Supreme Court Nullifies Presidential Election Due to Hacking Allegations and Other Irregularities

Posted by Michael TitensThat was the headline from Nairobi, Kenya last week. The candidates will face off again within 60 days. Despite reports from US and European observers that the election itself was conducted properly, the opposition cited irregularities in the vote counting and reporting process, and alleged that the results were hacked into and manipulated.   Things are not so severe in the US, but hackers have been active here, too. Last year, we wrote about various cyber threats to the integrity of our presidential election, including voting machine vulnerabilities and hacks of voter registry data.  Here are some updates:Voting Machines. Experts correctly point out that voting machines are rarely connected to the Internet and that our decentralized and diverse voting system inhibits any efforts to alter election results. However, vulnerabilities still exist. Organizers of this summer’s DefCon hacking conference in Las Vegas purchased used voting machines on eBay and set up a “Voting Village” where hackers could try to hack the machines. Within hours (and in some cases just a few minutes), every machine was hacked. One machine still had voter information on more than 600,000 Tennessee voters (ideally, decommissioned voting machines should be wiped clean of all data before being sold).  These exploits do not prove that election results can be changed, but they do emphasize the importance of taking protective measures. At a Congressional hearing in June, experts recommended that outdated machines be retired, that data stored on machines be encrypted and protected, and that states use voting machines that produce a paper trail for verification. Of course, cybersecurity experts made these same recommendations in 2016 and pointed out that vote tallying and reporting functions are also susceptible to attack. According to a Minneapolis Star Tribune article, the federal government shut down the experts’ push for last-minute changes before the 2016 Presidential election. Let’s hope more is done before the 2018 midterm elections. Voter Information.  Voter registres and related databases are attractive targets for hackers.  They contain not only names, addresses, and birth dates, but often voting history and party affiliation for millions of citizens.  Safeguarding that information continues to be a challenge.According to a report on Gizmodo.com, “a leading US voting machine supplier confirmed [last month] that it had exposed the personal information of more than 1.8 million Illinois residents,” including driver’s license numbers and partial Social Security numbers. Apparently, the information was in a cloud-based database that was publicly available, no password required. When the problem was reported to the company, it took corrective action  (i.e., set up a password). The FBI is investigating whether anyone may have accessed and downloaded the information while it was available.That incident is dwarfed by the database left exposed by Deep Root Analytics, a marketing firm that provides services to the Republican National Committee. The exposed database contains information on 198 million US citizens, including addresses, birth dates, and phone numbers, along with other information regarding voter preferences on a variety of issues. The database was exposed for nearly two weeks before the vendor set up a password and took other protective action.  Should we be alarmed by these incidents and others like them? While we know that personal information was left unprotected, we don’t know whether anyone accessed it. Also, much of the information was already publicly available. So perhaps the most alarming aspect is that sophisticated entities failed to take the most rudimentary steps to protect personal information they knew to be valuable. Designing hack-proof systems is hard; ensuring that data is encrypted and password protected is not.  To avoid an outcome like the one in Kenya, election authorities should redouble their efforts to implement more secure voter information, voting, vote counting, and vote reporting systems for every election.