FT explainer: can the US election be hacked?

State electoral officials in the US are scrambling to secure their computer systems after the revelation that two states were hacked in July. The FBI said voter registration databases in Illinois and Arizona were infiltrated by foreign actors. Just how vulnerable is the election to cyber attack?

What happened? 

In the Illinois case, data on up to 200,000 voters was taken. Given the alleged Russian hack of the Democratic National Committee, US authorities are investigating a Russian link to this cyber attack, although a US official said they had not concluded there was Russian involvement. Officials also say that criminals might be just as interested in the data as a group or government trying to manipulate an election.

Is it all the fault of Bush v Gore? 

Remember “hanging chads”? After the debacle of the 2000 election, many states invested in new computerised voting machines. And since then, security researchers have demonstrated on a regular basis that almost all of those machines are vulnerable to cyber attack. Hackers could potentially change voter rolls — the potential threat raised by the Illinois and Arizona incidents. They could also manipulate the voting machines themselves, altering people’s intentions, or they could hack the computers used to compile election results.

The situation is made more complicated by the byzantine framework for administering elections. Not only does each state make its own rules, but in many cases counties and cities make their own decisions about what technology and protocols to use. 

The biggest vulnerability, according to researchers, are so-called direct-recording voting machines (DRE), which are touch screen computers that leave no paper trail. If they were hacked, it would be very hard for election officials to ever find out what really happened. Andrew Appel, a computer scientist and expert on voting machine technology, calls the DRE machines a “fatally flawed technology”. Only six states use these types of machines for voting. Unfortunately, they include parts of Pennsylvania — which will be one of the key states this year if the election is close.

What is the answer? 

Some officials have proposed that voting could eventually move online — and cryptographers have been working on developing systems that might guarantee voter security. But this seems to be some way off. In 2010, Washington DC announced a pilot system for online voting and encouraged computer scientists to hack it. Within days, grad students at the University of Michigan had infiltrated the system — installing cameras to watch the movements of election workers, changing the result of one race and embedding the university’s anthem on to the board of elections website.

The solution, according to researchers, is to always have parallel paper records so that officials can conduct spot audits to check the results. In the case of voting, that means using machines to count paper ballots in order to save time — but having people count small samples of the ballots to confirm the figures. More than half of states do this in some shape or form. 

That is the good news — there are plenty of ways that state election officials can double-check to make sure the results are correct and catch any problems. The bad news is that a hacker does not necessarily need to manipulate voter rolls or vote counts in order to have an impact. Simply by creating uncertainty over the process, a cyber attack could undermine the integrity of an election — especially when at least one of the candidates is already telling supporters that the results will be “rigged”.