Moreover, the DHS protection is basic, focusing on best practices and a checklist mentality for security – something experts disagree with, because attack surfaces are unique and can change from network to network.
It's about influence, not voting machines:
In an interview with CSO Online, Carson Sweet, CTO of CloudPassage, mirrored Lewis' and Gangwer's opinions – influencing the outcome of the voting process by compromising voting machines is improbable, but not impossible.
"We're not on the brink of democracy's digital implosion, but we have a lot of work left to do. In any case, it's about much more than just the voting machines, so let's not get myopic and lose track of the bigger picture," Sweet said.
About 14 percent of electoral votes are in swing states where some percentage of voting machines are DRE without a paper backup – specifically Florida, Virginia, and Pennsylvania. But even in those cases, some districts use paper ballots and DRE with paper backups. Only one state, Louisiana, uses DRE with no paper backup at all.
"This means that irregularities in vote counts, either by compromising the voting machine or election management software (the "back-end" to voting machines) would be recognized in spot-checks or manual verification counts, which many states still perform," Sweet said.
"Keep in mind that just compromising a few machines is not enough, unless you could see into the future to know exactly where those extra 500 votes would matter. You would have to compromise enough machines to guarantee a win; otherwise, what's the point?"
Sweet says that if he were to construct a scenario in which he could impact a vote, the approach would be to disrupt voting in the swing states and other key voting areas.
So how would he do this?
"By compromising online voter databases well before the election," he explains.
"Federal law requiring that voter records be unified online actually make this easier for an attacker since there's only one place to go per state (e.g. California's VoteCal system)," Sweet added.
Imagine what would happen if an attacker were able to dissociate physical signatures from voter records. Or perhaps the attacker could randomly scramble the last six digits of someone's Social Security number; mark a significant number of voters as deceased - or some combination of all of the above.
If done too broadly, Sweet explained, it would cause pandemonium at a voting site. Yet, if done with just the right amount and with consistency, the blame might likely land on bad administration or voters who incorrectly registered.
Sign up for CIO Asia eNewsletters.