There is no evidence, despite partisan claims to the contrary, that mail-in ballots are rife with voting fraud but there are parts of the election system that security researchers say are at far greater risk for malicious activity.
National elections like the one in November, when Americans will decide whether Donald Trump or Joe Biden will lead the country for the next four years, are really thousands of smaller elections administered by state and county governments. And each of those governments has its own procedures for ensuring ballot and information security, and for purchasing, maintaining and testing the equipment that it uses to conduct its election.
For instance, even though more than 30 states allow overseas voters to cast their ballots by email, fax or through other electronic means, there are no standards for even basic security measures like encryption.
Encryption? We dont do that, Cochise County, Ariz., Recorder David Stevens told Arizona Mirror about the ballots his office accepts by email. We probably should.
The Cochise County Recorders Office accepts only federal ballots not those with state or local contests via email, Stevens said, and only in specific circumstances, such as voters who are in the military and stationed overseas.
Most overseas and military voters use a secure online portal provided by the Secretary of State, though some counties told the Mirror that they still accept ballots via fax or email.
Lax or nonexistent security on those systems, as well as the physical machines used to cast or count ballots, open the door to election hacking.
Hackers and security researchers at the annual DEFCON conference have in recent years made a point of looking at how secure or insecure the nations voting infrastructure is, known as the DEFCON Voting Village.
This year, instead of the hands-on hacking of election machines that have grabbed headlines in years past, the Voting Village focused on in-depth discussions about the integrity and security of our election infrastructure. Among the topics of discussion were the vulnerabilities to election systems presented by fax machines, email voting and more.
Hack the vote
Earlier this month, a Russian newspaper reported that the personal information of 7.5 million Michiganders was posted on a Russian hacker site. It appeared to show the their voter identification number and polling places. The paper claimed the site had been hacked in an attempt to solicit money from the U.S. government.
But Michigans Department of Statedenied that this was a data breach of any sort, as the information being posted is already publicly available.
Public voter information in Michigan and elsewhere is accessible to anyone through a FOIA [Freedom of Information Act] request. Our system has not been hacked, secretary of State spokesperson Jake Rollow told Michigan Advance in an email.
That focus on infosec was a big part of DEFCON talk this year by Forrest Senti, director of government and business affairs for the National Cybersecurity Center, and Caleb Gardner, a fellow with Secure the Vote.
The talk focused on how certain fax machines that are used to accept ballots can present a vulnerability to election offices, with election officials frequently unaware of the security issues stemming from a fax number that is often posted online.
Without proper security, all a hacker would need is the phone number to take over an election officials fax machine, allowing them to search other computers that are on the same network or install a malicious program to steal documents.
Even if you dont get any ballots through a fax machine, it still represents a vulnerability, Senti said to the Mirror.
Thirty-one states and the District of Columbia allow voters to return ballots by email and fax, according to the National Conference of State Legislatures. In Maryland, when voters receive an emailed ballot and return it by email, it is printed out by elections officials and counted by hand.
In the 2016 election, 455 ballots were cast by overseas voters in Cochise County, according to data by the United States Election Assistance Commission. That includes votes cast via the countys un-encrypted email system, faxed or through an online portal run by the Arizona Secretary of States Office.
In 2018, some 29,000 ballots were cast across the country by voters overseas using some form of online portal, email or fax, according to the data.
While Senti and others say this number is not statistically significant, the shortcomings pose an outsized risk.
The greater fear is that the ballots themselves could be compromised.
In the DEFCON Voting Villages 2019 report, hackers and researchers found that voting machines had a number of vulnerabilities. Some had security features turned off when they were shipped, some had voter data easily accessible, some had no passwords set and one even had an unencrypted hard drive.
Several states across the country use those machines.
The ES&S Automark is used in many states to help voters with disabilities mark their ballots. The machines have been in use for years, and the Voting Village found some concerning vulnerabilities.
Immediate root access to the device was available simply by hitting the Windows key on the keyboard, the report states. A user who gains root access on the device can see and potentially change any files or other systems.
The ES&S Automark obtained by the Voting Village was using software from 2007 and appeared to have last been used in a 2018 special election. The PIN code to replace the firmware on the entire device was listed as 1111.
But there are no national guidelines for how election officials conduct these sorts of audits or tests on electronic voting devices; instead, it is up to each jurisdiction to develop its own methods of checking the devices.
For example, in Colorado, election officials roll a series of 10-sided die on a webcast in order to generate a random number that determines which machine-tallied election results will be checked for discrepancies.
These jurisdictions have a lot of autonomy in what they do, Mattie Gullixson, program manager for Secure the Vote, said.
Some of the jurisdictions may also not have the manpower needed to institute the changes required to ensure safe election procedures.
Its estimated that a nationwide vote by mail effort could cost up to $1.4 billion, compared to $272 million for in-person voting. Localities could get monies from the Help America Vote Act or the CARES Act to offset costs associated with voting this election cycle, but election hacking and its interplay with COVID-19 will present an acute financial impact, according to Gullixson and Senti.
And hacking isnt limited to computer systems: Disinformation from foreign actors is commonly referred to as social hacking for its manipulation of social behavior.
How do you (fight) against messages that say, because of COVID, this voting center has been shut down? Gullixson said. Those levels of mis- or disinformation could be one of the stronger negative drivers in people voting this year.
Gullilxsons background is in election administration and shortly after the 2016 election, she said that mis- or disinformation led many voters to call the elections office confused, asking questions that were fueled by disinformation circulating on social media.
The FBI and the Cybersecurity and Infrastructure Security Agency has already issued an alert urging Americans to be on the lookout for new websites or changes to existing websites made by foreign or malicious actors with the intention of spreading such misinformation.
Information warfare has been around as long as warfare has been around, Gullixson said.
In fact, in 1985, the Russians started a disinformation campaign dubbed Operation INFEKTION that aimed to make the world believe the United States had created AIDS, a conspiracy theory that is still active today.
So far in 2020, Russian, Chinese and Iranian hackers have been caught by Microsoft in attempts to target both the campaigns of Trump and Biden.
China has also been caught by Facebook using fake accounts to speak on election matters. And just this month, Facebook and Twitter removed dozens of Russian accounts aimed at dissuading left-leaning voters from voting for Biden.
So how does one combat this type of warfare?
It starts with voters.
There are growing efforts to try to tackle that but it starts with the voter realizing they could be manipulated in that way, Gullixson said.
The FBI has shared similar advice, saying that voters should make sure to get their election information from their state and county officials instead of Facebook pages, as they could very well be hacked or fake pages.
Despite what may seem like a lot of doom and gloom, Gullixson and her colleagues are hopeful that the attention these issues have been getting will help shape policy around voting for the next 15 years for the better.
We just have to make sure we can get through it unscathed, she said.
Jerod-MacDonald-Evoy is a reporter at the Arizona Mirror. Michigan Advance reporter Laina G. Stebbins, Maine Beacon reporter Evan Popp and Colorado Newsline reporter Chase Woodruff contributed to this report.
- WhatsApp boosts end-to-end encryption - BusinessTech - September 17th, 2021
- WhatsApp to offer encryption on cloud backups: Heres all you need to know - India Today - September 17th, 2021
- London's Top Cop Says 'Big Tech,' Encryption Are Letting The Terrorists Win - Techdirt - September 17th, 2021
- Zoom unveils new security features including end-to-end encryption for Zoom Phone, verified identities and... - ZDNet - September 15th, 2021
- Insights on the Hardware Encryption Global Market to 2026 - by Algorithm & Standard, Architecture, Product, Application and Region - PRNewswire - September 15th, 2021
- Light Start: WhatsApp rolls out backup encryption, LG is more attractive, Google goes dark and iPhones only laak gud vaabs Stuff - Stuff Magazines - September 15th, 2021
- Revenant REvil. WhatsApp offers encryption. Hortum spyware in Turkey. Update on the UN data breach. Healthcare breaches disclosed. - The CyberWire - September 15th, 2021
- How a glitch in the Matrix led to apps potentially exposing encrypted chats - The Register - September 15th, 2021
- Secure cloud storage: which are the most secure providers? - ITProPortal - September 15th, 2021
- WhatsApp is finally allowing users to encrypt chat backups uploaded to iCloud and Google Drive - Buzz.ie - September 15th, 2021
- WhatsApp is adding encrypted backups - The Verge - September 11th, 2021
- What Is Fully Homomorphic Encryption (FHE)? - CIO Insight - September 11th, 2021
- WhatsApp end-to-end encrypted messages arent that private after all - Ars Technica - September 11th, 2021
- UK government backs Apple, and wants to scan encrypted messages for CSAM - 9to5Mac - September 11th, 2021
- VPN and Email Encryption Provider, WiTopia, Inc., Is Now Raising Capital Via StartEngine - PRNewswire - September 11th, 2021
- Future in the cloud for encryption - Capacity Media - September 8th, 2021
- WhatsApps Claims Of End-To-End Encryption Might Be Entirely True - Ubergizmo - September 8th, 2021
- Debunking Wi-Fi Security Myths: Wi-Fi Encryption Is Weak - TechSpective - September 8th, 2021
- WhatsApp Flaw Casts Doubt on End-to-End Encryption - Security Boulevard - September 8th, 2021
- Bluefin Receives U.S. Patent on Systems for Vaultless Tokenization and Encryption - WFMZ Allentown - September 8th, 2021
- Priti Patel backs ad campaign that criticises Facebook's stance on end-to-end encryption - Graham Cluley Security News - September 8th, 2021
- EXCLUSIVE: What's in the new zero-trust strategy - Politico - September 8th, 2021
- 3 ways to protect yourself from cyberattacks in the midst of an IT security skill shortage - Help Net Security - September 8th, 2021
- Apple Has Betrayed Its Privacy Legacy and Will Undermine End-to-end Encryption Everywhere - Privacy News Online - September 8th, 2021
- IBM's first 7nm Power10 chip arrives in E1080 server system with a wealth of shiny features - The Register - September 8th, 2021
- The adoption of multi-cloud drives the need for better data protection and management of encryption keys an... - Security Boulevard - August 26th, 2021
- Cryptomator Vs. BoxCryptor: Which One Is The Best Encryption Software? - Analytics Insight - August 26th, 2021
- Why you should encrypt your data on your computer and how to do it - The Star Online - August 26th, 2021
- Video end-to-end encryption on Ring to be available worldwide - ITP.net - August 26th, 2021
- What is a Vocoder? How an audio encryption device used in WW2 became the sound of electro and modern pop - Mixdown - August 26th, 2021
- Privacera partners with StreamSets to strengthen data security for ETL processing in the cloud - Help Net Security - August 26th, 2021
- R400m cocaine-in-a-boat accused used encryption app to communicate - TimesLIVE - August 26th, 2021
- Evervaults encryption as a service is now open access - TechCrunch - August 24th, 2021
- How to Encrypt Your Own Windows and Mac Devices (and Why You Need To) - Lifehacker - August 24th, 2021
- Why encryption is the key to digital fitness, according to Thales - iTnews - August 24th, 2021
- How to check each of your WhatsApp chats are ACTUALLY private right now and not being intercepted by h... - The Sun - August 24th, 2021
- WebCam: How Australia paved the way for Apple's encryption backflip - Crikey - August 24th, 2021
- Staggering 400% rise in child sexual abuse images detected by Facebook as fears over encryption plans g... - The Sun - August 24th, 2021
- Hardware-based Full Disk Encryption Market 2021 and Analysis to 2027 Micron Technology Inc, Seagate Technology PLC, Toshiba, Intel - The Market... - August 24th, 2021
- WhatsApp could soon have an iPad app for the first time - Engadget - August 24th, 2021
- Facebook is bringing end-to-end encryption to Messenger calls and Instagram DMs - TechCrunch - August 14th, 2021
- Apple opens the encryption Pandora's box - Axios - August 14th, 2021
- How to encrypt your computer (and why you should) - Mashable - August 14th, 2021
- Protects User Privacy With Encryption and Authentication - Security Magazine - August 14th, 2021
- An Overview of Blockchain in Supply Chain: Whats the Link? - JD Supra - August 14th, 2021
- Facebook introduces end-to-end encryption for its voice & video call features - Techstory - August 14th, 2021
- Hardware Encryption Devices Market Research Report 2021 Elaborate Analysis With Growth Forecast To 2027 Intel, Toshiba, Micron Technology Inc,... - August 14th, 2021
- If You Build It, They Will Come: Apple Has Opened the Backdoor to Increased Surveillance and Censorship Around the World - EFF - August 14th, 2021
- Encryption Software Market Report 2021-26: Size, Growth, Size, Share and Forecast IMARC Group - The Market Writeuo - The Market Writeuo - August 14th, 2021
- AES Encryption Software Market Growth in the Forecast Period of 2021 to 2026 With Top Companies: , Dell, Eset, Gemalto, IBM, Mcafee - The Market... - August 14th, 2021
- Regulated encryption isnt possible heres what is - POLITICO Europe - August 3rd, 2021
- Work from home and cloud are prompting hard looks at security - GCN.com - August 3rd, 2021
- Atakama and Spirion to announce their strategic partnership at Black Hat 2021 - PRNewswire - August 3rd, 2021
- Spirion and Atakama Join Forces at Black Hat 2021 Conference - MarTech Series - August 3rd, 2021
- Looking for ways to password protect a file or folder on Windows 11? Here's how you can do it - India Today - August 3rd, 2021
- XSOC CORP's SOCKET Receives UL- 2900 Certification for Securing Encrypted Workflows of Today's Enterprise and Industrial Connected Devices - Business... - August 3rd, 2021
- Apple @ Work: FileVault 2 is so good, theres no reason for IT departments not to use it - 9to5Mac - August 3rd, 2021
- The Future of Industrial Security - Security Today - August 3rd, 2021
- Global Encryption Software System Market Size And Forecast to 2021 2027 analysis with key players : IBM, Microsoft, Sophos ltd, Gemalto, Net App Inc,... - August 3rd, 2021
- Cloud Encryption Software Market Size 2021 Industry Demand, Share, Global Trend, Industry News, Business Growth, Top Key Players Update, Business... - August 3rd, 2021
- Global E-mail Encryption Market Dynamics Analysis, Production, Supply and Demand, Covered in the Latest Research 2021-2026 - Digital Journal - August 3rd, 2021
- Insights on the Optical Encryption Global Market to 2027 - Featuring Arista Networks, Broadcom and CenturyLink Among Others - ResearchAndMarkets.com -... - July 8th, 2021
- Jupiter Project Presents 'Metis Messenger', the Decentralized Chat Application That Syncs Across All Platforms - GlobeNewswire - July 8th, 2021
- If full encryption of police radios necessary? Berkeley may allow public to hear one of their channels - The Daily Post - July 2nd, 2021
- Leveraging Encryption Keys to Better Secure the Federal Cloud - Nextgov - July 2nd, 2021
- Benefits of Adopting Data Encryption in Businesses - CIOReview - July 2nd, 2021
- Encryption can be lucrative, but with environmental costs - Floridanewstimes.com - July 2nd, 2021
- UK Government has suggested messaging apps to avoid using end-to-end encryption on the accounts of children because that can be harmful to them -... - July 2nd, 2021
- Diavol ransomware linked to Trickbot botnet - IT PRO - July 2nd, 2021
- Got data? The biggest-ever portable encrypted SSD just came out - Cult of Mac - July 2nd, 2021
- Application-Level Encryption Market is expected to expand at a CAGR of 25% from 2020 to 2030 KSU | The Sentinel Newspaper - KSU | The Sentinel... - July 2nd, 2021
- Encryption Key Management Market to Eyewitness Massive Growth by 2028: Ciphercloud, Gemalto, Google The Manomet Current - The Manomet Current - July 2nd, 2021
- Data storage: the importance of protecting the device and not just the network - IT-Online - July 2nd, 2021
- Global E-mail Encryption Market 2021 Demands To Sustain in Future Industry Size, Growth, Revenue, Global Statistics and Forecast to 2030 The Manomet... - July 2nd, 2021
- Hardware Encryption Market 2021 Industry Analysis by Manufacturers, End-User, Type, Application, Regions and Forecast to 2027 The Manomet Current -... - July 2nd, 2021
- Former Anonymous and Lulzsec hacker discusses his criminal past and gives his top tips for avoiding ransomware - Texasnewstoday.com - July 2nd, 2021
- Why Inspecting Encrypted Traffic Is A Must - Security Boulevard - June 25th, 2021
- Researchers: 2G Connection Encryption Deliberately Weakened To Comply With Cryptowar Export Restrictions - Techdirt - June 25th, 2021
- The Ultimate Guide to Key Management Systems - Hashed Out by The SSL Store - Hashed Out by The SSL Store - June 25th, 2021
- Will regulation adapt to encryption, or will encryption adapt to regulation?Expert answers - QNT - June 25th, 2021