Election 2020: Your cybersecurity questions answered

As millions of Americans have headed to the polls for the US presidential election, security officials have been working around the clock to ensure that cyberattacks and disinformation campaigns don't interfere with your vote.

On the morning of Election Day, the Department of Homeland Security's acting secretary, Chad Wolf, sought to reassure Americans about the safety of the vote. He said that while cybersecurity officials will be on high alert throughout the day, they haven't found any concerns yet.

"We have no indications that a foreign actor has succeeded in compromising or affecting the actual votes cast in this election," Wolf said.

That's not for lack of trying. Hackers from Russia, Iran and China have been launching attacks in attempts to influence the election, looking for a repeat of political cyberattacks in 2016.

Cybersecurity plays a major role now in the electoral process, and it's likely you or someone you know has questions about how this is all going to play out. These answers should address your concerns.
We've been regularly updating this piece with questions and answers in the run-up to Election Day on Nov. 3, so please continue to check in or submit questions you have about how cybersecurity will affect your vote.

What's the likelihood of fraud affecting my vote?

Whether you cast your ballot in person or by mail, the chances of fraud happening with your vote are extremely slim. Even in 2016, when Russian hackers had infiltrated the Democratic National Committee and voter registration databases in Florida, US officials never found any evidence that the vote itself had been affected. 

In the weeks leading up to the 2020 election, officials from the FBI and the US Cybersecurity and Infrastructure Security Agency stressed that hackers can't change the vote count but can influence people to believe that they did. Security measures include sensors on every state's network to monitor for cyberattacks, patching vulnerabilities as soon as possible and regular meetings with local election officials to brief for potential threats. 

Mail-in ballot fraud is also extremely rare and has its own series of security measures to guard against potential attacks. Intelligence officials have said on multiple occasions that there's no evidence of any coordinated campaigns to commit mail-in voting fraud. 

Watch this: Big tech explains how it will fight foreign government hacks in US elections

07:12

If fraud does happen to your vote, it'll come through disinformation and voter suppression. While your vote itself is protected, disinformation campaigns from Iran and Russia are looking to prevent people from casting their ballots. 

On Oct. 22, the FBI issued a warning that Iran had been behind threatening emails to intimidate voters in four states. It included a video claiming to be able to alter the vote, which election officials said was fake. 

The best way to protect your vote from fraud is to go ahead and cast your ballot. 

The voting machine selected a different candidate than the one I chose. Doesn't that mean it was hacked? 

If this hasn't happened to you directly, you've likely seen a video of this happening on social media, or something similar to it. 

In 2018, voters in Texas complained of machines that were changing their selections, but it wasn't because of any cyberattacks. The state's voting machines had a software bug that meant if you selected the "straight party ticket" option and kept pressing buttons before the page finished loading, it would change your selection. 

Technical difficulties with voting machines come in many different forms, including touchscreen issues and poll sites that don't have enough power cords for their machines. Because election infrastructure differs by each county and state, there's a wide variety of machines and even voting methods -- some counties may not even use machines to record the ballots.

On Election Day, several counties have already reported issues with voting machines or election infrastructure. Some voting machines weren't working in Georgia counties, while an Ohio county moved to paper pollbooks after issues with uploading voter verification data.

"Technology sometimes fails and breaks. We are already seeing early indications of system disruption, so again, I ask you to be patient," CISA director Chris Krebs said at a press conference on Election Day.

Disinformation campaigns will flock to these software glitches and claim that it's election fraud, as Russia did during the 2016 election with a video of a person who was simply using the voting machine the wrong way. 

Just because something isn't working properly doesn't mean that it was hacked. 

"Although many preparations have been made, there are unexpected things in every election that can occur including: voting locations opening late, election workers cancelling at the last minute, power outages, voting equipment malfunctions and lines at some voting locations," the National Association of Secretaries of State said in a statement on Oct. 30. "It is important to note, these are not indicative of malicious activity and election officials have contingency plans in place for these and a variety of other scenarios."

Several of these technical errors have been explained by problems only peripherally related to technology. For example, the Associated Press reported that hand sanitizer on a voter's hands caused errors with a ballot scanner in Iowa.

How easy is it to hack a voting machine?

Historically, voting machines have been fairly simple to compromise, thanks to their outdated software. At the same time, election machine makers didn't have bug disclosure programs and didn't let security researchers test their machines for vulnerabilities.

It's why every year since the Voting Village started at the hacking conference Defcon in 2017, people have set out to tear through the machines' defenses. Makers of voting machine originally dismissed many of the hackers' findings, but at the Black Hat security conference in August, election technology company ES&S said it would start allowing for vulnerability testing on its products. 

While voting machines have vulnerabilities, there's a stark difference between security researchers changing the ballot counts at a hacker conference and actually pulling it off at a polling site. 

Election workers are trained to watch for any suspicious activity and would likely discover, for example, someone attempting to stick a USB drive into the machine while casting a ballot. And even if some votes are digitally altered, there are generally auditable paper ballots available as a backup measure to prevent election fraud, Krebs said.  

Still, the existing vulnerabilities on voting machines will always leave room for potential that votes can be hacked. As long as the machines have security flaws, disinformation campaigns will exploit that to have voters believe that their ballots aren't being counted. 

Hackers got my voter registration data. Does that mean the election has been compromised?

In September, hackers on a Russian forum posted that they had stolen data on voters in Michigan, raising concerns about a repeat of cyberattacks on two voter registration databases in Florida in 2016. 

You should approach these claims with caution. Michigan's secretary of state refuted the post, noting that the state's voter registration records are public, as is the case it is in many states across the US. 

CISA and the FBI also issued a warning in September on this, noting that foreign actors would attempt to spread rumors that election infrastructure was hacked through fake leaks on voter registration data. 

"In reality, much US voter information can be purchased or acquired through publicly available sources. While cyber actors have in recent years obtained voter registration information, the acquisition of this data did not impact the voting process or the integrity of election results," the warning says.

Florida's board of elections demonstrated the resiliency of its system after an alleged hacker changed Gov. Ron DeSantis' address online on voter records. 

He was still able to vote despite the technical difficulties, officials said.

The election results website I visited isn't loading. Has it been hacked? 

More often than not, if an election website isn't working, it's likely not a cyberattack. 

Florida's voter registration website went down for several hours on the state's deadline day this year, but it turned out that was because the state was unprepared for the flood of traffic, officials said. A similar outage happened in October with Virginia's voter registration site on its deadline date, but it turned out to be because of a cut fiber cable at a nearby construction project. 

Election websites often go down because they're not prepared for millions of people visiting the page suddenly, an NBC News report found. An outage isn't always an indicator of a cyberattack.

On Election Day, CISA officials said that if an election results website is down, it's most likely going to be because of high demand rather than a cyberattack. 

"The demand and the stress on these systems is probably the most likely effect we'll see," a senior cybersecurity official said. "The huge national, if not international, interest in the results or outcome of the election is going to put a strain on some systems across the country."

On Oct. 21, the online infrastructure company Cloudflare released a tool that lets people view traffic going to election-related websites, to help signal any potential cyberattacks that could cause an outage.    

"While we may not see a targeted cyberattack, given the critical role the web now plays to the election process, we believe we would likely see any wide-spread attacks attempting to disrupt the US elections," Cloudflare CEO Matthew Prince said in a blog post.

What happens if a ransomware attack affects my local election county? 

Ransomware is a major concern for local officials, who worry it can affect elections even if it isn't directly targeting voters. 

The malware, which encrypts computers unless victims pay the hacker's ransom, has increasingly targeted governments because of their vulnerabilities and ability to pay the costs. In October, Microsoft took action to knock off Russia's largest botnet, which delivered scores of ransomware attacks, but it came back online within days. 

On Oct. 28, the FBI warned that the botnet was behind a wave of ransomware attacks targeting hospitals, potentially disrupting services for patients in need of critical care. 

A ransomware attack would disrupt an election, but officials said it wouldn't stop votes from getting counted. Minnesota Secretary of State Steve Simon told CNET in August that ballots could still be counted by hand, for example. 

A Georgia county's election division suffered a ransomware attack in October, blocking access to a database of local signatures, according to NBC News. But officials were still able to verify signatures for mail-in ballots through its physical records. 

"These attempts could render these systems temporarily inaccessible to election officials, which could slow, but would not prevent, voting or the reporting of results," CISA and the FBI said in a warning on Sept. 24. 

Why can't I vote online? 

Online voting is generally frowned upon among election security experts. While some companies offer online voting infrastructure, there are several security flaws with the process, and election officials don't want to use the technology until it's proven to protect the ballot. 

Online votes aren't safe from hackers who can take over a person's device, or make changes to the final count on their infrastructure. In the US, it's offered to military and overseas voters, but you may also have to waive your rights to a secure ballot.  

At a briefing by the National Association of Secretaries of State in October, election officials from New Mexico, Louisiana, Ohio and Washington all denounced online voting, pointing out security concerns.

While you can securely bank online, that's because it's tied to an account with logs of your information. Votes are supposed to be anonymous to prevent bribery and voter intimidation, which leaves a hole in verifying ballots online. 

"People compare it to, 'Well, I can bank online, I can register online.' Registration, I can confirm. The vote, I can't ensure an individual's vote like someone can ensure their bank account from fraudulent activity," Louisiana Secretary of State Kyle Ardoin said. "Basically, until there's greater security available, we're not even entertaining that."

You also can't text to vote. 

I'm seeing a lot of different posts on who won the election. Which one should I trust? 

For starters, FBI Director Chris Wray recommends staying away from social media for election information. 

Also, election security officials fully expect there to be a wave of disinformation about the results, using measures like creating fake election results websites or hijacking legitimate pages to show different outcomes.

The FBI and CISA recommend getting your election results from your state and local officials, and using multiple sources to confirm the outcome rather than sharing what you're seeing immediately. 

Why don't we know who won the election if all the polls have closed? 

Just because the polls have closed doesn't mean that counting the ballots is over. 

Because of the influx of mail-in voting ballots, election officials aren't expecting a final tally until at least three days after the election. The delay is to make sure that every vote is counted and that the results are accurate. That time will also be a window of opportunity ripe for disinformation from foreign actors looking to capitalize on the confusion following Election Day. 

"We're not out of the woods yet," Krebs said on Election Day. "Today, in some sense, is halftime."

Twitter and Facebook said they're preparing for disinformation campaigns following Election Day, taking measures like labeling posts that claim election results before the official count is finalized.