A crowdfunded effort to recount the vote in key states found no evidence of a successful cyberattack to change votes in the US presidential election, but the review also highlighted the unprecedented extent to which the American political system is vulnerable to cyberattack, according to two computer scientists who helped the effort to audit the vote.
J Alex Halderman and Matt Bernhard, both of the University of Michigan, campaigned in favor of a recount of the US presidential election, which was eventually spearheaded by Jill Stein, the Green party candidate.
Only the Wisconsin recount was substantially completed, with the recount in Michigan eventually stopped and a potential recount in Pennsylvania killed before it had even begun. But the researchers say the recounted counties and precincts were enough to give them confidence that Donald Trump is the genuine winner of the election.
“The recounts support that the election outcome was correct,” Bernhard told the Chaos Communication Congress cybersecurity convention in Hamburg, where he and Halderman gave a talk summarising their findings.
In Wisconsin, the only state where the recount was finished, Trump’s victory increased by 131 votes, while in Michigan, where 22 of 83 counties had a full or partial recount, incomplete data suggests there was a net change of 1,651 votes, “but no evidence of an attack”, Bernhard said. “I can sleep at night knowing that Trump won the election.”
After the talk, Bernhard clarified that no evidence of hacking is not the same as evidence of no hacking. “We didn’t conclude that hacking didn’t happen,” he told the Guardian, but “based on the little evidence we have, it is less likely that hacking influenced the outcome of the election.
“Just because evidence [of hacking] wasn’t found, that doesn’t mean the results were completely valid.”
But the experience of pushing for the recount hasn’t reassured Halderman and Bernhard that American democracy is safe. In fact, quite the opposite, said Halderman.
“Along the way, we found that hacking an election in the US for president would be even easier than I thought.”
His previous research had already demonstrated security vulnerabilities in every model of voting machine examined, for instance, which would enable an attacker to silently rewrite the electronic record of how many votes each candidate received. But only during this election did he learn the extent of centralisation in the organisations that are in charge of maintaining and preparing the voting machines.
In Michigan, for example, 75% of counties use just two companies, each with around 20 employees, to load their machines. Compromising those two companies would theoretically be enough to swing the vote in the state. “How central these points of attack are, that was news to me,” Halderman said.
Similarly, Halderman’s previous research had demonstrated the importance of an auditable paper trail for electronic voting: either the physical ballot for a machine that scans ballot papers, or a countable receipt for a fully digital system. Theoretically, the existence of that paper trail should provide a protection against attempts to centrally hack the vote.
In practice, however, the last two months have shown that that’s cold comfort. “Also shocking is how unlikely states are to look at any of the paper, even in a surprising and close election like this,” Halderman said. “Even if a candidate can force a recount – and this is probably the most damning thing about the entire experience – there are many many opportunities for the apparent winner to try to stop them, and they will probably be successful.”
The pair called for three significant changes to the electoral process as a result of their experience with the 2016 recount, which should help protect the state. “What we need in the US, quite badly, is some specific reform to the election process,” Halderman said. “Even if the 2016 election wasn’t hacked, the 2020 election might well be; we’re facing increasingly powerful and successful state attackers. We need some defence.”
Firstly, Halderman called for a “common sense” hardening of voting technology, ensuring that the technological flaws which he and his colleagues have been demonstrating for over a decade are finally dealt with. Secondly, he called for a mandatory requirement for voting machines to provide a physical ballot in addition to a digital record: in Pennsylvania, for instance, 70% of digital votes leave no paper record at all.
The final defence requested was for states to actually use the evidence they have, by instituting mandatory “risk-limiting audits”. By counting a small but statistically significant and randomly selected sample of paper ballots, the state can prove statistically that the vote has not been tampered with, without needing to go to the expense of initiating a full recount, and without losing the organisational benefits of digital voting machines.
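The sampling idea behind a risk-limiting audit can be shown with a short added example; it is not from the talk or the article. It uses BRAVO, one published ballot-polling method chosen here for illustration, on a two-candidate contest, and the ballot lists, the 60% reported share and the seed are constructed assumptions.

```python
import random

def bravo_audit(sampled_ballots, reported_winner_share, risk_limit=0.05):
    """Sequential ballot-polling test (BRAVO) for a two-candidate contest.

    sampled_ballots: iterable of paper ballots read by hand, each "W"
    (reported winner), "L" (reported loser) or anything else (ignored).
    reported_winner_share: machine-reported share of W among W+L votes.
    Returns (confirmed, ballots_examined). confirmed=False means the sample
    did not reach the risk limit and the audit escalates to a full hand count.
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner share must be between 0.5 and 1")
    threshold = 1.0 / risk_limit      # evidence needed to stop the audit
    ratio = 1.0                       # likelihood ratio: reported result vs. a tie
    examined = 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == "W":
            ratio *= reported_winner_share / 0.5
        elif ballot == "L":
            ratio *= (1 - reported_winner_share) / 0.5
        if ratio >= threshold:
            return True, examined
    return False, examined

def draw_sample(paper_ballots, max_draws, seed):
    """Draw ballots uniformly at random, with replacement.

    Simplification: real audits derive the sequence from a publicly
    generated seed and a verifiable generator, not Python's random module.
    """
    rng = random.Random(seed)
    for _ in range(max_draws):
        yield paper_ballots[rng.randrange(len(paper_ballots))]

if __name__ == "__main__":
    # Constructed paper records; in both cases the machines report 60% for W.
    honest = ["W"] * 6000 + ["L"] * 4000      # paper agrees with the machines
    tampered = ["W"] * 4500 + ["L"] * 5500    # paper says W actually lost
    for name, paper in (("honest", honest), ("tampered", tampered)):
        confirmed, n = bravo_audit(draw_sample(paper, 1000, seed=2016), 0.60)
        print(f"{name}: confirmed={confirmed} after {n} ballots")
```

When the paper does not support the reported winner, the chance that this test still confirms the outcome is at most the risk limit, which is why an unconfirmed audit leads to a full hand count rather than a certified result.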
“I’m pretty sure my undergraduate security class could have changed the outcome of the presidential election,” Halderman said. “It really is that bad.”
- This article was amended on 29 December 2016 to clarify comments made by Matt Bernhard.