Think tank: U.S. elections are far from hack-proof

In the wake of high-profile hacks of Democratic Party systems and attempts to infiltrate state voter databases, intelligence and homeland security officials have been rushing to reassure Americans that the upcoming election cannot be hacked. But one cybersecurity think tank says not only are voting systems vulnerable, they are easy to hack.

FBI Director James Comey recently described the U.S. voting system as "clunky as heck," and because it is not a high-tech networked system, "it is hard for an actor to reach our voting processes."

Panelists at a discussion sponsored by the Institute for Critical Infrastructure Technology did not dispute the characterization of voting systems as clunky, but they argued that it does not make them immune from hacking or manipulation.

The panelists said even machines that are not connected to any network can be corrupted via removable media such as USB drives, and the black-box nature of many voting systems means there is no way for election officials to run diagnostics before or after votes are cast.

ICIT recently released a two-part report, titled "Hacking Elections Is Easy," that outlined a range of vulnerabilities, infiltration points and tactics that could be used to undermine credibility in an election or even manipulate the results.

"In all likelihood, cyber-physical attacks against electronic voting systems may continue to go unnoticed due to a lack of cyber-hygiene culture, a lack of verifiable and thoroughly tested security mechanisms, a lack of standardization, and a lack of public attention," the report states.

Furthermore, "in 2016, 43 states relied on voting machines that were at least 10 years old and that relied on antiquated proprietary operating systems such as Windows XP, Windows 2000, unsupported versions of Linux, and others," the report states. "Vulnerabilities for these operating systems are widely available for free download on Deepnet."

The report also says electronic voting machines are so unsophisticated that an "[18-year-old] high school student could compromise a crucial county election in a pivotal swing state with equipment purchased for less than $100."

In addition to manipulating individual machines, the panelists said that when devices are connected to networks to tabulate or transmit results, those results can be intercepted or manipulated.

"If you wanted to go influence results on a national scale, you're not going to be successful," said Tony Cole, an ICIT Fellow and a vice president at FireEye. "However, if you want to go influence the election in a swing state, in a regional area where it could have a significant influence, you potentially could."

Cole said a concerted effort by a team of individuals, possibly with nation-state backing, could tip a close election one way or the other.

"All these voting systems today are in church basements locked up, in elementary schools -- I mean, those are our polling places," he said. "Wherever those systems are stored, it would not be difficult for somebody over a period of four years to work on actually compromising a multitude of those systems...in a swing region in a swing state. It wouldn't difficult at all to have a small, dedicated team focused on that."

Most election workers do not have the training or expertise to know whether anyone is trying to tamper with hardware, Cole said. Plus, they are vulnerable to phishing scams and might accept free USB drives that hackers could use to access systems.

However, he argued that a more likely and feasible method of manipulating an election is downstream in the tabulation and data transmission process.

"Invariably, there are going to be some regions, some states where people have machines that they are interconnecting to the tabulation system, so once you have that, you bridge the air gap and you have the possibility of a tainted result," he said.

He was quick to point out that although it is technically feasible, the odds that hackers will influence the outcome of this year's election are low. "Nevertheless, I don't want this problem to get tucked away for four more years and no focus on it so an adversary has another four years to study it to see if they can do it in 2020," he added.

Cole said an organization such as the National Institute of Standards and Technology should issue mandatory security standards for electronic voting systems to improve election security. But he warned that the approach would not eliminate the problem.

"Everything is hackable given enough time and resources, and people need to be aware of that," he said.