A spate of predictably alarmist headlines hit the wires in August after an 11-year-old needed just 10 minutes to hack a facsimile of a state election website at DefCon. But for the professionals who monitor America's voting infrastructure, it hardly came as a surprise to learn that hacking into a system at ground zero of American democracy is literally child's play, not when many voting machines seem to almost invite intrusion by relying on unchanged passwords like "password" or "abcde," and having Wifi enabled.
What’s more, at least two-thirds of the voting machines still in use today across the United States are estimated to be more than a decade old. While Congress has appropriated $380 million to bolster states' voting infrastructure, budget limitations will prevent a wholesale upgrading of state and local systems or their replacement by the acquisition of more secure machines.
We're "woefully underprepared," says Matthew Bernhard, a University of Michigan Ph.D. candidate specializing in election security. Earlier this year, Bernhard demonstrated how attackers could bypass the tamper-evident seals the state officials put around the machines prevent outsiders from gaining access to their internals.
"A lot of “fail safes” could be put in place, but aren't,” he said.
Still, some believe an increased commitment in states around the country to both paper ballots and post-election audits could help reassure the public that the vote is legitimate.
Earlier this year, Brian Varner, a Symantec special projects researcher, purchased two current-generation voting machines on eBay for $100 each. Varner had done the same in 2016 and had identified major gaps in the devices' security. This year's machines "were in worse shape than the old machines I got back in 2016," Varner says, citing new vulnerabilities such as lack of vote encryption and easy access through USB ports. “These machines have more exploitation vectors….I don't feel like we've moved forward much at all."
Dynamics like this inspired a recent National Academy of Sciences report that, among other recommendations, called for all elections to use human-marked ballots; for marked ballots never being sent over the Internet; for states to require post-election audits; and that a set of standard cybersecurity best practices be implemented for all state and local elections.
But the report's recommendations deal with the long-term and could involve considerable cost. Tellingly, Varner says the best bet may be voters and poll workers keeping an eagle eye on machines to prevent shenanigans, while officials monitor the machines while in transit and locking them up when in storage. "Accountability and physical control," Varner says, "is about the best we can do at this point."
Paper Ballots and Audits
All that aside, there remains reason for optimism that headway can be made.
"The facts are clear," says David Becker, the executive director of the Center for Election Innovation and Research, "Eighty percent of American voters have access to paper ballots. That's the highest percentage of non-punch-card paper ballots since computers were introduced to elections. [And] the majority of states audit those ballots."
Just five states--Georgia, South Carolina, Louisiana, Delaware, and New Jersey--use all-electronic voting machines, and each of those hope to get funding to move away from such systems by 2020.
As a result, Becker says, "2018 is going to be the most secure election we've ever had."
That may sound Pollyannaish, but Becker's not alone in expressing confidence. Bernhard, too, forecasts an election-security landscape that's a "little better" this year than in 2016 thanks to increased use of paper ballots and audits.
Still, the security of this coming election is anything but a layup. Indeed, Bernhard decries the thousands of jurisdictions nationally that either don't perform audits or whose audits are insufficient. And that's to say nothing of what he sees as insecure voter-registration systems and electronic-voting machines in places like Georgia that offer no recourse if, say, the power goes out on election night.
In the meantime, Becker said the fact that rival states intent on delegitimizing our democracy may yet strike demands vigilance as the midterms approach. He said there are numerous ways groups working on behalf of nation-states could attack local election results, including hacks of vote tabulation, or denial-of-service attacks on election-night reporting machines.