Could Decision 2012 be hacked?

Like most else in the modern world, elections increasingly rely on technology. However, with that reliance comes a growing risk: cyber threats.

In other countries, including Russia and Mexico, elections have served as a target for malicious cyber activity. As the U.S. heads into its heated general elections on Nov. 6, cyber threats are a very real concern, experts say.

“We work with computers all the time, we love computers… but as a result we have to understand the potential threat here. There are people who, when we raise the issue, say there’s no instance [malicious cyber activity] has happened, but how do we know?” said Eugene Spafford, chair of the public policy council at the U.S. Association of Computational Mechanics and professor of computer sciences at Purdue University. “There are many incidents of malicious software and activity out there, and they can get into any system that’s not properly secured.”

Many steps in the election process – including registration and vote tallying and reporting – now require the use of networked capabilities. Even actual voting is often done on an electronic screen, and all of the steps are carried out on a computer platform such as Windows. That means each of the steps is susceptible to being compromised, Spafford said.

With any use of computers in the elections process, there are the potential problems of accidents and of malice, he noted.

“Accident is where some flaw in the software or hardware causes votes to be lost, switched or added in such a way that it changes results of election. Software can be flawed…or hardware can fail,” Spafford said. “If we take it a step further and add in malicious behavior, it’s possible for someone along the way at various levels to insert malicious code that has been designed to alter results surreptitiously and in a way that isn’t easily detected.”

The problems have been on the rise in recent years and in elections around the world. Whether internal concerns or outside threats – such as distributed denial of service attacks that block access to critical websites and networks – the potential for a U.S. attack on Election Day is very real.

“Elections have become a very common framework for attacks for purposes of destruction, gaining notoriety and favoring one party over the next. We have seen a series of attacks across the world, whether federal, local or regional,” said Carlos Morales, vice president of global sales engineering and operations at Arbor Networks.

Morales noted that DDOS attacks have affected voter registration in Canada, voting booth video monitoring and other election aspects in Russia, and the Mexican Federal Electoral Institute. He also said it is likely that somewhere in the U.S. will experience a cyber attack amid the elections.

“This is something that has become quite prominent. It’s a pretty consistent scheme that has led to where we are today: It can happen at any time, especially events with a lot of public scrutiny and in public view. These are prime targets,” Morales said. “It hurts that a lot of municipalities are basically on their own to develop [security] practices – they are not afforded budgets or given best practices. There will be a lot of variability in available defenses.”

It is especially worrisome in places like New Jersey, where storm damage from Hurricane Sandy has damaged infrastructure and, in a number of ways, will make voting difficult on Nov. 6, just a week after the storm hit. In wake of the storm, the state will allow voting by e-mail, and that opens the door to a range of concerns about integrity in the elections process.

“The opportunities for fraud are so much greater. This could definitely be used as means to disrupt the elections,” Morales said of the situation in New Jersey. The two biggest concerns will be ensuring that e-mailed votes get where they need to be in time for the election – which could theoretically be made difficult by a problem like a DDOS attack – and that identities are validated, which will be difficult to do by e-mail, Morales said.

While New Jersey’s post-Sandy Election Day presents unique challenges, there are ongoing problems that need to be addressed in elections cybersecurity, an area that will only continue to grow as an area of concern going forward.

“There are best practices…and if they were set as standards that states were required to meet, it would help prevent most of these problems and still allow companies to innovate in the space. There has been legislation introduced in past to do precisely this but it’s never really made much progress – it’s not a priority and not enough people understand the difficulties,” Spafford said. “The worst case doesn’t happen often, but when it does it’s really bad, so it’s important for day-to-day protections to prevent really bad from happening. It’s like what we do with anti-virus and backups.”