I’ve been having a little back-and-forth with InfoWorld’s Roger Grimes about security vulnerabilities in the U.S. election system. This was sparked by Roger’s post last week, “Voting machines are still too easy to hack.” The title says it all, but as Roger notes, the risk is mitigated by the fact that voting machines are not connected to the internet. You need physical access to voting machines in order to hack them.
This immediately led me to wonder about the vulnerability of systems that are connected to the internet, particularly in light of recent reports that Russian hackers had breached voter registration systems in Illinois and Arizona. What if hackers deleted registered voters wholesale? Some states allow you to register online or through motor-voter initiatives, so the state wouldn’t necessarily have a paper record, nor would many voters. If they weren’t on their designated polling station’s list, they could cast a provisional ballot, but that vote would be invalidated without the state having its own record of registration. Right?
Roger assured me that campaigns receive registered voter lists for mailings and other voter contacts. “These lists are often printed out and in paper form even in the election offices, so they can be used for quick comparisons against any previous or new list,” he said. “There are enough safe checks in the system that any widespread election list deletion would be caught fairly easily and quickly.”
That reassured me -- until I read a recent piece in the Washington Post about how Russia could wreak “electoral disaster.” Apparently Russia has already performed this sort of mischief in the Ukraine. “Rigging” or even attempting to rig the U.S. election in favor of either presidential candidate could destroy faith in the outcome, particularly among those who have little idea how the system works.
"Faith" is the key word here. As IDG News Service’s Grant Gross reported in a recent news item, the United States is investigating what appear to be Russian attempts to “spread disinformation and hack into U.S. political systems in an effort to undermine confidence in the upcoming election.” In a world where conspiracy theories fly across the internet as fast as miscreants can type them, this could be truly corrosive. It’s not necessarily about throwing the election to one candidate or another -- it’s about doing enough damage to create a toxic atmosphere of uncertainty.
To use a practical analogy, I imagine all of us have worked for companies at one time or another where repeated outages or mistakes completely undermined faith in the IT department. Can’t they do anything right? They’re trashing the brand and destroying the business! Even normal iterative processes can give stakeholders outside the inner workings of a complex system “jitters,” as InfoWorld’s James Kobielus observes in his post today.
In hindsight, although it felt good at the time, I regret the ranting and raving I did in those situations when those things went badly wrong. Very rarely do we encounter situations in which an entire organization is utterly incompetent and needs to be fired en masse. Sure, certain individuals might well need to be handed their walking papers, but from the outside it’s hard to know who. Most people try their best. They make mistakes -- and in many cases learn from them. If you lose faith in their capabilities entirely without knowing the details, the problem might be yours, not theirs.
Hacking the voting system is only partly about security vulnerabilities and defenses. As James says, “confidence is a psychological and even sociological phenomenon.” Yes, we need to identify weaknesses and batten down the hatches in the face of potential attacks. But the voting system, like any system viewed from the outside, can never be completely transparent. Faith shouldn’t be blind, but neither should it be lazily, cynically abandoned.