Tomorrow, Americans head to the polls, under the looming threat of [extremely dramatic robot voice] Cyber War! After an election season marked by mass misinformation campaigns, the apparently Russia-sponsored hacks of the Democratic National Committee and Hillary Clinton campaign chair John Podesta’s email, and increasingly concerning attacks on internet infrastructure, it’s hard not to expect cybershenanigans tomorrow. The question is: What would they even look like?
To start with, there’s a wide array of potential perpetrators, with varying capabilities and goals. The most advanced are state-sponsored groups like Russia’s Fancy Bear — which is believed to be behind the DNC and Podesta hacks — and China’s Comment Group, an elite unit of the People’s Liberation Army. Groups of this kind are generally known as “advanced persistent threats,” or APTs, and have sophisticated techniques, specific targets, and more-or-less clear goals — such as, for example, to disrupt the U.S. election by obtaining and dumping the private emails of a top political aide.
At the other end of the scale are the script kiddies and non-hackers — both unaffiliated kids and U.S. partisans who congregate on forums like 4chan and Hackerforums, and fierce Russian, Chinese, or Syrian nationalists who operate with the approval but not the guidance of the government they support — who make use of open-source software or old-fashioned brigading techniques to disrupt targeted websites or sow misinformation, whether in support of a given candidate or party, or just because they’re bored and want to blow stuff up.
The problem is that any member of this broad spectrum of hackers could potentially disrupt an election because there are many vulnerabilities in the American democratic process. According to a new report from the Harvard Kennedy School, America is, to turn a phrase, not good at the cyber.
The most basic way an election can be “hacked” is through misinformation. It’s much easier to point tech to old-fashioned purposes, such as lying to or misleading an electorate, than it is to undertake any complex technical needling. Alt-right Trump supporters on 4chan already have been attempting to deploy a variety of misinformation campaigns, including tricking voters into thinking that they can cast ballots via text message, and using the looming shadow of Russia to try and persuade voters to eschew electronic voting and demand a paper ballot. The simple reason is that it makes the voting process slower and more annoying.
Russia itself, for that matter, has a keen understanding of how misinformation campaigns can affect an election. The country’s legendary army of trolls, the Internet Research Agency, isn’t interested in gaining illicit access to servers or shutting down websites. As The New Yorker’s Adrian Chen wrote earlier this year, the purpose of the Internet Research Agency is “not to brainwash readers but to overwhelm social media with a flood of fake content, seeding doubt and paranoia, and destroying the possibility of using the Internet as a democratic space.” In 2014, the Internet Research Agency hoaxed reporters by claiming a chemical fire was consuming a town in Louisiana. If the agency wanted to “hack” U.S. elections, it might attempt to spread panic about a disaster in an electorally important county. In the same vein, disruptors could leak damaging emails or documents, as Russia seems to have done to the DNC and the Clinton campaign through WikiLeaks throughout 2016. The data wouldn’t even need to be real — it just needs to imply seriousness. Would it be successful? It might not matter, to Russia — none of these campaigns requires anything more complicated than an organized group of people with Twitter accounts.
Misinformation campaigns might be the easiest and cheapest way to “hack” an election. But they’re not the only way. Hundreds of precincts still use busted voting machines to tabulate votes — machines that probably have worse security than the smartphone in your pocket. Experts in voting-machine security have been documenting the vulnerabilities for years. While the scary and obvious scenario is a hacker’s adjusting the vote count of a machine, the easier and likely more effective way to hack an election through voting machines would be to just crash them — causing long lines and discouraging those who don’t have three hours to burn. Do that in enough important precincts and you could seriously depress turnout.
Of course, some voting machines might be air-gapped, meaning that they aren’t connected to any network. But those votes need to get counted somehow. If the internet slows to a crawl, the electricity goes out — computer voting machines are electric, remember — or important components of the internet infrastructure become overloaded and unreliable, as happened last month when some script kiddies targeted a DNS company and made large swaths of the internet inaccessible, those tasked with collecting and tabulating votes will have a difficult time doing so.
In other words, a “hacked” election looks less like a sinister manipulation of tabulated votes, and more like a distributed group of vaguely affiliated individuals doing nothing more complicated than mucking up the procedural and infrastructural gears that allow people to cast their votes. What can be done about this is largely up to each precinct. There is no federal oversight authority with the power to enforce consistency in election policy. States need stronger audit procedures, more secure technology, and more funding to improve infrastructure.