Votes of confidence

Amid evidence that foreign powers initiated targeted attacks on states’ voting systems leading up to the 2016 election, county officials, academic experts and information security professionals agree that incorporating a paper trail and using audits are surefire methods to ensure the security of elections.

Using security techniques in elections isn’t a new concept — it’s been practiced for decades, says Weber County, Utah, Clerk/Auditor Ricky Hatch, who testified before Congress about county involvement in elections in July. However, increased reliance on technology has led officials to focus more on cyber security and to integrate it into elections.

Attacks on election systems are growing in sophistication, too. In the past two years, a leaked National Security Agency intelligence report and Department of Homeland Security documents have indicated that foreign groups like the Russian military, a Russian company and entities linked to the Russian government have made hacking attempts into states’ election systems as well as a U.S. voting equipment manufacturer. Spear-phishing emails were also sent to over 100 election officials.

The existence of these attacks is alarming, but it’s arguably equally disconcerting just how many parts of an election system can be exploited for nefarious purposes.

Centralized issues

Voter registration, the ballot programming environment, voting machines, ePoll books, reporting and tabulation systems are all parts of election systems that are vulnerable to cyber attacks, according to University of Michigan Professor of Computer Science and Engineering J. Alex Halderman.

“The thing that keeps me up at night, the thing I worry about most is the combination of the ballot programming environments, which are called election management systems, and the actual voting machines in the field,” he says.

In April, Halderman released a video created in collaboration with The New York Times that showed him hacking voting machines used in a mock election held at the university. While explaining his method in the video, Halderman also shows how foreign powers could hack an election without themselves infiltrating individual voting machines.

According to the professor, foreign governments can hack voting machines’ manufacturers, steal their software code and write a virus that is then emailed to every election official that programs the machines with new ballots. In time, the virus can help hijack the ballots’ programming, and the election officials would (ostensibly) put that hacked code into the voting machines. That code can then steal votes and thus hack the election.    

Some safeguards are in place for such an attack. Hatch says that ES&S, Weber County’s voting equipment vendor, provides a process that the county can independently perform to ensure that the tabulation software’s source code hasn’t been altered.

Hatch admits however, that phishing attacks like those used by the Russian military as shown in the leaked NSA report, can easily use social engineering to obtain access to sensitive information.

“People are really the major deficiency here,” says Dave Kennedy, founder and senior principal security consultant at information security consulting firm TrustedSec as well as chief hacking officer at endpoint protection software firm Binary Defense.

“If I can hack into a person’s computer and use that as a mechanism into an environment, that’s definitely a huge concern in ways that you can actually mass-impact an election process,” he adds.

The perks of processing paper

Given the rise of hacking attacks on elections, election security has become a cyber security issue.

“Everyone at the county has email, everybody has access to the internet, so we’re very careful with our user awareness training to make sure that everybody is aware of the risks out there and some of the tactics that are being used to try and compromise our security,” Hatch explains, noting that his county has increased its employee’s awareness of cyber security-related issues since the 2016 election.

But counties can’t depend on cybersecurity training alone, Halderman argues. “We need to be cognizant that not everyone can or will be a security expert. So, it’s important to make sure that people get the very basics but also that we have mechanisms that don’t require security expertise to defend us,” he says.

The best mechanisms to defend against election systems hacking are the use of paper and using audits. “Those are the best defenses that we know from the point of view of security technology,” Halderman says.

Unlike electronic voting, paper physically cannot be hacked as part of a cyber attack, and manually inspecting paper ballots is a highly secure way to verify election results. But having a backup paper trail also offers the ability for audits to be conducted on electronic voting. “When you use paper, it drastically reduces the ability for large-scale cyber alterations of large numbers of vote,” Hatch says.

Currently, voters that go to a polling place in Weber County on Election Day are handed a paper ballot that they mark with a pen, according to Hatch. The paper ballot is then scanned at the location.

Prior to switching to largely vote-by-mail elections in 2013, Weber County had used touch-screen voting machines beginning in 2005. But even then, before a voter would cast her ballot, the machine in use would print out the voter’s choices and prompt the voter to verify her votes on the paper before either submitting the ballot or nullifying it. This in-the-moment audit is an example of a voter-verified paper audit trail (VVPAT) and serves as an additional level of security in elections.

As of April, just five states entirely used machines that did not provide paper trails like a VVPAT, and nine states contained counties that didn’t provide paper trails, according to reports from Axios and McClatchy.

“Certainly, we have a few states where they’re still going on old equipment that doesn’t have a paper trail, and they’ll get that fixed,” Hatch says. “Nobody wants that anymore. It just takes time and money to get all that fixed and replaced.”

Counting paper ballots however, can be time-consuming and laborious. “It’s slower to get information out there in a society that demands information real-time and quickly,” Kennedy says.

However, a specific auditing method that multiple states and organizations endorse could counteract these detriments.

Saving time while limiting risk

As of October, 30 states and the District of Columbia required a traditional post-election audit, according to the National Conference of State Legislatures (NCSL). In a traditional post-election audit, a fixed amount of voting machines or districts are audited — no matter if the race is close or a landslide.

Three states — Colorado, Rhode Island and Virginia — require that risk-limiting audits (RLAs) be conducted after an election, according to the NCSL. Ohio recommends that RLAs be done as part of its post-election audit requirement, Washington state allows counties to conduct RLAs and California will begin to allow counties to conduct RLAs starting in 2020.

Non-governmental organizations endorse these audits, too. The Center for Internet Security (CIS) lists RLAs as a best practice in elections infrastructure security in its handbook on the subject. The American Statistical Association also recommends that RLAs be conducted and reported for federal, state and local elections, according to a 2010 statement from the association.

The CIS handbook explains that an RLA involves a randomly-sampled recount whose size is determined by a “stopping rule” that’s based on the probability that the election’s actual outcome will differ from what’s already been reported. So, additional ballots are counted again until there is “a pre-determined statistical level of confidence that the reported result is correct.”

A close election would thus require a larger audit than a landslide election would. Accordingly, an audit would end sooner depending on how closely an audit’s results match the reported results. Since the stopping rule is arbitrary to the closeness of an election, RLAs can save time and effort while still retaining a high level of confidence in the results.

“Risk-limiting audits are seeing increased interest, but I think many other counties would benefit from finding out about them and looking into whether it’s something that counties themselves can implement as an added layer of defense,” Halderman says.

System status

Experts have mixed views on the status of election security in the U.S.

Kennedy, who operates in the private sector, says it’s not good. Halderman admits that progress has been made since 2016, especially with security concerns, but that there’s a long way to go.

Hatch is more optimistic, saying that election security is improving daily, with systems consistently being tweaked to meet increasingly maturing threats.

“I’ve been really pleased at how the elections industry both private and public has responded to the increased threats that we’ve had, and the information sharing is tremendous from the state, local as well as federal levels,” he says. “One thing the elections world is good at is responding to a changing landscape.”

Regardless of differing beliefs, a common thread is that elections security will consistently need to strengthen to meet the increasing sophistication of cyber attacks on the democratic process. For Kennedy, a key determinant of such security is having champions of security at the local level.

Halderman expresses a similar viewpoint. “Ultimately, because elections are administered at the local level, we’re going to need buy-in and participation from local election administrators across the country in order to make sure that those defenses are strongly and uniformly in place for 2020,” he says.