Indeed, you won the elections, but I won the count.
The U.S. election system faces unprecedented tests. Many of these tests will become visible in the last yard of the voting process—the final step that occurs after other obstacles to voting are overcome, where the will of the voters must be captured and counted. That last yard is where the voter actually has the opportunity to mark and cast a ballot, and where the ballots are collected and counted, and ideally, where the systems that tally our votes are checked to make sure they work as they should.
This is where the intersection of technology and democracy occurs. Challenges to voters’ rights in that last yard derive from problems caused by the deployment and use of inadequate voting systems, and exacerbated by insufficient checks on the accuracy of the outcome.
Electronic voting is the equivalent of meeting a guy inside a voting booth. You tell the guy your vote. He promises to keep it secret, and he promises to count your vote, and he promises to pass your vote on to the guy above him. You have to trust that your guy knows what he’s doing and won’t make a mistake. You have to trust that no one has bribed or threatened your guy to lie about your vote. And you also have to trust the guy who your guy reports to, and the guy who that guy reports to, all the way up the chain.
Voting machine companies insist their systems are audited, their networks are secure, and their machines are tamper-proof—but you have to trust them just as much as you would trust a guy in a voting booth.
Unlike any system resting on paper ballots, none of the information stored inside a direct-recording electronic voting machine can be said to have the status of a legal instrument. Instead, the record is created by the software within the voting machine in response to the voter’s actions, and the record is only as trustworthy as the software itself. It is far from easy to test and inspect software to assure that it functions as advertised, and it is far from easy to assure that the software resident in a machine today is the same software that was authorized for use in that machine months or years ago.
Testimony before the U.S. House of Representatives’ Committee on Science
Douglas W. Jones
Associate Professor of Computer Science, University of Iowa
Chair, Iowa Board of Examiners for Voting Machines and Electronic Voting Systems
Member, Iowa Election Reform Task Force
May 22, 2001
It was in the months prior to September 2001 when, according to then CIA Director George Tenet, the system was blinking red. And here we are nearly two decades later, and I’m here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack.
“What I’ve seen in the past 10 years is that the vendors have absolutely fumbled every single attempt in security,” says Jacob D. Stauffer, vice president of operations for Coherent Cyber, who has conducted voting-machine security assessments for California’s secretary of state for a decade. In a report Stauffer and colleagues published last year about their recent assessment of ES&S [Election Systems & Software LLC] machines, they found the voting machines and election-management systems to be rife with security problems.
Every year, DEFCON convenes thousands of hackers who attempt to breach the security of important technologies in an effort to expose vulnerabilities. Among the dozens of vulnerabilities found in the voting equipment tested at DEFCON, all of which (aside from the WINVote) are used in the United States today, the Voting Village found:
- A voting tabulator that is currently used in 23 states is vulnerable to being remotely hacked via a network attack. Because the device in question is a high-speed unit designed to process a high volume of ballots for an entire county, hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election.
- A second critical vulnerability in the same machine was disclosed to the vendor a decade ago, yet that machine, which was used into 2016, still contains the flaw.
- Another machine used in 18 states was able to be hacked in only two minutes, while it takes the average voter six minutes to vote. This indicates one could realistically hack a voting machine in the polling place on Election Day within the time it takes to vote.
- Hackers had the ability to wirelessly reprogram, via mobile phone, a type of electronic card used by millions of Americans to activate the voting terminal to cast their ballots. This vulnerability could be exploited to take over the voting machine on which they vote and cast as many votes as the voter wanted.
“We didn’t discover a lot of new vulnerabilities,” says Matt Blaze, a computer science professor at the University of Pennsylvania and one of the organizers of the Voting Village, who has been analyzing voting machine security for more than 10 years. “What we discovered was vulnerabilities that we know about are easy to find, easy to reengineer, and have not been fixed over the course of more than a decade of knowing about them. And to me that is both the unsurprising and terribly disturbing lesson that came out of the Voting Village.”
In the 15 years since electronic voting machines were first adopted by many states, numerous reports by computer scientists have shown nearly every make and model to be vulnerable to hacking.
All these machines are known to be hackable.
In 2004, a touchscreen DRE in North Carolina’s Carteret County lost 4,500 votes due to a memory problem. Because there were no paper records, “it was impossible to determine how those lost votes should have been counted,” Verified Voting reported.
ES&S is the top voting machine maker in the country, a position it held in the years 2000–2006 when it was installing pcAnywhere on its systems. The company’s machines were used statewide in a number of states, and at least 60 percent of ballots cast in the US in 2006 were tabulated on ES&S election-management systems.
In 2006, the same period when ES&S says it was still installing pcAnywhere on election systems, hackers stole the source code for the pcAnywhere software, though the public didn’t learn of this until years later in 2012 when a hacker posted some of the source code online, forcing Symantec, the distributor of pcAnywhere, to admit that it had been stolen years earlier.
Around this same time, security researchers discovered a critical vulnerability in pcAnywhere that would allow an attacker to seize control of a system that had the software installed on it, without needing to authenticate themselves to the system with a password.
In 2011, during the Democratic primary elections in New Jersey’s Cumberland County, a paperless DRE system attributed votes to the wrong candidates and ended up declaring the actual losers as winners of the election. A new election was held later after the New Jersey attorney general acknowledged that the system had switched votes because it had been programmed incorrectly, the report said.
An electronic voting machine was temporarily taken out of service in Perry County, PA, after a voter filmed it changing his vote for President Obama into one for Gov. Mitt Romney.
If you voted in a Virginia election any time between 2003 and April of this year, your vote was at serious risk of being compromised by hackers.
That’s the assessment reached by Virginia’s board of elections, which recently decertified some 3,000 WINVote touchscreen voting machines after learning about security problems with the systems, including a poorly secured Wi-Fi feature for tallying votes.
The problems with the machines are so severe that Jeremy Epstein, a computer scientist with SRI International who tried for years to get them banned, called them the worst voting machines in the country. If the WINVote systems weren’t hacked in a past election, he noted in a recent blog post and during a presentation last week at the USENIX security conference, “it was only because no one tried.”
More than 80 voting machines in Detroit malfunctioned on Election Day, officials say, resulting in ballot discrepancies in 59% of precincts that raise questions about the reliability of future election results in a city dominated by Democratic and minority voters.
“This is not the first time,” adds Daniel Baxter, elections director for the city. “We’ve had this problem in nearly every election that we administer in the city of Detroit.”
University of Wisconsin-Madison professor Barry Burden led the study of Wisconsin’s 2016 presidential vote recount. It found that at least one in 117 votes was miscounted. “Our best estimate is that at least one in 117 votes (statewide) was miscounted, and probably more,” said Barry Burden, political science professor at the UW-Madison. Burden, who is a director of the UW Elections Research Center, led a study of the 2016 recount.
“As a voter, to think that there’s one in a hundred chance that my ballot would be miscounted—that would be alarming,” Burden said.
We have heard from a number of people voting on Hart eSlate machines [used in 30% of Texas counties] that when they voted straight ticket, it appeared to them that the machine had changed one or more of their selections to a candidate from a different party.
West Virginians serving overseas will be the first in the country to cast federal election ballots using a smartphone app, a move designed to make voting in November’s election easier for troops living abroad. But election integrity and computer security experts expressed alarm at the prospect of voting by phone.
“Mobile voting is a horrific idea,” Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology, told CNN in an email. “It’s internet voting on people’s horribly secured devices, over our horrible networks, to servers that are very difficult to secure without a physical paper record of the vote.”
By themselves, the weaknesses reported here represent serious practical concerns; we found, after all, exploitable vulnerabilities in a widely fielded e-voting system used across the US and elsewhere. But perhaps an even more serious concern is the systemic failure—at every stage—of the various standards, certification and testing processes that were intended to prevent these vulnerabilities from appearing in the first place.
III. Solutions (Theory)
Earlier this month, the National Academies of Sciences, Engineering, and Medicine recommended U.S. states move away from voting machines that don’t include paper ballots.
“If you vote on a paperless DRE system, there are places within the machine that record the data,” Hall said. “But if I don’t trust the machine, I’m not going to trust the backup electronic records,” said Hall, who was one of the authors of a recent MIT/Caltech report on e-voting technologies. “Sure they are auditable. The problem is that people are not going to believe the audit record,” because it is not independent of the system.
The paper ballot, in theory, provides an audit trail that can be used to verify digital tallies. But not all states perform audits, and many that do simply run the paper ballots through a scanner a second time. Fewer than half the states do manual audits, and they typically examine ballots from randomly chosen precincts in a county, instead of a percentage of ballots from all precincts. If the randomly chosen precincts aren’t ones where hacking occurred or where machines failed to accurately record votes, an audit won’t reveal anything—nor will it always catch problems with early-voting, overseas or absentee ballots, all of which are often scanned in county election offices, not in precincts.
“The incorrect assertion that voting machines or voting systems can’t be hacked by remote attackers because they are ‘not connected to the internet’ is not just wrong, it’s damaging,” says Susan Greenhalgh, a spokeswoman for the National Election Defense Coalition, an elections integrity group. “This oft-repeated myth instills a false sense of security that is inhibiting officials and lawmakers from urgently requiring that all voting systems use paper ballots and that all elections be robustly audited.”
Georgia is one of 14 states that use electronic voting machines that do not leave a paper trail that can be audited after an election and is one of five states that exclusively use the machines. Cybersecurity experts along with the Senate Intelligence Committee say the machines can leave elections vulnerable to hacking.
As a Nation, we must resolve to strengthen our cybersecurity generally, and the cybersecurity around election infrastructure specifically. Nothing less than the health and strength of our democracy depends on this.
And so today, not just as Vice President, but as a former governor, I want to urge, with great respect, every state to take renewed action. Take advantage of the assistance offered by our administration. Do everything in your power to strengthen and protect your election systems. You owe your constituents that, and the American people expect nothing less.
On Friday, March 23, President Donald J. Trump signed the Consolidated Appropriations Act of 2018 (the Act) into law. The Act included $380 million in grants, made available to states to improve the administration of elections for Federal office, including to enhance technology and make election security improvements.
As co-chairs of the Congressional Task Force on Election Security, we have known for years that our nation’s voting systems are vulnerable. Our taskforce report made clear that Congress must take action to prevent future attacks. In February, House Democrats introduced the Election Security Act that would provide states with the funds they need to upgrade their voting systems, hire necessary IT support, and regulate election vendors. … [continued below]
IV. Solutions (Reality)
[continued from above] … Despite having 123 co-sponsors, Republicans in Congress have prevented this bill from getting a single hearing, let alone a markup. In July, House Republican appropriators unanimously blocked an amendment to provide the necessary funds for states to protect their election systems from another attack.
The House Appropriations Committee eliminated [what would have been an additional] $380 million from the 2019 Environment, Financial Services and General Government Appropriations Act that would provide grants to state and local governments for a variety of election-related cybersecurity upgrades.
We have $380 million that is in process, but it will be the end of next year before we know how the States have actually spent it. I believe it is far too early to add another one-quarter of a billion dollars, which is what this amendment [to the 2019 Environment, Financial Services and General Government Appropriations Act] would provide, to the States when we don’t know how the first $380 million has even been spent.
The Intelligence Committee did extensive research on how much was needed, and the $380 million amount was what was needed for the moment. I ask us to keep the funding at $380 million and not add another one-quarter of a billion to that amount.
The bipartisan Secure Elections Act, which would implement steps to protect election systems from cyberattacks, was largely viewed as the best chance for lawmakers to pass a bill on the topic. But the bill was held up in a Senate committee over the summer, and its authors say it won’t be brought up again until after November’s midterm elections.
You may have heard that Congress recently appropriated $380 million for election security nationwide. Not quite. Remember butterfly ballots and hanging chads? The recent federal appropriation was simply the final disbursement of money originally approved in 2003 to address the debacle of the 2000 presidential election in Florida.
There has been no new additional funding authorized to address our modern security challenges.
$380 million [from the EAC] will not be enough to replace all paperless voting systems. In smaller states like Delaware, or in states like Texas and Arkansas—where a relatively small percentage of machines are still paperless—the federal money could go a long way toward replacing such equipment. But in some larger states that are almost or fully paperless, like Pennsylvania, New Jersey, and Georgia, this money might not even cover 20 percent of the cost of new hardware.
Delaware, Georgia, Louisiana, New Jersey, and South Carolina will all vote [in 2018] without such paper trails. That’s in addition to [Pennsylvania, Texas, Kansas, Florida, Tennessee, Arkansas, Indiana, Kentucky, and Mississippi] that use paperless voting machines in some, but not all, counties. Those range from Pennsylvania, where three-fourths of the state’s 67 counties use paperless machines, to Arkansas, where the state has been upgrading its final handful of paperless-voting counties and expects all but one to have voter-verified paper trails by Election Day.
[U.S. District Judge Amy] Totenberg turned down the plaintiffs’ request that she stop use of [Georgia’s paperless] machines before the Nov. 6 election. But in a 46-page ruling, Totenberg said the state had stood by for far too long, given the “mounting tide of evidence of the inadequacy and security risks” of Georgia’s voting machinery and software.
[The spokesman to Texas’ Secretary of State] said his office “has no legal authority whatsoever to force any” voting machine vendors “to make upgrades if their voting systems are otherwise in compliance with federal and state law,” and that Hart eSlate’s system was certified in 2009. He said counties are responsible for purchasing their own new voting equipment.
“Our machines have never been connected to the Internet,” Delaware Election Commissioner Elaine Manlove told ABC News. “We take every security precaution that there is.”
As we have noted before, we remained confident in the overall integrity of electoral infrastructure, a confidence that was borne out on election day. As a result, we believe our elections were free and fair from a cybersecurity perspective.
Before closing, I want to reiterate that we have confidence in the overall integrity of our electoral system. Our voting infrastructure is diverse, subject to local control, and has many checks and balances built in.
Testimony to the House Committee on Oversight and Government Reform
Dr. Andy Ozment
Assistant Secretary, Office of Cybersecurity and Communications
National Protection and Programs Directorate, U.S. Department of Homeland Security
September 26, 2016
Our elections are secure, and we are working around the clock to ensure they stay that way. We are open to federal assistance, but not in designating the elections system critical infrastructure. Uncertainty, fear-mongering, and empty rhetoric during this critical time can damage Americans’ trust in their election process and undermine the vote we will have in November.
Once called “a modern-day Jack Kerouac” by NPR after he hitchhiked 7,000 miles through the United States, Josh deLacy has since found homes in the Pacific Northwest, the Episcopal Church, and the post calvin. He is the managing director of Branded Look LLC and communications director at St. Luke’s Church. Josh’s writing has appeared in places such as The Emerson Review, Front Porch Review, and Perspectives.