News of Russian cyberattacks on the 2016 U.S. presidential election process was eye-opening for most Americans. The brazen theft of voter information, the hack of the Democratic National Committee’s emails and their transfer to WikiLeaks, and disinformation and misinformation campaigns on Facebook and Twitter highlighted the vulnerability of the U.S. election process.
Four years later in 2020, the country held what experts consider to be the safest election in years, even facing a pandemic and with a significant increase in mail-in and online voting.
What happened in those four years, and what must election officials do to protect the country’s voting systems from ever-evolving cyberthreats?
Top Election Cybersecurity Threats
To understand election cybersecurity threats, it’s helpful to understand that all parts of the election process, including voter registrations, ballot creation, voting machines, and vote counts, must be protected. A malicious actor doesn’t have to erase or alter votes to wreak havoc on an election. Simply creating confusion and sowing distrust are disruptive enough.
The following are some areas of vulnerability:
Voter Registration Rolls
In 2016, Russian hackers used malware to infiltrate voter rolls in 21 states, stealing voters’ personal information. They also hacked a voter registration software vendor’s files, highlighting the vulnerability of industry and government data.
After election officials design and build the ballot for each district, the ballots are copied onto individual voting machines. Election officials who use USB flash drives to copy ballots could inadvertently spread bad code to each machine. Ballot building requires a chain of custody and strong procedures to ensure election security.
Voting Booth Technology
Voting technology falls into three categories:
- Optical scan paper ballot systems. Voters fill in a paper ballot that is scanned and tabulated.
- Direct recording electronic systems. Voters select their choices via a touch screen or dial, and the choices are stored on a hard drive. They may also print out a paper trail.
- Electronic ballot-marking devices and systems. Voters make an electronic selection, and the device tabulates the vote. This is older technology, and may not include a hard drive to store the votes or print out a paper ballot as a backup.
Voting technology is vulnerable to human error as well as hacking. Aging equipment and out-of-date software have caused glitches, and leave voting systems vulnerable to attacks. Untested code also causes issues, as was seen in the 2020 Iowa caucuses, when a tabulation app failed.
Official Election Websites
Official election result websites may also be vulnerable to hacking. Hackers can take over, deface or shut down official sites. While that doesn’t change election results, it does sow doubt and create confusion.
Misinformation and Disinformation Campaigns
In the 2016 election, Russian operatives used fake social media accounts to influence voters. They created and linked to false news stories that were amplified by algorithms to reach millions of people, who also shared these links.
Election Cybersecurity Solutions
Government election officials have been tasked with protecting U.S. election systems from cyber and other attacks since the Help America Vote Act (HAVA) was passed in 2002. HAVA was enacted to overhaul an aging voting system and ensure that voting technology met specific standards. Under HAVA, the U.S. Election Assistance Commission (EAC) was founded to provide resources for election officials, including protections against cybersecurity breaches. Some of these methods include:
When computer voting systems were first put in place, they usually didn’t include a paper printout. This made it impossible to audit results in the case of equipment failure. Some election districts still lack a paper backup, risking the integrity of their election results. In 2021 the EAC adopted national guidelines promoting paper ballots, although states can choose not to follow those guidelines. In the 2020 election, some 10 million voters voted on machines that lacked a paper ballot backup.
Update and Maintain Voting Hardware and Software
Outdated technology leaves elections open to cyberattacks. Election officials can limit this threat by replacing old machines, updating software to the latest version and routinely testing voting technology to make sure it’s operating properly.
Conduct Routine Election Audits
Making audits part of the election process can help build trust in election results. Election officials can start with a risk-limiting audit, in which a handful of ballots are audited by hand, and if discrepancies are found, the audit can be expanded.
Secure Voter Registration Data
As seen in 2016, voter registration data can be compromised. Although officials state that no votes were changed in that election, cybersecurity experts say it’s possible in the future. Securing voter data and electronic poll books is an essential step in protecting against cyberattacks and safeguarding personal data. The EAC provides guidelines for protecting data from cyber and physical tampering.
Critical Infrastructure Status
The Department of Homeland Security (DHS) now considers election systems to be part of the critical infrastructure of the U.S., like transportation, food and water, and financial services, among other sectors. This gives state and local election officials priority when requesting assistance from the federal government. Taking advantage of this status provides officials with additional support to protect their elections.
What Does the Future Hold for Election Cybersecurity?
Although the 2016 Russian cyberattacks were a rude awakening, they galvanized officials across the country to make changes to preserve the integrity of election results. Many districts updated their technology, replacing outdated machines and adding paper ballot capabilities.
But officials and cybersecurity experts warn that the threat remains high. For example, DHS remains concerned about potential ransomware attacks that could cripple an election. Election officials who commit to the best practices proposed by cybersecurity experts and government agencies, such as the EAC and the Cybersecurity and Infrastructure Security Agency (CISA), will be best positioned to protect their election systems while continuing to make them safe, fair and accessible for all eligible voters.
Unlock Your Potential with a Master’s in Cybersecurity
With the safety of the U.S.’s critical infrastructure at stake, the need for cybersecurity experts is greater than ever. Find out how you can take your computer science or related degree to the next level with the University of Nevada, Reno’s Master of Science in Cybersecurity program. With courses including Cryptography and Blockchain, Digital Forensics, and Mobile Computing Security and Privacy, a master’s in cybersecurity can prepare you for a challenging and rewarding career.