In the 2016 United States election, a majority of Americans used voting machines that have been in use for over a decade. Needless to say, this antiquated infrastructure makes the security of voting machines a primary concern in upcoming elections. When considering that millions of Americans use paperless voting machines that can be undetectably hacked and do not offer a way to audit votes to check for error, it’s no wonder there is an outcry after major elections. Additionally, the existence of diverse hardware and software currently in use makes it difficult to properly secure the integrity of the votes recorded. Though there are about 3,200 voting counties in the United States and its territories, the electoral college system creates key voting districts that could actually be targeted to change the outcome of entire elections. If left unattended, this security crisis will continue to leave the United States elections open for attack from foreign and domestic entities.
At DEF CON 2019- Las Vegas, the largest hacking conference in the world, the Voting Village was put to the test by both amateur and professional hackers alike. The voting machines tested are of two types that are used around the country: Direct-Recording Electronic voting machines and Ballot-Marking voting devices. A Direct-Recording Electronic (DRE) voting machine allows voters to cast their ballots by using a touchscreen to select their candidates. The DRE then tallies the votes in its own computer memory, without a paper ballot or record. Alternatively, a Ballot-Marking Device (BMD) is a device that allows the voter to cast votes on a machine that will print out a paper ballot that has the voter’s choices filled out. Then by using an optical scanner, the paper ballots are tabulated. In comparison, the BMD is considered a better device to use due to the audit trail in paper form available after the machines are used. In other words, the voting record is not solely stored on the computer’s memory where it is vulnerable to tampering.
The DEF CON hacking competition revealed both the DREs and BMDs had many security flaws. First, there is outdated software on the systems that is exploited by simple compromising attacks. Second, the hardware runs legacy operating systems that are vulnerable. Third, most of the default credentials on the machines remain unchanged. This allows someone to log into the device as an administrator and restrict votes being recorded on a machine. Finally, most of the devices are being networked at the voting precincts, placing them on a network connected to the internet, leaving them open to be attacked from anywhere in the world.
Recommendations that resulted from the DEF CON hacker exercise included advice to promptly act to secure all voting machines. It was strongly recommended machines be replaced with newer models, complete with security in place to mitigate the current risks of tampering. In addition, these machines should only be networked behind secure infrastructure. As the optimum voting machine, a mandatory deployment of post-election risk-limiting audits for the machines, as well as mandatory paper, voter-marked ballot systems was advised.
In September, Congress authorized $250 million to upgrade voting machines for the upcoming election, but this falls short of the recommended $600 million that was passed in the House. This desire to push for stronger election security was introduced by House Democrats. However, in July, Republican Majority Leader Mitch McConnell denied the need for further funding. He claimed that increased voting security shouldn’t be voted on because it is “too partisan,” only days after, attention was brought to the Russian interference in the 2016 presidential election. Unfortunately, even with the authorized funding, it will take a long time to buy and replace the current machines. Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency, an agency that operates within the Department of Homeland Security, said that the funding was a “good start” but election security will require constant support, not a one-time check.
There has been substantial progress in replacing and updating the voting machines, but there is still plenty more to do before the 2020 election. Forty-two states will have paper records of every vote by 2020, and this will assist in a better auditing process of votes. In addition to upgrading machines, resources need to be allocated for cybersecurity support for local voting jurisdictions, and for improving voter registration databases. Citizens must rally behind the call for improved election security and push Congress to allocate appropriate funding to secure this fundamental practice of democracy. To choose not to improve the voting system in the United States is to allow future or continued interference in what should be a free and fair election process.
Author: Quinn Johnson, Tech Assistant
References:
Ewing, P. (2019, August 31). What you need to know about U.S. election security and voting machines. Retrieved from https://www.npr.org/2019/08/31/754412132/what-you-need-to-know-about-u-s-election-security-and-voting-machines.
Ewing, P. (2019, September 20). McConnell, decried as “Moscow Mitch,” approves election security money. Retrieved from https://www.npr.org/2019/09/20/762499808/senate-breaks-logjam-on-election-security-cash-but-activists-say-more-is-needed.
Geller, E., Jin, B., Hermani, J., & Farrell, M. B. (2019, November 12). The scramble to secure America’s voting machines. Retrieved from https://www.politico.com/interactives/2019/election-security-americas-voting-machines/.
McCadney, A. C., Howard, E., & Norden, L. (2019, August 13). Voting machine security: Where we stand a few months before the New Hampshire primary. Retrieved from https://www.brennancenter.org/our-work/analysis-opinion/voting-machine-security-where-we-stand-few-months-new-hampshire-primary.
Telford, T. (2019, August 13). Hackers were told to break into U.S. voting machines. They didn’t have much trouble. Retrieved from https://www.washingtonpost.com/business/2019/08/12/def-con-hackers-lawmakers-came-together-tackle-holes-election-security/.