It's unlikely that hackers can change votes, but here's how they could cause midterm mischief

Key Points
  • DHS is more concerned about broad cyberattacks in the upcoming election than machine manipulation.
  • Voting machines don't connect to the internet and there are numerous other safeguards in place that make them less desirable to attackers.
  • Voters in Georgia are taking legal action to try and remove vulnerabilities in their machines.
Acting Director of Homeland Security's Office of Intelligence and Analysis Cyber Division Sam Liles (L) and Homeland Security Undersecretary Jeanette Manfra (R) testify during a hearing before the Senate (Select) Intelligence Committee June 21, 2017 on Capitol Hill in Washington, DC.
Getty Images

With all the concern over cybersecurity heading into the midterm elections, it's actually quite difficult for outsiders to directly manipulate votes. Unlike corporate networks and email systems, voting machines aren't connected to the internet, making them hard to access.

So as government officials prepare for the hotly contested congressional elections in November, their focus is more on protecting the integrity of the systems that support the pre- and post-voting periods than on the ballots themselves.

"This is about more than just voting machines," Jeanette Manfra, the top cybersecurity official at the Department of Homeland Security, told CNBC in an interview on Wednesday. "If an [attacker] was intent on sowing discord, how could they do that? It involves us looking at the broad elections administration process."

Manfra was in Washington, D.C., this week for a three-day series of simulated cyberattacks. Officials from 45 states and territories participated, both in Washington and remotely, in an effort to consider a vast array of scenarios that could be used to interfere with the elections.

It's a different approach than what you will find at hacker conferences, which have tried to show how easy it is to break into voting machines. For example, last week children as young as 11 took part in an educational exercise at the DEF CON hacking conference in Las Vegas, demonstrating that even kids can crack into the machines and change votes.

But according to Manfra, that's not how it works, in part because states are required to use machines without internet connections. To tamper with such a device, someone would need direct access to it. Additionally, each state has its own protocols and their voting machines consist of hardware and software that differ from place to place.

The more concerning methods are those that could affect much wider swaths of voters. As the Russians showed in 2016, there's a coordinated effort to cast doubt on results and "sow uncertainty and discord" in the election process itself, Manfra said.

DHS has been working to protect places where hackers could do real harm, like administrative offices and the databases that house voter registration information. The agency has placed new sensors on the databases to monitor web traffic in and out so it can more precisely spot malicious activity.

DHS is also working with state and local cybersecurity organizations under the umbrella of the Multi-State Information Sharing and Analysis Center, an organization that allows specialists at the state and local level to swiftly share data about potential attacks.

Greater communication and collaboration is important, Manfra said. DHS is planning ways to communicate various issues that may arise both to election officials and the public.

Upgrades in Georgia?

None of this is to say that voting machines are perfectly secure. One key safeguard to the machines themselves is giving all of them the capability to print out paper records right after someone votes so that any discrepancies can be discovered. While most states have adopted that feature, Georgia is among the few that have not.

Spurred by stories of foreign interference in the 2016 election, a group of voters in Georgia filed an injunction earlier this month to stop the state from using the existing machines in November. David Cross, a partner at law firm Morrison & Foerster who is representing Georgia voters in the case, cited work by security researchers and academics showing that these machines may not be reliable.

"Now that we know that a sophisticated nation-state was actively trying to intervene, we're concerned that [an attack] would not be that difficult," Cross said, in an interview. Russia has "been clearly working and focusing on this for years," he said.

Cybersecurity expert found people could hack computers using Microsoft's Cortana