A Nov. 29 House hearing on the cybersecurity of voting infrastructure highlighted warnings about some machines used to cast votes and the software used to tally them, but officials were positive about the progress being made and the low likelihood that an attack could actually switch any votes. Several experts who testified at the hearing, held by the House Oversight Committee’s subcommittees on information technology and intergovernmental affairs, recommended that states should begin switching — if they haven’t already — away from direct-recording electronic voting machines. Matt Blaze, a computer science professor at University of Pennsylvania, said the complexity of DRE machines makes them very hard to secure. The vote tallies stored in internal memory, ballot definition parameters displayed to voters and electronic log files used for post-election audit are all subject to alteration.
… The witnesses provided a number of recommendations for how to secure election infrastructure in their testimony, including:
Optical scan: These systems consist of a paper ballot filled out by the voter and a digital scanning system that records the ballots. The hard copy ballot allows for audits and provides a backup should anything go awry with the digital side of the process. Moving all voting over optical scan systems would “leave a direct artifact of the voter’s choice,” Blaze said.
Audits: Audits should be mandatory “after every election to detect software failures and attacks,” Blaze recommended. Voting systems will always rely on software in one way or another, but, he said, post-election audits “ensure that the integrity of the election outcome does not depend on the herculean task of securing every software component in the system.”
Funding: Congressional funding to localities “is a critical need” for ensuring the security of elections, Cortés said. Susan Hennessey, a fellow in National Security in Governance Studies at the Brookings Institution, said additional resources should be conditional on localities meeting best practices outlined at a federal level.
Standards: All voting equipment should receive a federal certification and election administrators be trained and accredited, Cortes said. Hennessey advocated a national strategy that puts in place “neutral standards and thresholds” be set up before the next national election.
Regulation: Regulating the voting machine vendors is also necessary, Hennessey said. Government must not only set security standards for the machines, but also require the manufacturers to undergo routine penetration testing.