In the aftermath of the 2000 presidential election, amid the “hanging chads” fiasco in Florida upon which the election hinged, there was a tremendous effort to move toward voting automation to mitigate the perceived drawbacks of what were deemed antiquated paper ballots and/or mechanical/lever machine voting. As a result, the Election Assistance Commission (EAC) was created in 2002 with the specific charter of incentivizing states to adopt more automated voting systems.
The goal of the EAC was to further more efficient, secure, and reliable elections. What has evolved in the eighteen years since has been a less-than-optimal result…
Today, there are over 10,000 election jurisdictions in the United States, supported by over 350,000 electronic voting machines.
Thirteen states have some precincts using voting machines that produce no paper audit trail whatsoever; and five states exclusively use voting machines with no paper audit trail. (Without a paper audit trail, there is virtually no way to know if a specific voting machine’s vote tally is accurate or not.)
This is where the advance of technology created a tradeoff of efficiency for security in voting…
Electronic voting machines fall into one of two categories:
- Optical-scanner (OS) based machines, where a paper ballot is manually marked and then scanned into a machine to record and tally the vote; however, not all Optical-scanner voting systems make use of the leftover paper ballots for audit and review purposes.
- Direct-recording electronic (DRE) machines, such as those which use touch screens to vote, where no paper trail exists at all, just votes recorded in the machine’s memory and uploaded after the conclusion of voting.
Until the recent introduction of electronic voting machines, election security was ensured by the sheer decentralization of a manual, albeit slow, process.
That is, voters voted on a given election day in a specified local voting precinct by marking a paper ballot. Those votes were overseen and tabulated by a trusted group of poll workers, with the results called into a county voting office. County offices rolled up their tallies to the Secretary of State’s office. And in the context of national elections, state totals were rolled up to federal election authorities. If there were voter discrepancies, voting precincts still had all of those manual ballots that could be recounted and re-verified.
In a very real sense, a “national” election has never existed in the US as a single nationwide race, but rather fifty concurrent independent state elections, comprised of thousands of subordinate county elections. Thus, notwithstanding the topics of voter fraud and ballot box stuffing, the very notion of “hacking” an election in the old paradigm was, to a great extent, a practical impossibility.
Today, in addition to the 350,000 electronic voting machines in use, many voting systems are now tied to two online resources:
- Registered voter eligibility databases (what used to be called the “voter rolls”) and
- Online voter registration systems, which populate the eligible registered voter databases.
These two online systems have become some of the prime targets for hackers targeting elections and voting.
A well-executed Distributed Denial of Service (DDoS) attack, which can be launched by any script-kiddie with a Bitcoin account, could render either of these systems inaccessible and/or inoperable. Such a coordinated attack on the day of an election can literally leave voters unable to vote.
Hackers (many of whom are foreign state actors seeking to cause disruption, or worse, distrust of the election process and associated societal unrest) have been observed for many years.
For example, in the 2016 election, the Illinois Board of Elections was breached, and soon after a state system in Arizona, with the attackers seeking to gain access to these states' election systems themselves.
These documented election hacking incidents, along with the notorious hacks of the Democratic National Committee and others in the 2016 cycle, have caused all states to take a hard look at electronic voting security.
Now, there exists an even greater vulnerability in the advent of electronic voting, and that is the notion of pure online voting, i.e. not with a government-approved standards-based voting machine in a local precinct, but online via a web browser or smartphone app.
Many states now have initiatives afoot to attempt to achieve this new evolution in voting, and this type of voting is already in use (to some degree) in thirty-one states. The issue with online voting is that while there are well-defined government standards for stand-alone electronic voting machine technology, there are no standards established (yet) for pure online voting systems.
The Achilles' heel, if you will, of many online voting systems is that they rely on Transport Layer Security (TLS) to work, i.e. the encryption/decryption technology that connects a user’s browser or smartphone app to the online election systems. The problem with this architecture is that TLS encryption keys can be compromised; and if an attacker is successful in doing so, a Man-in-the-Middle (MITM) attack becomes possible. From such a position in the information process flow, a MITM attack could not only cause disruption, but could allow actual data, such as vote totals, to be changed.
At many white- and black-hat hacker conventions, this vulnerability and its exploitation have been routinely demonstrated. What’s more, this level of system compromise can also enable a whole new realm of spying on individuals’ voting habits and preferences.
“The technical barrier to spying on how citizens vote is extremely low,” noted J. M. Porup of CSOonline.com.
Rest assured, government authorities promoting more automation and eventually pure online voting claim to do so from sincere intentions. They claim these systems enable greater voter participation and convenience, and give access to remote/rural voters and those stationed/deployed in active military service.
The question becomes, is it better to have more secure voting or greater voter participation? And, can we have both?! Shouldn’t IT and cybersecurity experts come together and collectively figure out how to solve the problem of election hacking?
In 2011, the National Institute of Standards and Technology (NIST) invested over $100 million to answer the question of how to deliver secure online voting systems and protect voters from hacking/attacks. Their report concluded: “Online voting is impossible to secure.”
In fact, Richard DeMillo, a cybersecurity professor at Georgia Tech University in Atlanta, GA, admitted, “Paper ballots are absolutely the safest way to vote. All this fancy stuff—you’re talking to a computer scientist and it breaks my heart to say this—it just drives up the cost and doesn’t add anything.”
The simple facts are:
- voting machines can be hacked;
- registered voter databases can be hacked;
- voter registration systems can be hacked; and
- online voting websites can be hacked.
On the other hand, a formidable obstacle for hackers gunning for our elections is the widely distributed nature of US elections. In other words, for a state-sponsored actor such as China or Russia wishing to affect a national US election, the voting machines and systems of thousands of sites would all have to be simultaneously compromised. The sheer scale of that task makes it extremely impractical.
Yet, every step that voting technology takes moving toward greater centralization makes the job easier for a potential hacker.
One thing is certain: there is no credible effort being made to get rid of voting automation and return to pure paper ballot voting, which raises the question: What can be done in the short term until technology finally finds a more foolproof solution to prevent voting/election hacking?
To answer the question, IT and cybersecurity experts have offered many best-practice suggestions, which a growing number of states are starting to implement:
- Any online voting systems should include two- or multi-factor authentication.
- Standalone voting machines and online voting should always provide a printable paper trail for audit purposes.
- All voting machines and systems should require routine penetration tests to search for vulnerabilities.
- Compromise Assessments (using host-based inspection technology) should be performed on all voting machines and systems immediately prior to an election.
- All voting machines and systems need an expedited software patch process, ensuring all systems are up to date prior to any election.
- Employees and volunteers should receive training and awareness education, specifically to recognize and avoid phishing attacks. (Many successful compromises of election systems have come through stolen user credentials due to the leading cause of data breaches: human error.)
- No voting machines should ever be connected to the Internet. The Internet is the access medium of attackers, and an air gap renders the machines isolated and protected from attack.
- Increased database security is needed for both on-premises and cloud-based voting systems/databases, specifically in terms of Intrusion Detection and Intrusion Prevention systems (IDS/IPS), especially those designed to thwart DDoS-type attacks.
On the bright side, there are current initiatives underway to achieve a true next-generation online voting system that is secure.
The state of West Virginia is currently piloting a new smartphone app called Voatz, which has shown promise.
In Texas, a program launched in our hometown of Austin called “STAR Vote” is moving forward. STAR stands for Secure, Transparent, Auditable, and Reliable.
Despite NIST claiming in 2011 that online voting is impossible to secure, seven years later there are new technological breakthroughs which could potentially make the vision for secure online voting a reality.
The most promising of these new technologies is blockchain. The Voatz app being tested in West Virginia and the STAR Vote program in Texas both utilize blockchain technology. One of the primary value propositions for blockchain technology is its tamperproof data integrity, which could be used to preclude voter data tampering and thwart election hacks.
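To make the data-integrity property above concrete, here is an added example (not code from Voatz, STAR Vote, or any real voting system) of a hash-chained log of ballot records and the check that detects a changed record. It is a single-writer hash chain rather than a distributed blockchain with consensus, and every record, field name, and function name in it is a constructed assumption.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first block


def block_hash(index, prev_hash, record):
    """SHA-256 over a canonical JSON encoding of one block's contents."""
    body = json.dumps({"index": index, "prev": prev_hash, "record": record},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_chain(records):
    """Link each record to its predecessor through the predecessor's hash."""
    chain, prev = [], GENESIS
    for index, record in enumerate(records):
        digest = block_hash(index, prev, record)
        chain.append({"index": index, "prev": prev,
                      "record": dict(record), "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, trusted_head):
    """Return "ok", "block N altered", or "head mismatch".

    trusted_head is the final hash as recorded by independent observers;
    it catches a log that was rewritten and re-hashed from scratch.
    """
    prev = GENESIS
    for i, block in enumerate(chain):
        expected = block_hash(i, prev, block["record"])
        if (block["index"] != i or block["prev"] != prev
                or block["hash"] != expected):
            return f"block {i} altered"
        prev = block["hash"]
    return "ok" if prev == trusted_head else "head mismatch"


# Constructed sample records (hypothetical ballot IDs and contest).
RECORDS = [{"ballot_id": f"B-{n:04d}", "contest": "Measure A", "choice": c}
           for n, c in enumerate(["yes", "no", "yes", "yes"], start=1)]

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    head = chain[-1]["hash"]              # value held by independent observers
    print(verify_chain(chain, head))      # untouched log
    chain[1]["record"]["choice"] = "yes"  # stored record edited in place
    print(verify_chain(chain, head))      # the edit is detected at block 1
```

The chain is tamper-evident only relative to a head hash that someone other than the log's operator holds, which is the role replication across independent parties plays in a real blockchain deployment.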
Another technology showing promise for online voting, specifically for voter identification and authentication purposes, is geofencing. This technology incorporates a user’s physical GPS location as an element of identification. For example, if an online voting system were set up in such a fashion that a user was required to register and to vote at home, then his/her vote could only be cast from that physical geolocation.
Working hand-in-hand with these types of election-securing technologies are facial recognition and other biometric verification techniques, like fingerprint scanning. Regardless of how secure we try to make the process of registering to vote and casting votes, back-end voting systems and databases need to employ the highest levels of data security to maintain any credible level of integrity.
The conceptual model for future online voting is for a user to be able to register to vote, be authenticated by a government system as eligible to vote, and then to actually cast a vote via their smartphone (being personally authenticated by facial recognition and geofencing), with all voting information secured by blockchain technology in the cloud, while still producing a printable audit trail.
West Virginia and Texas are well on their way to seeing this type of secure voting become a reality. It remains to be seen how soon other states will follow suit.