At the world’s largest hacking conference, there was good news and bad news for fans of free and fair elections.
The good news is that hacking the US midterms — actually changing the recorded votes to steal the election for a particular candidate — might be harder than it seems, and most of the foreign political actors who could pose a threat to the validity of an election are hesitant to escalate their attacks that far.
The bad news is that it does not really matter. While the actual risk of a hacker seizing thousands of voting machines and altering their records might be remote, the risk of a hacker casting the validity of an election into question through one of any number of other entry points is huge, and the actual difficulty of such an attack is child’s play. Literally.
Illustration: Constance Chou
“The most vulnerable part of election infrastructure is the Web sites,” security expert Jake Braun said.
Braun, a former White House liaison on cybersecurity, is one of a small group of volunteer IT professionals who have been testing the security — or lack thereof — of the US voting infrastructure every year at the Def Con hacking conference, where he cofounded the Voting Village, a sort of conference-within-a-conference.
Unlike a voting machine, Web sites represent a compelling target, because they are, by their nature, connected to the Internet at all times, Braun said.
Whether they are used for voter registration, online campaigning or announcing the results at the end of the election, they can be used to sow havoc.
“We know that Russia has done this before,” Braun said. “They did it in the Ukraine, where they hacked Ukrainian election results on the [Ukrainian] government Web site. Fortunately, the Ukrainians caught it and shut the Web site down, but then the Russians announced that their candidate had won on [English-language news channel] RT, when he hadn’t.”
Disarray ensued, and the Russian press had a foothold from which to begin spreading the allegation that the winner of the election was not legitimate.
Unfortunately for Braun, unlike voting machines, there is not a lot of interest in testing the security of the various states’ election Web sites.
“It’s really important, it’s a huge vulnerability, but the adult down in the Village wouldn’t find this interesting, because they could do it in two minutes,” he said.
Instead, Braun turned to Rootz, another Def Con staple, where the children of attendees experience their own mini hacking convention.
Armed with facsimiles of the Web sites of 13 battleground states and a child-friendly guide to basic hacking techniques, the kids were set loose on critical infrastructure and proceeded to tear it apart.
“It took an 11-year-old girl 10 minutes to do it and she was the first one,” he said.
After that, the convention cycled to a new state’s Web site every 30 minutes and another child would break it in less than 15 minutes, over and over.
At the point I arrived in the room, the Web site for the state of Colorado was being projected on the wall, declaring that the candidate for the “Comnnunism” party, Kim Jong-un, had won the state’s election with 1 quadrillion votes.
The runner-up, rapper Lil Pump, apparently standing for the Democratic party, had just under 46 million votes.
As the number of flaws discovered by Def Con attendees, young and older, mounts, the US government has taken an interest.
This year, Jeanette Manfra, assistant secretary at the Department of Homeland Security’s office of cybersecurity and communications, turned up to reassure attendees — partly.
The department put itself in the shoes of the US’ adversaries, Manfra said.
“What are they trying to do? They are trying to undermine our democratic process, and the confidence that we have in our democratic process. And there’s a lot of ways to do that without actually hacking the vote,” she said.
Take, for instance, registration data. If the database is not secure, an attacker could delete, say, every 10th entry. The resulting chaos, as millions of people attempt to secure provisional ballots, or are turned away at the polling station, would certainly undermine confidence.
“This is about more than just voting machines,” Manfra told attendees.
As if to demonstrate Manfra’s words, just days after Def Con, another attack was reported on US democracy, through the campaign computer of a Democratic congressional candidate, California’s David Min.
The four-person campaign team, which first learned of a potential attack in March, could not even afford the minimum price of hiring a security team to investigate, Reuters reported.
However, Manfra did have some good news.
“We found that it’s actually really, really difficult to manipulate the actual vote count itself,” she said. “There’s a lot of reasons for that: Voting machines are physically secure, we’ve got thousands of jurisdictions across the country that all use different things. And so while you may be able to get into a few voting machines, you can’t really affect that at scale without detection, and it would be really hard.”
Not everyone agrees.
“That’s bullshit,” Braun said when I put Manfra’s words to him. “The No. 1 thing we found last year wasn’t a hack at all, it was the fact that we opened up the back of the machine, and of course, no surprise, all the parts are made across the world, especially China.”
“This isn’t conjecture, this isn’t my dystopian fantasy world, this is something we know they do,” he said. “The fragmentation argument is absolute horseshit, because once you’re in the chips, you can hack whole classes of machines, nationwide, from the fucking Kremlin.”
The University of Michigan’s Alex Halderman is one of the world’s experts on the weaknesses of voting machines. He too is not prepared to dismiss the risk of a direct threat to the integrity of a US election.
In the course of a 30-minute talk in the Voting Village, he demonstrated two direct attacks on a popular class of voting machine, stealing a mock election in front of an audience of 50.
Halderman agreed with Manfra that the diversity of US election technology poses a challenge for an attacker, but added: “That helps in some ways and hurts in some ways.”
A real threat does not need to steal every vote in every county in every state in the country, he said.
The bad actor just needs to steal enough votes in a few counties in US battleground states — just enough to swing a close election, he said.
“So rather than diversity protecting us, we have a diversity of strength and weakness, and that’s a weakness for everybody,” Halderman said.
What’s more, the system is not as decentralized as it looks, he said.
While individual voting machines are not — or should not be — connected to the Internet, the PCs that are used to program the individual elections are.
“One large vendor codes the system for 2,000 jurisdictions across 31 states,” Halderman said. “Many other places, like Michigan, use small businesses” — some with just six or seven employees.
Hack those businesses, and an attacker could theoretically reprogram thousands of election machines at once.
For now, according to security policy expert Mara Tam, perhaps the strongest defense that US elections have is simply that actually intervening in them is not something most attackers want to do.
“Under international law, intervention and interference have specific meaning — they imply coercion and they imply denial of sovereignty by force,” Tam told attendees of Black Hat, another security conference in Las Vegas this month.
“Because the United States still has self-determination, and because this” — Russia’s meddling — “was influence, not intervention, it’s not illegal under international law,” she said.
In fact, international law does not even touch it.
“If you’re Russia, you actually don’t want to be caught violating international law. You want to be legitimate, and you can see operational red lines not being crossed. Unless there’s a shooting war going on, in which case all bets are off,” she said.
Of course, that is cold comfort to the defenders, because there is another threat that is just as dangerous, and against which international law provides no defense at all, said Carsten Schurmann, another vote hacking expert.
“This is the threat of an alleged cyberattack, where people claim that there was a cyberattack, but there actually wasn’t one,” Schurmann said.
That factor, said Tod Beardsley, research director at security firm Rapid7, is one thing that separates election defense from many other areas.
“It’s in the attackers’ best interest to be obvious, be foreign, be noisy. If your goal is about fear and doubt, you don’t even need to throw elections,” Beardsley said.
An election wrongly perceived as illegitimate is just as damaging to democracy as one correctly perceived as such.
That is why Halderman calls for a simple solution to at least this part of election defense: issuing and counting paper ballots.
Most, but not all, US voting machines do maintain a separate record on paper of whom a ballot was cast for, but while that record, at least, is unhackable, it is also rarely considered.
In 2016, Halderman spearheaded an effort to encourage the state of Michigan to perform a statistically valid check of the paper ballots, which would have involved counting just a few hundred to ensure with a high degree of certainty that tampering had not occurred.
That effort failed, but Halderman is not giving up.
“This is one of the cheapest cyberdefences imaginable, and would cost less than US$25 million a year” to provide a strong defense across the US, he said.
That is a fraction of the US$380 million that the US government has already earmarked for improving election security, but without standards or strict guidance about how states should use it — meaning that some of that money can be ploughed straight into buying the same insecure voting machines that led to the trouble in the first place.
“I’ve only one conclusion,” Schurmann said: “Use paper and do your audits.”
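How a check of only a few hundred paper ballots can give high certainty is shown in the added example below, which is not from the article or from Halderman. The article does not name the audit method; the sketch assumes a ballot-polling risk-limiting audit (the BRAVO sequential test) for a two-candidate contest, and the vote totals, function names and 5 percent risk limit are constructed for illustration.

```python
import math
import random

def expected_sample_size(winner_share, risk_limit=0.05):
    """Wald approximation of ballots examined when the reported result is right."""
    p = winner_share
    drift = p * math.log(2 * p) + (1 - p) * math.log(2 * (1 - p))
    return math.log(1 / risk_limit) / drift

def ballot_polling_audit(paper, reported_share, risk_limit=0.05,
                         max_draws=20000, seed=2018):
    """Sequential test on randomly drawn paper ballots.

    paper: list of 'W' (ballot shows the reported winner) or 'L' (the loser).
    Returns (confirmed, ballots_examined). confirmed=False means the sample
    never supported the reported outcome: escalate to a full hand count.
    """
    rng = random.Random(seed)
    threshold = math.log(1 / risk_limit)
    step_w = math.log(reported_share / 0.5)        # evidence for the outcome
    step_l = math.log((1 - reported_share) / 0.5)  # evidence against it
    log_ratio = 0.0
    for n in range(1, max_draws + 1):
        ballot = paper[rng.randrange(len(paper))]  # draw with replacement
        log_ratio += step_w if ballot == "W" else step_l
        if log_ratio >= threshold:
            return True, n
    return False, max_draws

def make_ballots(winner_votes, loser_votes):
    """Constructed paper trail for a two-candidate contest."""
    return ["W"] * winner_votes + ["L"] * loser_votes

if __name__ == "__main__":
    reported = 0.55  # machines report 55% for the winner (constructed figure)
    honest = make_ballots(55000, 45000)   # paper agrees with the machines
    flipped = make_ballots(45000, 55000)  # paper says the other candidate won
    print("expected ballots to examine:", round(expected_sample_size(reported)))
    print("honest count :", ballot_polling_audit(honest, reported))
    print("flipped count:", ballot_polling_audit(flipped, reported))
```

The closer the reported margin, the more ballots the test needs, and a sample that never reaches the threshold is the signal to count every paper ballot by hand.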