Cybersecurity expert: One battleground state most vulnerable to voting hacks

Last Updated Sep 29, 2016 2:15 PM EDT

The battleground state of Pennsylvania might as well have a target on its back as Election Day nears, the cybersecurity company Carbon Black warned in a new report released Thursday.

“If I was a 400-pound hacker, I would target Pennsylvania,” Carbon Black chief security strategist Ben Johnson told CBS News, a reference to Donald Trump’s comment in Monday’s debate that the hacker behind the Democratic National Committee email leak could be someone “sitting on their bed that weighs 400 pounds.” 

U.S. intelligence officials actually believe Russia was behind that breach and a number of recent intrusions into state voter databases.

What makes Pennsylvania such a vulnerable target for hackers seeking to influence the election?

Most Pennsylvania counties use particularly high-risk electronic voting machines that leave behind no paper trail that could be used to audit the integrity of votes cast. In addition, many of these machines — called “direct-recording electronic” machines — are running on severely outdated operating systems like Windows XP, which has not been patched by Microsoft since 2014, Carbon Black said in its report. In general, these complex machines are a headache compared to so-called fixed-function devices that perform just one task and are thus harder to hack.

Politically, Pennsylvania has extraordinary value with 20 electoral votes and polls showing a narrowing race between Hillary Clinton and Donald Trump. 

According to Carbon Black, Pennsylvania is an easier target than other battleground states like Ohio and Florida. Ohio conducts post-election audits and has a manual recount provision that kicks in for tight races. Florida also has required audits. 

The general lack of a paper trail throughout Pennsylvania is a recipe for disaster, Johnson said. Before he co-founded Carbon Black, Johnson was a National Security Agency (NSA) engineer and defense contractor during the Iraq and Afghanistan wars. 

“If you buy something in the store with a credit card, you get a receipt. But if you cast your vote for president of the United States, you get nothing,” Johnson said. 

According to the Brennan Center for Justice, more than 40 states are using voting machines that are at least ten years old. Across the country, the disjointed patchwork of different ballots, different electronic voting machines, and different polling station standards creates a perfect storm for targeted hacking, particularly in battleground states. 

With just over a month till Election Day, there’s no time to redesign the voting process nationwide. But it’s imperative to minimize risk in the system we already have, Johnson said. 

At the very least, he suggested election officials should:

  • Keep individuals from having prolonged access to the physical voting machines; 
  • Turn off any communications capacities, like Wi-Fi or Bluetooth, on the machines;
  • Make sure no other devices are plugged into the machines;
  • And train polling station workers, typically volunteers unfamiliar with cybersecurity, on the importance of enforcing these measures. 

In the U.S., states select and operate their own voting systems, adhering to federal standards — but beyond those standards, the federal government cannot dictate how states run their voting systems.

That oversight could conceivably change. Earlier this month, Rep. Hank Johnson, D-Ga., introduced legislation that would designate voting systems as “critical infrastructure” — a move that would heighten the federal government’s security obligations towards voting systems nationwide. It would also limit the purchase of new voting systems that do not provide adequate paper trails for verification. 

But for now, the federal government’s power is limited to pushing individual states to “wake up” to the imminent threat of voting system hacks, Johnson said.

“You kind of need a federal, Congressional discussion. You need that kind of energy and influence. But it’s really up to the states to opt into something like that,” he said of the possibility of an overhaul.

Fears of hackers tampering with Election Day have mounted for months, especially during a campaign season in which the Democratic National Committee’s internal email communications were leaked to the public and Donald Trump invited a foreign actor, Russia, to hack into his rival’s emails (jokingly, he later said). 

In August, the FBI found evidence that hackers broke into Arizona and Illinois’ state election databases. And this week, law enforcement officials told CBS News the intrusions may have been more widespread, with about 10 states’ systems probed or breached.

Experts said the ultimate goal of these hackers is not necessarily to change the outcome of the election, but to de-legitimize it by sowing doubt, uncertainty and suspicion through a series of cyberattacks.

Last month, Senate Minority Leader Harry Reid asked the FBI to be more aggressive in examining the possibility that Russia could try to “falsify official election results.” 

There is no indication that any previous U.S. election has been tampered with.

But the fear of Election Day hacks this time around has already had a chilling effect on the electorate. More than half of U.S. voters (56 percent) are concerned that this year’s election will be affected by a cyberattack, and more than one-third of U.S. voters (36 percent) feel their voting information is insecure, according to the survey by Carbon Black, which polled 700 registered voters ranging in age from 18 to 54.

Among the voters who believed their voting information is not secure, one in five said they would consider not voting in this year’s election given their concerns — a “surprising and depressing” reality that America must grapple with, Johnson said.

“We fundamentally say, ‘Go vote. Don’t let this get you down.’ But we need to understand the risk,” Johnson said. 

He likened this moment in U.S. politics to an addict’s first Alcoholics Anonymous meeting: the first step in a long process is acknowledging that a problem exists, he said. The next is probing the weaknesses in the system with the same vigor that, chances are, America’s adversaries are showing at this very moment.

What’s Johnson’s personal plan for Nov. 8? The former NSA engineer said he’s somewhat comforted by the state he’s registered in.

“I’m in Illinois, and most of Illinois gets a paper receipt,” he said.

    Shanika Gunaratna covers science and technology for CBSNews.com