COVID-19, Cyber Risk, and the 2020 US Presidential Election

On the 3rd of November, Americans are due to hit the polling stations and cast their votes in the 2020 Presidential Election. Yet this year’s race stands to be unprecedented in many regards. Already the COVID-19 crisis is causing adjustments to standard campaign trail events, and amidst the ongoing pandemic, traditional voting methods may be shelved in some states in favor of federal mail-in and state-level online voting.

Most states already allow mail-in voting for federal elections; in 2016, for example, close to a quarter of all ballots were lodged via the postal system. Online voting options are somewhat more limited, however. Some states, including West Virginia and Delaware, allow voters to cast their ballot in state and local elections online, but voting in federal elections is still restricted to mail or in-person ballots.

There are strong reasons behind these restrictions. According to a bulletin released by four US state departments, including the FBI and the Department of Homeland Security’s cybersecurity branch:

“Securing the return of voted ballots via the internet while ensuring ballot integrity and maintaining voter privacy is difficult, if not impossible, at this time.”

The bulletin went on to state that online voting is far riskier than mail-in systems, an interesting consideration given the media attention paid to mail-in ballots in the run-up to the election. Perhaps more scrutiny should be paid to online voting in states where local votes can be cast via the internet.

In early June of this year, Massachusetts Institute of Technology researchers examined Democracy Live’s OmniBallot, the technology that West Virginia and Delaware are using for online votes. They concluded that the system had multiple security flaws that represented a “severe risk to election security and could allow attackers to alter election results without detection.”

Of key note in this warning is the potential for threat actors to alter election results, something the US has encountered in the recent past. According to Robert Mueller’s 37-page indictment, which was revealed in 2018, Russian agents associated with the Internet Research Agency and its leadership went to considerable lengths to alter the course of American democracy during the 2016 presidential race.

Democracy Live has responded to security criticisms by noting that their product does not truly represent online voting because election officials must print the ballots before votes are actually cast. But cybersecurity researchers have pointed out that there is plenty of potential for vote manipulation before the ballot is printed.

Anyone with a modicum of understanding of how the internet operates is right to be cautious of improperly protected online voting systems. Data in transmission across the internet does not follow a simple path from device A to device B. Rather, it moves along an erratic path from server to server, and that path is chosen automatically, without human input.

The servers that data travels to and from while in transmission are not always in the same country as the sender. Instead, data can pass through multiple servers in multiple nations, and there is no guarantee the servers are not in nations hostile to the United States. Each “stop” at a server represents a cybersecurity risk as ballots may be tampered with en route.

Besides the risks involved in data transmission, another critical concern is the security of a voter’s device. If the citizen’s mobile phone, for example, is infected with specially designed malware, it represents a significant risk to the integrity of the election process.

This is not to say that online voting won’t be a safe option in the future; rather, the US does not currently have secure enough systems in place to ensure electoral integrity. If a solution is put forward in the coming years, it needs to encompass two key things: an assurance that the voter’s device is not compromised, and a full end-to-end encryption process to protect data in transmission.

Nevertheless, for citizens in some states, voting in state-level elections online is the best option. In these cases, voters should take some basic cybersecurity steps to ensure their vote is counted as intended. Downloading a VPN app ensures end-to-end encryption, while sweeping the device in question for malware and viruses eliminates another risk factor.

The views expressed in this article are those of the authors and do not necessarily reflect the views or policies of The World Financial Review.