Election security experts concerned about voting machines are calling for an audit of ballots in the three states where the presidential election was very close: Michigan, Wisconsin and Pennsylvania. We agree. This is an important election safety measure and should happen in all elections, not just those that have a razor-thin margin. Voting machines, especially those that have digital components, are intrinsically susceptible to being hacked. The main protection against hacking is for voting machines to provide an auditable paper trail. However, if that paper trail is never audited, it’s useless. EFF worked hard, alongside many others, to ensure that paper trails were available in many places across the nation. While there are still places without them, we have made great strides. Yet this election was a forceful reminder of how vulnerable all computer systems are. We not only need elections to be auditable, we need them to be audited. We should use this opportunity to set a precedent of auditing electronic voting results to strengthen confidence—not only in this election, but in future ones.
There is precedent for hackers attempting to influence elections by tampering with voting infrastructure: Ukraine’s 2014 election came under attack from pro-Russian hackers, and this spring Bloomberg reported on how a team of hackers targeted elections throughout Latin America. There was also plenty of hacking related to the 2016 US election, with two separate major dumps of political emails and several reports of attempted attacks on election systems. These attacks tell us that hacking groups, some of whom may be nation states, were particularly interested in affecting this election’s outcome.
Of course, there is good reason to believe US voting machines are vulnerable; for years, EFF along with hundreds of security experts nationwide and even worldwide sounded the alarm about the risk posed by insecure voting machines. EFF handled many cases arising from problems with the machines. In 2004, California decertified many voting machines due to serious security flaws.
Most e-voting machines are not connected to the Internet, but disconnection isn’t a sufficient defense against hacking. Malware can be engineered to cross a so-called air gap by riding on removable storage media like thumb drives and SD cards. The Stuxnet worm is a remarkable example of this in action. It was designed to infect internet-connected workstations and then copy itself over whenever a thumb drive was plugged into those workstations. Once an infected thumb drive was plugged into an air-gapped system, the worm would install itself and begin its work. The voting machines used in America are updated using removable storage that is at some point plugged into a regular computer in a government office. Hackers need only compromise that computer, and they can use that toehold to copy a Stuxnet-like worm onto all removable storage that comes into contact with it and matches a certain profile. Once plugged into a voting machine, that worm could alter the machine’s software to subtly change the vote. A particularly well-written worm would automatically reverse those changes after the election to cover its tracks.