Simon Ardizzone and Sarah Teale are, with Russell Michaels, the directors of the HBO documentary Kill Chain: The Cyber War on America’s Elections, which is now streaming for free on HBO Go and HBO Now. Ardizzone and Teale previously collaborated, also with Michaels, on the Emmy-nominated 2006 HBO documentary Hacking Democracy. (Picture of Ardizzone by Sarah Teale; picture of Teale by Carin Van Der Donk.)
When HBO chose March 26, 2020, as the airdate for our documentary Kill Chain: The Cyber War on America’s Elections, we obviously had no idea that we would be launching our film in the middle of a pandemic. But oddly enough, as the primary vote in Wisconsin recently showed, the challenges presented by COVID-19 have only sharpened the debate about our ability to vote using paper ballots and highlighted the deep shortcomings of our current system.
How do we vote when most of our precincts are run by the elderly – the population most at risk from coronavirus? How do we vote in the primaries when we are not supposed to gather and visit public places? How do we vote when so many of the voting machines use touch screens and are therefore an infection risk? Does mailing in our ballots present the answer? Perhaps the coronavirus offers us an unprecedented opportunity to secure the vote, but there are also risks.
Our film Kill Chain: The Cyber War on America’s Elections follows renowned Finnish hacker and cyber security expert Harri Hursti. When we started making this film in 2017, Hursti refused to believe the reports that the Russians had hacked the 2016 U.S. presidential elections until he saw proof of it with his own eyes. We saw it everywhere. Russians targeted the registration rolls in all 50 states and, as journalist and author Sue Halpern says, if you prevent people from voting because their names are not on the rolls or are inaccurate, you have effectively hacked an election. A Russian speaker who was given the name Rasputin hacked the Election Assistance Commission (EAC) where code for all the voting machines is stored and the type of machine used in every precinct is recorded, as well as their vulnerabilities and problems. As Hursti said, the EAC is the crown jewel for any aspiring election hacker. Rasputin was attempting to sell that access to Iran. When a young Indian hacker known as CyberZeist gained access to the voting systems in Alaska and claimed he could have changed any vote, he found that state-backed Russians, lurking on the Dark Web, were asking for intelligence on how to hack the same voting systems. They probably still are.
Most people assume that hacking a voting machine involves changing vote totals, but it is also possible to make machines fail: Unreliable voting machines can be a potent weapon. In Georgia, we found that in at least two majority-black precincts, none of the cards used to start the machines were working, and people stood in line for upwards of five hours to vote. And it was in Georgia where the Secretary of State moved all of the programming for the machines into his office and oversaw the elections even though he was also running for Governor. In North Carolina, the registration rolls stopped working altogether in a majority-black district and they had to resort to paper at the last minute.
We end Kill Chain with a plea from all our experts and politicians that we return to voting with hand-marked papers ballots and an automatic – and random – audit of a percentage of those ballots. The coronavirus has renewed calls for hand-marked paper ballots that can be mailed in, but this option deserves a careful look and, as Hursti points out, this potential fix could also give hackers unprecedented opportunities to hack the vote.
In traditional elections, votes are cast on hundreds or thousands of devices across a jurisdiction, which makes it harder for hackers to access the votes. But mail-in election results are produced by just a few vote-counting computers which scan the ballots. And they are usually stored in one location. This makes it way easier for hackers to identify and target the ballot-scanner and, therefore, the votes. Relying on just a few machines, in a county or city, to deliver all the results, without checking a sample of the ballots, is a high-risk strategy.
Hursti discovered that most hackers install a range of software that will be hidden in multiple components of a computer, so that even wiping the hard drive will not remove the hackers’ access. CyberZeist told him, “I’ll go under their radar even if they are 24/7 monitoring it [the vote-counting server].” When reviewing the hack on the Alaska Division of Elections’ servers, Hursti discovered that CyberZeist could read or write any file, including system files: In other words, CyberZeist could have planted vote-stealing software that might still be there, waiting for a command to activate. As Hursti showed in Kill Chain, threat-actors might not even be looking to change results in an election, but to sabotage democracy and bring the process into disrepute.
For Hursti, there is no way to tell if a computer is “clean” of vote-stealing malware. Therefore, the only way forward is to hand count a sample of the paper ballots and to check the results against the totals produced by the scanning and tabulating computers. State governments must implement this if they are to head off the risk of hackers changing votes or sabotaging the U.S. presidential election.
As we approach the 2020 presidential election, and the upcoming primaries, the calls for mail-in paper ballots will increase and will hopefully succeed, but we need to proceed carefully and consider the security implications.
All images courtesy HBO.