Campaign 2018: Election Hacking is a weekly series from CBS News & CNET about the cyber-threats and vulnerabilities of the 2018 midterm election.
Computer systems around the world are vulnerable to cyberattacks. This includes voting machines, email networks, social media, and critical infrastructure that cities rely on to provide basic services. Yet none of these cyber-threats is as dangerous to the electoral process as the cumulative fear and uncertainty that hacking could change the outcome of elections.
For the CBS News series Campaign 2018: Election Hacking we spoke with more than two dozen experts, including current and former hackers, election security experts, former law enforcement agents, state election officials, former White House cyber-defense experts, and executives at the world's largest tech firms.
Are they worried? Yes. They're paid to worry.
But they're also confident that come Tuesday, Election Day, their vote will be counted.
There is one threat that each expert worries about more than any specific vulnerability: The fear that hacking will undermine citizens' faith and confidence in election results. Whichever party wins control of Congress, imagine the consequences if half the country believes it was rigged?
On Monday, Department of Homeland Christopher Under Secretary Scott Krebs told CBS This Morning, "We haven't seen certainly any compromises or any sort of access to election equipment across the United States at this point. But our planning factor is looking back at 2016 [to] see what the Russians conducted in terms of spearfishing campaigns And working to make sure those kinds of events don't happen again."
Every electronic voting machine is, essentially, a computer. All computers can be hacked, and the risks are abundant. The spectrum of hackers capable of attacking voting machines and voting systems is diverse, ranging from nation-states to hactivist groups. More worrying, these voting computers can be connected to voter registration databases, exposing critical data to manipulation.
But Cris Thomas, a security researcher for IBM Security, is confident that his vote and the majority of Americans' votes will be counted accurately. Most states and electoral districts still use distinct voting processes and a diverse array of systems. That very diversity, says Thomas, strengthens the outcome of the overall vote. "The resiliency of the electoral process will help ensure that citizens will have their votes counted and the right backups are in place to ensure it," Thomas says.
Theresa Payton, former White House chief information officer, agrees that voting systems are vulnerable but not defenseless. "I have a high level of confidence that my vote will be accurately counted," says Payton. "The Board of Elections in each State have worked hard to assess their local processes, train their voting poll officials … to better understand the threats targeting the voting process."
Political campaigns are ripe for hacking because they have an abundance of sensitive data, and are often underfunded with little budget for proper cyber-defense.
"What [Russian hackers] did in 2016 wasn't really all that sophisticated," says former hacker turned cybersecurity expert Kevin Mitnick. In 2016 a number of Clinton campaign staffers, including chairman John Podesta, fell for phishing emails sent by Russian hackers. Campaigns are still vulnerable to similar attacks, but technology firms like Google and Microsoft are actively collaborating with campaigns to increase security on email accounts and cloud data.
"A majority of what Google does to protect you is happening behind the scenes. A password manager, two-factor authentication definitely help, but even if you don't, we're able to prevent suspicious activity more than 99% of the time," says Google's Mark Risher.
Social media influence campaigns — the dissemination of online propaganda designed to sway voter opinion — are perhaps the most concerning "cognitive hacks" targeting elections because there's no clear solution to preventing them. Most large social platforms, including Facebook, Twitter, and Google, have detected influence campaign content ahead of the 2018 midterms. The companies have been making efforts to crack down on such content, but they're playing catch-up as bad actors continue to test the limits.
Leo Taddeo, a former FBI cyber specialist, is concerned that misinformation and the fear of hacking could prevent voters from going to the polls in the first place.
"I'm confident my vote will be counted accurately," Taddeo says. "It would be very hard for a malicious attack to impact the voting infrastructure. I am more concerned with attempts to keep people from the polls through misinformation. For example, a 'fake news' report about the polls closing early."
It is possible that on Election Day there could be voting process irregularities. But regardless of what actually happens, we're likely to see a stream of stories about hacked machines, database manipulation, and social media posts from trolls — and that could be the greatest threat. The endgame of election hacking, says Payton, is to undermine our faith and confidence in the electoral process. "Everyone should get out and vote and if you see something that seems suspect to you during the process, vote and report the issue. But if you don't vote, the bad guys win."
- Hackers, trolls and the fight over your vote in the 2018 midterm elections (CNET)
- Russian election hacking hits a bump, but it's still going on (CNET)
- Midterm elections, social media and hacking: What you need to know (CNET)
- Election security Q&A: Why do hackers target elections? (CBS News)
- Election hacking: The myths vs. realities (TechRepublic)