The Internet Law Resource Center™ is the complete information solution for practitioners in cyberlaw. Follow the latest developments on ICANN’s gTLD program, keyword advertising, online privacy,...
Aug. 2 — A majority of U.S. states are planning to conduct their November elections using electronic machines with technology invented when cybersecurity threats did not loom as quite as large as they do now.
It seems like an election crisis waiting to happen. But, despite recent hacks of Democratic Party data– and suspicions of Russian government involvement—a widespread attack on electronic voting machines is unlikely, according to people familiar with existing systems. Still, states and Congress should move to upgrade and protect a legion of outdated machines from isolated attacks, they say.
The voting machines—unlike the Democratic National Committee’s e-mail systems or Illinois’ recently hacked online voter registration systems—are not connected to each other or the internet with regularity, making the system decentralized and more secure, Kay Stimson, spokeswoman for the National Association of Secretaries of State, told Bloomberg BNA.
“There’s no indication from national security agencies to state election officials that any threat currently exists when it comes to this issue,” Stimson said.
There are more than 8,000 voting jurisdictions in the nation. Federal law doesn’t mandate a specific voting platform; state and local governments independently certify and budget for their own voting systems, according to the U.S. Election Assistance Commission. That has led to a patchwork of technologies and vendors in use—from states such as Colorado that use mail-in ballots, to optically-scanned paper ballots to all-electronic machines in Georgia—according to the National Conference of State Legislatures.
There’s no evidence that a voting machine has been hacked during an election, said Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, who specializes in voting technology. Although that doesn’t mean a hack couldn’t happen, the wide variety of machines and methods used to vote from precinct to precinct would require an army of people within U.S. borders trying to tamper with machines on a local level, Hall said.
“A widespread effect is highly unlikely because the resources required would be very large,” Hall said. “There are attacks you can accomplish from afar for an internet voting system that aren’t possible with the system we have now.”
Hall said that doesn’t mean that small-scale electronic voting hacks aren’t a concern. Outdated voting machines are “horrifically insecure,” he said.
Last year, 24 percent of Virginia precincts used what was dubbed the “worst voting machine ever”—one with an internet connection hackable from a polling place parking lot, said Pamela Smith, president of Verified Voting, a nonprofit organization that advocates for accuracy of elections.
The machine has since been decertified, and some states have enacted laws regulating internet connectivity of machines.
Online voting pilot programs, such as one that was tested in Washington D.C. in 2010, were shown to be hackable after University of Michigan students breached the system in 36 hours, Smith said. Thirty states will use some form of internet–based voting in November, but it remains limited to certain types of overseas, absentee or military voters, Smith said.
The most important element to safeguarding elections, according to sources familiar with the subject, is having a voting system that can be audited: about three-quarters of Americans will vote in November using methods that leave a paper trail. That allows even electronic machine voters to check that their vote was recorded correctly, and election officials to conduct recounts, Smith said. About half of the states require post-election audits, and most of the others can conduct them “if any other problems came to light,” Stimson said.
In short, analog methods may be the best security against a hack.
“You can probably hack any system, but in some systems you can check what the intent was,” Smith said.
States with electronic machines that do not print out paper voting receipts will be more vulnerable to a hack, Smith said. Delaware, Georgia, Louisiana, New Jersey and South Carolina use these machines statewide, and ten other states have them in some locations, according to Smith.
There also may be a small window of time that some voting machines are connected to a computer network or the internet to upload a new ballot or transmit data to the precinct, Smith said. A paper trail and post-election audit lets local officials match their results to official records in case there was suspected tampering of software, she said.
Election observers, academic researchers and think tanks are calling for federal funding for more secure voting systems, but no legislation is pending and some worry a push won't happen without a crisis driving public outcry. Florida’s 2000 election recount spurred Congress to pass the Help America Vote Act (HAVA) and fund an upgrade in voting technology. A large share of voting machines still in use were purchased with those funds after 2003, according to a 2014 Presidential Commission on Election Administration report recommending sweeping upgrades.
“The systems that are in place are reaching a point where they won’t work anymore,” Antonio Mugica, co-owner and chief executive officer of Smartmatic International Corp., said of his company’s electronic voting machines. “It’s a fantastic system, and it works, but you wouldn’t be using your same laptop from 12 years ago.”
Requiring machines with higher cybersecurity standards, compensating election officials better and offering FBI rewards for citizen reports of vote tampering that lead to a prosecution are all methods to prevent future cyberattacks, Hall said. Legislation should also require states to use systems that produce a paper trail, he added.
“That stuff is about the best band aid that we can imagine,” Hall said. “If we don’t audit things, we’re never going to catch the indicators that someone might be doing a vicious attack.”
In the next three months before the election, polling places should run robust tests of voting systems open to outside observers, make sure their platform isn’t networked or online and prepare to do a post-election audit even if it’s not required by their state, Smith said. Voters should check their jurisdiction’s registration system to make sure they’re identified correctly, and not be swayed to stay home on November 8 because of fears of rigged system, she said.
“That’s one way to be sure your vote won’t count, is to not show up,” Smith said.
To contact the reporter on this story: Michaela Ross in Washington at email@example.com
To contact the editor responsible for this story: Keith Perine at firstname.lastname@example.org
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)