Elections are a target environment for hackers. Voting systems in 21 states were targeted ahead of the 2016 election. Most of those attacks were unsuccessful, but the efforts continue ahead of the midterms, intelligence officials say.
Vermont Secretary of State Jim Condos recently told On Point that there were three attempts to access the state’s voter database in August.
“The one that raised our attention, if you want to call it [that], was the one that said ‘Russian Federation,’ and we forwarded that on to the Department of Homeland Security,” Condos said.
Massachusetts experienced attempts to hack online voter resource pages, according to the secretary of state’s office. (The state’s voter database isn’t online.)
Several Boston companies are working to improve the election process in various ways.
Much of the conversation on election security has been on voting machines, which are notoriously outdated.
“You probably recognize the current ones. They’re large. They kind of look like trash cans,” said Jordan Esten, the CEO of Clear Ballot. The Boston-based company has a different take on voter machines. Its design looks more like a printer with a duffel bag attached to the back that collects your paper ballot.
Esten said Clear Ballot’s machines take up less storage space, which saves counties money, and are more secure because the technology can be tweaked easily.
“You can continue to innovate and upgrade it as you go without sort of being stuck in technology for 10-plus years,” Esten says.
Clear Ballot’s election technology includes the voting machine, and audit and support software. The system is federally certified and used in eight states including Vermont, New York and Oregon but not yet Massachusetts. The system scans images of ballots so election officials can view them digitally and double-check votes.
But the company doesn’t want to go entirely digital. Esten said a paper trail is necessary.
“You can’t do everything by hand, you can’t do everything digitally. It needs to be a mix,” Esten said. “We very much believe that technology and innovation, when paired with manual processes and paper on the back end, that’s the perfect mix that will continue to grow trust in this country.”
There’s another Boston company that wants to go entirely tech with a smartphone voting app. The company is Voatz.
“There’s always a risk versus reward scenario,” said Voatz co-founder and CEO Nimit Sawhney. “The paper process works well for certain people, but then half of the country isn’t voting. So if we want more citizens to vote and we can create a safe enough environment … why not? We think it’s worth giving opportunities to citizens to vote in an easy manner.”
Voatz has been used in 34 small elections and in both Massachusetts state political conventions. It was also used successfully in West Virginia’s May primary. Now it will have its biggest test — West Virginia’s midterm election.
Sawhney said the criticism is unfounded. The Voatz app only works with newer smartphones with advanced security features, according to Sawhney. It uses facial recognition software to verify voters’ identity and blockchain technology — a digital ledger — to store votes.
“We put it out to the community of hackers to test to give us feedback,” Sawhney said. “And then we go to great lengths to make sure that if you’ve tampered with your phone or if you’re using some malicious applications then the phone will actually not let you submit a vote.”
There’s also a paper trail for each vote. Sawhney wants mobile voting to be an option for those who can’t get to the polls. Right now, he’s focused on deployed military and U.S. citizens abroad.
But it’s not just your actual vote that can go wrong.
Imagine a vigilante group hacks into traffic signals to cause gridlock. Or shuts down a bridge with a bomb threat. Or unleashes an army of Twitter bots to spread false information about the election.
This was election day in “Nolandia” — a fictional mid-sized city in a swing state. Boston-based Cybereason recently held an exercise with staff, cybersecurity students and public safety officials to put the scenarios to the test.
In one room, a “red team” of hackers were eager to wreak havoc.
“Our strategy is to try to suppress as much of the morning vote as we can,” Cybereason’s Danielle Wood tells the group. “And then go whole hog in the evening to basically snarl up traffic, suppress voter activity, create whatever protests that we can and basically blow up the afternoon elections because there’ll be more people trying to vote after work.”
In another room, a “blue team” of law enforcement officials, including former Boston Police Commissioner Ed Davis, calmly tried to respond.
“So resources are coming into the area now [and] we’ve got commanders in the field that are setting up command posts,” Davis tells the group. “You’ve got notifications being made up the chain of command so that everybody is aware of this.”
Cybereason wanted to show what kind of chaos is possible during an election. The company develops tools to respond to cyber threats. But it’s up to cities and towns to react.
Sean Maloney, a state trooper assigned to the FBI’s Boston office, participated in the exercise and said cities and towns need more resources.
“There needs to be a more robust training regimen among state, local and federal law enforcement agencies,” Maloney said. “Right now, there is a response to cyber threats. I think it needs to be expanded and amplified considerably.”
The federal government has offered $380 million in grants to states, including $7.9 million to Massachusetts, for election security upgrades. But some say it’s not nearly enough to deal with the range of attacks that could happen.