When former CIA director James Woolsey said in 2017 that he was “confident the Russians will be back, and that they will take what they have learned last year to attempt to inflict even more damage in future elections,” he was referring primarily to cyberattacks against electronic voting machines and voter registration databases.
That same year, professor J. Alex Halderman of the University of Michigan testified before the US Senate Intelligence Committee that the results of simulated cyberattacks on American voting machines were decidedly bleak.
“What we found was disturbing: We could reprogram the machine to invisibly cause any candidate to win,” Halderman said at the time. “We also created malicious software—vote-stealing code—that could spread from machine-to-machine like a computer virus, and silently change the election outcome. Vulnerabilities like these are endemic throughout our election system.”
Future US elections must guard against not only malicious cyber manipulation, but deep fakes and social engineering, as well. According to a debriefing document shared with Quartz, a simulated 2020 election last month ended in abject chaos and a canceled vote. Now, according to Yury Dvorkin, a professor of electrical and computer engineering at New York University’s Tandon School of Engineering, there’s another possibility to worry about: electric cars.
A successful election attack doesn’t need to gain access to voting systems themselves. Dvorkin says plug-in electric vehicles (PEVs) and the charging stations that charge their batteries could enable large-scale cyberattacks on urban power grids. In a simulation he and his team conducted using Manhattan, Dvorkin found that it would take only 1,000 electric vehicles charging simultaneously to stage an attack on the city’s power grid, potentially blacking out entire sections of New York.
In the context of election security, Dvorkin told Quartz that such attacks could cause power outages in districts a political opponent might want to flip, making it impossible—or at least extremely difficult—for people who live within those boundaries to vote. Streetlights would be affected, causing traffic jams. Subways would be inoperable, and communications networks could go dark. Electronic voting machines would be useless without electricity, shutting down polling stations.
“Based on available statistics, urban populations tend to favor a certain political party,” Dvorkin said. “If on election day there is a blackout in the city, it means that this vote is going to be suppressed. And even if you take a fairly blue state such as New York, where people living in rural areas also often vote for a certain party, suppressing the urban vote may turn the state from blue to red.”
How it could happen
Attacking a power grid to sway an election is not an imagined threat. Power grid attacks blacked out local elections in Argentina and Uruguay last June, and Russian hackers nearly shut down the UK power grid on the country’s election day a year ago. Russian hackers have already been spotted by US intelligence officials and cybersecurity executives probing for weaknesses within the US power grid, and are “very interested” in doing it again, experts say.
In a recent working paper now going through the peer-review process, Dvorkin says most utilities treat PEVs and electric vehicle charging stations “as passive loads and do not proactively monitor their usage and cyber hygiene.” Charging station data is publicly available. An attacker could use that data to reconstruct specific grid layouts via project information and updates reported by the utilities themselves. They could then alter power loads in subtle ways relative to total system demand, which, theoretically, would not be noticeable to the system operator. “As a result, the cybersecurity community warns that PEVs and EVCSs can evolve as an attack vector into the power grid,” Dvorkin said.
Researchers at Princeton University have raised similar concerns. Controlling 600,000 high-wattage devices would “give the adversary the ability to manipulate around 3,000 megawatts of power in an instant.” That’s equivalent to the output of a large nuclear power plant, they said. An overload this intense could lead to cascading power failures “potentially as disruptive as the Northeast blackout of 2003.”
Tripping enough generators to cause a large-scale blackout within a targeted area would only require access to 90,000 internet-enabled air conditioners or 18,000 electric water heaters, according to the Princeton team.
“There is no unique solution that is going to solve this problem,” cautioned Dvorkin, who noted that this type of attack has not yet been executed in practice.
System operators could roll out anomaly detection techniques, though Dvorkin said it is very difficult to define ‘normal’ behaviors. Another possibility would be to roll out ‘microgrid resiliency,’ which partitions the supply of electricity into small sections to limit disturbances. But this is “never going to be implemented before the 2020 elections,” Dvorkin said.
But will it happen?
Quartz described Dvorkin’s assessment to a number of intelligence professionals, who were sufficiently skeptical.
Joseph Wippl, a former CIA clandestine operative who spent the bulk of his career posing undercover as a US diplomat, said disrupting an election by blacking out a city is, “Possible but not probable.”
Jack Barsky, a former KGB “sleeper” agent who later worked for the entity that oversees New York State’s power grid, said he doubted that the open-source data accessible through electric car charging stations would reveal the layout of the high voltage network, which he says would be necessary for a widespread shutdown. “That is strongly guarded by the respective systems operators. But a corrupt insider is always a possibility,” he said.
He also said that grid segments are not aligned with voting districts, so it would be difficult to micro-target specific voting blocs. If an entire city or neighborhood was blacked out on Election Day, Barsky imagines voting would simply resume when the power came back on.
Former FBI agent Phil Carson said he is “pretty confident” a scenario like this won’t happen. “People can ‘what if’ things to death,” he said. “I know every time I put together an ops plan for a drug case operation my bosses would ask me, ‘What if this were to happen?’ to the point of being ridiculous.”
“Relax,” said former Russian intelligence officer Jan Neumann, who now lives in the United States. “There is no reason to freak out about it.”
Dvorkin said he knows that an election hack caused by manipulating the power grid may seem far-fetched at the moment. But, he added: “There is a very fine line between what seems extreme and barely possible right now, and what happens when the election comes.”