who was elected 20 years ago – lack the training, knowledge and background to shift to a system that now requires “cyber-hygiene practices, audibility and programming.”
Seti agreed. “This is not anything against them [election officials and volunteers], but it’s not what they’re trained for.” He explained that many of the volunteers are vetted only with a “high-level background check,” and that while the larger jurisdictions have more rigor, the smaller ones … less so. “If you’re thinking like a hacker, what are the different ways you can exploit things? You’re not going to target San Francisco, you’re going to target some 10,000-person town in Death Valley.”
Risk: Disinformation campaigns
The deepest risks, the experts warn, are not about codes or cyber-attacks, but social media and psychology. “I’d be completely surprised if there’s no disinformation campaign of some sort,” said Maor. Everyone said some version of the same thing — disinformation is the real threat. We know the Russians hatched this plan in 2016, and intelligence officials warn that it’s happening again in 2020. The Mueller Report found no evidence that Russia physically changed the votes. Yet, officials did find a smoking gun — a smoking canon, really — that an army of bots and trolls, smoothly coordinated by Russia, succeeded in ginning up conflict, inflaming our anxieties, and turning citizen against citizen. The Russian agents touched every hot button like they were playing a piano: Black Lives Matter, white supremacists, the NRA, gay marriage, global warming, police brutality. “This was one of the lowest costs, highest reward foreign policy coups ever,” Becker said, real pain in his voice. “They got us to oppose our own democracy without firing a shot.”
Some specific types of disinformation campaigns:
Disinformation Risk: Fake sites
Remember those websites that upload the unofficial voting results? They can be faked. “If I were an adversary, and I wanted to create a false impression about an outcome prior to the official results coming out, an way easier way to do it would be to spoof the official election site,” said Becker. “That’s incredibly easy. There are high schoolers who can do that. Probably junior high schoolers.” Spoofing the results is not just a hypothetical — it happened in Ukraine.
Disinformation Risk: Deepfakes
A chilling hypothetical scenario, from The Talking Point Memo’s Nicholas Diakopoulos and Deborah Johnson: “Trump advisors develop a strategy to get out the vote among his base: disaffected white voters. Campaign staff synthesize a deep fake video of [Elizabeth] Warren [in this scenario, the hypothetical Democratic nominee] in a supposed closed-door meeting with a few members of the Congressional Black Caucus and post it on Twitter and YouTube. In the cellphone-quality video, she’s heard saying disparaging and hateful things about white men in the United States.”
Warren immediately denies the video and calls it a fake. CNN and MSNBC immediately call the video a fake. Perhaps independent auditors conclude that definitely, undeniably, without a doubt, the video is a fake.
It doesn’t matter. The video still goes viral and rallies Trump’s base, helping him boost voter turnout.
I ask Maor what we can do to minimize this risk. He paused, thought, and then said, “I’m sorry that I don’t really have an optimistic thing to say about deep fakes. It’s a very challenging form of attack.”
Disinformation Risk: Reverse deepfake
Feeling sinister? Then consider this additional wrinkle of deep fakes: it’s hard to tell who made them. “The attribution with deep fakes is difficult,” said Maor, “so it can be very easy to do a reverse attack.” You can attack yourself and then frame your opponent. Suddenly, you (the one who created the deep fake) claim to be the victim. As Maor described, “Candidate A releases a deepfake of themselves, and then says, ‘look at what Candidate B is doing!’”
The only silver lining is that all of the candidates possess impeccable integrity, and it’s tough to imagine anyone in the race actually doing this.
Disinformation Risk: Amplification of normal glitches
Glitches are part of any system. Even in a clean election with zero corruption and zero foul play, a nationwide tabulation system that involves over 8,000 jurisdictions and 150 million votes will, from time to time, produce some minor errors. Just as the cash registers at a grocery store, even without any theft, rarely balance to the penny. Maybe a polling site temporarily runs out of ballots. Maybe a new voting machine has a confusing interface, and a voter thinks (mistakenly) that their candidate is not on the ballot, and uploads a video to Twitter. “News flash, elections aren’t perfect,” said Morrell. “And one of the biggest risks we’re going to face is that bad actors, whether foreign or domestic, will amplify normal election day glitches as disinformation.”
This is the real risk. This is the vulnerability that terrifies the experts, because it’s almost impossible to defend. Becker explains that the Russian apparatus is sophisticated, and could be on the hunt for any whiff of problems with voting machines (even if inaccurate), and then mobilize its social media army to fan the outrage and fear. Maybe this starts on Twitter or Reddit or Facebook, but is then picked up by the media and further exacerbated. “There’s just enough truth there,” said Becker, “and those things get amplified to reduce voter confidence, and the impact of that is devastating.”
The Meta Risk: This very article
Consider the analogy of terrorism. The real goal of terrorists is not just to claim lives, but to make us afraid to fly on planes, leave our homes, and do what we normally do. The goal of terrorists is to make us obsess about terrorists. Similarly, perhaps the real risk to election security, paradoxically, is that we fret too much about the risk of election security. The media can exacerbate the problem. In an odd and meta sense, articles like this could stoke the flames of doubt and panic. If a publication, hungry for clicks, frames a piece as “7 Ways the Election Could be Hacked!” that could undermine confidence in the system, suppress voter turnout, and feed ammo to those who think the system is rigged.
So to be crystal clear, the takeaway of this article is not that the voting system is doomed or critically exposed. The takeaway is that while, yes, of course there are vulnerabilities in this sprawling system of over 8,000 jurisdictions, the risk of material vote manipulation — enough to swing the election — is relatively low. Yet the risk is far higher, and almost a certainty, that a disinformation campaign will distort and weaponize any glitches in the system, exaggerate the damage, and twist us against ourselves.
Consume your news and choose your sources accordingly.
The Endgame Risk: Loss of confidence in the system
“Objectively, the 2020 election will be the most secure election we’ve ever had,” said Becker. “We’re more aware of the vulnerabilities than ever before.” He adds that $800 million in federal funding has beefed up election security with measures like software upgrades, training for cyber-hygiene, and conducting audits. Every battleground state will use paper ballots, ensuring that when the dust settles, we should have confidence that the votes will be accurate.
Yet, he’s a realist. He knows that even if the system is actually working properly, the mix of disinformation campaigns, spoofed sites, deep fakes, and collective sense of panic are likely to accomplish the ultimate goal of foreign agents: to destroy our faith in the voting system, and to some extent, democracy itself.
“The default for the majority of eligible voters in this country is to not vote,” said Becker, noting that during presidential elections, the turnout is above 50 percent, but for every other election it’s below 50 percent. So if their default inclination – to not vote – is then greeted with troubling news of chaos at the polls or that voting machines are crooked or that voter fraud is swamping out legitimate votes, then this acts as a confirmation bias, and they’ll skip the election.
Becker is not worried about turnout in 2020, which he predicts will be “off the charts.” But if another divisive, toxic disinformation campaign breeds a sense of despair, he fears that turnout for 2022 and beyond will “drop through the floor.” He paused. “This is what keeps me up at night.”
“The target is the person,” said Maor. “The target is the human. It’s not machines.” The target, in other words, is you. The voter. If you’re convinced the system is rigged, and if enough people are convinced the system is rigged, then the system is rigged. “Our confidence in the election system is like gold,” said Seti. “It’s only valuable if people believe in it.” Like gold, if the perceived value vanishes, then so does the actual value. This is true of voting systems, democracy, gold, or, for that matter, bitcoin.