With the midterm elections of 2018 fewer than 12 months away, Congress is showing heightened concern over the potential for disastrous cyber attacks on the nation’s electronic voting systems.
“Like anything else in the digital age, electronic voting is vulnerable to hacking,” said Will Hurd, R-Texas, chairman of the House Subcommittee on Information Technology. “Our voting machines are no exception.”
Hurd, in opening remarks at a Nov. 29 joint hearing with the House Subcommittee on Intergovernmental Affairs on the cybersecurity of voting machines, said subcommittee members wanted to explore what impact the Department of Homeland Security designation last January of U.S. election systems as “critical infrastructure” has had on states. “It is essential that states take appropriate steps to secure their voting infrastructure,” he said
One state, Virginia, transitioned to paper ballots in its recent election to provide a more secure voting infrastructure. “The transition to paper-based voting systems on a truncated timeline was incredibly successful and significantly increased the security of the election,” Edgardo Cortes, commissioner of Virginia’s Department of Elections, testified before the subcommittees. “The November 2017 general election was effectively administered without any reported voting equipment issues.”
Tom Schedler, secretary of state of Louisiana, where voters in all jurisdictions use electronic voting machines except for absentee voters, who use paper ballots, said he wasn’t “naïve about the likelihood of future cyberattacks against digital elements” of election systems. But, he told subcommittee members, “we also know paper ballots include fraud vulnerabilities as well unless proper procedures and protocols are adopted and followed by election officials.”
Only four other states–Delaware, Georgia, New Jersey and South Carolina–still use only electronic machines. The rest use either paper or a mix of paper and Direct Recording Electronic (DRE) systems. DRE systems employ computers that record votes directly into the computers’ memory.
Schedler, a member of the National Association of Secretaries of State’s election infrastructure coordinating council, expressed confidence in the security of Louisiana’s electronic voting machines.
“Because they are very tightly controlled by our office and our office alone, I have the utmost confidence in our vote tallies,” he said. “In fact, in many ways, our machines are overwhelmingly trusted by our voters when compared to their confidence in the security of mailed, paper ballots.”
However, Matt Blaze, an associate professor of computer science at the University of Pennsylvania, citing “the risks and vulnerabilities inherent” in DRE systems, recommended in his testimony that DRE machines be “immediately phased out” from U.S. elections. Among better options, he said, are systems such as precinct-counted optical scan ballots, which leave a direct artifact of the voter’s choice.
“Computers and software play central roles in almost every aspect of our election process: managing voter registration records, defining ballots, provisioning voting machines, tallying and reporting results, and controlling electronic voting machines used at polling places,” he added. “The integrity and security of our elections are thus inexorably tied to the integrity and security of the computers and software that we rely on for these many functions.”
Commenting on voting-machine security issues, Dr. Matthew McFadden, cyber service area director for CSRA, a company that provides information technology services to government clients in national security, civil government and health care, suggested that state-of-the-art operating systems that are hardened would go a long way toward ensuring security.
“Using the latest, hardened operating systems and limiting access to the transport layer are examples of operational policies that ensure integrity of the machine and chain of custody,” McFadden told MeriTalk. “Using a physical receipt and blockchain technology would allow for a hardened system that ensures the integrity of the system.”
An issue with some voting machines, such as DRE systems, “is that they don’t leave a physical trail or receipt, so it’s difficult to validate,” he told MeriTalk. “The use of blockchain technology in voting machines would ensure validity as there is an encrypted digital ledger. All transactions are transparent and everything leaves a trail.”
In addition, he said, developing an open-source voting system and validated hardware may help perfect the voting machine system.
“It would allow security researchers and the public to independently validate and improve the system,” he said. “Increasing accountability and transparency should be two important goals of moving our voting critical infrastructure forward.”