The midterm elections are here. Early voting is already happening in some places. We’re spending the rest of the week on election security and technology, starting with voting machines. Candice Hoke, founding co-director of the Center for Cybersecurity and Privacy Protection at the Cleveland-Marshall College of Law, believes insecure voting machines are the biggest security threat to the midterm elections. And they’re definitely insecure. Last summer at the DefCon hacking conference, security experts hacked and whacked at a variety of voting machines and came away saying the machines were hopelessly vulnerable to even the most basic hacking, like the kind where the default password is still “password.” And lots of them don’t even create paper receipts to ensure the votes were counted correctly. “We have not required voting systems vendors to operate under the same kinds of rules as, say, pharmaceuticals as to the safe and effectiveness of their products,” Hoke said. “So safety, privacy, auditability, transparency, whatever word you want to use, these are all marketing terms in the voting systems arena rather than reflective of some kind of standards that are actually being enforced.”
There is a federal process that tests and certifies these machines for accuracy, security, usability and vote auditing. But it’s up to states to decide whether they want fully certified machines. Thirty-eight states require at least one element of the certification program. Only 12 require the full federal certification, and eight states, including Florida, New Hampshire, Oklahoma and Montana, don’t have any requirements at all.
And as for the vendors, Hoke said they don’t really have the money to build cutting-edge machines.
“The vendors are actually making their money from the technical services they provide to local governments for conducting elections, and that’s their steady stream of income,” Hoke said. “So many of them are, as far as we know because they’re privately held companies, are not doing very well. And so they certainly cannot really afford to invest in software development at the level that we, the public, would want.”
Hoke proposes that voting infrastructure be regulated and funded like a public utility.
“The public utility model is one that we have used where the public is willing to trade certain kinds of protections for an industry in exchange for receiving certain kinds of guarantees from the industry itself,” Hoke said. “So for instance, we could guarantee them a certain level of profit in exchange for being able to assure that the systems, the software, is secure.”