SAN FRANCISCO — The chance that the upcoming US elections could be hacked or rigged in some mass way to favor one candidate over another is “far-fetched,” “nonsensical,” and “overblown,” election experts and US officials told BuzzFeed News.
“Election officials are in the midst of an election and there are deep concerns that unfounded and unsubstantiated claims are creating a panic among voters,” said Kay Stimson, a spokeswoman for the National Association of Secretaries of State. “A lot of what is being said is overblown, inaccurate, or misleading.”
Amid concerns over Russian hacking, there have been reports in recent weeks that a foreign government might try to hack the upcoming vote, as well as claims by Republican presidential nominee Donald Trump that the vote would be “rigged.” During the final debate Wednesday night, Trump even went as far as to say that he might not accept the results of the elections.
To get to the heart of how easy or difficult it would be to rig an election, here are five questions BuzzFeed News asked experts ranging from the secretaries of state who receive the results on Election Day to independent commissions that help secure the voting system:
1. How easy is it to hack electronic voting machines?
Cybersecurity companies have released dozens of reports, press releases, and videos speculating about how easy it is to hack electronic voting machines. One video, by Princeton professor Andrew Appel, shows him hacking into a Sequoia AVC Advantage — one of the oldest and most vulnerable electronic-voting machines currently used in the US — in under seven minutes.
Election officials say, however, that it is important to understand the types of systems used to vote in the US and how they are protected. Anywhere between 80–85% of Americans will vote on machines that also produce some form of paper trail to verify their votes. The remaining 15–20% of Americans will vote on electronic or touchscreen systems that are entirely digital.
There are a variety of machines used, but all of them have to adhere to guidelines set by the National Institute for Interdisciplinary Science and Technology. Those guidelines include that the machines never, in the course of their existence, connect to the internet, and that they are kept under lock and key until the moment they are used. They are tested throughout the months leading up to the election to make sure they are working correctly, and then again on the days leading up to the vote.
Hacking into a machine would require either getting access before the election or somehow tampering with them on Election Day. Devices that sell for as little as $15 online could be used on booths to vote multiple times, as shown by the Symantec cybersecurity company.
“It is possible to get physical access and try to hack a machine, but it would require unfettered access to an individual machine so that they could hack it. It would require multiple minutes. The best-case scenario for hacker is that dozens of poll workers don’t notice someone is messing with machine, taking it apart, unscrewing things, for multiple minutes,” said David Becker, executive director at the Center for Election Innovation and Research. “Even if this person is successful somehow, they change the outcome on one machine, which would affect a few hundred people.”
The possibility that the machines could be remotely hacked, such as by someone sitting in Russia or China, is nonexistent, said Becker.
“The short answer is that it is virtually impossible to do a remote hack — these machines are never online and very rarely even on the same network,” said Becker. “There is no way to do this from afar.”
But the biggest problem for any intruders, said elections officials, is that the system is so decentralized. States use hundreds of different types of voting machines and systems, making it impossible for hackers to come up with one method to attack all the machines involved.
“There is no one point of entry,” said Stimson. "It’s a low-connectivity system overall, and there are many systems and there are many levels between the state and the localities. It’s just not that easy.”
2. Can the election results themselves be hacked?
Once the voting is over, local polling officials take the results from each individual machine and transfer it onto a server. (Neither the machines nor the servers are online or have ever been connected to the internet). They then copy the information onto a USB stick (again, one that has never been used and “flashed” to make sure it is empty).
The unofficial results are tabulated that night and sent electronically to the each state’s office of the secretary of state, said Merle King, executive director at the Center for Election Systems at Kennesaw State University. He added that local officials perform a “reasonableness check” to make sure that the results coming in make sense. Even if the results are somehow electronically intercepted mid-way, the local officials still have the original data stored and can re-send results.
“No voting system has an internet interface. None of these systems are online,” said King, emphasizing why the original results would not change. “There is a lot of attention paid to that, to none of the servers being online. “
It takes 5–6 days until after the elections for the official results to be tallied. Local officials burn one copy onto a CD that they keep in their office, and another is burned onto a CD that is hand-delivered, usually by local police, to the offices of each local secretary of state.
If someone wanted to interfere with the results, they would need to be physically present and tamper with the CDs or USB sticks. King said there are multiple local officials in the room, including local representatives of the Republican and Democratic parties, police, and volunteers.
3. What about voter registration systems that have been compromised?
Over the last month, more than two dozen states have reported attempts to break into their voter registration systems, and one state, Illinois, has said hackers successfully stole roughly 90,000 voters’ information. The information stored on those systems includes driver's license numbers, the last four digits of Social Security card numbers, and full names.
“The hackers who have targeted this information are likely looking for ways to commit identity fraud, not influence the vote,” Becker said.
The real threat on Nov. 8 would be if hackers deleted voters from the database or altered their information so that they could not vote. Becker and King both said that were that to occur, it would be up to local officials to spot the anomaly and recheck the voter registration database.
“Even in Illinois, hackers were able to access the information, but there is no sign that they changed or altered it in any way,” said Becker.
He added that voter registration officials keep multiple databases of voter registration information, so that if the information is compromised in one place, they can restore it from another.
4. Should we be worried about an army of undead voters heading to the polls?
At a recent campaign speech in Green Bay, Wisconsin, Trump told crowds “people that have died 10 years ago are still voting” and that “1.8 million deceased individuals” would vote in the election.
The comment appeared to come from a 2012 Pew study that analyzed the voter database to find that up to 1.8 million active voter registrations came from deceased voters. The study also found that about 24 million — or 1 out every 8 — voter registrations were invalid or "significantly inaccurate," including 2.75 million people who are registered to vote in more than one state.
Becker, who once worked at Pew, said that while the study was concerning, all it showed was that voter registration systems were slow to remove people once they died and were not kept up-to-date when people moved states, died, or left the country.
“There is a big jump between having a record that remains in a database after you die, and having someone use that record to vote on behalf of a dead person,” said Becker. “It just doesn’t happen. The idea that a voter has impersonated another voter... We literally have a few dozen cases where that appears to have happened. There are checks and balances in place to make sure you can’t do it.”
5. What is there to still be scared of?
The one thing really concerning officials right now is the level of discussion around the vote potentially being manipulated. Cybersecurity firm Carbon Black recently reported that in a nationwide survey 58% of US voters are concerned that electronic voting machines could be hacked during the election. Even more worrying, the survey found that 20% of voters may stay home due to concerns with election security.
“Election officials are in the midst of an election and there are deep concerns that unfounded unsubstantiated claims are creating panic,” said Stimson. “We always want to hear real credible claims. Those will be met with great seriousness. But right now, I have to say that what we are talking about, what has been in the media, is unfounded, unspecified claims about the vote being hacked or rigged.”
King said the environment around the vote has made people suspicious of the systems in place. He was concerned that some anomalies — that elections experts are actually predicting for these elections — will set off panic. For instance, election officials are expecting that higher-than-average number of people will go to vote this year, but not select anyone for the office of president or vice president.
“What we are going to see in this election is that both major parties have instructed their partisans that it is OK to skip the top of the ballot. If you can’t vote for Trump or Clinton it’s OK, just vote down the ballot for your senator or other local officials,” said King. He said that there would be a rise in what is known as “residual vote rate” — ballots that do not have the top picks filled — that will lead to accusations of vote rigging. “If you believe in one candidate it will be hard for you to understand that someone can go and vote on that day, but not select someone for president.”
He said there was also increased concern over the way social media will be used on Nov. 8. If parties or candidates, for instance, tweeted that certain precincts were closed or out of operation it could create panic among people, even if, in fact, those precincts were open. In a battleground state, how much could false rumors spread over social media ultimately influence the outcome of a vote?
The most important thing, said Becker, was that people not let the concerns of a hacked or rigged election keep them from voting.
“Election officials of both parties, Republican and Democrat, are coming out and saying elections are secure,” said Becker. "There is a unanimity here that shows that this is not an area of partisan decisiveness. Republicans and Democrats agree our elections are secure, convenient, and you should go vote."
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Got a confidential tip? Submit it here.