Protecting Elections from21st Century Threats

Would Futurama’s wise-cracking robot Bender be a better DC mayor than Vincent Gray? That might well have been the outcome if the District had gone forward with its internet voting pilot last fall. When the election board invited hackers to test the system, computer scientists from the University of Michigan were easily able to change the votes to elect evil science fiction robots. Election reform advocates from across the U.S. gathered last month in Chicago to discuss this and other high-tech threats to elections at the annual conference of the Election Verification Network (EVN).

Keynote speaker Rev. Jesse Jackson said the civil rights struggle that brought about the Voting Rights Act of 1965 continues today, with those hard-won rights now imperiled by new threats including the voter ID laws currently sweeping state legislatures. He pointed out that the right to vote does not necessarily include the right to have your vote counted fairly and accurately.




EVN seeks to safeguard American elections by pooling the expertise of state, local, and national election officials, advocacy organizations, election law and computer security experts, and others. The invitation-only think tank began in 2004 after computer scientists raised concerns about the dangers posed by high-tech voting equipment and has helped influence several states to reconsider the risks of paperless electronic voting.

Internet voting poses new hazards

Now computer scientists are warning of an even more serious threat to our elections: voting via the internet. Last year Congress passed the Military and Overseas Voter Empowerment (MOVE) Act to make it easier for Americans overseas to vote. The Act requires states to use the internet to speed up the delivery of absentee ballots to voters, but stops short of mandating the online casting of ballots. However, several states and the District of Columbia decided to experiment with internet voting pilot projects last fall.

Computer security experts advised DC's Board of Elections and Ethics to take the basic precaution of a hacking test before going live with their pilot. The Board agreed and, with just a few days' notice, spread the word among computer security experts to "bring it on." University of Michigan Computer Science professor Dr. Alex Halderman and his graduate students decided to take up the challenge.

Within 36 hours they had penetrated the system and soon gained control of the building's security cameras. They intercepted voted ballots, compromising the privacy of the voters, and replaced them with ballots containing write-in votes for "evil sci-fi robots." They also left a calling card: 15 seconds after a ballot had been submitted, the page was programmed to play the University of Michigan fight song (be sure to wait 15 seconds!).

In an interview at the EVN conference, Dr. Halderman explained how DC's election officials discovered the hack:

Determining election outcomes from overseas

While Halderman's team was inside the election board's computers, they found other attackers already there. These "botnets" are automated software that constantly roam the internet searching for unsecured computers. The botnets Halderman's team discovered were from Iran and China and probably were not specifically targeting the DC election system but attacked it just because it was easy to get into. He offered this chilling observation:

May the best hacker win!

Halderman and his students made changes to increase the security of DC's network against future attacks, but he and other prominent computer scientists warn that it is impossible to secure internet voting against the nearly infinite range of potential threats. Recent attacks on computer security firms illustrate that clearly.

However, these warnings are falling on deaf ears as many states forge ahead with internet voting plans. DC canceled its 2010 pilot but Georgia, Colorado, Arizona, and West Virginia went forward with their internet voting pilots last fall. DC's election officials are undaunted and plan to try again, and many other states are likely to do so in the 2012 elections.