We shouldn’t need another reminder, but the DefCon hacking conference in Las Vegas provided one over the weekend anyway: Voting machines are highly susceptible to electronic attacks. You might remember the topic of hacking elections from such recent presidential campaigns as: last year’s. And while – this is important – there’s no evidence that hackers manipulated actual vote tallies in 2016, there’s every reason to believe that cyber-malefactors will try to do just that in future. And the DefCon gang proved how easy that would be. The convention set up a Voting Machine Hacking Village where attendees could see what they could do against more than 30 voting machines (procured, no kidding, via eBay and government auctions). It took less than 90 minutes before a hacker was able to crack the poorly-secured Wi-Fi on one voting machine (which is, thankfully, outdated and was apparently last used in 2015); another programmed a machine to play Rick Astley’s ghastly song, “Never Gonna Give You Up.” Imagine casting your vote on Election Day and getting rickrolled for your trouble.
… There are reasons to not to overplay this exercise. Obviously, you can’t sneak into a polling place and start taking apart voting machines; and physically sabotaging one voting machine at a time would probably not be the most efficient way to rig an election. That said, any vulnerabilities in our election systems are worrisome. We know that last year hackers launched spear-phishing attacks on at least one company that makes voting equipment and software, as well as state and local election organizations. If a state election system from whence the voting machines are programmed prior to the elections is penetrated, for example, machine-level security vulnerabilities would make it that much easier for hackers to compromise our elections.
Remember that five states use voting machines which have no paper record at all and an additional 10 use such machines at least in part. Overall, according to Pamela Smith of Verified Voting, between 20 and 25 percent of voters cast their ballots electronically, without any accompanying paper record. That’s a vulnerability that needs to be closed as soon as possible. And as I’ve written before, each state ought to do a risk-limiting audit as a matter of course to make sure that the votes were properly counted.