Ballot Box Hack Threat May Impact Voter Confidence

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Sept. 28 — State election systems' cybersecurity is important to ensure election integrity and voter confidence after recent cyberattacks against political organizations and the technology sector, House lawmakers heard at a Sept. 28 hearing.

The hearing comes after high-profile attacks against the Democratic National Committee (15 PVLR 1606, 8/8/16), state election databases (15 PVLR 1764, 9/5/16) and Yahoo! Inc. (15 PVLR 1881, 9/26/16) gained national attention.

Cybersecurity threats have garnered enough attention that it was discussed during the 2016 presidential debate. Although many cybersecurity researchers, national security officials and Democratic nominee Hillary Clinton say that state-sponsored hackers, specifically Russia, were behind the attacks, Republican nominee Donald J. Trump refused to point fingers at a specific hacking group .

Regardless of which party is responsible for the high-profile attacks, state and local officials should distinguish between “real threats” and ones based on “sensationalistic rhetoric,” Lawrence Norden, deputy director of the Brennan Center for Justice at New York University, said at the hearing. The real risk isn't to the outcome of the upcoming election, or to local election results, but rather to the public confidence in voting machines, he said.

In response, the Department of Homeland Security has increased efforts to help state and local officials combat cyberattacks even if the threat is only to public confidence.

Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, said at the hearing that it is the “fundamental right” of U.S. citizens “to have their voice heard” in elections. To help ensure this right, the DHS has partnered with state and local officials by offering cybersecurity best practices, increased cyberthreat information sharing and assisting stake holders in incident response after a data breach, he said.

State and local governments need to realize that “in the field of cybersecurity we must always be vigilant and never relax,” Ozment said.

Complex System = Secure?

Whether voters should have confidence in the upcoming election may come down to the complexity of the voting system.

Thomas Hicks, chairman of the U.S. Election Assistance Commission, said that the U.S. election systems is secure and that voters should have confidence in the upcoming election because there is no national or uniform system for hackers to infiltrate.

Additionally, a hacking attack against one state election system may allow other states to increase the cybersecurity of their own ballot boxes after an attack, Hicks said. A breach in one state won't compromise voting data in another state, he said. State data breaches allow other states to step up and have their respective officials do system security checks, he said.

Election System Vulnerabilities

Although the panelists all denied that a cyberattack will change the outcome of the 2016 election, there is still disagreement over whether the election system is vulnerable.

Rep. Ted Lieu (D-Calif.) wasn't convinced that the hacking of one election system won't have a material impact on other states' systems. If the ballot of just one swing state, even just one county, is influenced then the outcome of the national election may be compromised, he said.

In response, Hicks said that it would take a “tremendous amount of people” to hack into a election system and that he is confident that a hack won't happen.

Lieu, a “recovering computer science major,” disagreed with Hicks assessment. He pointed to a prior report from Symantec Corp. that the cybersecurity company was able to easily hack into an electronic voting system. A Symantec official said that the voting machine was “vulnerable” to both physical and digital breaches (15 PVLR 1855, 9/19/16).

Advocacy Group Concerned

Ensuring cybersecurity on the state election level has also drawn the concern of privacy advocacy group the Electronic Privacy Information Center (EPIC).

EPIC's main point of concern is the increased risk of cyberattacks for states that want to allow voters to cast their ballot online, the privacy advocacy group said in a Sept. 28 letter to the House Information Technology subcommittee.

The privacy advocacy group pointed out that states that have adopted online balloting have hedged their bets against cyberattacks. Alaskan officials told voters who used the online system that they are waiving their “right to a secret ballot and are assuming the risk that a faulty transmission may occur.” EPIC pointed out that a physical voting machine with that kind of warning “would be unacceptable” to the public.

Andrew W. Appel, computer science professor at Princeton University, echoed the concerns of EPIC. At the hearing, Appel said that “at a minimum” he would push for congressional action to eliminate touch screen voting machines due to the cybersecurity risks they pose compared to their optical scanning counterparts.

Touch screen voting machines have higher cybersecurity risks because after the vote there is no “paper ballot to count” in case of any computer based election tampering, Appel said. Additionally, these machines also rely on computer programs that may be easily hacked through compromised “ballot cartridges,” he said.

Any computer software engineer should be able to create a program that would harm the integrity of the voting system, Appel said.

DHS Aims to Help States

Voting cybersecurity also gained the attention of the Senate Committee on Homeland Security and Governmental Affairs Sept. 27.

DHS Secretary Jeh Johnson at the hearing focused on threats to national security. The DHS has seen efforts of cyberattacks against “voter registration data maintained in state election systems,” he said. Although federal and state officials need to “be vigilant” in protecting election tampering, Johnson said he has “confidence in the overall integrity of our electoral systems.”

As of the hearing, “18 states have requested” the DHS' “assistance” with protecting state election systems, Johnson said. The DHS will work state and local election officials on cybersecurity and offer “risk and vulnerability assessments” in addition to an increased focus on sharing cyberthreat information with state and local officials.

The DHS “strongly encourages” more states and local government officials to take advantage of federal cybersecurity assistance, Johnson said.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

Further information on the hearing is available at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security