Vote Integrity


This year is a midterm election year, with countless political races. All 435 seats of the U.S. House of Representatives are up for grabs, as well as 33 U.S. Senate races. On the state level, 36 gubernatorial elections will be held, and all but four of the 50 states will hold legislative elections.

But there's another type of race already happening: a race against time. Namely, will officials be able to secure U.S. election systems when voters cast their ballots in November?

In recent years, election security has emerged as a repeated concern in the United States. The issue vaulted to prominence after the highly contested presidential election of 2000, which led to unprecedented levels of attention regarding voting methods and machines.

In a 2006 congressional race in Sarasota County, Florida, more than 18,000 votes went uncounted due to electronic voting errors.

Later, a New York University study examined three types of voting machines that were used in the 2006 elections, finding significant security and reliability vulnerabilities. (For more background from Security Management, see "Will Your Vote Count," May 2008, and "Machine Politics," October 2012.)

This year's election features another big concern: potential interference from Russia. That country attempted to hack the 2016 presidential election, U.S. officials have said, and concerns persist about a repeat performance.

"There is no doubt that Russia interfered in our 2016 election, and targeted 21 states' voting systems," U.S. Representative Robert Brady (D-PA) said at a recent Capitol Hill hearing on election security. "And we can expect them to return."

Brady is cochair of the Congressional Task Force on Election Security, which was created last summer to identify solutions that will safeguard elections going forward. The other cochair is U.S. Representative Bennie G. Thompson (D-MS), ranking member of the U.S. House Committee on Homeland Security.

Brady's comment that voting machines in 21 states were hacked has been confirmed publicly, but authorities have been unwilling to name the states affected.

However, according to Thomas Hicks, commissioner and vice chair of the U.S. Election Assistance Commission (EAC), the hackers originally approached machines in all 50 states. But some were more locked down than others, so the other 29 states were not hacked. (The EAC is an independent, bipartisan commission charged with developing guidance and adopting voluntary voting system guidelines.)

"Make no mistake, it's all 50 states that were scanned. And it was just a little bit of—by the foreign actors or whomever—jiggling the handles and trying to get in. But some of those states were prepared enough that hackers weren't able to get in," Hicks said at the hearing. "So, as we prepare for the 2018 election cycle, we want to make sure that, from voter registration lists, to voting machines, to securing the voting equipment after the election, to election night reporting—from A to Z, all those aspects are taken care of."

To help in the election security effort, EAC representatives have been flying out on a weekly basis to meet with state-level election representatives to advise on security protocols and systemic issues, Hicks said. The EAC has also been working with the U.S. Department of Homeland Security (DHS) to help get information on election security to state and local officials.

"I think there's a lot more that needs to be done, because I believe that not only are there foreign actors that are looking to mess with our elections, but also folks within our own country who are looking to meddle in our election process," Hicks said.

Besides the threat of bad actors, U.S. election security faces another risk—aging and outdated equipment. After the disputed 2000 election, Congress passed the Help America Vote Act in 2002, which brought about an equipment update in many states. But some of those machines now need replacing.

"The equipment that was purchased 15 years ago has come to the end of its life cycle," Hicks said.

And even some of the older machines that are still in decent operating shape were not designed to withstand the type of cyberattacks and tampering methods that are possible today. "With the older equipment out there, security, if it was thought about at all, was really an afterthought," said Virginia Elections Commissioner Edgardo Cortés at the hearing.

Voting machine modernization and better voting security are possible, but they take significant investment, according to Rhode Island Secretary of State Nellie Gorbea.

At the hearing, she offered her own state as an example, saying that when she took office in 2015 "our voting equipment was on the brink of total failure."

So, the state invested $10 million in an upgrade, featuring paper ballot optical scanning machines with four layers of security and encryption.

Besides the equipment upgrade, there was the "second challenge" of building capacity in the public sector to manage election cybersecurity issues, Gorbea explained. It took a 40 percent increase in staff to do this, she added.

One of the lessons learned from this process, Gorbea said, was that better communication is needed between DHS and state officials regarding topics like threat information sharing. And more officials need to understand that effective cybersecurity does not mean arriving at a specific "destination," but is rather a continuous process of assessment and improvement.

"Cybersecurity is at the forefront of election conversations at every level of government across the country," she said. 

Given this, Gorbea said she would "absolutely" be in favor of federally mandated baseline cybersecurity requirements for new voting equipment, especially given the precedent of the Russian hacking in 2016.

"These attacks are real, and are focused on undermining our representative democracy," she said.

Besides replacing old voting machines and beefing up cyber defenses, states and localities can take other measures to help ensure that the upcoming midterms are secure, according to a recent report, Nine Solutions to Secure America's Elections, issued by the Center for American Progress, a liberal think tank.

In the report, Liz Kennedy, director of democracy and government reform at the center, and Danielle Root, voting rights manager for democracy and government reform, set out nine tasks to improve election security.

Although a few, like replacing old voting machines, are similar to the measures discussed at the Capitol Hill hearing, others touch on points not raised, such as requiring voter-verified paper ballots or records for every vote cast; conducting robust postelection audits to confirm election outcomes; updating and securing outdated voter registration systems; performing mandatory pre-election testing on all voting machines, as well as continuous vulnerability analysis; and providing federal funding for updating election infrastructure.

"As it currently exists, America's election infrastructure is dangerously insecure and susceptible to hacking, machine malfunctioning, and Election Day disruption," the authors write. "…It is critical that we begin building our defenses to protect against election intrusions before it is too late."

Meanwhile, the Defending Digital Democracy program has issued a handbook offering guidance on how political campaigns can help make elections more secure. Written by a wide range of security experts, including the CSOs of Facebook and Aetna, the Cybersecurity Campaign Playbook offers best-practice guidance on topics like using cloud services, two-factor authentication, and strong passwords.

The Defending Digital Democracy program is run by the Belfer Center for Science and International Affairs at the Harvard Kennedy School. The program was established last year, and its leadership includes top campaign officials from both the Republican and Democratic parties.

"Cyber adversaries don't discriminate. Campaigns at all levels—not just presidential campaigns—have been hacked. You should assume that you are a target," the playbook says.