The Looming Threat

Here’s a scenario that should keep policy makers awake at night in advance of the U.S. midterm elections:

Russian operatives hack into the voter database of a swing Congressional district in Pennsylvania. They delete hundreds of registered voters from the rolls.

Come election day, frustrated voters are turned away from the polls. Long lines form because of these disputes, discouraging still more legitimate voters from casting ballots.

That night, the hackers commandeer the Pennsylvania jurisdiction’s website. They falsely claim the Republican incumbent candidate wins. The most partisan conservative media outlets run with that story. Only later do elected officials get word out that the website was hacked, and in fact the Democratic candidate won by a narrow margin. That news is seized on by liberal bloggers, who accuse Republicans of acting in bad faith.

To top matters off, there is no paper record of votes for an audit. Amid suspicion and mistrust, neither candidate concedes.

It turns out this one district can tip the balance of power in Washington. Yet no one will budge.

This scenario isn’t far-fetched, says Jake Braun, executive director of the Cyber Policy Institute at the University of Chicago Harris School of Public Policy. Braun, who co-authored a report on vulnerabilities in U.S. voting systems earlier this year, says each element of the election-tampering tale above has occurred in recent years. And if such a stalemate were to arise in today’s hyper-partisan political climate, it would amount to a crisis of democracy beyond anything the country has witnessed in generations.

“It would make Bush v. Gore look like a walk in the park,” Braun says.

From Hanging Chads to Computer Hacks

That 2000 dispute centered on election irregularities that now seem quaint—hanging chads and butterfly ballots. Today, elections officials face a host of challenges that dwarf those from 18 years ago in complexity and geopolitical significance. Many of the threats arise from electronic systems that were meant to replace paper ballots for greater efficiency and voting ease. But experts say our voting process today is highly vulnerable to domestic and foreign hackers, that public officials have not done nearly enough to safeguard the integrity of elections given recent attacks, and that one of the most important reforms is to reduce our dependency on dicey computer systems.

“We need people to trust elections results for the peaceful transfer of power,” says Anthony Fowler, Associate Professor in the Harris School of Public Policy “We definitely need low-tech solutions. We need paper records, and we need those paper records to be preserved.”

Fowler helped lead a recent study of Americans’ attitudes regarding the security and trustworthiness of elections. The survey from the Harris School of Public Policy and The Associated Press-NORC Center for Public Affairs Research discovered that nearly 8 in 10 Americans are at least somewhat concerned about potential hacking of the nation’s voting systems. Overall, 45 percent say they are extremely or very concerned about hacking.

The level of apprehension is roughly similar to American opinions prior to the 2016 presidential election, yet Republicans and Democrats have swapped positions on the topic. Two years ago, Republicans were far more worried than Democrats about the integrity of elections. In this year’s survey, 58 percent of Democrats say they are very concerned about hackers affecting U.S. election systems, compared to 39 percent of Republicans with the same level of anxiety.

Despite widespread unease about the prospect of hacking, Americans aren’t panicking about the election system. Just 22 percent have little or no confidence that votes will be counted accurately, the UChicago Harris / AP-NORC Poll found.

The Security – Participation Trade Off

Fowler believes Americans are right to be worried about election security. He also believes we should balance efforts to ensure elections integrity with experiments to increase participation in voting. In most presidential elections over the past several decades, fewer than 6 in 10 eligible American voters actually voted. “We know that the people who vote are not representative of the eligible voting population,” Fowler says, noting that voters tend to skew old, wealthy and white.

One of the experiments Fowler and others will be watching closely is in West Virginia. Next month, the state plans to allow for voting via smartphone app. The app is based on blockchain, the technology behind bitcoin, and is designed to allow overseas resident and members of the military stationed abroad to cast votes remotely.

Earlier this year, West Virginia’s Secretary of State Mac Warner dismissed concerns that the technology was at risk for vote tampering. “To date I’m not aware of anybody who’s been able to hack blockchain,” Warner said.

While Warner and West Virginia push the envelope with voting by phone, other observers are raising serious questions about the security of existing elections technology. Some of the voices are public officials themselves.

“Threats to the integrity of our elections are constantly evolving. Not too long ago, a primary focus for election officials was securing voting machines. Today, cyberattack vectors have expanded — and so must our defenses,” California’s secretary of State Alex Padilla wrote in an August op-ed for the publication The Hill. “This includes protecting our state voter registration databases, county election management systems, election night reporting websites, state and local government social media accounts and ensuring the information voters consume is accurate.”

Also sharing concerns is Noah Praetz, director of elections for Cook County in Illinois. Praetz told Wired in August that more resources are needed to safeguard our elections systems. "Most election officials have one or two people in their office," Praetz told the publication. "They outsource most of the work they do, and it's really difficult" to keep up with election system-related vulnerability warnings.

It Takes a Voting Village

Praetz and Padilla were among the public officials who attended the computer hacking conference known as DEFCON earlier this year. For the second year, DEFCON featured a Voting Village—a portion of the conference devoted to identifying weaknesses in elections equipment and systems. The event made headlines when an 11-year managed to hack into a replica website for the Florida Secretary of State and alter election results—in a mere 10 minutes.

But in some ways, more disturbing voting system vulnerabilities surfaced at the conference. These are detailed in a report titled DEFCON 26 Voting Village: Report on Cyber Vulnerabilities in U.S. Election Equipment, Databases, and Infrastructure. The study, for example, alleges various flaws in the ES&S M650, an electronic ballot scanner and tabulator made by Election Systems & Software and used in more than 20 states. In under a minute, a researcher at the conference was able to pick the lock on a M650 and gain access to its computer systems and electronics. The report also faulted the M650’s reliance on obsolete Zip Disk data storage technology, claiming it could allow a malicious actor to spread malware across a network of election machines.

Asked to respond to the allegations about vulnerabilities in the M650, a spokeswoman for Omaha, Nebraska-based ES&S said the company is “very focused over the next several weeks on helping jurisdictions prepare for elections.” The company did not provide responses to a set of written questions.

Jake Braun was a co-author of the DEFCON report and helped organize the Voting Village events the past two years. Braun’s interest in elections security dates to his work as a campaign manager for John Kerry in 2004 and later for Barack Obama in 2008 and 2012. “I got, unfortunately, a first-hand look at how under-resourced and poorly run our elections are in many parts of the country,” Braun says.

In particular, Braun was shocked to see that in disenfranchised communities like parts of Detroit people had to wait in poll lines for up to three hours. That meant that some had no choice but to forego voting, because they had to get to work or meet family obligations. Braun also points to the 2012 election, when some 25,000 voter registration applications in Pennsylvania were not processed in time and the delay led some voters to be turned away at the polls.

For Braun, all the snafus suggest that many government leaders are overconfident in their electronic systems. “After 2016,” he says, “I was hearing all these elections officials say, ‘There’s no evidence the Russians hacked our voting systems.’ You don’t even have the resources to register voters.”

Cyber Policy Meets Polarized Politics

That led Braun to connect with DEFCON leaders about putting America’s elections systems to the test. Braun, who served as White House liaison to the U.S. Department of Homeland Security under President Obama, also was inspired to help launch the Cyber Policy Initiative at the Harris School of Public Policy. The CPI aims to study vulnerabilities in voting systems and other issues at the intersection of national security, technology and politics.

Part of the equation today, for example, is President Trump’s downplaying of Russian interference in the 2016 elections. That has led observers to question whether his administration and the Republican-led Congress have devoted enough energy and resources to safeguarding American votes.

The Department of Homeland Security has taken some steps to strengthen cyber defenses related to voting systems. This summer it hosted its own three-day exercise on elections cyber security. Officials from 44 states participated, along with a variety of federal agencies. In addition, U.S. officials have warned Russian operatives against meddling in elections.

In the wake of such pro-active measures Americans should feel confident, argues David Becker, executive director of the non-profit Center for Election Innovation & Research and a former trial attorney in the voting section of the Justice Department’s Civil Rights Division.

“Thanks to the efforts of election officials around the country, the 2018 midterms will be the most secure elections we’ve ever held,” Becker wrote in a recent Washington Post op-ed.

Not everyone shares this sunny view. Braun, for his part, says the state of American elections cyber security is “spotty.” Some jurisdictions, such as Cook County, have taken wise measures to prepare for attacks and their aftermath, Braun says. But in his view many counties and states are susceptible to threats.

Russia, for example, penetrated the voter registration rolls of several U.S. states before the 2016 election—though there is no evidence that the registration rolls were altered. Russia also hacked Ukraine’s election system to declare a pro-Russian candidate the winner. And in October, federal officials alleged that Russians working for an ally of President Vladimir Putin are engaging in a campaign to interfere with the U.S. midterm elections. 

In light of this evidence, deterring Russia and other international adversaries from hacking our elections is critical, Braun says.

“The number one thing is this issue of making the Russians feel they have more to lose by being caught than they do to gain by successfully interfering in our elections,” he says.

The DEFCON report Braun co-authored also has three main policy recommendations for elections security: safeguard voting equipment, protect voting networks and databases and have government agencies coordinate efforts. Among the specific suggestions is verifying voting results through “risk-limiting audits”—postelection checks of a statistically representative number of ballots before results are certified as final.

The report also calls for the universal use of paper ballots marked by hand, enabling a voter-verified paper audit trail.

This low-tech, high-trust tactic could prevent the nightmare scenario laid out at the beginning of this article. And allow public officials to sleep a bit more soundly come election night.