Nearly a year after the 2016 presidential election, many Americans have been forced, some for the very first time, to look critically at their voting protections, and recognize that US balloting systems are not nearly as impregnable as they once thought. Clearly, the US intelligence reports about Russia hacks provided a long-overdue wake up call for this issue. The good news: some progress has been made in some jurisdictions in the last year. The bad news: that progress hasn’t been as widespread or comprehensive as the problem would seem to demand. “I think we’re moving in the right direction,” said Larry Norden, of NYU’s nonpartisan Brennan Center for Justice. “I’m heartened by the fact that, for instance, we’re seeing, in both House and Congress, bipartisan proposals to invest in increased election system security.” … Election consultant Pam Smith agreed that there has “definitely [been] a pattern towards more secure elections” across the country. Some states appear to be ahead of the game. Virginia, for example, recently earned praise for decertifying all its touchscreen, paperless Direct Record Electronic (DRE) voting machines ahead of the termination date required by its own legislation.
DEFCON Report on Machine Vulnerabilities Critical First Step in Raising Awareness, But to Secure Election Systems, States Must Adopt Paper Ballots
A new report on cyber vulnerabilities of our elections systems raises awareness of a critical issue, but in order to secure our elections, we need fundamental changes made at the state and local level. Verified Voting collaborated on the DEFCON Hacker Village to raise awareness of a chilling reality: our enemies have the will, intention and ability to tamper with our election infrastructure, potentially delegitimizing our elections and destabilizing our government. Verified Voting has known of this frightening possibility for years—we were founded in 2004, in the wake of election irregularities, to secure our democracy by ensuring that Americans’ votes would be counted the way they intended to cast them.
We know from deep experience: protecting our election infrastructure is a national security issue, and if we don’t act now, as former FBI Director James Comey has stated, ‘They’ll be back.’ That’s why Verified Voting has worked continuously with state election officials to safeguard their systems. Just last month, Verified Voting worked closely with Virginia’s Board of Elections in their move to decertify and remove its insecure, untrustworthy paperless voting machines and replace them with voter-marked paper ballots.
The Travis County Commissioners court rejected all proposals to build its custom-designed voting system that was supposed to improve security, turning it toward more traditional methods of finding a replacement for its current system. Officials made this decision after proposals to build STAR-Vote did not meet the requirements to create a complete system that fulfills all of the county’s needs. A request for proposals went out late last year, with vendors submitting their ideas early this year. Since 2012, Travis County and the county clerk invested more than $330,000 in time and resources to evaluate election computer security and compare various voting systems. Ultimately, it decided to try to invent its own.
This fall’s statewide elections in Virginia and New Jersey are the first big test of security measures taken in response to last year’s attempts by Russia to meddle with the nation’s voting system. Virginia was among 21 states whose systems were targeted by Russian hackers last year for possible cyberattacks. While officials say the hackers scanned the state’s public website and online voter registration system for vulnerabilities and there’s no sign they gained access, state authorities have been shoring up the security of their election systems. One of the most drastic steps was a decision by the Virginia Board of Elections earlier this month to order 22 counties and towns to adopt all new paper-backed voting machines before November. The board decided that the paperless electronic equipment they had been using was vulnerable to attack and should be replaced.
The thin, long piece of paper slides slowly out the voting machine, the internal mechanism guiding it making a sound similar to a copying machine. Printed on it are choices selected during voting, tapped seconds before on an electronic screen attached to the same machine. The piece of paper, in this case a ballot, is then carried to a second machine that electronically tabulates the votes while also dropping the paper into a locked, internal box. “Every vote that’s been cast there is a hard-copy paper record that each voter validated before it was inserted, scanned and tabulated,” said Jeb S. Cameron with Election Systems and Software, a Nebraska-based voting software and election management company that will help Georgia pilot a new paper-ballot voting system in November. That touches on one of the fiercest criticisms Georgia’s current system has received: There’s currently no paper record for most ballots cast in its elections.
The state of Alaska is exploring options for conducting elections after 2018, as it is faced with an aging voting system and financial pressures amid an ongoing state budget deficit. A bipartisan working group established by Lt. Gov. Byron Mallott is examining the issue. Josie Bahnke, director of the state Division of Elections, said one option that has gotten attention is a hybrid system would include allowing for early, in-person voting and voting by mail. But she said discussions are preliminary and more research must be done to see if this approach would work in Alaska, a vast state with far-flung communities. In certain parts of Alaska, the state must provide language assistance, including for a number of Alaska Native languages and dialects.
Federal money set aside to help states upgrade their voting equipment is running out, at a time when many states are seeking to replace aging machines and further fortify against cyberattacks. While federal funding has gradually diminished, the 2016 fiscal year marked a new low. As of September 2016, states had collectively spent more than the approximately $3.2 billion, distributed over several years, that Congress provided under the 2002 Help America Vote Act, according to a report from the independent Election Assistance Commission released Wednesday. Several states now rely mostly on any interest accrued from federal grants or on other sources for election-related efforts, such as replacing equipment that is in some cases a decade old.
Editorials: Utah needs to think about security above all as it buys new voting machines | Robert Gehrke/The Salt Lake Tribune
State elections officials held an open house earlier this month to demonstrate five election systems vying to replace the voting machines that have been chugging away for the past 13 years. Just a few days earlier, a group of hackers in Las Vegas took part in a demonstration of their own, designed to show how easily they could exploit the machines used around the country and potentially compromise our elections process. The results were alarming. The first voting machine was hacked within 90 minutes. By the end of the afternoon, all five had been compromised. One was reprogrammed to play Rick Astley’s 1987 hit “Never Gonna Give You Up.” The whole thing had been Rick Rolled. … Barbara Simons, president of Verified Voting, has been sounding the alarm about voting machine security — or lack thereof — for years. But even she was skeptical before the DefCon hacker exercise that the hackers would be able to compromise the machines. She was wrong. And the Russian interest in hacking election equipment makes her doubly concerned.
The recent news that thirty electronic voting machines of five different types had been hacked for sport at the Def Con hackers’ conference in Las Vegas, some in a matter of minutes, should not have been news at all. Since computerized voting was introduced more than two decades ago, it has been shown again and again to have significant vulnerabilities that put a central tenet of American democracy—free and fair elections—at risk. The Def Con hacks underscored this. So did the 2016 presidential election, in which the voter databases of at least twenty-one and possibly thirty-nine states, and one voting services vendor, came under attack from what were apparently Russian hackers. Last September, then-FBI Director James Comey vowed to get to the bottom of “just what mischief” Russia was up to, but, also sought to reassure lawmakers that our election system remained secure. “The vote system in the United States…is very, very hard for someone to hack into because it’s so clunky and dispersed,” Comey told the House Judiciary Committee. “It’s Mary and Fred putting a machine under the basketball hoop in the gym. These things are not connected to the Internet.” Comey was only partially correct. Clunky and dispersed, American elections are run by the states through three thousand individual counties, each one of which is responsible for purchasing and operating the voting machines set up by Mary and Fred. But Comey missed a central fact about many of those machines: they run on proprietary, secret, black-box software that is not immune to hacking, as Def Con demonstrated.
The toughest thing to convey to newcomers at the DefCon Voting Village in Las Vegas this weekend? Just how far they could go with hacking the voting machines set up on site. “Break things, just try to pace yourself,” said Matt Blaze, a security researcher from the University of Pennsylvania who co-organized the workshop. DefCon veterans were way ahead of him. From the moment the doors opened, they had cracked open plastic cases and tried to hot-wire devices that wouldn’t boot. Within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WINVote machine. The Voting Village organizers—including Harri Hursti, an election technology researcher from Finland, and Sandy Clark from the University of Pennsylvania—had set up about a dozen US digital voting machines for conference attendees to mess with. Some of the models were used in elections until recently and have since been decommissioned; some are still in use. Over three days, attendees probed, deconstructed and, yes, even broke the equipment in an effort to understand how it works and how it could be compromised by attackers. Their findings were impressive, but more importantly, they represented a first step toward familiarizing the security community with voting machines and creating momentum for developing necessary defenses.