Election Watchdog
A Michigan computer scientist blows the whistle on vulnerable voting technology.
By Mark Matthews
In May of 2006, an anonymous source gave Princeton computer scientists a Diebold AccuVote-TS voting machine, urging them to examine it for security flaws. They found plenty. In a paper published four months later, the researchers reported that with just a minute’s access to the machine, an attacker could install malicious code capable of stealing votes undetectably, “modifying all records, logs, and counters to be consistent with the fraudulent vote count.” The attacker could also create a virus that spreads automatically from machine to machine during an election. Twelve years later, co-author J. Alex Halderman was in a Georgia courtroom demonstrating flaws in the same type of voting machine—one still in use by the state.
Halderman, who entered Princeton as an undergraduate and is now a professor of computer science and engineering at the University of Michigan, has gained a high profile with repeated warnings that states and voting districts reliant solely on electronic voting are putting their elections at risk. Before U.S. District Judge Amy Totenberg, he conducted a mock election pitting George Washington against Benedict Arnold, the Revolutionary War traitor. Although a correct count would show a landslide win by Washington, software he planted in the machine gave Arnold a narrow victory.
Back when Halderman, a Pennsylvania native, was investigating the Diebold machine with Princeton’s Edward Felten, professor of computer science and public affairs, and fellow grad student Ariel Feldman, the universe of imagined election hackers was limited to criminals and dishonest candidates. The idea that foreign governments would be involved “sounded like science fiction,” he says. The 2016 presidential race exposed election hacking by nation states as “part of reality.”
The Senate Intelligence Committee found that Russian cyberhackers were capable of worse disruption than they actually conducted. They gained access to restricted elements of election infrastructure in a small number of states and were in a position to alter or delete voter registration data.
The threat hasn’t sunk in sufficiently with officials or the public, Halderman says. In the 2018 midterm congressional elections, “anything can happen.” Not only did Georgia and 17 other states keep the old version of the Diebold AccuVote-TS, he says, but some jurisdictions have failed to install patching software to correct known vulnerabilities. “It’s as if you had stopped accepting Windows updates for 12 years.”
Halderman says election authorities should install systems that combine electronic tallies with an additional paper record and conduct a post-election audit to verify that paper and electronic votes are the same. The size of the sample required for the audit would depend on the margin of victory, with a tight race requiring examination of more votes.
A National Academies Committee recently made a similar recommendation. By November 2020, all elections should be conducted with human-readable paper ballots, the panel said, and states should make every effort to use them this year. Voting machines that don’t produce a paper audit trail should be removed from service, and networks connected to the Internet should be avoided.
Bipartisan legislation pending in the U.S. Senate provides a financial incentive for states to adopt paper ballots, but it appears unlikely to pass in time to make a difference this year.
Halderman, who collaborated with the New York Times on the video “I Hacked an Election. So Can the Russians,” says some 10,000 students have taken his online Coursera class on security risks in electronic and Internet voting, Securing Digital Democracy. At Michigan, he is teaching a course for seniors that covers cybersecurity threats to U.S. elections. “The science is well established,” he says. Looking to November, he worries that cyberwarriors could affect the outcome by targeting close races in a few key states and districts. One could be Georgia; Judge Totenberg agreed it’s too late to force the state to adopt paper ballots. Just by casting doubt on the validity of an election, Halderman says, hackers can undermine faith in democracy.
Mark Matthews is editor of Prism.
© University of Michigan/Getty Images