UAH expert says election hacking possible, expects problem to grow

HUNTSVILLE, Ala. -- Alabama Secretary of State John Merrill announced Thursday he has ordered a security review of the state’s voting systems.

The announcement comes in the wake of the FBI reporting this week that hackers – suspected to have been using Russian-based computer servers – penetrated state election systems in Arizona and Illinois.

“In response to concerns that have been raised regarding the security of the voter rolls in the state of Alabama, I have asked for our election systems vendor to complete a comprehensive review of our state system to ensure that no breaches have occurred,” Merrill said.

"I remain confident that our system is strong. We will continue to review our systems to ensure that we do not allow any personal data or election results to ever be compromised in this way."

Jeet Gupta, an eminent scholar of technology management of the University of Alabama in Huntsville, Thursday discussed hacking with WHNT News 19. Gupta said computer security experts and hackers are locked in a race.

“We are becoming quite smart in protecting our systems, that nobody can hack,” he said. “But as we are advancing in the technology and the know-how and the software that we use to be able to do that, hackers are also advancing, because they know the information technology as much, if not more, than the people who develop the information technology.”

Gupta said individual hackers tend to violate systems for monetary gain, while state-sponsored hackers are engaged in a new kind of warfare.

“States do it to get the benefits that they cannot get otherwise,” he said. “There was a time when we fought the war in the battlefield with swords and everything, and then with the rifles and all of that. Now we’ve got sophisticated equipment, the drones and everything to be fighting the battles.

“What is happening is now we are moving from the physical space to the cyberspace in the war.”

A successful hack of a state voter registration database could be especially damaging, Gupta said, offering an example of a generic state.

“Let’s suppose the Democrats have an advantage of winning, either the senate seat or the presidential election or whatever,” he said. “If I can get the voter registration records, I can find out who are the Democrats, who are going to be voting in this election.

“And I can purge them, from that database, and if people don’t find out in time to be able to correct that, then I have disadvantaged the Democratic base. I could do the same thing for the Republican base if I want to, any which way I want.”

Gupta said a real-time hack changing votes on election night would be difficult, but it is possible that it could be done. He said the hackers would need advance information.

“It’s possible to do in almost real-time, but it is a little harder,” he said. “Because you need to have a lot more speed and a lot more computing power to be able do that. It’s doable.”

Vote counting systems are a more likely point of attack, Gupta said, than changing votes.

“More likely scenario is that you got in, you hacked the system and people did not come to know, and you change the software, how it is counted,” he said. “That you can do.”

The war between hackers and those charged with stopping is ongoing. UAH has a cybersecurity program and offers cybersecurity scholarships in conjunction with the federal government.

Gupta urged young people interested in the subject to consider the appeal of being a “white hat” hacker - one whose job it is to investigate computer system vulnerabilities to fix them, rather than exploit them.

Gupta doesn’t expect hacking attempts aimed at disrupting elections to end in November, he expects the problem to grown.

He said it’s just another aspect of humanity’s relationship with technology.

“On one hand we see these threats, on the other hand we see the opportunities of what we can use the technology for,” he said. “And many times, the threats are not as severe as to mitigate the opportunities that we have.

The election systems vendor, Election Systems & Software, sent a letter to Merill saying that it has multiple safeguards in place to prevent such an attack and has taken further steps to prevent any unauthorized traffic to its systems.

Read the letter here:

71dbf5a0-c802-4f62-8048-7dc95223b688