Widespread Hack of U.S. Voting Machines ‘Highly Unlikely'

The Internet Law Resource Center™ is the complete information solution for practitioners in cyberlaw. Follow the latest developments on ICANN’s gTLD program, keyword advertising, online privacy,...

By Michaela Ross

Aug. 2 — A majority of U.S. states are planning to conduct their November elections using electronic machines with technology invented when cybersecurity threats did not loom as quite as large as they do now.

It seems like an election crisis waiting to happen. But, despite recent hacks of Democratic Party data– and suspicions of Russian government involvement—a widespread attack on electronic voting machines is unlikely, according to people familiar with existing systems. Still, states and Congress should move to upgrade and protect a legion of outdated machines from isolated attacks, they say.

The voting machines—unlike the Democratic National Committee’s e-mail systems or Illinois’ recently hacked online voter registration systems—are not connected to each other or the internet with regularity, making the system decentralized and more secure, Kay Stimson, spokeswoman for the National Association of Secretaries of State, told Bloomberg BNA.

“There’s no indication from national security agencies to state election officials that any threat currently exists when it comes to this issue,” Stimson said.

Patchwork of Tech

There are more than 8,000 voting jurisdictions in the nation. Federal law doesn’t mandate a specific voting platform; state and local governments independently certify and budget for their own voting systems, according to the U.S. Election Assistance Commission. That has led to a patchwork of technologies and vendors in use—from states such as Colorado that use mail-in ballots, to optically-scanned paper ballots to all-electronic machines in Georgia—according to the National Conference of State Legislatures.

There’s no evidence that a voting machine has been hacked during an election, said Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, who specializes in voting technology. Although that doesn’t mean a hack couldn’t happen, the wide variety of machines and methods used to vote from precinct to precinct would require an army of people within U.S. borders trying to tamper with machines on a local level, Hall said.

“A widespread effect is highly unlikely because the resources required would be very large,” Hall said. “There are attacks you can accomplish from afar for an internet voting system that aren’t possible with the system we have now.”

Hall said that doesn’t mean that small-scale electronic voting hacks aren’t a concern. Outdated voting machines are “horrifically insecure,” he said.

Last year, 24 percent of Virginia precincts used what was dubbed the “worst voting machine ever”—one with an internet connection hackable from a polling place parking lot, said Pamela Smith, president of Verified Voting, a nonprofit organization that advocates for accuracy of elections.

The machine has since been decertified, and some states have enacted laws regulating internet connectivity of machines.

Online voting pilot programs, such as one that was tested in Washington D.C. in 2010, were shown to be hackable after University of Michigan students breached the system in 36 hours, Smith said. Thirty states will use some form of internet–based voting in November, but it remains limited to certain types of overseas, absentee or military voters, Smith said.

Audits Crucial

The most important element to safeguarding elections, according to sources familiar with the subject, is having a voting system that can be audited: about three-quarters of Americans will vote in November using methods that leave a paper trail. That allows even electronic machine voters to check that their vote was recorded correctly, and election officials to conduct recounts, Smith said. About half of the states require post-election audits, and most of the others can conduct them “if any other problems came to light,” Stimson said.

In short, analog methods may be the best security against a hack.

“You can probably hack any system, but in some systems you can check what the intent was,” Smith said.

States with electronic machines that do not print out paper voting receipts will be more vulnerable to a hack, Smith said. Delaware, Georgia, Louisiana, New Jersey and South Carolina use these machines statewide, and ten other states have them in some locations, according to Smith.

There also may be a small window of time that some voting machines are connected to a computer network or the internet to upload a new ballot or transmit data to the precinct, Smith said. A paper trail and post-election audit lets local officials match their results to official records in case there was suspected tampering of software, she said.

No Federal Funding In Sight

Election observers, academic researchers and think tanks are calling for federal funding for more secure voting systems, but no legislation is pending and some worry a push won't happen without a crisis driving public outcry. Florida’s 2000 election recount spurred Congress to pass the Help America Vote Act (HAVA) and fund an upgrade in voting technology. A large share of voting machines still in use were purchased with those funds after 2003, according to a 2014 Presidential Commission on Election Administration report recommending sweeping upgrades.

“The systems that are in place are reaching a point where they won’t work anymore,” Antonio Mugica, co-owner and chief executive officer of Smartmatic International Corp., said of his company’s electronic voting machines. “It’s a fantastic system, and it works, but you wouldn’t be using your same laptop from 12 years ago.”

Requiring machines with higher cybersecurity standards, compensating election officials better and offering FBI rewards for citizen reports of vote tampering that lead to a prosecution are all methods to prevent future cyberattacks, Hall said. Legislation should also require states to use systems that produce a paper trail, he added.

“That stuff is about the best band aid that we can imagine,” Hall said. “If we don’t audit things, we’re never going to catch the indicators that someone might be doing a vicious attack.”

In the next three months before the election, polling places should run robust tests of voting systems open to outside observers, make sure their platform isn’t networked or online and prepare to do a post-election audit even if it’s not required by their state, Smith said. Voters should check their jurisdiction’s registration system to make sure they’re identified correctly, and not be swayed to stay home on November 8 because of fears of rigged system, she said.

“That’s one way to be sure your vote won’t count, is to not show up,” Smith said.

To contact the reporter on this story: Michaela Ross in Washington at mross@bna.com

To contact the editor responsible for this story: Keith Perine at kperine@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.