As we find out more about Russia’s interference in the 2016 United States presidential election, former NSA hacker and TrustedSec CEO David Kennedy reveals what it would take to hack an election. Kennedy also reveals how France was able to protect itself. Following is a transcript of the video.
David Kennedy: What’s interesting with the election systems is that as they become more and more electronic, and people can use computer systems to actively go in and cast your votes at the actual ballots, those are all susceptible to attack.
What the government has tried to do is a technique called air gapping, which means that they’re not supposed to be hooked up to the internet or have the ability to communicate with the internet, so they can’t be hacked by hackers. Essential databases that are used to count the ballots and actually cast votes are connected to multiple networks and the internet. And we’re seeing intrusions occur, and so as we’re using electronic voting as a method to conduct actual voter ballots, it’s a very, very susceptible system. Most of the systems are out of date. Most of the systems aren’t protected against hacks. There’s definitely possibilities for other influences to have a direct impact on our elections themselves.
What’s going on with Russia right now is that we’re just finding out all this data two years after the fact, and so we only look at 2016. What’s going on right now? We have no idea. We don’t know what Russia’s doing right now when it comes to our election systems, how far they’re into our infrastructure, and if they’re actually protected or not. And that’s something that the United States government has to focus on, is making sure that we have a free and safe protected voting system that is not able to be attacked by other influences.
So how would you hack an election cycle? You would need a team. The way that the election systems are set up is they’re very disparate as far as state to state. So each state may have a different system. Each state may have different technology. Each state may have a completely separate infrastructure that they use to get the ballot information counted and used. So it’d take a number of individuals to actively go against all of these states in order to change elections or votes.
What they could do, though, is a small group of hackers, maybe one or two or three folks that were really good at what they do, could hit swing states that are known to be very dependent on election cycles and election winnings, and targeting those specifically, and using those as a method to trigger votes that would cause an election cycle to be changed. Swing states are obviously one of the most important ones across the country, and those are ones that a small group of hackers could probably have a major impact on.
Interestingly enough, during the French presidential elections, hackers tried to infiltrate the French election process that was going on. A lot of the different campaigns set up fake sites, fake emails, fake infrastructure so the attackers would directly go after that, and it actually worked. It’s what we call deception. It’s a way of setting up information that isn’t real, but attackers wanna go after, and are enticed to go after, and it actually caused a non-disruption event in France because they were able to actively go after this fake infrastructure.
But we’ve seen in a number of different areas that the problem with electronic voting systems is that they don’t have a lot of information or logging on them, so it’s very difficult to go back and say this was hacked by this specific nation-state at this specific time, and here’s what was changed. These devices are pretty rudimentary, they have very specific functions, and it’s very easy to tamper with them if you have access to get to them. So a lot of times it’s very difficult to find whether or not attackers actively broke into these systems or not.