Suzanne Mello-Stark | Vox

It’s now clear US voting is hackable. Here are 6 things we must do to prevent chaos.

2017-06-16T17:22:26-04:00

A voter casts a ballot in Georgia’s special runoff election this month, in the state’s sixth congressional district. A recent report suggests Georgia’s election system is vulnerable to hacking. | Joe Raedle / Getty

There’s never a good time, politically speaking, to raise questions about our voting system’s vulnerability to hackers. But we can no longer avoid the issue.

Bloomberg News reported this week that the US government determined that Russian hackers penetrated the voting systems in 39 states in the weeks leading up to the November 2016 election. The hacks did not involve changing votes — typically they were forays into voter registration databases — but in at least one case, in Illinois, the hackers tried to delete voter data, Bloomberg reported.

US officials complained to the Russians, who denied involvement, but President Obama decided not to alert the public, because he didn’t want people to lose faith in the system.

To this day, President Trump’s aides suggest that Democrats who call for an investigation into Russian hacking are sore losers. But the evidence that Russia attempted to influence our 2016 election has become unignorable. In January 2017, the CIA, FBI, and NSA jointly released an assessment that Russia used cyber tools to influence American public opinion (specifically, to “denigrate Secretary Clinton”).

And the Bloomberg piece was only one of several bombshells about compromised American voting systems to land this month. The Intercept obtained an NSA document that described in detail how Russian military hackers — not amateurs — mounted a phishing attack against an unnamed voting software supplier, then used information it obtained to try the same with local government officials. What the hackers obtained was unclear — and, again, the interference seems to have fallen short of changing votes. Still, the Intercept wrote, “Russian hacking may have penetrated further into US voting systems than was previously understood.”

Finally, Politico reported the alarming story of how a curious security researcher discovered last year that Kennesaw State University’s Center for Election Systems had left unprotected, on its website, computer files essential for running Georgia elections. Expecting to download a few PDFs about the center’s work, he found himself in possession of registration databases, pollbook software, and instructions to election workers about logging in to registration systems — passwords included.

He reported the vulnerabilities to the center, but several were not fixed as of this March, so he went to the media. Georgia is preparing for a special runoff election this month that has turned into the most expensive House race in US history. If you were a hacker looking to undermine American politics, you couldn’t pick a better election.

Securing our elections from bad actors is not a partisan issue, and should not be treated as such. It is true that our decentralized, precinct-by-precinct system would make a coordinated national vote hack a massive undertaking. But given that our elections usually come down to a few predictable states, swaying even a national election is not as hard a task as it once seemed. Sowing chaos at the district or precinct level appears to be within hackers’ current capabilities.

We need to put partisanship aside, and bolster election security as soon as possible — certainly by the 2018 midterms. Speaking as someone who studies computer security and has served in technical adviser roles in election commissions and secretary of state offices in Rhode Island and Connecticut, I offer the following recommendations:

1) Establish audit capability in every precinct

That means — strange as it may sound in this digital era — reestablishing paper trails. Many precincts attempt post-election audits, but many do not. What’s more, many audits are not vigorous enough to establish with confidence that no interference has occurred. This is something we can, and should, fix immediately. In Connecticut, audits are required by law. Five percent of districts are selected and an electronic audit of the paper ballots is conducted to ensure they match the totals established by the voting machines.

Other states are moving to embrace that standard, but not fast enough. In Rhode Island, which currently lacks audits, legislators have introduced a bill to mandate them. Audits and paper trails should be universal.

2) Ditch direct-recording electronic voting machines (DREs)

This will help with the auditing problem. DREs are used in a number of states, including swing states such as Georgia, Pennsylvania, Wisconsin, and Florida. Ironically, some of these machines were acquired in the wake of the “hanging chad” debacle of the 2000 presidential election, with the goal of modernizing voting systems. But these machines often do not have voter verified paper trails (i.e., paper ballots), which makes audits impossible. DREs were a bad idea from the start, and the experiment needs to end.

3) Implement stronger safeguards for online registration systems

Many states are switching to electronic pollbooks. Poll workers can log in to them and verify that a voter who shows up at a precinct is registered and eligible. By breaking into these systems — as seems to have already happened, to some degree — and changing data, hackers could wreak havoc on Election Day. With a few clicks, hackers could unregister voters, change their mailing addresses, or misspell their names.

It would be even easier to unleash a distributed denial of service (DDOS) attack on a poll station —overwhelming a crucial server with traffic and preventing poll workers from connecting to the registration database. That could halt voting altogether. The recent news reports conclusively show that states are not sufficiently protecting these systems. We have the knowledge to do so; it’s a question of focusing on the problem and supplying the needed resources and experts. And this is yet another case where paper can be an effective defense: If poll workers have hard copies of voter rolls, they can keep working even if their database connections get blocked.

4) Discourage online voting — at all costs

A total of 32 states allow at least some voters to send back marked ballots via a web-based-portal, email, or fax — insecure means of communication. And the MOVE Act (Military and Overseas Voter Empowerment Act) mandates that all states have a mechanism to allow ballots to be sent to voters in military by electronic means. But it is all too easy to adopt someone’s identity online and thereby get a blank ballot. There must be additional measures put in place to ensure that ballots requested online are going to the right people. (Even checking signatures could help.)

As for allowing votes to be cast online, computer security experts are essentially unanimous in arguing that it should never happen. No states should allow votes to be submitted electronically, period.

5) Strengthen the chain of custody

In the context of an election, a strong chain of custody means safeguarding the ballots, as well as the election-related software and hardware used. The public should be confident that the ballots and election machines are secure from the moment of their creation until the tally is finalized at the Board of Elections. Machines must be kept under literal lock and key, given that computer scientists have demonstrated that they can install a new chip into a voting machine, and alter its software, in about a minute. When software is first installed, a “hash” can be applied —essentially, a digital fingerprint that changes if the software has been altered. This is just one example of many protections that security experts with technical expertise can implement.

6) Give states more money

To pay for these necessary changes, funding is needed at the state level. There has not been major funding for election reform since the Help America Vote Act of 2002, which disbursed $1.3 billion to 42 states, American Samoa, and the District of Columbia. This law also established the Election Assistance Commission. Although the EAC does not have federal regulatory authority, it provides a needed mechanism to assist states in identifying, evaluating, and adopting new security standards. With the right resources and experts, the states have a better chance to execute the goals I’ve outlined here.

We tend to forget our cybersecurity history. Russia has been hacking the US since the ’80s. And the more they uncover fresh vulnerabilities in our systems, the more aggressive they will be. As former FBI Director James Comey told the Senate Intelligence Committee this month, “They will be back.”

We must be ready when that happens. Right now, we aren’t.

Suzanne Mello-Stark is an associate teaching professor at Worcester Polytechnic Institute in Worcester, Massachusetts, and has served in technical advisory roles to the election commissions and secretary of state offices in Rhode Island and Connecticut.

The Big Idea is Vox’s home for smart discussion of the most important issues and ideas in politics, science, and culture — typically by outside contributors. If you have an idea for a piece, pitch us at thebigidea@vox.com.

Some states — including swing states — have flawed voting systems

2016-11-01T09:53:20-04:00

Voters in Provo, Utah, voting early. | George Frey/Getty Images

Donald Trump has been arguing that the 2016 election will be rigged, provoking concerns about what his supporters may do if — as seems likely — he loses. In fact, as President Obama and many others have pointed out, the decentralized nature of our state-by-state system makes the coordinated hijacking of a national election all but impossible. Such a feat would require coordination and conspiracy on a truly massive scale— with so many participants that many would surely be caught in the act.

That does not mean that there aren’t problems with the apparatus of our elections. Although the entire system can’t be collectively hacked or rigged, individual electronic voting machines remain vulnerable to hacking — and some states are connecting their voting machines to the internet, needlessly creating another security weakness. This is especially dangerous when those machines don’t create a paper trail that allows for double-checking or auditing.

Some states made the mistake, after the debacle of the 2000 election – remember “hanging chads”? – of rushing to embrace technology as a solution to that year’s problems, yet they failed to think through potential vulnerabilities.

The good news is that while there are problems, we can fix them. It is important, now more than ever, to put safeguards in place, so that if a distortion of facts begins, we can quickly shut down the conspiracy theorists. It may not be possible to finish the reform process by November 8, but it must be a priority.

A diversity of approaches offers protection

States oversee their own election commissions and have the authority to use whatever voting machines they choose, from paper ballot scanners to touchscreen and other digital devices —internet-enabled or not — or a mix of all of the above.

This lack of homogeneity and systemic connectivity among voting machines is precisely what helps protect the election process from significant, widespread manipulation. Hacking would take local, physical breaches of security, an effort that would be extraordinarily difficult to coordinate across precincts (let alone states).

Instead, the major problem is our inability to fully audit election results. VerifiedVoting.org, which advocates for best practices in elections, rates 25 states as having an “inadequate” auditing mechanism — and only seven as “excellent” or “good.”

Many newer voting machines provide no evidence of how an individual voted. There is no paper trail to follow if there are doubts or challenges. If an election is deemed too close to call, or if a machine error occurs, nothing can be done to scrutinize the vote count and reinstate the tally. It would be necessary to hold the election again or accept the election outcome as is.

Old-fashioned hand counting has advantages

In Massachusetts, one state whose voting system I am closely familiar with, 64 of the state’s 350-plus towns and cities still rely on hand counting by volunteers. While that may sound archaic, it allows for an audit or a recount. The other municipalities use four different types of optical scan voting machines — but all of them use paper. So in Massachusetts, if there is a contested election, officials can retrieve the paper ballots and count them again.

The state passed an audit law in 2014, to be used for the first time in the upcoming election; 3 percent of precincts will be manually recounted — one way to detect irregularities.

Since 1997, Rhode Island has used optical scanners with paper ballots. Rhode Island has had very few problems with elections. However, in the event of an issue, there are no laws in place that establish procedures for conducting an orderly audit. Moreover, this year the state “upgraded” to machines that have the ability to send the votes to the board of elections over the internet — a step backward in terms of security. (The machines do have other advantages: They can notify voters when they have cast a ballot in which the bubbles have been filled in incorrectly, for example.)

The seductive attraction, and dangers, of "direct-recording electronic systems"

Several swing states, including Virginia, Pennsylvania, and Florida, pressured by tech-savvy consumers who demanded what they believe is a more sophisticated and convenient system, moved to newer, so-called direct-recording electronic systems (DREs). To the general public, these seem more modern because they employ a familiar touchscreen interface. But many DREs leave no paper trail — known in the trade as a voter-verified paper audit trail — which makes a recount or an audit all but impossible. And because the technology is proprietary, researchers and the public have little to no access to the vendor’s software information for testing, comparing, and troubleshooting.

In order for an election system to be trusted, it must be verifiable. There must be methods with which to check that machines calculate votes as voters intend. There must be strong evidence that machines function as designed, so voters — and candidates — feel confident that elections are fair and accurate. Maintaining a paper trail and keeping election machines off the internet are well-founded methods of instilling trust in our elections.

The importance of a secure chain of custody

We can learn from forensics. After a crime, investigators collect evidence like blood samples and footprints. To prove that evidence remains uncontaminated, it is strongly safeguarded and a chain of custody is established. In an election, chain of custody refers to the safekeeping and secure transport of ballots — and the machines themselves. If a strong chain of custody can be proved, the public can feel confident that the ballots and election machines are secure from the moment of their creation until the final tally at the board of elections. Putting ballots or machines on the internet breaks the chain.

In Connecticut — rated by VerifiedVoter.org above Massachusetts and Rhode Island — paper ballots and manual audits are required by law. For each election, 10 percent of randomly chosen voting districts are selected, and a hand count is conducted. The secretary of state receives a report that indicates the total number of counted ballots. The auditors examine each ballot and make note of potential anomalies, such as marks found outside the ovals or marks made with pencil instead of a pen.

In the modern era, the code used in voting machines needs to be subject to audits too. Hardware and software should be open, transparent, and available for public examination. The code should be periodically reviewed by qualified computer scientists in an open environment to be sure the system is error-free and operates as intended. (Computer scientists are among the strongest proponents of paper trails.)

In addition, voting machines should have error-detection capability, so that problems can be caught in real time, rather than in the audit phase. And error messages should be internally logged as well and externally documented

Two steps forward, one step back

The Help America Vote Act of 2002, adopted two years after the controversy surrounding the 2000 presidential election, established some important guidelines, but, in some states, it also led to a rush to buy DREs — thereby causing fresh problems.

And not just theoretical problems. In a congressional election using DREs that took place in Florida in 2006, Republican Vern Buchanan defeated Democrat Christine Jennings by the minuscule margin of 369 votes. It was determined that in Sarasota County, where DREs were used, 18,000 votes went unrecorded. Since there was no paper trail, there was no way to determine how those 18,000 people voted.

On the tech front, scientists at Princeton University have demonstrated that given access to a DRE system for one minute, they could install malicious code that could alter vote counts and compromise the internal records of the election machine. Although many of the states have since either switched out these machines or adapted them to create paper trails, there are far too many still in use.

We’ve made considerable strides since the 2000 presidential election, but challenges remain.

This November will test our nation’s ability to protect polling places from hacking – and our ability to quickly audit and verify results in close or contested races. If we escape problems in the states that use no-paper-trail DREs, we can exhale — and then finish the job of fixing the system.

The Big Idea is Vox’s home for smart, often scholarly excursions into the most important issues and ideas in politics, science, and culture — typically written by outside contributors. If you have an idea for a piece, pitch us at thebigidea@vox.com.