Carnegie Mellon University

Image of voting booths

November 05, 2018

Heinz College Students Identify Weaknesses in Election Security

Highest risk in Pennsylvania is state's online voter registration form

By Scott Barsotti

A team of Carnegie Mellon University students examined historical election data in Allegheny County and determined that by compromising 10 percent of the votes in Pennsylvania, an attacker could potentially change the result of more than two-thirds of statewide elections, including presidential races.

"This is a hot topic right now, and there are a lot of aspects involved, including data analytics, public policy and technology that make it a complex issue," said Will Cunha, who graduated in May with a master's degree in information security policy and management from the Heinz College of Information Systems and Public Policy.

Cunha, along with fellow recent Heinz College graduates M.J. Emanuel, Koji Ina and Salvador Ayala completed their capstone project with VoteAllegheny, a nonpartisan nonprofit that advocates for greater election integrity in Allegheny County, where CMU is located, and in Pennsylvania.

The team analyzed local processes and state and county election data from 2000 to 2016 to determine how plausible certain types of attacks might be, and what steps can be taken to secure the vote.

Ayala, who graduated in May with a master's degree in public policy and management, said Pennsylvania and Allegheny County were perfect case studies for this project.

"Pennsylvania is not only a swing state, but it is a state with many electoral votes that make it very important in presidential elections," said Ayala, who noted that in four of the five presidential elections since 2000, the outcome was decided by less than 10 percent of total votes.

In elections for president, U.S. senator, governor and attorney general, the electorate in many states tend to lean strongly toward one major party or the other — these are often described as Republican "Red States" and Democratic "Blue States." More competitive states, or "swing states," are those in which statewide elections are much tighter from cycle to cycle, and party control is more elastic. Pennsylvania is one such state, which could make it an appealing target for a malicious actor.

"In the 2016 presidential race in Pennsylvania, there were only 44,292 votes between the first- and second-place candidates. That's roughly 65 percent of the capacity of Heinz Field," said Cunha, referring to the Pittsburgh Steelers' stadium.

Determining Election Risk

The team used data analytics to determine the potential impact certain attacks might have on elections in Pennsylvania. By merely affecting 2 percent of votes cast, 9 percent of statewide elections in Pennsylvania since 2000 could have been compromised in favor of the second-place candidate. And if an attack could affect 10 percent of the vote, that jumps to 68 percent of elections compromised.

"We ran into an issue with trying to quantify the risk in election security. If you look at most risk management frameworks, many of them utilize a dollar amount as being associated with a level of risk," Cunha said. "In the case of elections, we wouldn't think of risk in terms of dollars lost, but rather ballots being changed or registrations being compromised."

The highest risk to election security in Pennsylvania, according to the team, is the state's online voter registration form.

In their research, they found a state database that includes voter names, addresses, precincts, political party and voter participation history that can be purchased legally from the state for $20. They argue that by using that publicly available data and merging it with stolen or leaked personal data found on the dark web, an attacker could change registrations by impersonating registered voters. When conducted against a targeted voter bloc - identified via social media trends or other data — the potential implications could be quite large.

Cunha notes that much focus is placed on election equipment — specifically electronic voting machines — but they are only one part of a complex process. And while hackers have shown an ability to crack voting machines (e.g. DEFCON's Voting Village), the students thought it was unlikely that an attacker could actually compromise a large enough number of machines in enough key precincts to have a measurable impact. Especially when a bad actor may be just as effective by simply making it appear as though an attack has taken place, sowing doubt in the result.

"There is a big difference between what is possible and what is practical," Cunha said. "Focusing just on election machines is not what we would recommend."

Rather than replacing voting machines, the team suggests less costly measures in the short term, such as adding two-factor authentication to the registration system and fixing previously identified vulnerabilities in currently utilized voting equipment.

Moving forward, election data can help determine where to focus more targeted attention nationwide.

"We can use data analytics to determine what precincts, counties and states are most at risk. That way we can allocate resources more optimally," Ayala said.

Additionally, the students provided insight on the subject of internet voting.

"It sounds cool, and could potentially facilitate more people voting because they could do it on their phones. But what we've found is that moving toward less technology, like paper ballots, would be better. When anything is connected to the internet regardless of how much technology and security is applied to it, there will always be a vulnerability that is discovered or leveraged," Cunha said.