As we approach the 2018 midterm elections, you’re probably hearing a lot about how vulnerable the U.S. voting system is to malicious hackers. CBS even has a weekly series about the “cyberthreats and vulnerabilities of the 2018 midterm elections.” While election hacking is possible (and it’s good that more people are paying attention to that possibility), the truth is a little more nuanced. The risk of actual voter fraud in the 2018 election resulting from election hacking is extremely low. Here’s why.
While it’s true that election machines are hackable, the wide range of voting methods used across the USA means that the chance of an attack altering actual vote counts and affecting the outcome of an election is practically zero. Voting methods are not standardized across the U.S. For example, in the State of Washington where WatchGuard is headquartered, we can vote by mail. Many states use Direct Recording Electronic (DRE) systems that record votes directly into a computer’s memory (these are what we usually think of as “voting machines”), but many states still use paper ballots or keep paper records of votes as a fall-back method to verify the electronic vote counts. You can see a list of voting methods by state here. Also, many states have been developing more thorough methods of detecting and preventing hacking attempts since 2016. Committing voter fraud in 2018 would need to be a massive, coordinated effort spanning multiple states and affecting multiple methods of voting – much more complicated than hacking a few networked voting booths.
In August of 2018, penetration testers found several software vulnerabilities in voting machines during an event at the hacking convention DEF CON. While it’s true that vulnerabilities exist in voting machines, the hackers at DEF CON had full physical access to the machines. This makes them much easier to hack, since the attackers can try to manipulate physical ports to gain access, or look through the insides of the machines to guess how they work. Having physical access to voting machines in the real world is much less likely. Voting machines are also not usually networked from precinct to precinct, so to actually change vote totals a team of hackers would need to surreptitiously open up dozens of voting machines across dozens of locations and muck around inside of them without anyone noticing – not a likely scenario. A hacker could potentially focus on key districts in key battleground states to reduce the number of machines that would need to be breached, but the logistics required for such a plan make it highly impractical.
It’s far more likely that hackers will affect the 2018 election by spreading propaganda online (like what Russia did in the 2016 presidential election), by stealing and leaking sensitive or politically damaging material, or by accessing and modifying voter registration records. In a bit of a catch-22, the only way to improve election security overall is to standardize the electronic voting systems used across the country. This makes a hack more likely since it gives attackers a single target to aim at, but picking a single voting systems will allow security experts to focus on making that system as secure as possible.