This week the General Assembly has been considering an important election-reform bill that could greatly affect the security of the ballots of our troops and the integrity of elections in Virginia. HB 759 would allow military voters to send marked ballots back over the Internet via email. The bill is intended to address the very real challenges facing military voters, but allowing ballots to be returned over the Internet creates extraordinary risks both to the votes of our men and women in uniform and to the electoral infrastructure of our state. The Internet provides great opportunities, but also tremendous risks. The skill and stealth of hackers continues to outpace our ability to secure Internet-based services. Target, Adobe, Sony, Google, Apple, Facebook, Citigroup and others have all been victims, as have the Department of Defense and the State of South Carolina. Government security experts are raising increasingly urgent warnings regarding computer attacks. The rise of organized, well-funded, state-sponsored hackers has made the cyber world less secure now than ever before. Gen. Keith Alexander, head of the National Security Agency and the Department of Defense’s U.S. Cyber Command, stated that between 2009 between 2011 there was a 1,700 percent increase in computer attacks against American infrastructure initiated by criminal gangs, hackers and other nations. At the direction of Congress, scientists at the federal National Institute of Standards and Technology (NIST) have been conducting research into the use of online systems for military voters. NIST has stated that with the security tools currently available, secure online ballot return is not feasible and that more research is needed.
For these reasons the Department of Defense (DOD) itself does not recommend states adopt Internet voting and instead recommends ballots be returned by postal mail. The DOD has also unequivocally prohibited state and local jurisdictions from using DOD grant money to transmit voted ballots over the Internet. In 2012 Virginia was awarded $1.8 million from the DOD to assist military voters, but these funds may not be used for any system or program that enables the electronic return of voted ballots because the security issues remain unresolved.
So why is the General Assembly moving ahead to adopt electronic ballot return for the military against the recommendation of both NIST and the Department of Defense? This bill is largely being driven by the fact that many other states allow some form of electronic ballot return for military voters, and the mistaken conclusion that this means it is safe. However, none of these states have any meaningful or effective audits by third parties in place to detect if fraud has occurred. Even with effective procedures in place, it is estimated that most computer attacks are not discovered for 14 months or more, and skilled attackers won’t leave any trace of their intrusion.
Proponents of transmitting voted ballots online often make the comparison that if we can bank and shop online, we can send ballots over the Internet. But online banking is far from secure; according to the “JP Morgan 13th Annual Online Fraud Report,” $3.4 billion was lost to online fraud, and merchants reported losing an average of 1 percent of online revenue to fraud. Commercial entities can detect fraud by using detailed knowledge of a user’s behavior, and factor losses as a cost of doing business; election divisions can do neither.