In October 2016, the Risk Management cover story “Hack the Vote: Cyberrisk at the Ballot Box” highlighted many of the vulnerabilities in America’s election infrastructure. Continuing investigation in the wake of that election has made the stakes clearer than ever. Two years later, many of the vulnerabilities still remain, and many of the threats are a lot more real.
In 2016, we knew there were many potential vulnerabilities in the voting system. Many were hypothetical or speculative, some sounded paranoid, others were clear but under-appreciated weaknesses stemming from the widespread use of old, unpatched technology. There may have been alarm but not total surprise about the problems posed by yet another form of crumbling infrastructure.
In 2018, some of those risks are no quite so longer hypothetical. Whether in revelations about the extent of meddling in the 2016 presidential election or in proof-of-concept hacks by researchers testing for weaknesses, there are documented vulnerabilities throughout the system. Every part of the election process can be hacked, from voting machines and electronic pollbooks to voter registration databases and election websites that publish results, each threatening to erode public sentiment and confidence in the integrity of one of our most fundamental institutions.
The systems that make up our election infrastructure are now receiving increased scrutiny from lawmakers, a concerned electorate and security researchers. Indeed, last year’s DEF CON—one of the world’s top hacking conferences—featured the first-ever Voting Village, where organizers presented about 30 pieces of various election equipment and invited attendees to see what they could do. In a nondescript room in the convention center at Caesar’s Palace in Las Vegas, interested hackers of all ages, education levels and professional backgrounds brought their laptops and soldering irons to examine machines still widely in use, hunting for vulnerabilities. The first hack took 90 minutes. Whether it was through old, unpatched software to address known exploits, Wi-Fi access, default password use, exposed ports that could be used to plug in and install malicious software on the machines, they found means of hacking every item in the room through wireless, networked, and hardware attacks. They even found actual unencrypted voter data of hundreds of thousands of people—and these were machines that had simply been purchased on eBay.
Proof-of-concept hacks and the ongoing revelations about Russian interference in the 2016 election aside, this does not mean that elections have successfully been hacked wholesale, that votes are routinely changed, or that democracy is now an illusion.
Indeed, it is still hard to exploit vulnerabilities in the wild and especially hard to do so at scale. State and local election officials are quick to point out that basic security measures and oversight mitigate against some of the more intrusive hacks that require periods of physical access. Common practices like using poll monitors and locking equipment up when not in use are not insurmountable, but they are effective, and overall, the entities charged with running America’s elections do a very good job of mitigating a wide range of risks with acutely limited resources.
But real risks remain and—crucially—are less adequately mitigated against than they could or should be. In addition to improved technology and increased funding, key risk management processes can help fortify the voting system and ensure the accuracy of its results.
The More Things Change, The More They Stay The Same
Spurred by the ongoing revelations about vulnerability and interference from the 2016 presidential election, some progress has been made. The intelligence community widely agrees that there was foreign interference in the last election, and National Security Advisor John Bolton warned in August that there are increased meddling efforts around the upcoming midterm elections from not only Russia but also China, Iran and North Korea. “Election security wasn’t a mission we envisioned for the department when it was created, but it’s now one of my highest priorities,” Department of Homeland Security Secretary Kirstjen Nielsen said in September. “And in the past two years, we have worked hand-in-hand with state and local officials to make our election infrastructure more secure than ever.”
Players across the public and private sectors are sharing information and resources like never before. Universities are dedicating both their expertise and advocacy, offering resources to campaigns and election officials through public interest programs like the Defending Digital Democracy Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs. There are threat-sharing initiatives between tech companies and government entities, intelligence organizations are on high alert, and all 50 states have joined a monitoring and information-sharing system called the Multi-State Information Sharing and Analysis Center (MS-ISAC). The majority of states have deployed Albert sensors that detect intrusion on state and county networks, and DHS reports network security sensors will be in place on election infrastructure for 90% of voters by the midterm election.
In January 2017, the voting system was finally declared part of the country’s critical infrastructure, allowing the Department of Homeland Security to offer state and local officials services to reduce both cyber and physical risks—when requested—on a prioritized basis. DHS is working on improving communication between federal and state officials around the resources available at the states’ request and pushing intelligence and threat alerts out to state and local stakeholders. The chief election official of every state can apply for the top secret security clearance necessary to be fully briefed on cyber threats and request two more for senior staff. As of the end of August, states were in varying stages of this process, with about 100 out of 150 approved.
But many fundamental problems still remain. While it is now critical infrastructure, the voting system is unregulated at the federal level—oversight bodies like the Election Assistance Commission (EAC) only suggest best practices and offer additional resources. In some ways, this can help insulate against threats to the whole system, but it also introduces risks, with everything from equipment purchasing to poll worker training to registration databases operating under a patchwork of more than 9,000 state, county and city jurisdictions.
According to the Brennan Center for Justice at NYU School of Law, in 43 states and the District of Columbia, some residents still use machines that are no longer even manufactured, and 41 states use equipment that is at least a decade old. Particularly troubling, 13 states still use paperless voting machines, which are widely considered the riskiest option as they leave no physical record or auditable trail of the software-generated vote totals in the event of either an accidental outage or outright tampering. Five use these machines statewide. Virginia is the only state that has decertified such machines since the 2016 election. In states that do have paper records, only 26 require election officials to conduct post-election audits of these ballots (widely considered a best practice) and in many states, the center reports these audits are “not comprehensive enough to be likely to detect the use of election-changing software.”
In March, Congress authorized $380 million in funding for the states to invest in fortifying election infrastructure. Experts believe, however, this is only a down payment on critical improvements, and efforts to pass measures extending additional funding have failed in both the House and the Senate. Per the Help America Vote Act, this funding is divvied up by state population, not necessarily by need. As a result, in the 13 states that most critically need to replace voting machines, this funding may cover as little as 15% of the cost for a state just to replace the paperless machines in use. According to estimates from the Brennan Center and Verified Voting, for example, Pennsylvania needs $50.4 million to $79.1 million just to replace paperless electronic voting machines statewide, yet it will receive roughly $13.5 million in this round of funding from Congress. Only six states (Alaska, Arkansas, Delaware, Louisiana, North Dakota and Pennsylvania) plan to use the entirety of their allotted funds on new voting equipment.
Such decisions about how to allocate the aid money are not specified by Congress or governed by the EAC’s guidance. Instead, it is up to the discretion of state officials who must consider a range of critical fortification measures, including cybersecurity training and assessments, hiring IT personnel, updating software, making upgrades and improvements to the security of voter registration databases and election websites, and conducting post-election audits. And there is a critical need to fund these too, as many basic cyber hygiene considerations are addressed inconsistently, and while every cybersecurity expert will list end users as the greatest risk to their system, education remains a critical gap. For example, according to Microsoft’s “From Policy to Practice: Strengthening Cybersecurity in State Governments,” only 18 states currently require cybersecurity training for all employees.
Developing Mitigation Strategies
As for so many other entities, potential cyberthreats can seem endless, and staying abreast of the latest cyberrisk developments, assessing their severity and probability, and developing a plan to best channel limited resources into mitigation strategies can seem an impossible task. Indeed, the public entities challenged with managing these risks must apply their acutely limited budgets to well-resourced, ever-evolving threats. But there are clear and actionable means of further reducing risk in practice.
In order to shore up election security, the Brennan Center has offered formal guidance on prevention and response planning for several specific risks, highlighting the scenarios it considers both most likely to happen and most feasible to mitigate against. These are: electronic pollbook failures and outages, voting equipment failures, voter registration system failures/outages, and election night reporting system failures or outages, as well as communication strategies around any or all of the above.
As in 2016, experts agree that one of the most important risk reduction measures is actually scaling back the reliance on technology and ensuring the use of paper ballots, reviewed in-precinct via optical scanning. They advise replacing the riskiest machines—those that do not generate such ballots and, in turn, an audit trail—should be the top priority for election officials. Mandating risk-limiting audits would provide further assurance and minimize the possibility that significant tampering could go undetected. To that end, Secretary Nielsen said in September, “I am calling on every state in the Union to ensure that by the 2020 election, they have redundant, auditable election systems. The best way to do that is with a physical paper trail and effective audits so that Americans can be confident that—no matter what—their vote is counted and counted correctly.”
Back-end systems also require increased focus. Voter registration databases are repositories for volumes of valuable information and are vulnerable like any other database, and back office systems face the same array of cyberrisks as any enterprise, from phishing to basic operational outage. The systems that facilitate elections are also vulnerable. Pollbook machines, for example, can be tampered with to add or delete voters, impacting who is allowed to cast a ballot when they show up to their polling place. Provisional ballots can be used in such an event, but this can cause significant disruption and could deter voters who do not have the time or do not understand the issue and options for recourse. The state of Georgia is actively engaged in legal action with voting rights groups over similar problems from the 2016 election, where voters discovered inconsistencies in registration status that challenged their ability to vote when they showed up at the polls, among other issues, although it is unclear whether that was due to outside tampering.
Ancillary components of the election system can also introduce confusion or chaos on election day. At this year’s DEF CON, the Voting and Packet-Hacking Villages teamed up with r00tz Asylum, a program at the conference for children to learn hacking skills, to explore the vulnerability of replicas of secretary of state websites from a number of swing states. In an official statement on the event, the National Association of Secretaries of State said, “While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.” Indeed, this is not a way to hack voting machines, but as government websites that report results and form the basis of election night reporting, they represent one of the most public components of the election process. Merely publishing incorrect results could undermine the integrity of an election. Yet these sites receive little attention and none of the best practices released since the 2016 election address such a scenario, the village organizers reported. Of the 39 children involved, 35 were able to complete an exploit, tampering with vote tallies and changing candidate names, with one 11-year-old succeeding in a mere 10 minutes.
Given the range and volume of potential threat vectors, many experts are urging that election officials focus some of their efforts on incident response and detailed contingency planning. Advocacy groups and other third-parties have been active in channeling expertise into free resources to encourage state and local officials to develop stronger crisis response plans that incorporate the latest research and best practices. The Brennan Center, for example, has released a toolkit for election officials and a planning checklist, emphasizing the critical need for contingency planning. The Harvard Kennedy School’s Defending Digital Democracy Project also released several practical guides to cybersecurity best practices for campaign and election professionals and issued three additional guides for election administrators this summer.Federal officials are also emphasizing the importance of risk management strategies in preparing for the midterms. In August, DHS hosted “Tabletop the Vote 2018,” a three-day election cybersecurity exercise to examine, practice and strengthen existing crisis response plans, educate officials on the resources available, and further connect stakeholders including federal and state officials, law enforcement, intelligence agencies and private vendors. Participants included officials from 44 states and the District of Columbia, the Election Assistance Commission, and law enforcement and intelligence agencies including the FBI, NSA and the U.S. Cyber Command. Rather than simulate a specific cyberattack, they practiced responding to a range of potential scenarios, including malware infections of voting machines or election management systems, denial-of-service attacks on board of election websites and spearphishing attacks on campaigns. Critically, given the sophistication of threat actors, they focused on the multi-dimensional nature of attacks, adding in the layers of social media manipulation and the challenges of communicating with the public. Indeed, this exercise and others like it routinely emphasize the need to develop stronger communications strategies as part of any incident response plan to assure voters of the integrity of an election.
States are also taking action. New York has brought together state and local election officials and law enforcement to conduct detailed tabletop exercises and practice incident response. California dedicated $134 million in this year’s budget to upgrading or replacing voting systems, as well as $3 million in additional funding to create the offices of Election Cybersecurity and Enterprise Risk Management. The state’s Enterprise Risk Management Office is specifically tasked with coordinating efforts between the secretary of state and local elections officials to reduce the likelihood and severity of cyber incidents and establishing best practices for cyber incident response.
Many third parties are also stepping in to provide officials with additional resources. Initiatives from academic institutions are making research and best practices widely available, and some private tech companies are pitching in with threat intelligence and security tools or guidance, such as Microsoft’s Defending Democracy program. The security research community also presents great opportunity for identifying and mitigating risks, and the runaway success of Voting Village at DEF CON in both 2017 and 2018 highlighted the tremendous talent and interest many hackers have to channel into helping a cause that acutely lacks resources. Indeed, even a volunteer effort like Voting Village would likely demand more resources than states alone could handle. According to its organizers, they not only donate their time and expertise, they actually lose money running it. At the end, their findings and mitigation recommendations are reported in detail to both election officials and voting machine manufacturers. As election cybersecurity expert and village co-founder Harri Hursti noted, “They can only mitigate against vulnerabilities they know about,” so the hackers’ goal is to push for higher security and, in turn, greater confidence, at a faster pace than the one currently taken without outside pressure.
But ultimately major changes do require investment, and federal funding continues to come up short. Congress has repeatedly failed to pass measures allocating additional funds to help fortify voting infrastructure beyond the $380 million in March, even as warnings increased with the approaching midterm elections. In fact, during a panel at DEF CON, California Secretary of State Alex Padilla said that, while he appreciates the money appropriated by Congress, “the money that came to states is not new money—it’s the remaining Help America Vote Act dollars, appropriated last month but authorized 15 years ago, in the wake of Florida 2000. That’s butterfly ballot hanging-chad money, not cyberthreats in 2016/2018/2020 money.”
Unfortunately, given the limitations of both budget and time, a significant amount of the resources being allocated by the EAC and various initiatives from the government and private sector will primarily go toward fortifying for the 2020 elections, not the 2018 midterms. Experts agree that funding alone should not and does not mean that states and municipalities cannot take serious action now, however. Replacing legacy infrastructure is critical, but fundamental risk management processes can still significantly reduce risks when voters hit the polls this November.
“We have a choice right now,” said Lawrence Norden, deputy director of the Brennan Center’s Democracy Program. “We can either bemoan the rise in cyber threats against our elections, or act today to implement simple, common-sense security plans to ensure that everyone can vote this November and that all votes are accurately counted. While there is still much to do to upgrade and replace the country’s most vulnerable election infrastructure, there are basic steps election officials can take to protect our system from hacks or even basic failures on Election Day.”