THREATS TO DEMOCRACY Of course, cyber attacks aren’t limited to the financial and business realm. J. Alex Halderman, an assistant professor of electrical engineering and computer science, researches the vulnerabilities of electronic voting. Last fall he learned that the city of Washington, D.C., in order to see how airtight its new web-based voter system was, invited any and all to hack away at it during a weeklong test period. Halderman jumped at the opportunity, recruiting two of his doctoral students and a department staff member to join him. The system, designed to allow overseas voters to submit absentee ballots, works like this:
A voter downloads a PDF of a ballot, fills it in using a reader such as Acrobat, then uploads the completed ballot back into the system. Halderman and his crew speedily spotted a vulnerability in the way the system handles the uploading of completed ballots. Exploiting this weakness, they were able to change completed ballots to favor write-in candidates of their choosing (evil robots from science fiction), and view ballots cast after their attack, including the names of the voters who submitted them. To polish it off, they left a musical calling card on the thank you screen that pops up at the end: the Michigan fight song. /// ///
Total time, from first accessing the test system to basically trashing, albeit amusingly, the cherished tenets of ballot accuracy and secrecy upon which democracy depends: Thirty-six hours. Halderman was not in the least surprised at the ease with which they infiltrated the system. He’s studied electronic voting for years, and has examined systems in California, Ohio, and India. Every time independent experts poke around in the source code, he says — and many vendors resist allowing that — they find vulnerabilities that could allow someone to change votes and alter election outcomes, totally undetected. In D.C.’s case, after Halderman and his colleagues demonstrated its weaknesses, the website’s
PHOTO Abedin Taherkenareh/epa/Corbis
In November 2010, the Iranian government confirmed that its first nuclear power plant in Bushehr (right) was hit by Stuxnet, a computer worm that targets industrial software and equipment.
ONCE THE STUFF OF HOLLYWOOD FILMS, CYBERWARFARE IS A NEW REALITY THREATENING GLOBAL SECURITY Cyberwarfare is a chilling word, but it’s being invoked lately over Stuxnet, a wily, tenacious worm that appears to target very specific industrial operations, most notably nuclear facilities in Iran. In November, after months of denial, President Mahmoud Ahmadinejad confirmed that the worm had stalled some centrifuges but that the problem had been fixed. Referred to as a “cyberweapon” and “cybermissile,” Stuxnet’s sophistication would require, many believe, the knowledge and resources of a national government agency, raising widespread speculation that it’s of Israeli provenance. “Are Israel and Iran Waging Cyber War?” asked a headline in The First Post, the online site of the British newsmagazine The Week. “A cyber-missile aimed at Iran?” asked another, on The Economist’s site. The virus’s origin has not been determined, but the world is on alert. In November, Sean McGurk, the head of the Cybersecurity Center at the Department of Homeland Security, told a Senate committee that Stuxnet is a “game changer,” potentially threatening infrastructure worldwide. Another high-profile, politically motivated cyberattack was aimed at the former Soviet republic of Georgia, where several government websites were knocked out of service in August 2008, just as Russia launched a five-day military campaign against the country. Many believed the attacks were orchestrated by botnets associated with Russian organized crime. Dorothy Denning, a defense analysis professor at the Naval Postgraduate School, doesn’t believe any of these attacks have yet risen to the level of cyberterrorism, which she judges as something that kills people and destroys property, as actual terrorism does. People associated with Al Qaeda have carried out denial-of-service attacks but nothing that crosses into the physical world, she says. “They don’t have the capability to do anything more serious than that, and I don’t think they’re doing anything to develop that capability.” But as someone who’s been working in computer security since 1972, she doesn’t rule anything out. “We’ll know when it happens.”
Published on May 10, 2011