In March, officials from 38 states packed into a conference hall in Cambridge, Massachusetts, for a two-day election simulation exercise that was run like a war game. More than 120 state and local election officials, communications directors, IT managers, and secretaries of state ran drills simulating security catastrophes that could happen on the worst Election Day imaginable. The tabletop exercise began each simulation months before the Nov. 6 midterm elections, accelerating the timeline until states were countering attacks in real time as voters went to the polls. Organized by the Defending Digital Democracy (D3P) project at Harvard, a bipartisan effort to protect democratic processes from cyber and information attacks, the drills forced participants to respond to one nightmare scenario after another—voting machine and voter database hacks, distributed denial of service (DDoS) attacks taking down websites, leaked misinformation about candidates, fake polling information disseminated to suppress votes, and social media campaigns coordinated by nation-state attackers to sow distrust.
… The more systemic issue nationwide is that voting machines and election management software differ massively from state to state. There are only a handful of major vendors registered to provide voting machines and certified voting systems, which can be paper ballot systems, electronic voting systems, or a combination of the two.
According to nonprofit organization Verified Voting, 99 percent of America’s votes are counted by computer in some form, either by scanning various types of paper ballots or through direct electronic entry. Verified Voting’s 2018 report found that 36 states still use voting equipment proven to be insecure, and 31 states will use direct-recording electronic voting machines for at least a portion of voters.
Most alarmingly, five states—Delaware, Georgia, Louisiana, New Jersey, and South Carolina—currently use direct-recording electronic voting machines with no voter-verified paper audit trail. So if vote counts are altered in the electronic system, either through a physical or remote hack, the states may have no way of verifying the valid results in an audit process where often only a statistical sampling of votes is needed, rather than a full recount.
“There’s not a box of hanging chads for us to count,” said Joel Wallenstrom, CEO of encrypted messaging app Wickr. “If there are claims in the midterms that the results aren’t real because the Russians did something, how do we deal with that misinformation issue? People read bombastic headlines, and their trust in the system is further eroded.”