voting securityAs Cybersecurity Awareness Month draws to a close, voters across the U.S. gear up to cast their ballots in November’s midterm elections. One of the biggest concerns on everyone’s minds has been just how secure voting is. Whether you mail in your ballot ahead of time, or find yourself standing in line for your chance to fill one out in person at your local polling place, you have plenty of reason to be worried. Rumors of meddling from cyberattackers both foreign and domestic have swirled for the past couple of years since the controversial 2016 election year, and that’s just a drop in the ocean of troubles that plague the modern voting system in America. What is standing in the way of voter security this election season, how can the major cybersecurity issues plaguing elections be addressed and what — if anything — can you, the average voter, do about any of it? Let’s find out.

Why is it so hard to make voting secure?

Voting in the U.S. is, well, complicated — in 2016, voters in America took to 116,990 polling places in 178,217 precincts. Every state is in charge of its own election procedures, making it impossible for uniform standards to be put into place. In order to fully grasp the myriad of problems with voting security in 2018, we have to go back a few decades.

A brief history of modern voting technology

The first-ever voting machines in the U.S. came into play in the 1800s, and different designs ranging from pulling levers to punch cards have been used in the decades since they were introduced. In the 1960s, the first computerized voting method was introduced, and from the get-go it was clear that there were a number of security issues surrounding the blending of technology with elections. To wit, in 1969 a group of computer scientists in Los Angeles played a series of “war games” to test out whether the county’s new computerized punch-card voting machines could be fraudulently manipulated without detection. Victory in these games went overwhelmingly to the offense. Over the decades, voting technology has been revamped and revised, but many of the same security issues have remained.

This was highlighted in the 2000 presidential election controversy, when the reliability of punch card ballots was brought into question. As a result, the Help America Vote Act of 2002 (HAVA) was enacted to push states to get rid of punch card and lever voting machines, replacing them with new electronic voting systems. Because the federal government can’t dictate how states run their elections, instead it used the reliable lure of money to convince states to make the switch. In addition to providing the funds for states to upgrade their machines, HAVA also required at least one handicap accessible machine at every polling place and made it so county voter registration files were consolidated into a single statewide database (to help prevent multi-county registration). The act also created the U.S. Election Assistance Commission to serve as the official federal liaison with state election officials.

Today’s machines are woefully insecure

These days, thanks to HAVA, there are two major types of voting machines used in the U.S. — optical-scan machines and direct-recording electronic machines (D.R.E.s). Optical-scan machines work by feeding paper ballots into a scanner which stores a digital image and records the votes on a removable memory card, while D.R.E.s involve entirely digital ballots that are filled out using touch screens or some other electronic input method and store the votes electronically. Each has its own set of issues — while optical-scan machines all provide an audit trail, since audits are rarely thorough, no evidence of fraud will be uncovered unless the precinct where tampering has occurred are chosen to be randomly audited. D.R.E.s, on the other hand, are rife with security issues — while many have printers to produce a paper trail for auditing, some are entirely paperless.

Adding to the problem is the fact that these machines are not produced by the government — instead, the secrets of their creation and operation are closely guarded as proprietary technology by the private companies who produce them. At present, the EAC lists 18 different registered manufacturers on its site. The voting machine industry makes $300 million a year, and today just three companies — Dominion Voting Systems Corp, ES&S and Hart InterCivic, Inc. — are responsible for approximately 80% of the machines in use across the U.S. There is little oversight, and past attempts to get “behind the curtain” have been resisted quite viciously, as John Kerry learned in 2004 when he and his team were barred access to voting machine software following irregularities in that year’s Ohio election results. As recently as July 2018, manufacturer ES&S came under fire when it was proven that the company had installed remote access software on some of its election systems — despite previous assurances that it had done no such thing.

Beyond the many ways voting machines and the software that programs them can be infiltrated and subverted by hackers, the vendors themselves can be targeted and used to distribute malicious code.

What’s being done to fix the system?

Unfortunately, HAVA’s imposed deadlines for switching states over to electronic voting machines led to rush jobs on production and plenty of security nightmares. Shortly after the 2002 Georgia elections, which served as the first test of D.R.E.s just a few days after HAVA was officially signed into law, a completely unprotected FTP server used to distribute software patches for Diebold voting machines was uncovered. Later, a Diebold warehouse worker came forward with tales of malfunctioning software and hasty patching in the hurry to roll out the machines in time for the election deadline. Despite plenty more reports in the years following of issues with electronic voting machines, little has really happened to force change — largely due to insistence that the new machines were more reliable and secure. As evidenced by The New York Times researcher Kim Zetter’s massive story on election security, the problems that HAVA aimed to fix were merely transferred from one technology to another — and because of how the private companies who create them jealously guard their products, it’s been difficult to impossible for anyone to do anything about it.

New legislation has been slow to fruition

The 2016 election has once again turned Americans’ attention to the security issues surrounding our election system. In the continued aftermath, politicians and academics alike have made efforts to propose solutions. A new bill, the proposed Secure Elections Act, was introduced in 2017 and gained much bipartisan support — but critics have called some of the changes made to the bill in recent months a watering down, and it is currently stalled in the Senate with an uncertain future. As a result, some congress members are turning toward an alternative, the Protecting American Votes and Elections Act of 2018. One of the biggest points of contention for the stalled Secure Elections Act is the use of paper ballots to ensure proper auditing. Still, some progress has been made — this year, congress appropriated $380 million to help states improve their current security and replace outdated machines with new ones. As of June 2018, 55% of the funds had been requested.

What’s happening now — and what’s (hopefully) to come

In preparation of next month’s election, the Department of Homeland Security has been performing security audits to identify weaknesses within different states’ systems. As noted at the start of this article, given how many different jurisdictions there are across the U.S., and the fact that every state runs its elections individually, this is a long process. Both abroad and at home, agencies at state and federal levels are working to beef up security and identify threats, nullifying them when possible — but it’s been a stretch, with some outlets reporting as recently as Oct. 15 that election security plans were not yet finalized with the midterms only weeks away. Like any cybersecurity issue, though, it can seem like a race against invisible opponents with no finish line in sight. The midterm elections might be over in just a few weeks, but the election cycle marches on toward 2020 and beyond.

Many researchers have been detailing what can be done to truly get the advantage over would-be cyberattackers looking to wreak havoc on elections. Harvard University researcher Reed Southard worked with a team at the Harvard Kennedy School’s Belfer Center for Science and International Affairs to create a “State and Local Election Cybersecurity Playbook.” Among the advice this document offers to election officials is that implementation of security protocols, like two-factor authentication, is a must. And a recently issued report from The National Academies of Science, Engineering and Medicine, titled “Securing the Vote: Protecting American Democracy,” outlines six recommendations that tackle both foreign and domestic voter fraud and election security issues.

These proposals include:

  • Use of paper ballots to establish a backup record of every vote.
  • Verification of election results via public and transparent audits of elections (as well as election process, such as registration and results reporting).
  • Cross-checking of voter registration nationwide to weed out any duplicates from people who moved (currently, only 24 states and the District of Columbia match databases).
  • Outlaw voting by Internet entirely, for now, as it’s too risky (approximately 31 states and the District of Columbia currently allow U.S. citizens and military personnel living abroad to vote online).
  • Increase the security of voting by mail, especially as it becomes the standard for many states (e.g., Colorado, Oregon and Washington, with rapidly growing popularity in other states). Suggestions for doing so include creating a system to let voters verify whether their ballots were mailed to them and whether they were received and accepted by election offices.
  • Spend more money to make elections trustworthy, including the creation of ongoing funds to replace outdated voting equipment (something that, you’ll note, has already happened with the recent $380 million Congress allotted this year).

It’s important to note that these proposals are just some of the many being suggested by all manner of experts right now. Until new legislation is passed nationwide, it’s up to states to work with their county election offices to upgrade and improve security surrounding elections.

What does this all mean for voters?

One of the most frustrating aspects of all of this for Americans is that voters are more or less powerless when it comes to implementing stronger cybersecurity in election systems or enacting legislation to fix the many issues. The best thing you can do is to make sure that you perform your civic duty and vote — and pay attention when you do to any signs that something might be going awry. Already this election, there have been reports of people’s voter registration being dumped from voter rolls and machines functioning suspiciously. If you suspect something has gone wrong with your ballot, you can contact your state’s elections office to file a complaint. It can be easy to feel powerless and grow apathetic as a result, but that’s exactly what cyberattackers and others who might perpetrate election fraud want. Concerned about the security of a mail-in ballot? Drop it off in person at your local polling place instead of putting it in the mail. Not sure where to vote or how? Check out USA.gov’s guide for voters. And if you are concerned about what kind of cybersecurity measures your local precinct is taking for its elections, you can easily ask and find out.

While you can’t control voting security, you can control your own cybersecurity. Learn more about how to take control of your digital life by following our cybersecurity blog.