It’s official. The evidence is clear and convincing. Foreign powers who sought to influence America’s elections have achieved their objective without firing a shot. It wasn’t malware, compromised electronic voting machines, Facebook, Twitter, or the twelve previously indicted Russians. It wasn’t even the latest Russian woman.
It was us.
Franklin Delano Roosevelt famously said during his 1933 inauguration address that “The only thing we have to fear is fear itself.” Fast forward to the 2018 mid-term elections, and the only other thing we have to fear is our fear of election tampering.
According to the recent Unisys Security Index, “In western democracies such as the U.S., the UK and Belgium, news about hacking is causing people to lose confidence in election systems. The results have serious implications for democracy. For example, nearly one in five U.S. consumers say they will not vote or are unlikely to vote in the 2018 mid-term elections due to concerns about election tampering.”
One in five Americans says they won’t vote because of fear of election tampering.
The fear of something happening is greater than the actual probability. Reality doesn’t matter in the current context. It’s perception, and 20 percent of the voting public believes their vote either won’t matter or will be affected.
This perception is driven not just by reporting, but by security companies attempting to showcase their thought leadership and technical acumen. It’s also a favorite topic for the hacker community.
In August of this year, Time reported that an 11-year old was able to hack into a replica of a voting website in ten minutes at a DefCon Hackathon called “Vote Hacking Village.” According to the announcement “This year you are invited to test more than 30 pieces of electronic voting equipment, most of which are still in use across the U.S. today. Join us for an interactive training that will simulate a Board of Elections office where participants can defend or hack mock office network and voter registration databases.”
The goal for the kids wasn’t to hack replicas, but to “hack into replicas of the Secretary of State websites for several battleground states.” About thirty-five of the thirty-nine kids were able to successfully exploit vulnerabilities on the sites. The perception is now cast — battleground states are weak and vulnerable to election tampering.
Unless you read the response from the National Association of Secretaries of State (NASS). They had a different view. “While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.”
Never let breathless reporting get in the way of reality.
That’s not to say that machines aren’t vulnerable — they are, as the adults at the conference demonstrated. But the machines aren’t vulnerable in the context of the kids’ event reported by Time. To believe that hacking a website could alter the actual election results is the red meat that drives views, clicks and revenue. The medium that is being used to make the news is the same medium being monetized to report the news. That is the definition of a vicious cycle.
But that’s also not to say there aren’t digital upgrades needed, and desperately in some places.
McAfee, a security firm, last month noted that several states were using .com domains for county election sites instead of the .gov extension. Government agencies which use the .gov domain are subject to more vetting during the registration process to give the public confidence about who they are actually dealing with.
One would think that if you had been a high-profile example about the integrity of the voting system, you’d be the poster child for best practices.
Unless you’re Broward County, home of the infamous 2000 presidential election recount, and inventor of the ‘hanging chad’ political meme that has persisted for 18 years. At the time I am typing these words, Broward County is http://www.broward.org.
Not .gov, but .org.
And not the more secure https, but the unsecure http.
Adding the ‘s’ onto http does a couple of things. It’s called SSL, or Secure Sockets Layer. It encrypts the traffic between the website and user, making it more difficult to compromise the information being consumed. Second, it gives the user confidence that if they are connecting to a certain site (such as https://thehill.com), that they are connecting to the actual site and not an imposter.
Is there any hope?
One potential solution lies in an unlikely place for most Americans. Many of us by now have heard of bitcoin, and the other various cryptocurrencies. The same underlying mechanism that allows two people who don’t know each other, and by default don’t trust each other, to exchange value is the same mechanism being used by West Virginia to allow voting by overseas military members. It’s not just for the dark web anymore.
This November, a blockchain application will allow serving members of the military who are currently abroad to vote electronically instead of the cumbersome, and often rejected, absentee ballot. Before the old guard rejects this outright, there is precedent: The tiny nation of Estonia and a major market force in the Nasdaq. The impetus for this goes back to 2007 when Estonia was savagely attacked in cyberspace by Russia.
According to the BBC, “Online services of Estonian banks, media outlets and government bodies were taken down by unprecedented levels of internet traffic. Massive waves of spam were sent by botnets and huge amounts of automated online requests swamped servers.
The result for Estonian citizens was that cash machines and online banking services were sporadically out of action; government employees were unable to communicate with each other on email; and newspapers and broadcasters suddenly found they couldn't deliver the news.”
This was the wake-up call the tiny nation needed to become a leading provider of electronic services, many of which, including voting, are built using blockchain technology. Although 99 percent of public services are available online, only 30 percent of their citizens use i-Voting.
The Nasdaq project found that “there is still a preferred preference by investors to attend and cast their vote in person at the AGM.” The same might hold true at the actual ballot box, where many voters may elect to actually show up and cast their ballot the old-fashioned way.
Although not a single vote in the 2016 was found to have been altered by a foreign power, it’s the perception that matters. The reality isn’t as bad as the media sometimes makes it out to be. What’s more, there are solutions to the existing problems at hand. The only thing we have to fear is the perception of fear.
Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He previously worked as a senior advisor in the U.S. State Department Antiterrorism Assistance Program and as senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.