CNET's Dan Patterson interviewed Cris Thomas, space rogue, global strategy lead at IBM X-Force Red, about the myths and realities of hacking election computers. The following is an edited transcript of the interview.
Campaign 2018: Election Hacking is a weekly series from TechRepublic sibling sites, CBS News & CNET, about the cyber-threats and vulnerabilities of the 2018 midterm election.
Dan Patterson: Cris Thomas, space rogue, you are the global strategy lead for IBM's X-Force Red. Today we are talking about voting machines and election hacking. Cris, everyone has this fear, especially when we think about the computer components that make up a voting machine, that, while this is the number one vulnerability of elections and election security. Let's bust some FUD, here. What are the myths versus realities of hacking election machines?
Cris Thomas: I mean, it's a good point that you brought up, that they're actually election computers. A lot of times people use election machines, when they're really running Windows. They have USB ports. They're actual computers. It's something to keep in mind when you're thinking and talking about this topic.
Some of the myths that we're looking at are that, although voting computers, themselves, are very vulnerable, and have a lot of vulnerabilities and are very susceptible to attacks, most of those attacks require physical access to the machine. You can't attack them over the internet, because they're not connected to the internet. The hacking of a voting computer, is something that has been brought up over and over. It's really, the risk is really small.
SEE: Information security policy (Tech Pro Research)
Dan Patterson: How many different types of voting systems exist? Or jurisdictions? If you were an attacker, how would you target each one of those systems?
Cris Thomas: Well, there's over 9,000 different precincts across the country. That's one of the benefits of our system, is the fact that it's so distributed. It has a very large attack surface. That makes it a little bit more resilient, than if it was just one system everywhere. That forces an attacker to then, study and learn vulnerabilities in each different... not only the physical hardware, but also, the policies and procedures in place in that area. That makes it very difficult for an attacker to conduct a widespread attack against a voting election.
Dan Patterson: Walk me through what would have to happen to target one machine, instead of those 9,000? If I'm an attacker, a nefarious actor, and I'm determined to attack one machine, walk me through that attack.
Cris Thomas: Well, ideally, probably what would happen is that someone would get a hold of one of those machines before election day. Buy it on eBay. Steal it. Buy it legitimately from the manufacturers, however you would go about getting that system.
Then, you would pull it apart. Research it. Try to figure out where the vulnerabilities are, and what attacks are valid against it. Then, on election day, or before election day, you would need physical access to that machine to carry out your attack. Then, hopefully, you could change a few votes, however many votes go through that one machine. I volunteer as a poll worker in my precinct, locally in Pennsylvania. In my precinct we have 1,000 voters, maybe 500 of them show up. We have two machines. That's 250 votes per machine. If I can attack one machine, I'm at best, can only influence 250 votes. Then, there are usually checks and balances in place that would notice that there are 250 votes that have been changed. That would be caught before it was counted.
SEE: IT leader's guide to big data security (Tech Pro Research)
Dan Patterson: What I'm getting from you, is that, maybe, hacking an election machine, or an election computer, voting machine's maybe not the most efficient way to flip a whole election. What, then, would be the goal, the purpose, of targeting voting machines?
Cris Thomas: It's important to remember that, while the voting computer, or voting machine, itself, may not be the actual target, we still need to secure those systems. That said, one of the goals of an attacker might be to cause fear and uncertainty and doubt, the FUD, as you mentioned earlier, to cause distrust in the system by the American public.
Dan Patterson: Who would want to do that?
Cris Thomas: A lot of people. I'm sure the United States has a lot of enemies in the world, and a lot of people, a lot of different nations and states would like to cause chaos in our democracy. Who exactly is doing it, is the subject of probably various intelligence agencies, not something I'm, specifically, an expert in.
SEE: Cybersecurity and the 2018 Midterms (TechRepublic Flipboard magazine)
Dan Patterson: Should we consider election machines, voting computers, critical infrastructure?
Cris Thomas: That's a good question. One of the benefits, I think, of the fact that we have 9,000 different jurisdictions, is the fact that we have 9,000 different setups and systems and computers, and policies and procedure in place. This makes it very difficult for an attacker to learn all those different changes. If we nationalize the elections and consolidate into one or two or three different systems, that greatly reduces the attack surface, and gives an attacker that much more of an advantage. In addition, the Constitution says that elections are a responsibility of the states. If we nationalize those elections, we have to take that into account.
- US midterm elections: Microsoft thwarts Fancy Bear hacking threat (ZDNet)
- 36 states are using this hacking detection sensor to protect the midterm elections (CNET)
- How to combat global election hacking (TechRepublic)
- Election meddling: How do we stop Russia? (ZDNet)
- What to expect from cyber-attacks during an election year (TechRepublic)
- Facebook's 'war room' hunts and destroys election meddling, fake news (ZDNet)
- Homeland Security creates anti-hacking center to protect industries (CNET)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Producer for CNET and CBS News.