How Hackers Could Send Your Polling Station into Chaos

Election security experts say officials should prepare for cyberattacks that target data about voters.

Oct 5, 2016

Hackers looking to disrupt the election on November 8 could have better luck stealing your voter registration information than your ballot.

Indeed, election security experts say Internet-connected voter registration databases could prove to be the biggest vulnerability this Election Day. They say election officials should develop contingency plans to safeguard their precincts from cyberattacks, like ensuring that there is a paper record or other kind of reliable backup of the voter database on hand at the polling station.

During this election season we’ve seen cyberattacks on the e-mail servers of the Democratic National Committee and state voter registration databases, which have heightened concerns that a nation-state adversary like Russia could use the Internet to disrupt the U.S. elections in November.

Attacks on voter registration databases are the biggest cybersecurity threat facing the election, argues Dan Wallach, a computer science professor at Rice University who studies the security of electronic voting systems. If an attacker could damage or destroy these databases, say by deleting names, they could effectively “disenfranchise significant numbers of voters,” Wallach told the House Committee on Science, Space, and Technology last month during a hearing on election security.

Federal legislation passed after the “hanging chad” debacle during the presidential election in 2000 requires that each state maintain an electronic database of registered voters. These databases are now typically online, making them vulnerable to cybercrime. In August, we learned that foreign hackers attacked voter databases in Arizona and Illinois. Just last week, Department of Homeland Security officials revealed to the Associated Press that in recent months hackers have in fact targeted voter registration systems in 20 states.

A dedicated adversary could plausibly pursue a number of strategies to disrupt elections by infiltrating voter registration databases in key states. For example, an undetected deletion of voter data before Election Day could lead to a larger-than-expected demand for so-called provisional ballots, which are available for people whose verification info is not immediately available at the polling station. The provisional ballot process is time-consuming, so an attack like this could lead to long lines and wait times, which might cause people to leave without voting.

Hackers could also target a relatively new technology called digital poll books, which election officials are deploying in polling stations all over the country. These systems are essentially computerized versions of the paper lists that poll workers have traditionally used to check in voters. They can shorten wait times and generally improve the convenience of the voting process. But officials in a number of jurisdictions have connected these to the Internet so they can conveniently send information about voter check-ins to other machines important for election management, says Gregory Miller, cofounder of the Open Source Election Technology Foundation, a nonprofit elections technology research institute.

Though most digital poll book systems provide the option to connect to the Internet, we don’t have much information yet regarding the extent to which this is actually going on in polling stations across the country, says Miller. 

There is no federal guidance to date regarding the use of digital poll books. In May, the Election Assistance Commission, the federal body in charge of testing and certifying voting systems, published a checklist of best practices for securing voter registration data. It does not explicitly recommend that this data be kept from the Internet, however.

Ultimately, the Constitution gives states dominion over their elections, so it will be their responsibility to protect databases and polling stations from cyberattacks. According to the AP, 21 states have asked the Department of Homeland Security to help with scans of key websites for vulnerabilities before the November election.