How to Hack an Election: An Intelligence Analysis

When I was an intern at a community mental health center in Manhattan Beach, California, my clinical supervisor who focused more on me than on my clients observed, “Eric, you can’t get rid of something you don’t admit to having in the first place.”

Although my supervisor was referring to my unconscious perceptions, attitudes and needs that could get in the way of being a good therapist, many years of working in areas beyond mental health—both in industry and the U.S. intelligence community—have taught me the wisdom of my supervisor’s observation and its applicability to almost all realms of life.

Nowhere is the caution to be aware of one’s hidden biases more relevant—and important—than in dealing with the possibility of foreign interference in our election systems. As the 2018 midterm elections approach, the question of foreign tampering with our democracy takes on great urgency.

After the last presidential election, I heard one expert after another reassure voters that the Russians could not have hacked voting machines or state vote tallying systems on a scale large enough to tip the presidential election.

For instance, CNN online published a story quoting Dr. Nicholas Weaver, of the International Computer Science Institute at the University of California, Berkeley.

Nobody is going to be able to change the outcome of the presidential vote by hacking voting machines. The system is too distributed, too decentralized, too many implementations for any individual actor or group to make substantial change."

And a commissioner of the Voting Assistance Commission, Tom Hicks, told Time

“The truth is, the voting process is the most secure it’s ever been.”

As much as we’d all like to believe such confident pronouncements, my experience in the intelligence world, where I served as Associate Director of National Intelligence, has lead me to one inescapable conclusion—the optimistic “experts” are probably wrong, and all of us should acknowledge that our unconscious (or not-so-unconscious) need to believe that our democracy can’t be subverted by foreigners, blinds us to powerful evidence to the contrary. And, after embracing this scary possibility, we should do a lot more to secure our voting systems than we are doing now.

What is the evidence is there that our voting system is vulnerable to Russian tampering?

The case for Russian tampering with the vote

Let me start by explaining the way intelligence professionals would approach the question of whether the Russians, or other skilled actors, could change the outcome of a U.S. election by tampering with voting. Then I’ll show why intelligence-style analysis leads to uncomfortable conclusions

In making assessments about a state actor, such as the Russians, intelligence analysts ask two questions: what are the intentions of this actor and what are their capabilities?

If either intent or capability is lacking, then a particular outcome—say a nuclear strike on America—is unlikely. For instance, we know that North Korea is capable of detonating nuclear weapons on U.S. soil, (forget missiles, they need only wrap a nuke in a bale of marijuana and smuggle across our porous borders). But so far, at least, most of us think North Korea lacks the motivation to do so, if for no other reason, than attacking America would be national suicide.

Conversely, actors such as ISIS and Al Qaeda probably have the motivation to nuke America, but, so far at least, not the capability.

Where problems arise is when a particular actor on the world stage has both the intention and the capability to do us harm. Moreover, the greater the intent, or the greater the capability, the more likely an actor is to pursue a particular course of action.

So, do the Russians intend to elect American candidates they prefer over those that we, the voters, prefer?

In a word, yes. In a rare display of unanimity, last year the U.S. Intelligence Community assessed that Putin, acting through his intelligence services, had indeed tried to tip the presidential election. One of the Russian Intelligence’s scariest accomplishments was to break into voter databases in 21 states (up to 50 states if you believe some sources). This success alone could have influenced the election by dictating who could and could not vote. In one target of Russian hacking, North Carolina for instance, some legitimate voters (in a “blue” precinct, as it turns out,) could not vote because the e-poll registration system used to allow voters to vote erroneously asserted that some legitimate voters weren’t registered.

Ok, but exactly how motivated are the Russians to mess with our elections? Was this a one-time provocation, an experiment as it were, to see how far they can push us or was it closer to the other end of the motivational spectrum, a do-or-die policy?

I believe Kremlin leadership sees meddling in elections of Western democracies as an enduring, vital strategy for keeping Russia safe and their regime alive. Furthermore, Putin’s motivation to hack our voting system is, and will continue to be, extremely high.

In the West, we tend to forget that to the Russians, the “West” equates to aggressors such as Napoleon and Hitler. And such existential threats are not “old history” to the Russians. Imagine, for example, how Americans would feel if the Russians had recently succeeded in luring three states, say California, Oregon, and Washington to secede from the U.S. then join a Russian military alliance? Compounding that problem, further imagine that former allies Britain, France and Germany flipped over and aligned with Russia?

Well, that is exactly what happened from Russia’s point of view when former Russian republics, Latvia, Lithuania and Estonia left the Soviet Union and became members of the Western military alliance, NATO, joining former Soviet allies Poland, Czechoslovakia, Bulgaria, and Hungary.

If you were Russia, how would you cope with such a catastrophic, existentially threatening reversal of fortune when you only had one dollar to spend for every 13 of your adversaries (Russians defense budget is about $70B against NATO countries’ $918B)?

You’d cope by using every non-military tool at your disposal to weaken and divide your adversaries, to keep them occupied fighting themselves so they would be unable, and unwilling to fight you.

Recently, some Russian strategic thinkers have asserted in open military publications, that non-military “active measures”, such as cyber operations, are capable of achieving “strategic tasks” such as eliminating the NATO threat, without military action.

Election of isolationist, divisive leaders in Western democracies would be an excellent way to succeed at such a “strategic task.” Inflaming internal divides with polemic Facebook and social media posts—something the Russians have continued doing since 2016 election— would be another.

Bottom line, the Russians don't tamper with our elections and our politics because they want to do it, they do it because they firmly believe that they need to do it to survive.

One more thing. You might be wondering whether, despite their motivation to subvert our national elections, Russian leadership might still hesitate to alter vote tallies out of fear of getting caught. Whereas the U.S. Congress responded to voter registration hacks and email leaks from the Clinton campaign with sanctions—a mere slap on the wrist—the U.S. just might view outright alteration of vote counts an act of war and respond accordingly.

Sadly, I think the Kremlin views getting caught as more of a good thing, than a bad thing, because the net result would be favorable to Russia. Based on the way we responded to Russian behavior in 2016, Putin knows that a sizable portion of America—members of whichever major party the Kremlin favored—would, by and large, accept the inevitable Russian denials about vote tampering because we all believe what we want to believe, particularly when believing Russia committed an act of war could lead to armed conflict with a superpower. Thus a bitter, protracted and ultimately unproductive fight would ensue in the Congress, the press and at dinner parties and family gatherings everywhere. Sound familiar?

In other words, if Russia were caught changing vote counts, America would be even more divided than today: exactly what the Kremlin wants. And the national will to respond to Russia’s provocation as an act of war simply wouldn’t be there.

Russia wins if they don’t get caught and Russia wins if they do get caught; what’s not to like?

What about capabilities?

First, the Russians have arguably the most capable and effective intelligence services in the world, with demonstrated prowess in cyber operations (witness the devastating cyber attacks on their former republics, Georgia, Estonia and others). Russian computer programmers and hackers are considered the best in the world, as lacking the resources to build or buy high-speed computers, Soviet programmers had to learn the art of writing extremely efficient, “lean” code.

Second, contrary to expert opinion, our voting systems are extremely vulnerable to attacks by sophisticated nation-state actors such as the Russians. These systems are built with unsafe, outdated technology and (see below), trivial to break into. And bear in mind, the Russians don’t have to invade all of our voting machines and election support systems, just 25-50 “swing” counties in “swing states” such as Florida, Pennsylvania, and Ohio in a close election like 2000 or 2016.

Yes, attacking individual scattered voting systems all of over the U.S. might be a lot of work, but when you compare that effort to Russia’s recent $2.2 billion military investment in saving Bashar Assad of Syria in order to establish a strategic beach-head in the Middle East, going after 25 plus “swing” voting precincts in America does not seem so implausible. And remember, to the Russians, weakening America is at least as important as saving Bashar Assad.

Here are just a few of the ways voting system hardware and software can be compromised

Supply chain attacks.

Voting systems are basically off the shelf computer hardware, software and memory systems. Every one of these components has to be manufactured (or coded), stored somewhere and shipped from Point A to Point B. The same is true of complete systems, such as voting machines themselves. All that an intelligence service has to do is to gain access to one of these components by breaking into a facility, intercepting a shipment, or intercepting and internet file transfer, then infecting a voting machine’s hardware, software or memory components. It doesn’t matter whether a malicious actor modifies a CPU, a graphics chip, a BIOS, a memory chip or a device controller, if that actor succeeds with just one component, they can “own” the entire voting system. Even if the completed voting machines themselves are locked away in continuously monitored, hard-to-access locations (an extremely dubious assertion), how secure are the manufacture, storage and shipping of every chip, piece of software, and memory device that comprise that voting machine?

Not very.

Remember, these components are almost all mass-produced to go into hundreds of millions of garden-variety laptops, home computers and mobile devices, not highly sensitive voting machines.

Insider threats

A tried and true way to compromise any computer-based system is to bribe, blackmail, seduce or convince someone who has privileged access to do your bidding, or to infiltrate one of your operatives into a system to gain privileged access.

How well vetted and monitored are election volunteers and election judges in every precinct in America, who can insert malware, tamper with paper ballots, alter voting rolls, or clandestinely connect a voting system to an outside network?

Last year at the DEFCON hacking conference, 25 voting machines representative of those now in use across America were set up in a “Voting Village” where any conference attendee could attempt to hack one or all of the machines.

Here is an excerpt of the DEFCON report on the experiment.

By the end of the conference, every piece of equipment in the Voting Village was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermined confidentiality, integrity, and availability of these systems.

Many of the compromises took just a few seconds by simply inserting a memory stick carrying malware in a voting machine. So it would be trivial for a malicious insider—or someone who broke into a facility where voting machines are stored—to change voting results in targeted machines.

Yes, some electronic voting machines protect against such fraud by printing out a paper copy for each voter showing the choices that voter electronically selected on a touch screen, so that each voter can certify that their electronic vote was captured correctly, and to support audits in case of a recount or fraud investigation. Sounds foolproof, right?

But what if a malicious insider, immediately after the election substitutes “fake” printouts from such voting machines for the real ones to match “fake” election results stored electronically in malware-infected machines? Any audit would show that the paper record exactly matches the electronic record.

Malicious insiders could similarly optically scan-in “fake” paper ballots, where paper-only voting systems are used. Or, if this were too difficult because of monitoring, an insider could substitute “fake” paper ballots for real ones, where the paper ballots are stored, so that any subsequent audit of paper ballots would yield the desired results.

Hacking

Digital voting machines, or vote counting machines such as paper ballot scanners, as a rule, are not connected to computer networks. Voting results are added up in each machine, written to a thumb drive, smart card or other non-volatile memory devices, then sent to a centralized vote-tallying center in each county. Thus, in theory, voting systems should be immune to outside hacking.

Unfortunately, the same cannot be said of all of the components that make up a digital voting system. Take, for example, a thumb drive that transfers votes out of a machine. Was this thumb drive, or the chips inside of it, ever in its entire lifetime attached to a computer that was connected to an outside network? If the answer is “yes” that thumb drive, and everything it later connected to, could be infected with malware inserted by outside hackers at some point in the thumb drive’s life cycle.

A combined insider threat/outside hacking attack is another way outside hackers could do harm to a voting machine or vote tallying system, if an insider should surreptitiously connect a voting machine to a computer network through something as simple as a 4G cell phone.

How likely is the threat and what should we do about it?

Adding up what we know about Russian intentions and capabilities, and factoring in the vulnerabilities just listed, I believe that it was entirely possible votes in the 2016 election were tampered with, and that attempts could be made to compromise future elections.

Here are just a few of the many things we need to do to make our voting system more tamper resistant.

• Build all voting machines from secure components manufactured and coded in highly secure, U.S. facilities. Voting machines are relatively low tech, so we can actually do this with U.S. chip manufacturing foundries.
• Build, install and operate multiple, independent “watch-dog” systems that continuously monitor storage, shipping and operation of voting equipment and voting materials.
• Conduct ongoing “penetration tests” by skilled professionals to attack and test vulnerabilities in our voting systems. However secure we make these systems today, tomorrow hostile actors will think of new ways to compromise our voting processes.

But the most important step we need to take to protect our voting system lies in the realm of psychology, not technology.

We must acknowledge and embrace the painful truth that the foundation of our democracy, free and fair elections, is under siege by an extremely motivated and skilled adversary.

We cannot take refuge in the belief that no sane actor would take on the task of attacking even 25 of our highly decentralized voting system: adversaries such as the Russians know we believe that such an attack is “impossible” and that we will therefore not take aggressive steps to stop them.

The Russians, who are keen students of history, know very well that a country’s dogged belief in impossibilities can accelerate its downfall. France knew it was impossible for the Germans to breach their Maginot line in World War II (The Germans’, with a vastly smaller army than the French, simply went around the “impregnable” Maginot line). The Germans, in turn, wrongly thought it was impossible to break their “Enigma” communication codes in that same war. Saddam Hussein thought a U.S. invasion of Iraq in 2003 was impossible because, why would any country in their right mind contemplate such a thing? And in the 1980’s, U.S. counterintelligence experts thought it was impossible for the Russians to bug our new embassy in ways that we could not detect and counter (turns out the “backward” Russians did exactly that).

In sum, the Russians are not the problem, we, by clinging to self-serving beliefs in what is impossible, or politically inconvenient, are the problem.

Discover more about the way our brains make us see what we want to see and to discount bad news in my new book Brain Safari: 5-Minute Experiments to Explore the Space Between Your Ears