It’s not easy to get in to see Diane Ellis-Marseglia, one of three commissioners who run Bucks County, Pennsylvania. Security is tight at the Government Administration Building on 55 East Court Street in Doylestown, a three-story brick structure with no windows, where she has an office. It also happens to be where officials retreat on election night to tally the votes recorded on the county’s 900 or so voting machines. Guards at the door X-ray bags and scan each visitor with a wand.Unfortunately, Russian hackers won’t need to come calling on Election Day. Cyberexperts warn that they could use more sophisticated means of changing the outcomes of close races or sowing confusion in an effort to throw the U.S. elections into disrepute. The 2018 midterms offer a compelling target: a patchwork of 3,000 or so county governments that administer elections, often on a shoestring budget, many of them with outdated electronic voting machines vulnerable to manipulation. With Democrats on track to take control of the U.S. House of Representatives and perhaps even the Senate, the political stakes are high. … The U.S. certainly hasn’t forced the Russians to look hard for places to strike. The midterm elections are rich in targets. Bucks County is hardly unique in relying on easily hacked voting machines, whose results could determine control of Congress or individual states. About 30 percent of America’s voting machines are as outdated and nearly unprotected as those in Bucks County, says Marian Schneider, a former Pennsylvania deputy secretary for elections and administration and now president of Verified Voting, a national election-integrity advocacy group. Ballotpedia, a nonprofit website that tracks elections, lists nearly 400 congressional and top state official races this November as competitive enough to be considered battleground contests.
… Pre-voting testing by an official or monitor at the polling place could theoretically catch a button-mapping hack in progress. Unfortunately, such testing isn’t always carried out thoroughly, or at all. For instance, no one noticed when buttons for two candidates in a 2011 New Jersey primary election, for two seats on the Cumberland County Democratic Executive Committee, were switched. According to Appel, who was consulted after that election, the only reason the swap was noticed at all was that the candidate who had expected to win by a landslide actually lost by a landslide. Only after the “losing” candidate obtained an overwhelming number of affidavits from voters was the discrepancy found out. Was it a hack or an honest mistake? With the Shouptronic, there’s no way to know, because it doesn’t leave a paper trail that can be checked after the fact.
“If the only way we can trust an election is by getting affidavits from every voter, we’re in trouble,” says Appel.
It’s possible the Russians perfected their attacks on electronic voting machines in the 2016 election without tipping their hand. No such attacks have been documented—but then again, nobody’s looked. “As far as I know, exactly zero machines were forensically tested after the elections,” says cybersecurity expert Alex Halderman, a computer science and engineering professor at the University of Michigan. In other words, we have no way of knowing if voting machines in Bucks County and other vulnerable counties with tight races for House seats are already primed to report phony results ordered up by Russian intelligence officers.