
Electronic Voting: The Greatest Threat to Democracy


The dumpster fire that is the 2016 presidential election is thankfully almost behind us. But in its final throes, it is currently belching a peculiar pollution. The claims of election rigging coming directly from Donald Trump have raised a serious question about the legitimacy of our elections – the foundation of the legitimacy of our government, as governing in a democracy requires the consent of the governed.

While Mr. Trump may be more concerned with the role of non-citizens, election officials and the media in the manipulation of the outcome, he’s missing the greater threat to the future of democracy – Internet voting. Or rather, the likelihood of Internet voting fraud.

The temptation of Internet voting

The appeal is obvious – so much of our everyday activity is an interaction with an Internet-connected app that voting would seem to be woefully behind in this regard. If we can securely conduct banking, interact with electronic healthcare records, or apply for travel visas online, why not cast a vote?

There are also cost savings and efficiencies to be gained for state officials with the use of Internet voting, as its use could reduce demand for physical polling places and voting by mail. But perhaps the best argument in favor of Internet voting is the potential to increase participation or turnout by voters due to its convenience, although there would be concerns that it only makes voting easier for the digital “haves” – a declining issue in a nation where 89% of adults use the Internet.

Don’t we already use electronic voting? 

Today’s voting technology is largely a decentralized paper-based process. After the Bush v. Gore “hanging chad” issues in 2000, Congress passed the Help America Vote Act in 2002, supplying almost 4 billion federal dollars to help states upgrade their voting machines. All 50 states took the money, most of which was used to purchase electronic voting machines. 

But by 2007, problems with the machines, including security concerns, led to a decline in the use of electronic systems. Only five states today use paperless touch screens exclusively – South Carolina, Georgia, Louisiana, New Jersey and Delaware. Many states, such as Maryland, Florida and Virginia, have banned their use in future elections.

How do Internet and electronic voting differ?

The key difference between electronic and Internet voting, from a security perspective, is decentralization and the lack of connection to the Internet. While electronic voting machines can be hacked, doing so requires physical access to the machines in most cases, which is made more difficult by the fact that all 50 states have their own means of securing the devices.

Michigan offered Internet voting in 2004 in its Democratic primary, and West Virginia piloted Internet voting for military voters in 2009. Utah also used Internet voting for its 2016 primary.

A more troubling example is a 2010 Washington, D.C. pilot project for overseas voters that was hacked within 36 hours.  Hackers from the University of Michigan weren’t detected for two business days, and might have gone unnoticed were it not for the fact that they programmed the system to play the Michigan fight song at the end of the voting process.  The University of Michigan team “uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy and subvert the verification mechanism.” And, these white hat attackers (they had been invited to attempt a breach) noticed attempted intrusions by others that included IP addresses in Iran, India and China.

But these are examples without significant risk of changing the outcome of a national election.

So what’s the risk behind Internet voting?

While it’s logical to ask why we can conduct banking safely online and not voting, the two aren’t as similar as one might believe. Yes, they both must authenticate the user and maintain a record of a transaction, but the voting system must do so anonymously. With banking, the victim at some point will recognize a theft – with voting, that’s unlikely.

The most serious study that attempts to capture “the most complete set of requirements to date that must be satisfied by any Internet voting system used in public elections” is the US Vote Foundation’s specification and feasibility assessment study for “End-to-End Verifiable Internet Voting” (E2E-VIV). Yet the expert statements in this same report list voter authentication, client-side malware and distributed denial of service (DDoS) attacks as risks to be addressed before Internet voting can proceed.

The DDoS problem is particularly worrisome given last month’s attack on Dyn that demonstrated the weaponization of IoT devices. Although not an election, the first ever digital Australian census was subjected to a DDoS attack on August 9, 2016 that caused a premature shutdown of the website. When the stakes are higher in a national election, the motivation of attackers to disrupt it for personal fame or gain, coupled with the Internet of Things, could be a toxic combination for Internet voting.

A reliance on Internet voting with current technology will lead to the disenfranchisement of voters, manipulation by foreign or domestic attackers and ultimately to the delegitimization of the vote that will destabilize the elected government. Though Donald Trump may be concerned about vote rigging today, he hasn’t seen anything yet.
