As local officials across the country scramble to hack-proof their voting systems ahead of the midterm elections, there’s one state that is paving the way as a leader in election security. Colorado has done virtually everything election experts recommend states do to stave off a repeat of 2016, when Russian hackers targeted 21 states as part of the Russian government’s massive election interference campaign. The state records every vote on a paper ballot. It conducts rigorous post-election audits favored by voting researchers. Nearly every county is equipped with up-to-date voting machines. Election officials take part in security trainings and IT workers test computer networks for weaknesses. Secretary of State Wayne Williams told me the state benefited from having some of those measures in place before 2016. Once the extent of Russia’s digital campaign in the presidential election became clear, he made it a priority to invest more in them, he said. “If people perceive a risk, they’re less likely to participate in voting,” Williams said. “We want to protect people from that threat, and we want people to perceive that they are protected from that threat.”
Full Article: The Cybersecurity 202: How Colorado became the safest state to cast a vote - The Washington Post.
New measures to bolster security for Michigan’s 2018 midterm elections were announced this month, but experts said they don’t address all past gripes with state procedures. During this year’s May election and November general election, Michigan will hand-count ballots for all precincts selected in the post-election audit, secretary of state spokesman Fred Woodhams said. The state currently uses paper ballots that are scanned through optical voting machines. Past elections’ audits required reviewing voting machine equipment as well as procedural compliance of poll workers, he said, but did not entail recounting paper ballots. … But the reforms don’t fully reassure Alex Halderman, a professor of computer science and engineering at the University of Michigan. He noted that under Michigan procedure, post-election audits occur after the results are already certified, rendering the practice moot when it comes to disputing a race outcome.
Full Article: Manual election audits to debut in Michigan 2018 race | State-region | petoskeynews.com.
Media Release: Senate Intelligence Committee’s Recommendations Outline Urgent Need for Paper Ballots, Post-Election Audits
Marian K. Schneider: “The recommendations…make the case that states need immediate federal support to build a stronger defense.”
(March 21 2018) — The Senate Select Committee on Intelligence released a report today about Russian targeting of election infrastructure during the 2016 election. Read the full set of recommendations here. The following is a statement from Marian K. Schneider, president of Verified Voting:
“The Senate Select Committee on Intelligence (SSCI) report recognizes that voter-verified paper ballots and post-election audits are the best way – given current technology – to ensure that an attack on our voting systems can be detected and the outcome verified.
“As the Intelligence Committee hearing established again this morning, there was foreign interference during the 2016 election and a real possibility that similar acts to undermine faith in our democratic system will occur again. Security experts agree that safeguarding and protecting our election systems is important, and the Intelligence Committee report is another indication that Congress and state governments must urgently address the vulnerabilities in our election systems, both by mandating voter-verified paper records and audits as well as allocating resources to accomplish these goals.
“Some states are already taking steps to safeguard their voting systems. Virginia made the move to decertify all of its voting machines last year, acknowledging that its voting machines were computerized and like all computers they are vulnerable, while Colorado became the first state to implement risk-limiting audits (RLAs) statewide. Other states are following suit, but states need resources to replace aging, insecure voting equipment and implement robust post-election audits.
“The Intelligence Committee’s report correctly identified that by making federal funds available to states that need them, states will be able to help defray the costs of audits and improve cybersecurity. But legislation like the Secure Elections Act would also help states replace aging systems and move toward a truly secure paper-based voting system. In order to adopt the Intelligence Committee’s recommendations, Congress must immediately pass this legislation and support states’ efforts to safeguard elections.
“It’s time we prepare to monitor, detect, respond and recover from any potential attacks that undermine the democracy of our elections. The recommendations laid out by the Intelligence Committee make the case that states need immediate federal support to build a stronger defense by using paper ballots or having a voter-verified paper trail and implementing widespread, statistically sound audits like RLAs.”
Verified Voting is a national non-partisan, non-profit educational and advocacy organization committed to safeguarding elections in the digital age. Founded by computer scientists, Verified Voting advocates for the responsible use of emerging technologies to ensure that Americans can be confident their votes will be cast as intended and counted as cast. We promote auditable, accessible and resilient voting for all eligible citizens.
MEDIA CONTACT: Aurora Matthews
Media Release: Pennsylvania Special Election Underscores Urgent Need for Voter-Verifiable Paper Systems to Check Computer-Generated Votes
Marian K. Schneider: “All races should be audited – whether they are close or not.”
The following is a statement from Marian K. Schneider, president of Verified Voting, formerly Deputy Secretary for Elections and Administration in the Pennsylvania Department of State, about Tuesday’s special election in Pennsylvania’s 18th Congressional District. For additional media inquiries, please contact email@example.com
“Pennsylvania law does not mandate a recount in this race, although candidates can petition for a recount, a difficult and expensive process. In Pennsylvania, 83 percent of voters, including all the voters in the 18th Congressional District, cast their votes on electronic voting machines that record the choices directly onto computer memory. Because no paper record of the voters’ choices exists, there is no way to double check if those machines correctly captured voter intent. All races should be audited – whether they are close or not – but elections like this underscore the need to have processes in place to instill confidence in the results. While there is no indication that there is any need to question the results of yesterday’s election, a ‘recount’ of a paperless voting machine will not catch software bugs, election programming errors or vote rigging malware in the voting machines.
“Pennsylvania announced earlier this year that it would no longer purchase unverifiable direct recording electronic (DRE) systems, but the special election yesterday demonstrates exactly why there is an urgent need for physical paper ballots that can be used to check the computer-generated votes. Verified Voting advocates for a quality assurance process that uses statistical methods and random sampling to verify the accuracy of the results.”
Russian hackers poked and prodded voting systems throughout the country during the election of 2016, failing to change votes or alter registration rolls but succeeding in pointing out where the United States is vulnerable. In just a few months, they’ll almost certainly be back again, and if not the Russians, then any one of a number of nations or groups hoping to sow discord and cause chaos around the signature event of our democracy. If they’re successful, we’ll have no one to blame but ourselves. The hackers mostly took aim at voter registration rolls, which because they are shared between computers and often undersecured are open to outside attack. By altering or deleting names on such lists, hackers could keep people from voting; on a wide scale, that would certainly cast a pall of distrust and anger over the system, and throw any results into question. There is some disagreement on how many states were targeted in these attacks, but the hackers were successful in compromising voter information in at least Illinois, where voter registration rolls were downloaded before the intrusion was detected.
Full Article: Our View: U.S. election security should be top priority - Portland Press Herald.
Editorials: Vote auditing can ensure integrity of Virginia’s elections | Audrey Malagon/Virginian-Pilot
It’s time for better quality control in our election processes. Virginia’s 94th District in the House of Delegates drew names after disputes over a single ballot’s validity. In the 28th District, many voters were told to vote in the wrong district. A single district can determine party control of the House, affecting health care, taxes and education. Yet how can we be sure the ballots we cast are even read and counted correctly? Mathematics makes checking the integrity of our elections simple and inexpensive, and Virginia should do this more often. My grandmother worked in a syringe factory in my hometown. Her supervisor used to pull a few syringes off the line and inspect them. He didn’t check every syringe, but if the ones he randomly checked looked OK, he was confident that the products going out were the right quality. This idea of random checking isn’t just for factories; we rely on it to make sure smoke detectors will save us in a fire and restaurants won’t make us sick.
Full Article: Audrey Malagon: Vote auditing can ensure integrity of elections | Guest Columnist | pilotonline.com.
State Rep. Kathleen Clyde, a Democratic candidate for Ohio secretary of state, said Wednesday she’s preparing to introduce a pair of bills designed to safeguard the state’s elections against cyberattacks. Clyde spoke about the bills at the Ohio Association of Elections Officials annual conference in Columbus. She was motivated to draft the legislation after it was reported that Russia attempted to interfere in the presidential election in 2016. “Many believe that this problem will only continue and we need to make sure that we are preparing for any attempts to hack our voting systems,” Clyde said in a phone interview prior to the conference. Unless Clyde is able to get Republican sponsors, her bill is unlikely to get through the GOP-dominated Ohio state legislature.
Full Article: Ohio Lawmaker Prepares to Introduce Elections Cybersecurity Bills.
Editorials: Decertifying Virginia’s vulnerable voting machines is just the first step | Fredericksburg Free Lance Star
The Virginia State Board of Elections has belatedly decided that all electronic touchscreen voting machines still in use throughout the commonwealth cannot be used for the Nov. 7 general election because they are vulnerable to hacking, even though they are not connected to the internet. This revelation is not new. For more than a decade, computer scientists at Princeton, Johns Hopkins, and other top universities have demonstrated that hackers can surreptitiously change votes on these machines without leaving a trace. In 2005, Finnish computer programmer Harri Hursti successfully hacked into Diebold voting machines that were in a locked warehouse in Leon County, Fla., under the watchful eyes of elections officials, a feat still referred to today as the Hursti Hack. But it took another demonstration of successful hacking at the DEFcon cybersecurity conference in Las Vegas this summer to finally convince board members that they needed to immediately decertify all touchscreen voting machines still in use in Virginia. Better late than never, as the old saying goes, but that left 22 cities and counties that still use them to tabulate election results in the lurch. Decertification should have happened years ago.
Full Article: EDITORIAL: Decertifying vulnerable voting machines is just the first step | Editorials | fredericksburg.com.
Amid national news reports about potential election-hacking by Russia — and a machine ballot miscount in North Kingstown last year — state lawmakers have added audits of vote tallies to their special-session agenda. At a rare Friday afternoon meeting in September, the House Judiciary Committee is also scheduled to vote on a criminal-sentencing overhaul that stalled out in the 2016 legislative session, and then got caught up in end-of-session chaos this past June. … That was expected. But the committee will also likely approve — and send along to the full House for action at Tuesday’s special session — a bill requiring post-election audits to make sure that the state’s voting machines — which are actually optical scanners — got the winners and losers right. The Senate has already passed a version of the bill, sponsored by Sen. James Sheehan. But that bill — and a matching House version with Republican and Democrat-sponsors — had not made it all the way when the regular session ended abruptly in June.
Full Article: Vote-tally audits, criminal-sentencing overhaul on RI lawmakers' agenda.
To stop cyberattacks on voting, America should follow the state’s lead on paper ballots. There’s no evidence that hacking impacted the 2016 elections. But there’s growing evidence that elections in 2018 and 2020 could be at risk. The threat could come from North Korea, Iran, or any of a host of foreign adversaries. The challenges are getting clearer. In August, Chicago’s Board of Elections reported that sensitive information about the city’s 1.8 million registered voters was left exposed online for an unknown period. Earlier in the summer, the Department of Homeland Security confirmed that foreign agents targeted voting systems in 21 states in the last election. Other news reports found that hackers successfully compromised election technology vendors who program voting systems. In the fight to secure America’s voting systems, Alabama is already employing the most crucial defensive weapon: paper ballots. The transparency and simplicity of the state’s system is tough to hack and relatively easy to verify. To guard against a foreign attack on our nation’s election systems, we need action to ensure others follow Alabama’s example.
Full Article: Alabama has the right approach to election security | AL.com.
The Sedgwick County Commission is seeking state approval to do voting machine audits regularly. The commission is working to get legislation passed in 2018 that will allow audits of election results. Currently, the state of Kansas does not allow a review of ballots, except as it relates to specific election challenges. Lawmakers failed to pass a bill on election audits last year. Commissioner Jim Howell says there is broad support for the legislation for the upcoming 2018 session. He says Sedgwick County’s new voting machines are designed for audits. “We would like to do random sample auditing across our county, and that would add a lot of transparency and a lot of confidence in our election process, and right now we don’t have that,” Howell says.
Full Article: Sedgwick County Commission Wants Election Audit Legislation Passed In 2018 | KMUW.
On the second day of early voting in the November election, Jacob Montoya cast a ballot at the Hays County Government Center. He was a San Marcos mayoral candidate and eager to cast his ballot in that race and other local contests. But his vote ultimately went uncounted, one of 1,816 votes stored on a memory card that was misplaced and discovered weeks after Election Day on Nov. 6. “Do you think the younger generation is going to vote after something like this?” Montoya said. “My vote didn’t matter. First of all, they didn’t count it, and then when they did find it, they didn’t count it anyway.” … The confusion regarding the November election has led many Hays County residents to call for the use of paper ballots, which advocates say could give voters peace of mind that their vote has been accurately recorded.
Full Article: Missing ballots spur calls for auditable vote system | Community Impact Newspaper.
You did your civic duty. You voted. You may even get a red, white and blue sticker to wear proudly on your T-shirt. But are you sure your vote will be counted — and counted properly? If your state uses computers for voting or counting results, there’s a chance it may not, experts say. “We know that computers can have some bugs or even cleverly-hidden malicious code called malware,” said Barbara Simons, president of Verified Voting, a non-profit, nonpartisan group encouraging secure and accurate elections. “As we learned in 2016, we also have to worry about the possibility of computers and voting systems being hacked,” she added. But if you live in Colorado, you’ll now have a better chance of finding out if your vote fell victim to a glitch or a hack.
Full Article: Colorado’s new vote checks could help discover a vote hack - Archer Security Group.
States across the nation are ramping up their digital defenses to prevent the hacking of election systems in 2018. The efforts come in the wake of Russia’s interference in the 2016 presidential election, which state officials say was a needed wake-up call on cybersecurity threats to election systems and infrastructure. … Security experts are still divided over the extent of hacking risks to actual voting machines. Some say that because many different voting machines are used across the country and because they are not connected to the internet, that would make any large scale attack hard to carry out. … But others contend that digital voting machines are vulnerable and could be targeted to influence actual election outcomes. “Some election functions are actually quite centralized,” Alex Halderman, a University of Michigan computer science professor, told the Senate Intelligence Committee in June. “A small number of election technology vendors and support contractors service the systems used by many local governments. Attackers could target one or a few of these companies and spread malicious code to election equipment that serves millions of voters.”
Full Article: States ramping up defenses against election hacks | TheHill.
The state of Colorado is moving to audit future digital election results, hiring a Portland-based startup to develop software to help ensure that electronic vote tallies are accurate. The startup Free & Fair announced on Monday that it had been selected by the state to develop a software system for state and local election officials to conduct what are called “risk-limiting audits.” A risk-limiting audit, or RLA, is a method that checks election outcomes by comparing a random sample of paper ballots to the accompanying digital versions. The development comes amid deepening fears on Capitol Hill about the possibility of foreign interference in future elections, following Russia’s use of cyberattacks and disinformation to influence the 2016 presidential election. According to the U.S. intelligence community, Moscow’s efforts also included targeting state and local election systems.
Full Article: Colorado hires startup to help audit digital election results | TheHill.
Russia’s meddling in the 2016 election may not have altered the outcome of any races, but it showed that America’s voting system is far more vulnerable to attack than most people realized. Whether the attackers are hostile nations like Russia (which could well try it again even though President Trump has raised the issue with President Vladimir Putin of Russia) or hostile groups like ISIS, the threat is very real. The question is this: Can the system be strengthened against cyberattacks in time for the 2018 midterms and the 2020 presidential race? The answer, encouragingly, is that there are concrete steps state and local governments can take right now to improve the security and integrity of their elections. A new study by the Brennan Center for Justice identifies two critical pieces of election infrastructure — aging voting machines and voter registration databases relying on outdated software — that present appealing targets for hackers and yet can be shored up at a reasonable cost. … The report identifies three immediate steps states and localities can take to counter the threat.
Full Article: Combating a Real Threat to Election Integrity - The New York Times.
This article appeared originally in the March 2017 issue of Scientific American.
The FBI, NSA and CIA all agree that the Russian government tried to influence the 2016 presidential election by hacking candidates and political parties and leaking the documents they gathered. That’s disturbing. But they could have done even worse. It is entirely possible for an adversary to hack American computerized voting systems directly and select the next commander in chief.
A dedicated group of technically sophisticated individuals could steal an election by hacking voting machines in key counties in just a few states. Indeed, University of Michigan computer science professor J. Alex Halderman says that he and his students could have changed the result of the November election. Halderman et al. have hacked a lot of voting machines, and there are videos to prove it. I believe him.
Halderman isn’t going to steal an election, but a foreign nation might be tempted to do so. It needn’t be a superpower like Russia or China. Even a medium-size country would have the resources to accomplish this, with techniques that could include hacking directly into voting systems over the Internet; bribing employees of election offices and voting-machine vendors; or just buying the companies that make the voting machines outright. It is likely that such an attack would not be detected, given our current election security practices.
Full Article: Our Voting System Is Hackable by Foreign Powers - Scientific American.
Editorials: Peace of Mind for a Tumultuous Election: Paper Trails and Risk-Limiting Audits | Arlene Ash and Mary Batcher/Huffington Post
With increasingly heated allegations of “rigged elections,” things have probably not gotten better since a September 29 poll concluded that “more than 15 million voters may stay home on Election Day” over concerns about cyber-security. Equally problematic would be doubts about who won following November 8. A vibrant democracy requires trusted elections. Paper validation of ballots cast and meaningful audits of those ballots are important – and neglected – tools for bolstering trust. As statisticians working in healthcare and business, we frequently help researchers, patients, and business executives think about the probability and severity of potential risks. Based on the news coverage it receives, you might think that the problem of people who are not entitled to vote showing up at polling places is rampant. It is not. A comprehensive study of all American elections between 2000 and 2014 identified only 31 possible cases out of a billion votes cast. That is, only 0.000003 percent of votes might have been due to the kind of fraud that Voter ID laws could possibly prevent! In contrast, electoral malpractice, intentional or not – including confusing ballot designs, computer security breaches and malfunctions, long lines, partisan administration, misleading information about where and how to vote, poorly maintained voting lists, and overly aggressive voter list purges – plague every American election.
Full Article: Peace of Mind for a Tumultuous Election: Paper Trails and Risk-Limiting Audits | Huffington Post.
Standardizing voter registration processes, voting machines and vote tabulation is the key to eliminating most vulnerabilities plaguing U.S. elections, according to several cybersecurity experts. These standardizations would embed security, enable backups and eliminate many backdoors through which hackers and vote fraudsters currently can warp the results of an election. While voting is administered at the state and local levels, these remedies would need to be applied nationwide. The current web of diverse processes may increase the difficulty for wide-scale election tampering, but they also ensure that achieving security is too broad a challenge for any single remedy to be applied. This diversity also virtually ensures that some location will have a vulnerability that, if exploited effectively, could cast doubt on a nationwide election result. … Auditing capabilities are important, says Ron Bandes, network security analyst in the CERT division of the Software Engineering Institute of Carnegie Mellon University. He also is president of VoteAllegheny, a nonpartisan election integrity organization.
Full Article: Elections at Risk in Cyberspace, Part IV: Securing the Vote | SIGNAL Magazine.
With the Democratic National Committee cyberattack far more widespread than originally thought, fears of foreign power using cyber-espionage to influence this November’s election are growing, and real. It’s also prompted concern that hackers may shift focus to an even more vulnerable target: your vote. Voters in 43 states will cast their ballot for the next president using aging electronic voting machines, many now ten years old with dated software lacking proper security. Despite machine manufacturers’ repeated claims of their integrity, high-profile studies have shown hackers can alter vote tallies on these notoriously-penetrable machines within minutes. Tactics available to hackers are numerous and growing: A distributed denial-of-service (DDoS) attack would disable voting machines or the back-end servers, preventing voters from participating in the election. Deleted voting records ahead of Election Day would expunge names from the registered voter rolls. And malware could be used to “steal” an election by tampering with voting machine hardware or software.
Full Article: This Election Could Be Hacked, And We Need To Plan For It - Forbes.