Are American and European Voting Systems Subject to Russian Hacking? (By SecGate)

Voting systems in almost all major nations are not on the internet, either due to hacking concerns or by tradition. Yet there have been major news stories around the world of Russian meddling in elections all over Europe and the United States. The Russians have been able to infiltrate email systems and steal documents from candidates and political parties, but there is no evidence to suggest that they have actually hacked any voting machines, mainly because none of those are connected to the internet.

So let’s look at some of the major election systems in the West and analyse what happened in recent elections and how officials have reacted.

THE US ELECTION

President Trump is under investigation by Congress and the FBI for alleged ties between Trump’s campaign and Russia. And, in an episode reminiscent of President Richard Nixon (who, threatened with impeachment, resigned from office), President Trump fired the director of the FBI, who was leading the investigation. Politicians from both sides of the political divide are talking about seeking Trump’s impeachment for obstruction of justice, and criminal indictment of other Trump government officials.

In the recent US election, it is clear that hackers were not able to attack actual voting machines. Instead, they leaked embarrassing emails from Hillary Clinton’s campaign to WikiLeaks. They also attacked the Republican Party but did not leak any stolen data, leading to charges that Russia wanted Trump to win.

In America, elections for president are conducted in all 50 states. So, there are 50 systems and not one central system to attack. None of these systems are connected to the internet because of exactly these concerns over hacking. Instead, they use electronic systems backed up by paper ballots. Election officials gather up the ballot boxes and electronic records and deliver them to headquarters where the votes are tallied. They do this in each of the 3,000+ counties in the US.

However, Americans overseas and military are able to submit a signed and scanned ballot to the county election board by email. But even this process does not seem subject to mass hacking, as so many emails would have to be faked. The only element in an election that is online is the registration system for an absentee ballot to be sent to the voter; and each state has its own website.

In the American land of technology, there have been some efforts to allow online voting, with people arguing that using paper-based systems is antiquated. But any trials for a new system were quickly shut down. In one notorious example, the District of Columbia tested an online voting system. Hackers were able to penetrate it within hours. So election officials took it down and never talked about it again.

THE FRENCH ELECTION

The French election is over. Those who oppose Marine Le Pen and her nationalist policies are breathing a sigh of relief. But it could have gone the other way as internal documents and emails from the winning candidate, Emmanuel Macron, were released by hackers online just before the second round of voting commenced, within the period where the law prohibits the candidates, or any media, from commenting on events. So, Macron was unable to defend himself against any fallout from what was released about him and his campaign. The French media was also not allowed to report on it, and foreign media did not put too many resources into that story either.

Since 2003, France has allowed French citizens overseas to vote electronically. But in 2017 that system was cut off – due to fears of hacking. Overseas electronic voting did not include the French foreign territories, like Saint-Pierre-et-Miquelon, French Guiana, Martinique, and French Polynesia, some of which voted on Saturday instead of on Sunday, because of the time difference.

UPCOMING ELECTION IN GERMANY

In Germany, persons abroad and at home can vote by mail (Briefwahl). Everyone else takes their passport or identity card to the polls. Voting always takes place on Sunday, from 8 am to 6 pm. Voters enter a private booth to cast their vote. There is no online voting in Germany either.

Last year Germany launched an investigation into allegations that the Russians had been meddling in election campaigns. Germany’s next elections are to be held in September 2017. The investigators concluded that no, there had been no meddling. Chancellor Merkel has ordered a new investigation where a ‘psychological operations group’ run by the BND (Germany’s foreign intelligence service) and the BfV (Germany’s domestic security agency), will look at Russian news agencies’ coverage in Germany. Obviously, one of their targets is RT, the Russian news channel that broadcasts in Arabic, French, German, and Spanish. But one could argue they are no more partisan in their coverage of the news than Qatar-based Al Jazeera or America’s Fox News.

THE DUTCH ELECTION

As in France, in the Netherlands there was much anticipation in the recent election as to whether the nationalist right-wing candidate Geert Wilders would win, contributing to a possible further fragmentation of the EU and restrictions on Muslim immigration. Wilders won 13% of the vote, but the VVD party leader won with a clear 21% of the vote.

NL Times said that the Dutch elections were not strategically important to the Russians, but according to Ronald Prins, co-founder of the security firm Fox-IT in the Netherlands, “[the] Dutch elections are good practice for them.” The newspaper claimed that foreign groups, including Russians, had attempted to hack 100 government employee email accounts, but they cited no other hacking activity beyond that. It was the Americans who alerted the Dutch to the risk of Russian meddling, however, the Americans did not publicly reveal any further information either. The Dutch reviewed the security of their election software and decided it was not secure, so the Ministry of Home Affairs said votes would be counted by hand.

As to any Russian ties, analysts said that, unlike President Trump, candidate Geert Wilders is not likely to show any admiration of anything Russian, especially since the Russians are alleged to have shot down flight MH-17 over Ukraine.

THE UK ELECTION

The UK is the next major Western nation to hold elections, with parliamentary voting taking place in June.

John Penrose MP said, in reply to an inquiry from The Institute for Digital Democracy, a UK institute that lobbies for online voting, “[at] present, we have a full programme of constitutional reforms and do not have any plans to introduce electronic voting for statutory elections, either using electronic voting in polling booths or remotely via the internet.”

The British can vote in person, by mail, or by proxy, in case they are, for example, disabled.

So, what can the British do to make their systems safer in the short period of time left before the elections? Perhaps nothing. But there seems to be no need other than shoring up defences in the actual offices where votes are counted to guarantee the security of elections from direct foreign meddling.

In the UK, as in most countries, everything with regard to elections is regulated, from advertisements and national media coverage of parties, funding, and so on. But social media remains unregulated, allowing potential adversaries such as Russia, hacktivists, and others, to shape a narrative and influence voting behaviour online. Yet, no one has yet successfully called for regulations on say Facebook. Brazil tried: A Google executive was arrested after YouTube refused to take down certain damaging content. Brazil’s strict rules do not allow campaigning within a certain period of the election. But those rules were written during the television-only days and hardly seem relevant or enforceable today.

So one can conclude, by looking at events in America and elsewhere, that Russian campaign spying is more of the John le Carre, men-in-suits, type than APT28 when it comes to getting close to campaign officials and candidates. Yes, email systems are vulnerable to hacking. There is probably nothing anyone can do about that. In fact, it seems that any system can be hacked, given enough effort.

One system that might well be meddled with is the system by which election officials transmit results from the local to the national level. In the US, because the country has 4 time zones, the TV and newspapers wait until the polls close in each state before projecting the winner based on exit polls. Years ago, that practice was said to discourage people in California and other western states from even showing up to vote, once it became clear their candidate had lost. So, this practice has since been stopped.

It is conceivable that Russia could hack some of these reporting systems and thus, for a brief period of time, sow sufficient confusion in the media and among voters to gain a few minutes or hours of turmoil that could have some impact. But the paperbacked and decentralized nature of the American system would have the many election officials around the country rush to repair any damage by phoning the media and updating their websites. However, as the US election is often won or lost by very small margins, since the winner is decided state-by-state, even a small shift in the numbers could have an impact. Just ask Al Gore and Hillary Clinton. When Bush ran against Gore the election was only decided days later when the US Supreme Court stepped in. The state of Florida was ridiculed when TV coverage showed election officials holding up paper ballots one at a time to the light to try to see which hole had been punched in the ballot. The state has since moved to electronic voting in the polls, but not online.

There is almost zero chance that hackers could influence an election by hacking voting machines, since they are not connected to the internet. Even if they tampered with the actual machines in local elections, local officials would simply refrain from announcing their results for a few days while they recounted the paper ballots. So, it is fair to say the system is safe from hacking. It does, however, remain vulnerable to traditional spying and propaganda. But that kind of spycraft has existed for millennia, and is not going to change.

This article originally appeared in Cyber World, published by Secgate.