By Eric Beasley
There’s a pattern in my postings, if you notice. Oftentimes, someone asks me a question in public or private and I decide that the best format to answer the question is in the form of a blog post. Last time, it was a question about BleachBit; today it’s a question of hacking an election (Thanks Dave).
First off, we need to define the term “hack.” Hacking does not necessarily mean a person furiously typing away on a 1337-looking keyboard surrounded with energy drinks and pre-diabeetus.
Hacking is a generic term used to describe an exploit in a system or mechanism which produces a desired result. You can “hack” an ice chest, fan, and ice into an air conditioner. So in this context of hacking an election, we will examine a theoretical manner in which the actual results of the election can be changed through direct human intervention.
Secondly, you also must understand that in the security world, there is no such thing as a 0% chance. There is a chance that anything might happen. For an example of this, consider flood insurance. Some areas are what we call a 1 in a 1,000 year flood zone: every 1,000 years this area might flood. This could quite literally be the top of a 5,000-foot peak, but in the security and disaster fields, we never say never.
How are Elections Won?
We all know about the Electoral College, winner-take-all states, Blue States, Red States, and Identity-Crisis States that change their mind. The so-called “swing states” change a little bit every election cycle. Which states are swing states is less relevant to this discussion than the fact that they exist.
The reality is that changing the vote totals in a Red or Blue state is a difficult, nearly impossible task. Let’s say that hacking the electoral process in New York, California, Texas, or Utah is a 1 in a 1,000 year hack. The margins of victory are too great for hacking to take place.
Step 1: Identify your Swing States
The goal of hacking an election is to make one candidate win 50.1% of the vote in states worth a total of 270 electoral votes. We do not need to win 100% of the vote in every state. So now the target states have been reduced from 50 to a manageable number. If this were the 2012 election, we would be talking about Florida, Ohio, Virginia, and Colorado. In the 2016 election cycle, we’re talking about Minnesota, Nevada, Florida, North Carolina, Ohio, Iowa, and Arizona.
Since the 2016 election cycle sucks, I’m going to pretend that I am a cyber-espionage expert who has decided that Mitt Romney should be our next President, because the thought of working for Trump disgusts me to the core of my being.
Step 2: Identify the Strong Democrat Districts
Since Florida, Ohio, Virginia, and Colorado are winner-take-all states, my targets would be precincts which vote over 60% Democrat. Urban centers with this sort of voter concentration are prime targets for two reasons. First off, any electoral disruptions would mostly affect the competition. Second, urban areas are prime targets for how I would hack the election….
Step 3: Indirect Chaos
The reality is that offline voting machines are a difficult target for attacking and modifying vote totals. Perhaps if I had some elite international mercenaries at my disposal, I could physically hijack some ballot boxes on the way to the local Board of Elections, but that’s something for the movies.
In reality, the way to hack the election would not be to directly attack the election results. I would attack the mechanisms and infrastructure that allow people to vote.
You’ve seen this attack in Live Free or Die Hard. Turn all the traffic lights green. Block the intersections with damaged vehicles and angry commuters. Create massive traffic jams. Then turn off the power, perpetuating the chaos.
Think about it. You cannot vote if there is no electricity. Multiple times over the last few years, penetration testers have figured out how to hack our power grid. Shut down the power grid in these urban areas. People would be unable to even get to a polling place.
This attack would also have the secondary effect of general urban chaos. You would see looting begin in these dense urban environments. Police would be occupied trying to stop the madness. People would be scared and unlikely to venture out to vote.
Step 4: Emergency Broadcast System
Here’s another technological Achilles’ Heel of our society. We trust the government too much. One function of government is the Emergency Broadcast System, meant to warn citizens of any impending disaster like a tornado, hurricane, or generic dangerous situations. Before you ask, yes, this system has been hacked before to warn of a Zombie attack.
With the power out, folks will turn to their battery powered radios, all of which can tune into this frequency. Hack the system and broadcast whatever regionally-appropriate disaster warnings. It doesn’t matter what the disaster is, just that people hear it and do not go out and vote.
How many votes would need to be suppressed?
I pulled up the numbers for the 2012 election by state. As I said earlier, to hack that election you only need to flip 4 states to vote 50.1% for Romney. Below are the vote totals for those 4 states:
Florida
Barack Obama 4,235,270
Mitt Romney 4,162,081
Margin – 73,189
Ohio
Barack Obama 2,697,260
Mitt Romney 2,593,779
Margin – 103,481
Virginia
Barack Obama 1,905,528
Mitt Romney 1,789,618
Margin – 115,910
Colorado
Barack Obama 1,238,490
Mitt Romney 1,125,391
Margin – 113,099
TOTAL MARGIN (all 4 states) – 405,679
In order for this hack to be successful, the chaos caused through cyber intrusions into our infrastructure would have to prevent approximately 100,000 Democrat voters in each state from making it to the polls on election day. Assuming these targeted areas vote 60% Democrat, the required voter suppression through hacking would equal 676,132 votes across 4 states.
That is only 0.57% of the total votes cast in the 2012 election.
The attacks on our power grid, traffic light system, and emergency broadcast system have been demonstrated in the real world as plausible attacks on our infrastructure. Those attacks have been successfully carried out, either by security professionals or as pranks.
The only postulation here is the overall effect of these attacks on the ability of citizens to reach their polling place. I would argue that, considering the small margins of victory in each of the above 4 states, disruption of critical infrastructure in targeted counties would reduce the number of votes sufficiently to “hack” the election.
With enough resources, there are tertiary objectives that could be set forth in order to elevate the chaos. This would involve more directed intrusions, such as hacking into a car and driving it into a polling place, yet another real-world demonstrated hack. As an augment to the above infrastructure attacks, such actions would only serve to further the chaos.