Due to the many ways that attackers could affect the results from voting machines, those working on Election Day should have better training and retain “a pinch of paranoia,” according to Tony Cole, vice president and global government chief technology officer at FireEye.
“This is what our democracy is based on, is trust in the system,” Cole said, adding that people have to trust that their votes are being counted correctly for the election outcome to be trusted.
“Physical security has got to be way better,” agreed Jim Walter, senior researcher at Cylance SPEAR Team.
James Scott, senior fellow at the Institute for Critical Infrastructure Technology (ICIT) and author of the recent ICIT report “Hacking Elections is Easy,” explained that even with adequate funding, most counties do not provide their workers with adequate training to notice when someone might be tampering with a voting machine. And this doesn’t even include the worry that someone who volunteers to be an election worker might themselves try to hack the voting machines.
“The malicious insider is very, very difficult to identify,” said Cole. “Most counties have very little background checks.”
Advocates for the security of voting machines cite the lack of Internet connection or an “air gap” as a source of security for elections, but the potential for physical hacks as well as Internet-connected tabulation systems make the security of that air gap less certain.
“The air gap is no longer a defense,” said Scott, adding that hackers can even buy the malware needed to get into voter databases or the spreadsheets used to tabulate votes. “State tabulators will oftentimes use Excel as their spreadsheets.”
Scott also said that voting machines can be hacked from the manufacturer level by including malicious, self-destructing code in machine software updates.
“At the manufacturer level, that’s always the easiest place,” Scott said. “If I were the adversary coming in, I would poison the update.”
“For people to say you can’t hack an election, that’s crazy,” Cole said.
