Cybersecurity experts: Risk of electronic voter fraud slim but real

With the fear of voter fraud through traditional and electronic methods spreading this election season, cybersecurity experts are telling voters that the risk of their personal information being stolen and used to manipulate the outcome of the election is small, but not nonexistent.

The threat of government cybersecurity breaches became real in Indiana over the weekend when Madison County government computers were attacked by a ransomware virus that is holding all county government files under encryption until a ransom is paid. Although the county government has yet to pay the unspecified ransom amount or find another way to defeat the virus, Lisa Cannon, director of technology at the Madison County Government Center told The (Anderson) Herald Bulletin that voting records and ballots are held on a separate system and are thus unaffected by the attack.

Similarly, Indiana Secretary of State Connie Lawson announced last month that she had asked the Indiana State Police to investigate the possibility of widespread voter fraud across the state after it was discovered that thousands of voters’ names and dates of births had been changed on their voter registrations. Lawson later backtracked and acknowledged that many of those changes were the result of voters making last-minute alterations to their registrations, but the state police investigation is still ongoing.

In each situation of alleged voter fraud, election officials have repeatedly said that the probability of a widespread scheme designed to manipulate the result of an election succeeding is incredibly slim. But even in the face of marginal odds, cybersecurity experts acknowledge the remote possibility of a successful voter fraud scam and are advocating for laws and policies to protect individual voters.

In a recent article from Bloomberg Law, Calvin Liu, co-founder and director of operations at Ventura Enterprise Risk Management, writes that many vote-hacking methods — such as stealing absentee ballots or fraudulently using the identities of registered voters who chose not to go to the polls on election day — are now easier as voter registrations and absentee applications are online.

Similarly, Scott Shackelford, an associate professor of business law and ethics at the Indiana University Kelley School of Business and senior fellow at the IU Center for Applied Cybersecurity Research, has spent his sabbatical from IU this semester working as a cybersecurity research fellow at the Harvard Kennedy School and researching voter fraud methods in the U.S. and around the world.

Shackelford’s fellowship research has focused on five major ways to manipulate the outcome of an election electronically.

First, a hacker can shape the conversation surrounding an election by leaking information, such as what has been seen with the continual WikiLeaks release of emails that have purportedly been hacked by the Russian government during the 2016 presidential election. Similarly, the way news about an election is shared can impact voter perceptions of that election, especially if incorrect information is spread rapidly through electronic media.

Third, voting machines that do not leave a paper trail can be susceptible to voter fraud because there is no way to check the votes the machine records against a paper voting record. Similarly, electronic tabulation methods that are not backed up by paper records are also susceptible to manipulation through hacking, Shackelford said.

Finally, voter rolls themselves can be added, deleted or manipulated online, which can contribute to delays at the polls or keep voters from casting their ballots altogether, Shackelford said. That was the situation Lawson said she was trying to avoid when she announced the ISP investigation into possible voter fraud in Indiana.

Jeff Kosc, a partner at Benesch, Friedlander, Coplan & Aronoff LLP who deals in cybersecurity litigation, pointed to two similar situations in Illinois and Arizona, where voter registration information was hacked in an attempt to influence elections by removing names from voter registration lists and keeping those voters from going to the polls.

Luckily, those hacks were caught early on, Kosc said, and no ultra-sensitive information, such as credit card numbers, was discovered and stolen. In fact, Kosc said the issue of voter fraud largely has not reached the point of cybersecurity litigation because most voting hacks are still largely completed offline.  

But in the event of an electronic voter hack, Kosc said he would advise victims the same way he would advise his cybersecurity litigation clients – check voter registration information to learn what personal information might have been stolen, monitor credit reports and other similar data and report any suspicious activity involving personal information immediately.

Further, Shackelford’s fellowship research looks at policy changes that could provide for additional legal protections against vote-hacking schemes. For example, his fellowship research paper advocates for the U.S. Department of Homeland Security to reclassify voting machines and similar other elements of the election process as “classified information,” thus adding an extra layer of required protection of voter registration information.

Additionally, the paper calls for stricter laws requiring paper voting trails that can be used to count votes in the event an electronic voting machine is compromised.