Credits: FT News
Hacking democracy was as easy as abcde. When Carsten Schurmann sat down to hack one of the voting machines used instead of paper ballots in the state of Virginia, he used a simple online tool to discover a flaw in the machine that had been public — and remained unfixed — for 14 years.
And he already knew the password, because he had found that on the internet, too. The password was abcde. Wearing a short-sleeved shirt and wire-framed glasses, the Danish computer science professor described how simple it had been to get into the WINvote machine, after which he was able to tamper with the vote tally.
“The machines are all vulnerable,” he said. “I’m not a hacker but I tried the first thing and it worked.” Not that he was doing it for real. Mr Schurmann was at last year’s Def Con, a cyber security conference, which assembled 25 pieces of election equipment and invited attendees to test their vulnerabilities. All 25 were hacked.
Virginia was one of the 21 states that the US government believes had their election systems targeted by Russian hackers in 2016. The state learnt from Mr Schurmann’s work and has banned this type of voting machine, requiring replacements before the midterm elections this November.
But Mr Schurmann believes not all states are as alert to the problem, and it alarms him. “This is a make or break election,” he said. “People need to trust the result.”
Def Con is repeating the experiment with voting systems this year, on a grander scale. The conference, which began life as a gathering for hacker hobbyists, is playing an important role in bringing together the federal government, the security industry and election officials, as they race to help states shore up their cyber defences in time for the midterms.
Indictments issued last month by Robert Mueller, the special counsel investigating Russian interference, against 12 Russian intelligence officers set out in detail how they targeted the 2016 US election. As well as hacking the Democratic National Committee, they successfully stole 500,000 voter records from one state and attacked the computers of a vendor which sold software used to verify voter registration.
In this election cycle, Microsoft said it has already prevented hacks on three congressional candidates, targeted by “phishing” attacks trying to steal their credentials. Facebook has uncovered another Russian political influence campaign on the platform that reached about 300,000 people.
Jake Braun, co-founder of the Def Con “village” (room) devoted to election issues, said he believes the event’s organisers have contacted more election officials than anyone else since the 2016 election — even more than the federal government.
They have invited over 7,000 of them to participate in this year’s conference, which got under way in Las Vegas on Thursday. It is impossible to tell what fraction will turn up, because the conference does not pre-register attendees.
One attendee is Noah Praetz, director of elections for Cook County in Illinois, who has worked on elections for 18 years, since what he calls the “wedding planner era of election administration”.
Then, the main challenge was getting voters and ballots to the polls, dealing with problems such as transport or long queues outside polling stations.
At Def Con he is speaking not about corralling voters but defending against hackers, competing for the attention of an audience that can drift between hacking competitions and other conference areas known as villages devoted to, for example, finding flaws in connected cars or lock-picking.
“It is a crazy place,” he said. “But I think everybody is there for the right reason — they are concerned about democracy in America.”
In a conference room at the faux Roman Caesars Palace hotel in Las Vegas, organisers will be holding a mock election while “white hat” hackers try to find vulnerabilities in voting machines and e-poll books, which track who has already voted.
There is also a replica of an entire election office network, so hackers can work out how sensitive data is transferred around the system. The organisers have gone to great lengths to assemble the technology, even buying machines on eBay, where they ended up after being sent to a recycling company.
The white hats, good-guy hackers, hope that once found, the flaws will be fixed.
Aside from the hackers trying to help, election officials are getting more traditional support ahead of the midterms. The federal government has given states $380m to upgrade their election security and the Department for Homeland Security is offering support with expertise. Non-profit organisations have been drafting guidance and running mock elections. Cyber security companies including Cloudflare, Synack and Akamai are providing their services to states free of charge.
But few are confident that they have enough money, talent and guidance to ensure that November’s election passes without a hitch. The new federal funds are not enough to rip out all the old technology and start again, states still struggle to compete with the private sector for top notch cyber security experts, and there are no mandatory rules for voting equipment security.
While election officials get stuck into their new role as cyber defenders, some security experts are frustrated that their years of warnings have not been heeded. Finnish computer programmer Harri Hursti, the other co-founder of the Def Con voting village, participated in a study in 2007 that found “hundreds and hundreds of vulnerabilities” in election software that is still being used today. “Nothing has been fixed,” he said, waving his arms in exasperation.
In fact, cyber security may even be weaker than in the last US presidential election, he added, because many authorities have introduced e-poll books, to manage who has voted, which are “horribly vulnerable”.
“Election security as a whole has taken massive steps backwards since 2016,” he said.
Hugh Thompson, chief technology officer of Symantec, said he spent most of his weekends from 2001 to 2005 working on election security, after voting machines were introduced because of concerns about hanging chads in the 2000 presidential election contested by George W Bush and Al Gore.
“The risk that I think most of us worried about at that time is still the biggest one: someone goes into a state or a county that doesn’t really matter in the grand scheme of the election, is not going to change the balance on x, y or z, but then publishes details of the attack,” he said. “Undermining confidence in the vote is scary.”