Experts fear election machinery in too many U.S. precincts remains vulnerable to hackers.
By Thomas K. Grose
Dan Wallach is a professor of computer science at Rice University and a long-time researcher into the vulnerabilities of electronic voting systems. In 2007, he was part of a California study that found a wide variety of security problems with computerized voting, particularly direct-recording electronic (DRE) touch-screen machines that don’t spew out auditable paper ballots. The study raised fears that cyberhackers could attack election systems and change votes. Although California has since dropped the problematic machines, they remain in use in a number of other states. Indeed, according to the nonprofit Verified Voting Foundation, eight states—home to an estimated 10 percent of registered voters in 2016—will head into the November 2020 presidential election relying fully or partially on DREs.
Nearly four years after U.S. intelligence agencies concluded that Russia interfered in the 2016 election, “the threat of hacking, disruption, or manipulation of our election system is very real,” Elizabeth L. Howard, a lawyer at New York University’s Brennan Center for Justice, told a congressional panel in January. Russian meddling didn’t start with the 2016 election cycle; the Senate Intelligence Committee found that between 2014 and 2017, Russian hackers had probed the election systems in all 50 states and breached voter registration rolls in Arizona and Illinois. In an unusual joint statement last November, the Departments of Defense, Homeland Security, and Justice, along with the U.S. intelligence community warned that “Russia, China, Iran, and other foreign malicious actors all will seek to interfere in the voting process” in 2020. The NAACP and voting rights groups remain alert, as well, for partisan attempts at voter suppression aimed at minorities and students.
Many states turned to computer voting after the 2000 election, viewing electronic tallies as more reliable than paper ballot systems. That year, a disputed vote count in Florida forced Americans to wait for weeks to know whether Republican George W. Bush or Democrat Al Gore would be the next president. After a chaotic recount that exposed the notorious “hanging chad”—incompletely punched holes in voter-machine cards—and other flaws in Florida’s election process, the U.S. Supreme Court ruled in favor of Bush.
The Florida imbroglio revealed that paper ballots can not only be counted incorrectly but confuse voters, as well, resulting in votes cast for more than one candidate or for none at all. But computer voting has potentially more serious vulnerabilities because a whole system could be compromised. Last August, a federal judge in Georgia ordered the state to stop using its paperless touchscreen machines and election management system beyond 2019, calling its voting equipment, software, and election and voter databases “antiquated, seriously flawed, and vulnerable to failure, breach, contamination, and attack.”
Systemic Glitches
Electronic systems can simply malfunction. In the 2018 midterm elections, for example, glitches in a system newly installed by Election Systems & Software (ES&S) in Indiana’s Johnson County left it unable to determine if people voted more than once. Afterwards, county officials cancelled ES&S’s contract. Then, last November, a massive voting machine failure in Pennsylvania’s Northampton County initially showed a Democratic judicial candidate getting just 164 votes out of 55,000 ballots cast. When the backup paper ballots were counted, that candidate, Abe Kassis, had narrowly won the race. The county had paid $2.88 million for 320 ES&S Express Vote XL machines under a state mandate to move away from electronic-only ballots. Pennsylvania officials blamed human error in programming the details of the election into the system as well as imprecise factory configuration of a limited number of machines. Testifying before Congress, ES&S CEO Tom Burt acknowledged that “we do not believe we are perfect or invincible. On rare occasions, mistakes are made, a machine falters, or a human error is uncovered. Our reaction to any problems that occur is swift and comprehensive. Our record makes clear that, working with the relevant local officials, we immediately seek to identify the potential problem, send in a team of experts to consult with the customer, and do everything possible to remedy the issue and ensure that final election results are reported accurately.”
But critics of the latest generation of machines say problems go beyond the occasional malfunction. Machines are supposed to be air-gapped–not connected to the Internet or to other Internet-connected computers. “That’s true during an election,” Wallach says, but before and after an election, they’re programmed via Internet-connected computers. Officials and vendors claim those computers are air-gapped, too, he says, “but they aren’t; they’re firewalled, and that’s not the same thing. They are a way into the system.” Indeed, last August, at DefCon in Las Vegas, an annual hackers’ convention, white-hat cyberhackers were able to easily penetrate more than six commercially-available machines still in use.
J. Alex Halderman, the University of Michigan computer science and engineering professor whose testimony helped persuade a federal judge that Georgia’s outdated voting machines had to be scrapped, has joined critics of ES&S’s Express Vote XL machines. In a federal court declaration in Philadelphia, he contends the machines’ paper backup system won’t necessarily protect them against malignant hackers. “The paper records scanned by the machine don’t contain the names of candidates on the ballot, but bar codes representing the names,” he says. “It would be feasible for malware to cause the machine to print bar codes that corresponded to candidates the voter did not select.” The result could be a flawed paper trail that even a post-election audit would not catch.
After critics charged that the XL machines failed to meet Pennsylvania’s certification requirement of a “printed ballot,” the state hired a consultant to reexamine them. The consultant tried to “create the issues the petitioners alleged were theoretically possible,” but “were unable to do so,” Pennsylvania’s secretary of state Kathy Boockvar said in a court declaration.
Three Dominant Companies
Pennsylvania’s actions are being watched closely because the state could go either way in November’s elections. Why have some jurisdictions continued to use machines that experts don’t trust? For one thing, they’re expensive to replace. Also, the average election official has limited technological know-how and depends on vendors for advice, says Douglas Jones, a computer scientist at the University of Iowa. “Counties rely on for-profit companies that operate with very little oversight and even less clarity,” he notes. Three companies—ES&S, Dominion Voting Systems, and Hart InterCivic—control 80 percent of the market. Despite their oversize role in recording the votes of 100 million citizens, “some have accused these companies of obfuscating and in some cases misleading election administrators and the American public,” Rep. Zoe Lofgren, a California Democrat, said in opening a House Administration Committee hearing on January 9. What’s more, contends the Brennan Center’s Howard: “A successful cyberattack against any of these companies could have devastating consequences for elections in vast swaths of the country.”
To be sure, alarms raised by experts about the vulnerabilities of voting machines have largely been heeded. “There is progress being made, but it’s more in the states than on the federal level,” explains Andrew Appel, a computer science professor at Princeton University. “Most states now do use paper ballots that are hand-marked.” According to Warren Stewart, a data scientist at the Verified Voting Foundation, 30 states use only paper ballots, and so do many counties in 17 others. He estimates that 68 percent of registered voters live in areas that use paper ballots. Only three states, home to around 2.5 percent of registered voters, use DREs that also produce a paper record.
But in recent years, vendors have also been pushing for wider use of electronic pens, or ballot marking devices (BMDs), that initially were designed for handicapped voters. Three states now use them statewide, and 13 have counties that use them exclusively. Overall, approximately 19.5 percent of registered voters live in jurisdictions that use BMDs. “The problem is a BMD is also hackable,” Appel says, so there could be a difference between what voters see on their screen and what ends up printed on the paper ballot. “It’s a bad trend,” Appel says. The problem is that BMDs rely on voters to check if their paper ballot is correct. “It is a miserably small percentage of voters who’ll notice an error,” Jones says. “People are terrible at proofreading.” A recent study by Halderman found that in a natural experiment, only 6.5 percent of voters, unprompted, would catch errors on printed ballots. Using different prompts boosted the levels to 13 and 16 percent.
Wallach thinks the proofreading problem with BMDs can be overcome by having election staff teams perform live audits of the machines to determine if they were being manipulated. “It’s fairly easy to constrain an adversary. I think we can put them in a box. BMDs are not evil; that’s just false.”
Complex Math
Of course, the beauty of paper ballots is they can be audited. But some states do not have an auditing system in place and many others use one based on a California model that audits a fixed percentage of ballots, “which is time-consuming and costly,” Jones says. A new system, called a risk-limiting audit (RLA), has begun to gain momentum after it was introduced by Colorado in 2017. An RLA counts a precise number of ballots that’s determined by the winner’s margin of victory: the wider the margin, the fewer ballots audited. Basically, it uses complex math to verify, to a high degree of confidence, whether the declared winner’s victory was highly likely or not.
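To show how the margin drives the number of ballots examined, here is an added example (not from the article, and not the VotingWorks software) that uses BRAVO ballot-polling, one published RLA method. It assumes a two-candidate contest and ballots drawn at random with replacement; the function names and the 5 percent risk limit are illustrative choices.

```python
import math
import random

def bravo_audit(sample, reported_winner_share, risk_limit=0.05):
    """Sequential test over sampled paper ballots, each "W" or "L".

    Returns (confirmed, ballots_examined). Not confirmed means the sample
    ran out without enough evidence, so the audit escalates to more
    ballots or a full hand count.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner needs more than half the two-way vote")
    threshold = 1.0 / risk_limit      # evidence needed to stop the audit
    ratio, examined = 1.0, 0
    for ballot in sample:
        examined += 1
        if ballot == "W":             # ballot agrees with the reported outcome
            ratio *= reported_winner_share / 0.5
        elif ballot == "L":           # ballot counts against it
            ratio *= (1.0 - reported_winner_share) / 0.5
        else:
            raise ValueError(f"unexpected ballot value: {ballot!r}")
        if ratio >= threshold:
            return True, examined
    return False, examined

def expected_ballots(winner_share, risk_limit=0.05):
    """Wald approximation of the average sample size when the report is right."""
    drift = (winner_share * math.log(2 * winner_share)
             + (1 - winner_share) * math.log(2 * (1 - winner_share)))
    return math.log(1 / risk_limit) / drift

def draw_sample(true_winner_share, size, seed):
    """Constructed sample: simulated ballots, not real election data."""
    rng = random.Random(seed)
    return ["W" if rng.random() < true_winner_share else "L" for _ in range(size)]

if __name__ == "__main__":
    for share in (0.60, 0.52):        # wide margin versus narrow margin
        ok, n = bravo_audit(draw_sample(share, 20000, seed=1), share)
        print(f"reported {share:.0%}: confirmed={ok} after {n} ballots "
              f"(expected about {expected_ballots(share):.0f})")
    # Reported 60/40 while the paper ballots actually split 50/50.
    ok, n = bravo_audit(draw_sample(0.50, 20000, seed=1), 0.60)
    print(f"wrong report: confirmed={ok} after {n} ballots")
```

The risk limit bounds the chance that a wrong outcome is confirmed; it does not bound the workload, which grows sharply as the margin narrows.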
“RLAs are a great idea,” Wallach says. “They’re cheap and meaningful. The magic of RLAs is they can be shoehorned into the canvassing (vote certification) process and they’re cheap enough to do all the time.” Two states—Colorado and Rhode Island—are set to use statewide RLAs this November. Additionally, the Cybersecurity and Infrastructure Security Agency is providing a free, open-source RLA system developed by VotingWorks, a nonprofit voting security firm, to states this year and so far, six have agreed to pilot the software in November.
While much of the angst about election security is focused on the fear of vote-manipulation, Wallach thinks officials are underestimating a bigger danger: denial-of-service attacks. “Ballot-tampering is definitely a risk, but it is nowhere near the top of my list of worries, because a denial-of-service attack is easier to do and much more devastating.” It’s known that cyberhackers have probed the voter registration infrastructure in all states—possibly to cause chaos. “They just might want to break the election, that could be the goal, targeting polling records and tabulation systems. You could damage precincts you don’t like with selective denial-of-service attacks,” Wallach says.
He’s concerned about the rapid rise of e-poll books that states are using to track registered voters and speed up the pace at polling places. It’s estimated that 41 states will use them this year, providing a new way for bad guys to breach election systems. Unlike voting machines, e-poll books are not subject to testing and certification. “Right now, we have very little assurance that voter registration infrastructure, of any sort, has been engineered with nation-state adversaries in mind,” Wallach says.
Congress has approved $425 million for election security. Many states, Appel says, are using their share of that money “and guidance from [the Department of] Homeland Security to beef-up ways to protect” computerized records. However, “the pace of change in election systems is very slow,” Wallach says. “It’s measured in decades. RLAs are a decade-old idea only now gaining acceptance. Good ideas take a long time to percolate into practice.”
Two organizations are out to defy that trend and disrupt the status quo by developing open-source voting machines. VotingWorks, the nonprofit that also offers RLA software, is working on a machine that uses off-the-shelf hardware and open-source software. “It is very much a work-in-progress and remains under active development,” although the machines are already being deployed in Mississippi, says Wallach, who is working with VotingWorks. “The basic idea is keep it cheap, not bespoke.” The business model is to give away the software, then charge users for support. “The model is significantly cheaper than legacy vendors’. You give election officials great stuff and at a lower price.”
The Defense Advanced Research Projects Agency (DARPA) has funded a $10 million project by Galois, an Oregon tech company, to develop an open-source touch-screen device that prints paper ballots that can be read by an optical scanner. The plan is to offer the hardware and software for free to vendors, who would then customize it. “Galois’ is very much a prototype, though it is a very good prototype,” Wallach says. Jones, however, is doubtful that the entrenched industry will buy in. “Once a market is dominated by trade secrets and patents, it’s hard to move to a copyright-based system.”
Clearly, technologies exist that can make America’s voting infrastructure more robust, but don’t hold your breath that they will quickly be put into place. Russia, no doubt you’re listening.
Thomas K. Grose, Prism’s chief correspondent, is based in the United Kingdom.
Design by Francis Igot