Stealing votes with software. It may have been a plot in the political thriller TV show "Scandal," but it could happen in real life, too. In fact, Homeland Security Secretary Jeh Johnson said Wednesday that it's a major concern.
In light of the hacking attacks on the Democratic National Committee and another fundraising organization for the Democrats, the US government should ask whether to treat elections as "critical infrastructure," Johnson said at a breakfast in Washington, DC, sponsored by the Christian Science Monitor.
That official designation often refers to physical infrastructure, like the power grid and dams. But elections are critical to democracy, Johnson said, which could justify adding the voting system to the US government's list of 16 critical infrastructure sectors. "There's a vital national interest in our election process," he told reporters at the event.
What good will it do?
Not everyone is sure that adding a new label to elections goes far enough to protect the democratic process. Vishal Gupta, CEO of cybersecurity firm Seclore, said the government has to put its money where its mouth is and invest in the computer systems involved in voting.
"By simply changing the designation of these systems without laying out a clear and concise plan for bolstering defenses, very little is accomplished from an information security perspective," Gupta said in an email.
The Department of Homeland Security declined to comment further on how it might protect elections.
The agency works with county and state officials to help keep critical infrastructure safe -- and secure elections are part of that mission, a Homeland Security official said. Its role also includes recommending the best practices for keeping voting systems safe and helping respond to any security incidents that arise, the official added.
Is a hack plausible?
About 2,400 miles west of Washington, DC, where Johnson made his announcement, the Black Hat conference is taking place. It's a massive meeting of cybersecurity experts in Las Vegas, and researchers are demonstrating how any number of things can be hacked.
That includes next-generation ATMs, which read the more-secure EMV chips that will appear on more US debit cards as we approach 2017. It also includes connected cars, like the Jeep that researchers Chris Valasek and Charlie Miller have found new ways to hack this year.
So the view from Black Hat suggests a voting system breach is possible. If you build it, they will hack.
What would a hack look like?
Dmitri Alperovitch, chief technology officer and co-founder of cybersecurity firm CrowdStrike, knows a little bit about the threats facing US elections. CrowdStrike said in June that hackers affiliated with two Russian government agencies breached the Democratic National Committee's computer systems and accessed sensitive information. That claim has since been disputed, and someone claiming to be a solo Romanian hacker allegedly leaked sensitive emails and information from DNC systems. Alperovitch stands by his company's findings.
When it comes to hackers changing elections, Alperovitch thinks the most vulnerable point in the election system isn't electronic voting machines. Rather, it's whatever computer any given voting precinct uses to send election results off to the county or state level.
"Those are just regular PCs," he said from a suite at the Mandalay Bay resort in Las Vegas. "God knows what's protecting those."
Still, Alperovitch says electronic voting isn't safe either. (He's in good company. Cybersecurity specialist Bruce Schneier has written for years about how vulnerable such systems are.)
Alperovitch said hanging chads, a problem that made some paper ballots difficult to read in the 2000 presidential election, are easier to deal with than potentially hacked voting machines.
But the worst thing that could happen? That would be if the election appears to go off without a hitch, but the next day a hacker claims to have changed votes in a crucial precinct or county. That could damage voters' trust in the result.
"All they need to do is sow doubt," he said.
Corrected August 4, 2016, 11:06 a.m. PST with the correct job title for Dmitri Alperovitch.