At the world’s largest hacking conference, there was good news and bad news for fans of free and fair elections. The good news is that hacking the US midterms – actually changing the recorded votes to steal the election for a particular candidate – may be harder than it seems, and most of the political actors who could pose a threat to the validity of an election are hesitant to escalate their attacks that far. The bad news is that it doesn’t really matter. While the actual risk of a hacker seizing thousands of voting machines and altering their records may be remote, the risk of a hacker casting the validity of an election into question through one of any number of other entry points is huge, and the actual difficulty of such an attack is child’s play. Literally.
An election wrongly perceived as illegitimate is just as damaging to democracy as one correctly perceived as such. That’s why Halderman calls for a very simple solution to at least this part of election defence: issuing and counting paper ballots. Most, but not all, US voting machines do maintain a separate record on paper of whom a ballot was cast for. But while that record, at least, is unhackable, it’s also rarely considered. In 2016, Halderman spearheaded an effort to encourage the state of Michigan to perform a statistically valid check of the paper ballots – which would have involved counting just a few hundred of the ballots to ensure with a high degree of certainty that tampering had not occurred.
That effort failed, but Halderman isn’t giving up. “This is one of the cheapest cyber defences imaginable, and would cost less than $25m a year” to provide a strong defence across the US. That, he notes, is a fraction of the $380m that the US government has already earmarked for improving election security, but without and standards or strict guidance about how states should use it – meaning that some of that money can be ploughed straight into the buying the same insecure voting machines that led to the trouble in the first place.
“I’ve only one conclusion,” said Schürmann: “Use paper and do your audits.”