Hacking The Midterm Elections: Lessons Beyond the Voting Machine

By Mark Stone, Contributor

A 2017 report from the Office of the Director of National Intelligence established that a foreign power — Russia — attempted to interfere with the 2016 U.S. election.

Today there is further evidence that hackers are again setting out to undermine upcoming midterm elections. In fact, Bloomberg reported in August 2018 that at least three candidates had already been victims of phishing attacks that resemble those of 2016.

The question for government officials and their constituents is, how difficult is it to hack an election? For those of us at home, it’s often unclear whether political hacking in 2018 is a grand-scale undertaking or as simple and vulnerable as one 17 year-old — with next to no professional hacking skills — makes it seem.

“It took me around ten minutes to crash a simulation of the upcoming midterm elections,” River O’Connor, the teen in question, wrote in a Politico post. “Once I accessed the shockingly simple and vulnerable set of tables that make up the state election board’s database, I was able to shut down the public-facing website that would tally the votes, throwing their count into confusion.”

It Takes A Village

The mock election hacking event was part of DEF CON, a famous hacker convention in Las Vegas where hackers, the business community, and federal government employees convene to share tricks and ideas.

At the Voting Village area, mockups of the 13 presidential battleground state websites were built around test voting machines that students were instructed to hack. “We put students in this room where they were taught how to hack and let them hack into the machines,” said Jake Braun, CEO of Cambridge Global Advisors and co-founder of the Voting Village.

There, students learned to do what is called a SQL injection attack — the same technique that the Senate Intelligence Committee reported as the biggest danger to election reporting sites. Braun said that many of the students taking part in the exercise were able to do damage soon after getting started. Equipped with the right information to perform the attack, students like O’Connor could change candidates’ names to something like “Bob The Builder” and allocate one billion votes to them.

“In two minutes, with a pen, she was able to take the thing apart — take the machine over and do whatever she wanted.”

-Jake Braun, CEO of Cambridge Global Advisors and co-founder of the Voting Village

The concern is this: If O’Connor was able to hack a mock election database and do severe damage within ten minutes, just imagine what a skilled hacker could do. “We were trying to make a very serious point, which is that this is something the Russians have actually done already,” Braun said. “We need to raise the alarm bells.”

Perhaps more alarming was that students learned there was no technical hacking required to compromise some voting machines. Braun pointed out that there is a Twitter video whereby CEO of SocialProof Security and DEF CON attendee Rachel Tobac demonstrates how simple it is to disrupt a voting machine.

“In two minutes, with a pen, she was able to take the thing apart — take the machine over and do whatever she wanted,” said Braun. According to Braun, the ballot station Tobac hacked is the same popular electronic voting machine used in 18 states.

As a former director of White House and Public Liaison for the Department of Homeland Security, Braun knows it takes an average of six minutes to vote. “If it takes only two minutes to hack this machine,” he warned, “it could potentially be compromised by a voter or even a poll worker during voting downtime.”

A Few Key Takeaways from DEF CON

After its second year running the Voter Village, DEF CON released a report detailing its findings. The report offers election officials a crisis communication plan to implement before a website is hacked.“They could actually train between now and the midterms and get a plan in place, so that if their websites were hacked, they would have a better response,” Braun said.

Despite a lack of funding for fraud protection and minimal prevention systems in place, Braun asserted that elections are not all doom and gloom. He is optimistic that lessons learned at DEF CON can aid election administrators and help the U.S. government better mitigate threats to our elections.

In addition, Braun maintains that findings from DEF CON can also help the private sector understand and protect against today’s biggest security concerns. Here is a brief look:

1) We must prepare for a collision of rights. Braun wants IT leaders to understand that human rights and free and fair citizenry are colliding with the fourth industrial revolution. By connecting our assets to the internet, he stated, there is a direct impact on human rights, particularly privacy.

“If [your connected systems or data] touch a Personally Identifiable Information (PII) in your firm, that’s perceived as something that people need to survive; it affects you,” he said. “Your company is likely going to face this challenge. If you can prepare for what that looks like for when [things] hit the fan, it will save you a lot of headaches down the road.”

2) Basic cybersecurity is like personal hygiene: It’s something you have to do every day. Braun was adamant that top-notch security has to become habitual, a rudimentary daily occurrence. He recommends explicitly implementing the top critical cybersecurity controls recommended by the Center for Internet Security. “It’s like keeping the lights on in your house, so the bad guys go to the neighbor’s and not to yours,” he said.

3) It’s time for HR to get creative. According to Braun, it’s important for business leaders to get creative in how HR acquires, recruits, and retains cybersecurity experts within the organization. The talented professionals, he said, are expensive but necessary.

“Maybe get free advice from hackers at a conference, but you need to deal with this [as a] human resource issue,” he concluded. “It’s front and center in the election security debate and for anyone who is in charge of security for their company.”

It’s Not as Hard as You Think

The DEF CON mock election hacking event is a cautionary tale: Hacking isn’t as hard as we’d like to think. Foreign adversaries have much more hacking power than the students at the Voting Village, and yet the more we know about our systems and processes, the easier it is to turn things around.

Moreover, a burgeoning civic curiosity amongst Voting Village students is promising. “We’re very happy to get these kids interested in politics,” Braun said. Hopefully, it can herald more positive change.