The hackers settled in, arranged their laptops on a small table and got right to work. The clock was ticking. They began by carefully combing through the online voting system’s code, rapping at their keyboards and exchanging a pitter-patter of techie jargon.
They toggled between screens. One displayed the unblemished interface that prospective voters would see. The other was black, threaded with lines of code: a sketch of their half-drafted attack.
The first few hours were full of dead ends: a rejected ballot; an unexpected security fix, made in real time by election officials to thwart their efforts. Had they been found out? Suddenly, one of the four hackers paused midscroll. He’d found a seemingly trivial mistake, the code equivalent of an unlocked window.
“Let’s steal things! Yes, let’s steal,” one of them said, tugging at his mop of dark hair. “Let’s get their ballot public key – GPG export or Base64 out to a file.”
This was not a war room in Russia, where hackers allegedly have worked to infiltrate email servers to disrupt this year’s election. It was the office of Alex Halderman, a computer science professor at the University of Michigan. The hackers were graduate students, proving a point about Washington, D.C.’s fledgling voting system: that internet voting is vulnerable, a hunk of cybersecurity Swiss cheese. It was Sept. 29, 2010, just a few weeks before the city’s system was to be launched.
Halderman, who has a mild demeanor and a slowpoke drawl, reminded his students of the weight of their task: “Remember how serious this is,” he said as they began to launch their attack. “This is the future of democracy these guys are jeopardizing.”
Yet, when America turns out to vote on Election Day, more than 30 states will allow some form of internet voting, relying on technology eerily similar to what these students so deftly hacked. Despite years of urgent warnings from computer scientists and condemnation from the federal government, thousands of votes will stream in through insecure portals.
Perhaps most alarmingly, of the 11 swing states in play in this year’s presidential election, five – Colorado, Florida, Iowa, Nevada and North Carolina – allow military and overseas residents to cast ballots online. These electoral battlegrounds expect to receive thousands of ballots that cybersecurity experts warn are insecure and susceptible to tampering. And together, they amount to 65 electoral votes.
Those experts fear it could throw the results of the presidential election into doubt.
As his poll numbers cratered in early October, Republican presidential nominee Donald Trump doubled down on his allegations that the U.S. election system and the media unfairly favor his rival, Democratic nominee Hillary Clinton.
“The election is absolutely being rigged by the dishonest and distorted media pushing Crooked Hillary – but also at many polling places – SAD,” he tweeted Oct. 16, echoing the sentiment the next day at a campaign stop in Wisconsin.
The election is absolutely being rigged by the dishonest and distorted media pushing Crooked Hillary – but also at many polling places – SAD
— Donald J. Trump (@realDonaldTrump) October 16, 2016
Speaking in the White House Rose Garden that week, President Barack Obama told Trump to “stop whining and go try to make his case to get votes. … There is no serious person out there who would suggest somehow that you could even rig America’s elections.”
That’s mostly true when it comes to America’s voting machines, spread out across more than 9,000 jurisdictions. The Department of Homeland Security recommends they never be connected to the internet – the better to shield them from a widespread attack. Without connectivity, experts say a large-scale assault would be an almost impossible undertaking.
“To manipulate election results on a state or national scale would require a conspiracy of literally hundreds of thousands and for that massive conspiracy to go undetected,” David Becker, executive director of the nonprofit Center for Election Innovation & Research, said at a House hearing in September.
But tampering with votes cast over the internet doesn’t require such coordination. It just calls for expertise, good aim and a hunch about the right spots to look.
As Halderman’s University of Michigan team demonstrated in 2010, it’s possible for a few hackers to quickly manipulate online voting systems. In fact, his students commandeered D.C.’s pilot program, after discovering a software designer had used double quotation marks instead of single ones when writing the program’s code. Into that tiny fissure, they crowbarred a command of their own.
THE TRUTH WILL NOT REVEAL ITSELF
The rest was gravy: They monitored voters’ selections in real time and stole a wealth of data. They gained access to the D.C. election office’s security cameras and spied on officials there.
After encountering other attack attempts from computers in China and Iran, the team locked those users out of the system. Finally, they diverted votes to made-up candidates. It took less than a day, and video documenting the effort shows they had time to spare: They joked around, cracked their knuckles, ordered pizza.
The student hackers also left a calling card: Fifteen seconds after a vote was cast, users’ computers autoplayed the University of Michigan fight song.
“This is on the real site,” Halderman said, as he gave their work a test drive on his laptop. “Our first test of our system for stealing votes and compromising voter privacy to demonstrate the threat of digital voting over the internet. Will it work?”
He submitted a ballot and waited. Five seconds. Ten. Fifteen seconds in, the computer’s tinny speakers blared. The team members knew all the words. They sang along.
“Hail! to the victors valiant
Hail! to the conqu’ring heroes
Hail! Hail! to Michigan
the leaders and best!”
City election officials discovered their system had been hijacked only after a consultant testing it emailed its developers a day after the hack to complain. He didn’t recognize the fight song.
A delayed response is precisely what worries Bruce McConnell, a former deputy undersecretary for cybersecurity at the Department of Homeland Security. Detecting a hack, he said, is a job for high-level security experts, not election officials. And in many cases in which programmers or security firms do identify an attack, it’s too late.
“You don’t know whether your system has been compromised,” McConnell said. “This is the case in cybersecurity attacks all the time. Many attacks are not found on corporate computers for 120, 180 days, even longer.”
That’s a crippling delay to endure when you’re deciding on the leader of the free world – and one on which foreign hackers just might be banking.
“You may not know until months after the election, if at all, that the results have been changed, modified or corrupted in some way,” he added. “And so you lose confidence in the validity of the results.”
In the current election, this could play out in a number of ways more complex than that outlined by Trump – including, some suggest, continued interference from abroad.
Indeed, the Obama administration already has accused Russia of compromising “e-mails from US persons and institutions, including from US political organizations.”
“We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities,” Homeland Security Secretary Jeh Johnson and James Clapper, the director of national intelligence, said in a statement Oct. 7.
And earlier this week, a coalition of researchers uncovered what appeared to be a “sustained relationship” between a Trump Organization server and one that belonged to a Russian bank.
If true, could they wreak even more havoc on the actual election?
Russian hackers “certainly do have the motive, means and opportunity” to launch an assault that would cast doubt on the election, said Herbert Lin, a senior research scholar for cybersecurity and policy at Stanford University. “And they certainly have a preferred candidate. I mean, there’s just no question about that.”
Cybersecurity worries about internet voting are essentially as old as internet voting itself. Long before the Obama administration first accused Russia of attempting to hack America’s elections, computer scientists were churning out warnings that largely went unheeded.
A report sponsored by the National Science Foundation, done at the request of then-President Bill Clinton, examined the feasibility of internet voting for national elections. Its authors completed the report in 2001 and concluded: “Remote Internet voting systems pose significant risk to the integrity of the voting process, and should not be fielded for use in public elections until substantial technical and social science issues are addressed.”
Criticisms only sharpened as the years wore on. In 2004, a group of experts assessed the Secure Electronic Registration and Voting Experiment, or SERVE, a system designed for the Department of Defense to help America’s military and overseas voters cast ballots online. SERVE sought to count millions of votes cast from around the world; it was to be deployed for that year’s primary and general elections. But after a close inspection, the experts issued a blistering takedown.
“We must consider the obvious fact that a U.S. general election offers one of the most tempting targets for cyber-attack in the history of the Internet,” they wrote.
Listen to the show
Citing serious security vulnerabilities, they recommended “shutting down the development of SERVE immediately and not attempting anything like it in the future until both the Internet and the world’s home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear.”
If that wording sounds scary, it’s because the potential problems with internet voting are, too. Hackers could intercept and change ballots cast online, flood election offices’ servers with distributed denial of service attacks, create counterfeit election websites and much more. In fact, many experts claim it’s impossible to ensure the integrity of any internet voting system without first verifying that every single voter’s home computer is free of malware.
“There is no version of internet voting currently available that is safe, period,” said Barbara Simons, a co-author of the SERVE report and a member of the board of advisers to the federal Election Assistance Commission. “The fact of the matter is that people who know the most about how these things work are the ones who are most opposed. And that should give people pause.”
It certainly alarmed Deputy Secretary of Defense Paul Wolfowitz. In January 2004, nine days after the SERVE report was published, he issued orders to terminate the program immediately.
An “inability to ensure legitimacy of votes,” he wrote in a memo to his undersecretary, would bring “into doubt the integrity of the election results.”
Internet voting, as a concept, could’ve ended there. Instead, dozens of states have embraced the technology.
In March, Utah’s Republican Party deployed an online voting system for its presidential primary, ignoring a report from the state’s lieutenant governor that warned of inherent security risks. Washington state is considering a measure that would count ballots submitted online by anyone in the state.
And in Alaska, where voters are far-flung and sometimes lack easy access to polling locations, all residents may submit their votes through a web portal – but not before a perplexing, Orwellian warning: “When returning the ballot through the secure online voting solution, your (sic) are voluntarily waving (sic) your right to a secret ballot and are assuming the risk that a faulty transmission may occur.”
Skeptics of internet voting joke about this typo-laden warning: You are, they say, in fact “waving” goodbye to your secret ballot.
Alabama ruled out internet voting for the presidential election after its system faced an attack.
“The consequences are high here,” said Bruce McConnell, the former cybersecurity undersecretary. “There is a lot of possible gain for countries, particularly state actors, to change or modify election results.”
Consider Colorado, which went twice for Republican George W. Bush before going twice for Democrat Obama. It will receive 8,500 votes over the internet this month, according to estimates from the secretary of state’s office. And although officials are confident in the safeguards currently in place – voters have to print out their ballot, sign it, scan it and upload it – they stop short of guaranteeing that the system is unhackable.
Instead, the state’s affidavit for military and overseas voters begins with a warning: “Mail is the most secure method of transmitting your voted ballot.”
Dwight Shellman, a manager in Colorado’s elections division, acknowledges that the technology presents a compromise. “The need to enable military and overseas voters to participate meaningfully in the election outweighs the security concerns of electronic return,” he said.
But that’s a troubling calculus – especially considering that Florida, which was decided in 2000 by 537 votes, swung the entire presidential election.
Even though the federal government has commissioned (and heeded) nearly two decades of warnings about internet voting, the decision to adopt the practice ultimately falls to states. And they don’t always get a balanced picture of the risks.
In January 2015, a House State Government Committee meeting convened in Olympia, Washington. The state already allowed military and overseas voters to cast ballots online; it was considering a bill to expand the privilege.
Secretary of State Kim Wyman spoke first. She explained that although she was neutral on the proposed bill, she had concerns about the security of ballots being transmitted over the internet.
“The use of this technology to vote and return ballots electronically is still relatively new if you look in the world of elections,” she said. “We haven’t had time to think through what the possible things we’re gonna need to defend in the heat of a close election.”
Hers were the only concerns raised at the meeting.
Shortly after she spoke, a Department of Defense employee began his testimony. Mark San Souci, a regional liaison for military families, thanked the lawmakers for “the opportunity to speak in favor of this legislation.” He’d consulted with several auditors “who feel like this would increase efficiencies in their office,” adding that a constituency of disabled veterans “would benefit from this change to the law.”
The testimony was measured, unremarkable – except for one fact: The Department of Defense, for whom San Souci was a spokesman, scrapped its own internet voting program in 2004, when Wolfowitz issued his memo. Meanwhile, the department’s Federal Voting Assistance Program, which helps educate military and overseas voters, currently refuses grant money to any state that intends to use such funding for internet voting in a real election.
Shortly after San Souci made his remarks, a representative from Everyone Counts, a California-based elections software company, sat down behind the microphone and affirmed his support for the bill, saying it would increase access and turnout. After introducing himself as a former elections official in Oregon, Donald DeFord urged Washington to expand its program, claiming that Oregon had successfully “made our accessible online ballot delivery and return system available to any voter who was not able to use a paper ballot” – even though it hadn’t.
There were no cybersecurity experts present to raise red flags.
The Washington state bill still is pending, but the way lawmakers considered it is instructive: The future of America’s voting technology – in some ways, our democracy – is playing out quietly across the country.
Sometimes, though, the meetings get interesting; the bombshells are impossible to overlook.
On an October morning in 2010, Mary Cheh, a Washington, D.C., councilwoman, called to order a public forum to discuss the city’s readiness for the upcoming general election. It began, as many council meetings do, with a thrum of dull decorum: Cheh sat alone at a long wooden table, flanked by empty chairs. She made a few brief introductory remarks, then began calling on scheduled speakers.
Silence. Several had failed to show up.
An hour in, a timid-looking man with a high forehead and rimless glasses introduced himself. Alex Halderman, the computer science professor from the University of Michigan, had traveled to D.C. to testify about the unusual pilot program the city’s Board of Elections recently had initiated. It was a first-of-its-kind opportunity to open up internet voting for public testing – a chance to pop the hood and attempt to poke holes.
Halderman and his team of grad students had accepted the challenge eagerly. As he settled into his seat, a voting rights advocate he’d arrived with requested that Halderman be allowed more than the five minutes traditionally set aside for speakers.
His findings, she said, were significant.
Cheh, looking slightly perplexed, obliged. “Just remember,” she warned Halderman, “I have to have things simple to be able to understand it.”
Halderman didn’t mince words. “Within 36 hours of the system going live,” he began, “my team had found and exploited a vulnerability that gave us essentially total control of the voting system software.”
Halderman told them about the fight song – his students’ idea – and he chuckled about the new candidate names they subbed in: “Mostly, they were evil science fiction robots,” he said.
He passed around screenshots of the election officials they had spied on from afar.
Cheh was momentarily speechless. She stared at Halderman. This was, after all, the system the city was planning to use in its actual election; real voting was to start in three days.
“You’re a funny bunch over there,” she said.
“Well, we’re a pretty serious bunch, too,” Halderman replied.
Election officials aborted the system. But today, D.C. is among the jurisdictions that allow military and overseas residents to cast ballots online.
This story was edited by Andrew Donohue and Amy Pyle and copy edited by Nadia Wynter and Nikki Frick.
Byard Duncan can be reached at email@example.com. Follow him on Twitter: @ByardDuncan.