The presidential election has been hot on the to-do list of cyberhackers for a while.
"I heard chatter through the grapevines many months ago," said C. Ariel Pinto, associate professor of engineering management and systems engineering.
But Pinto, who specializes in multi-disciplinary approaches to risk management in engineering systems and systems engineering, feels voters should feel reasonably secure about our election infrastructure.
"If I strip down my expectations for this Nov. 3 to the essentials, it is to freely vote, and for that vote to be counted," he said. "I expect delays, doubts, anxiety and even frustration in the days and weeks after I cast my vote due to some cyber incident. But I believe the true essence of my vote is safe from cyberhackers."
He cited four reasons why:
- Federal, state, and local agencies are well prepared. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has been monitoring the situation since 2018. It has been partnering with state, local and other federal agencies in understanding and managing cyber risk to their critical election systems, including how to harden their operations and prepare for potential attacks. CISA also tracks cybersecurity activities in the election ecosystem and continuously provides guidance to all concerned agencies, including to the Virginia Department of Elections.
- Makers of election equipment, and the equipment itself, undergo a strict certification and vetting process. Included in that process is checking the equipment's cybersecurity requirements, such as making sure network and security configurations are up to date, guaranteeing that equipment has never been connected to the internet prior to use and, for some types of devices, ensuring that they not have wireless capabilities. Aside from technical information, trustworthiness of equipment manufacturers and vendors are checked through corporate information, such as identity of business subsidiaries, parent companies, owners with controlling interest and significant investors.
- Broad differences in election system configuration. Because there is no one national agency is in charge of the election infrastructure, each state and locality may have different equipment and configurations. "For example, some states use cloud services, while others do not even allow wireless communications at the polls," Pinto said. "This creates a natural heterogeneity across states and localities that makes nationwide attacks very unlikely. In Virginia, voting machines are never connected to the internet on election day, which means that hackers can't gain access and mess with votes."
- Paper trails. In case an election system is compromised by hackers at a state or local level, most still use paper ballots or have a paper trail of ballot counting and aggregation. This includes Virginia. Paper ballots would allow manual verification, if needed. "Of course, this is barring legal challenges, such as those created by hanging chads in Florida in 2000," he said.
Nonetheless, he warns not to underestimate the capabilities of hackers.
"They have surprised me many times," he said. "So there is still that strong possibility of hackers creating temporary and localized disruptions, or even spreading disinformation in an attempt to delegitimize my vote along with millions of others."
But Pinto remains confident.
"I recognize protecting the crown jewel of this democratic process - the vote - requires vigilance and a dose of patience," he said. "But eventually the integrity of this election will be established and upheld."