This letter was sent to the US Senate Select Committee on Intelligence following a hearing on June 21, 2017. (Download PDF)
Verified Voting vigorously applauds the Senate Select Committee on Intelligence for its leadership and commitment to securing our elections. With clear evidence that foreign attackers sought to attack our 2016 elections through various means, our intelligence agencies warn that hostile attackers will be back to attack future elections. Congress and the most vulnerable states should act with urgency to fund and implement protective reforms that will make our election systems resilient against cyber attack: funding the adoption of paper ballots and accessible ballot marking systems, and implementing robust, manual post-election audits of the votes.
The June 21 hearing is an important first step toward those reforms, providing valuable information through witness testimony and questions of the Senators. We wish to expand on several key points that were raised in the hearing to ensure a clear understanding of the challenges we face in securing our elections.
It is crucial to understand that further reforms are urgently needed to bolster the mitigations currently in place so that it is possible to detect and correct a cyber attack on the vote count.
Some testimony asserted that pre-election testing and post-election audits currently in place would catch errors in vote tallies caused by a malicious attacker or software failure. Unfortunately, pre-election testing, though helpful for ensuring the completeness of ballot programming, can be defeated by malicious software designed to detect when the system is in test mode. This is what happened with Volkswagen diesels cars: the software caused the cars’ emissions systems to behave correctly during testing, but then allowed them to pollute under non-testing conditions.
Likewise, while post-election audits currently in place in some states may serve to detect errors in the vote count—and indeed in a number of past elections have detected outcome-changing errors—such audits cannot be relied upon nationally. A post-election audit requires examination of some number of paper ballots marked by voters, to serve as a check on the software vote count. Because voters in five states are consigned to paperless machines, and nine other states contain jurisdictions that do not have paper ballots, it is impossible to conduct a legitimate post-election audit to detect software errors in 14 states.
Moreover, while roughly 70% of the nation has paper ballots,1 little more than half the country conducts post-election audits2 and, with few exceptions, these audits are not strong enough to always reliably detect vote count errors caused by cyber attacks or software problems. This is why we need paper ballots and robust post-election audits: to have sufficient evidence to detect and correct errors in all jurisdictions, not just in some jurisdictions.
Although most voting machines are not directly connected to the Internet, they nonetheless may be exposed to hacking attacks through other connections, as Dr. Alex Halderman explained in his testimony.3 Furthermore, 32 states allow the online casting of ballots for military and overseas voters;4 these ballots are directly exposed to Internet attacks. Because these ballots are cast electronically, their accuracy cannot be verified or accurately audited.
At the hearing, Senators pressed the important point that our current system does not ensure that State election directors will disclose breaches to the public or other entities. In some localities, election systems are managed by outside vendors, some of which may not have the resources to implement strong security. In these cases the vendors would be responsible to detect and report vulnerabilities or intrusions. But vendors may feel a financial and reputational disincentive to disclose vulnerabilities or breaches of their systems. Without reforms to require such disclosure, we cannot reasonably expect to learn of all breaches and vulnerabilities. This exacerbates the difficulty of addressing security challenges.
Paper ballots and post-election ballot audits provide resilience to cyber attacks on our voting process, because the paper ballot is physical, tangible evidence of voter intent that will remain untouched by a cyber attack. In the hearing we were told that one of our adversaries’ aims is to sow distrust in our elections so as to undermine U.S. democratic principles. Paper ballots and audits provide transparency and instill voter confidence in the process. By combining paper ballots with routine, mandatory post-election manual audits, we directly and effectively undercut our adversaries’ ability to shed doubt on the election outcome. Voters will have evidence to support the computer tallies, improving both transparency and voter confidence.
We thank you for focusing on this critical issue and for your commitment to address it. We hope to work with you to move the entire nation to resilient, auditable, transparent and accessible voting systems and stand ready to assist any way we can.
3 Expert Testimony by J. Alex Halderman, Professor of Computer Science, University of Michigan before the Senate Select Committee on Intelligence June 21, 2017 https://www.intelligence.senate.gov/sites/default/files/documents/os-ahalderman-062117.pdf
4 “Secret Ballot at Risk, Recommendations for Protecting our Democracy,” Verified Voting Foundation, Common Cause, Electronic Privacy Information Center, http://secretballotatrisk.org/