Democralypse Now? US election first battle in new age of cyberwarfare

Hacking attempts against more than 10 US state election databases have increased fears about Russian efforts to disrupt or influence the 2016 presidential election.

Cyberattacks against voting databases in Arizona, Illinois and at least eight other states have only heightened concerns in the wake of the hack and subsequent leak of emails from the Democratic National Congress.

The US government has not shied from pointing the finger of blame firmly towards Moscow as previously reported. The Russian government "directed the recent compromises of emails from US persons and institutions," the Department of Homeland Security and the Office of the Director of National Intelligence alleged earlier this month. US security agencies are publicly accusing Russia of trying to interfere with the election process after allegedly escalating from cyber-espionage to cyber-sabotage.

Federal officials suspect Russian hackers tried to breach a contractor for Florida's election system, exposing voters' personal information in the process, CNN reports.

Amid these heightened tensions, the CIA is reportedly preparing for cyberwar against Russia, or at least looking into scenarios for a conflict largely fought in the arena of public opinion, where leaks of sensitive information on rival political elites are the weapons of choice.

Spin cycle

Accusations are flying left, right, and centre as experts urge calm assessment and caution. Tod Beardsley, senior research manager at Rapid7, likened attempts to hack the election system to the routine scanning and probing of corporate networks.

“There is wide speculation around the current ‘probing’ activity directed at online voter registration sites,” he said. “In isolation, this might seem alarming. However, all online systems are ‘probed’ all the time. Automated and routine vulnerability scans of internet assets is a normal part of online weather, is sourced from all over the world, and is well understood by experienced IT security practitioners.”

Even if voter record databases were corrupted then the effect would be disruptive rather than disastrous, according to Beardsley.

“If online voter registration records are vandalised on election day in order to deregister otherwise legitimate voters, polling places can and will fall back to the paper-based provisional balloting system guaranteed by the Help America Vote Act of 2002 (HAVA). So, while an outage of voter registration records would certainly be inconvenient, it would not prevent the election from taking place. It just wouldn't be worthwhile in terms of effort, cost, and risk to attack elections this way, given the ease of local recovery through provisional balloting."

Vote early, vote often

The presidential election is now only two weeks away and this has served to heighten speculation – present during every recent election cycle – over the possibility of someone "hacking the election".

Hackers have been threatening to steal voting results data as well as voters’ personal information. The MIT Technology Review concludes that “voter registration information” is more at risk than your ballot.

Tim Erlin, senior director of product management at Tripwire, said the 2016 US presidential elections are the “first major election where foreign cyberattacks have been discussed as a material threat”, something he expects to become the norm.

“There’s no more business as usual when it comes to cybersecurity and US elections,” Erlin said. “The United States is going to have to come to grips with a future where electronic interference in elections by foreign powers is standard operating procedure.”

Even apparently minor problems in election systems need to be scrutinised closely.

“The information security community has learned over and over that the first discovery of a breach never uncovers the full scope,” Erlin warned. “We should apply that lesson to any election related compromises as well. There’s likely more to uncover here as well.”

Robert McFarlane, head of labs at Head London, commented: “The levels of hysteria and hyperbole have been the highest of any US election in living memory, but it’s certainly not inconceivable that we could see some high-stakes hacking. However, I’d suggest the underlying reasons behind this would be geopolitical: these elections have made the US look weak on the global stage and Putin desperately needs to deflect from the Syrian campaign. As such, a Russian-sponsored hack would serve to humiliate and destabilise an already shaky America.

“Of course, it also doesn’t help that Trump’s babbling rhetoric actively appears to invite outside interference to help secure his victory – or at the very least call a defeat into question. There are, clearly, a great many ways a hack could backfire on Trump, as well as the sponsor – whether that’s external or domestic. In fact, being able to point the finger of blame at the Russian Federation (or any state they don’t like) would be a convenient win for the Yanks by further isolating the perpetrator as an aggressive opponent of democracy.”

Democralypse Now?

Rapid7’s Beardsley has published a detailed blog on the hacking threats facing the US election system here.

The US election system is “massively complex” and “appears to embody the absolute worst practices when it comes to information security”, he writes.

There are cleartext, internet-based entry points to the voting system. There is an ageing installed base of voting machines running proprietary, closed-source code, produced by many vendors. And there is a bizarrely distributed model of authority over the election, where no one actually has the power to enforce a common set of security standards.

Despite this assessment, Beardsley is inclined to downplay the widely discussed hacking threat against voting machines. “It is possible that foreign hackers could infiltrate voting machine software, and therefore cause votes cast for one candidate to be counted for another,” Beardsley said. “However, such an attack is literally incredible. Voting machines in the US are never [as far as we are aware] directly connected to the internet on Election Day, which means the attacker would need to get at the machines well before November 8, while the software is being written or loaded on to the machines.

“While this sort of infiltration is possible, such a campaign would require formidable espionage assets, have a high risk of being detected before the election, and the effects would be noticeable in bizarrely inaccurate exit polling during and after the election.”®