This article is a part of BG BrandLab’s Cybersecurity Special Report, meant to provide insights about today’s cyberthreats and the steps readers can take—as  individuals, employees, and decision-makers—to protect against them.

When Iowa’s Board of Examiners for Voting Machines and Electronic Voting Systems was reorganized by the Secretary of Statein 1994, the goal was to improve the evaluation of new voting machines which contained embedded computers. The reorganization plan required that one board member be familiar with computerized systems, so a call was made to the high-tech sector for expertise.

“It turns out I was the only volunteer,” recalls Douglas W. Jones, an associate professor of computer science at the University of Iowa.

Jones went on to devote the next decade to the Board of Examiners and was eventually recruited to join the federal Election Assistance Commission to establish technical guidelines as part of the Help America Vote Act (HAVA) of 2002. Over the years, he watched as a continued absence of technical proficiency grew into a dangerous vulnerability, even as HAVA allocated more than $3 billion in federal funds to update voting equipment and procedures in the wake of the 2000 presidential election controversy.

Most US election jurisdictions are small and have very little technical expertise, but they are administering systems where security is critical. “There’s an old dictum in the field of computer security: ‘Anything which a deliberate attacker can do can also be done by a well-meaning, but erroneous user.’ The incredibly brilliant attack can sometimes happen by accident by a naïve user making a mistake,” Jones says.

Back in 2003, across the west in Santa Clara County in California, another computer scientist was also calling for election fortifications. David L. Dill, professor of computer science at Stanford University, argued that the new wave of direct-recording electronic (DRE) machines should be equipped with a voter-verified paper trail.

His petition would lead to the creation of the Verified Voting Foundation, a nonprofit organization dedicated to the accuracy, integrity, and verifiability of elections by advocating for the responsible use of technology in them. “Computer scientists were the first to understand that the transition to computerized voting systems was opening up a set of vulnerabilities,” recounts Marian Schneider, president of Verified Voting Foundation and deputy secretary for elections for Pennsylvania in 2016.

These weaknesses came into stark focus when Volume One of the Senate Intelligence Committee’s “Russian Efforts Against Election Infrastructure” report revealed that the “Russian government directed extensive activity, beginning in at least 2014 and carrying into at least 2017, against US election infrastructure at the state and local level.”

Finally, those sounding the alarm since the early aughts were being heard. Schneider explains how after 2016, “it became clear that the risks we were talking about for years and years were not hypothetical, but actually real and persistent.”

The committee’s report concedes that cybersecurity for electoral infrastructure at the state and local level was “sorely lacking” in 2016, highlighting that antiquated voting equipment that did not have a paper record of votes was particularly “vulnerable to exploitation by a committed adversary.”

Threats have not dissipated. Boston-based cybersecurity firm Carbon Black’s November 2018 Global Incident Response Threat Report found cyber attacks increased before the 2018 midterm elections. Many of these attacks were politically motivated and included attacks tailored to specific targets and intended to cause system outages and destroy critical data. China and Russia were responsible for 41% of incident response investigations.

Tom Kellermann, Carbon Black’s chief cybersecurity officer, explains the dark web exasperates the threat to election security as perpetrators can use it to sell stolen election-related data and connect with hackers willing to conduct espionage campaigns.

Paper ballots

Part of our cyber defense just may be paper. According to Schneider, paper ballots are crucial because they cannot be altered by software, thus they can serve as a reliable reference for a risk-limiting audit, a method of randomly sampling paper ballots to ensure the computer software operated properly.

As deputy secretary for elections in Pennsylvania, Schneider increased the frequency of backups for the voter registration database, storing them offsite in addition to on the network. Her electoral administration was prepared to recover from an event in a matter of hours. Jones proudly remembers how Iowa rolled back the use of touchscreen devices to paper ballots in the early 2000’s, reserving their use for assistive support only.

Since Schneider defines the collecting and auditing of paper ballots as a critical “disaster recovery system for voting systems,” she calls out the wide variability of voting systems on a state by state basis, noting only Rhode Island, Colorado, and New Mexico perform risk-limiting audits.

Elections range from the federal to municipal, but the jurisdictions that control the voting procedures on the ground level are always local. Without sustainable funding on behalf of every branch of government, poorer communities suffer an outsized lack of technical personnel and resources to protect their process.

Bracing the weakest links

In the race to leverage internet networks to manage voter registration databases, expand access to voters, and disseminate election results, modern voting machines have purposefully remained without a direct connection to the internet. However, this does not guarantee immunity. “The one thing to remember,” Jones cautions, “is that viruses came into existence before the internet,” meaning there are other means for malware to be transmitted to voting machines.

For example, inserting a USB into a voting machine’s port to extract and transmit voter tallies introduces opportunities for unwelcome interference. Jones emphasizes the simplicity of such tactics: “Someone sticks a flash drive in a machine that is attached to the internet, writes some files onto that flash drive, carries it over to the machine that’s not attached to the internet and copies those files onto that machine.”

In fact, any technology with a USB drive has an insoluble security problem. Jones also notes that it is hard to tell when a USB device has been tampered with. “Some of them are even vulnerable to reprogramming on the fly.”

Lurking just outside the perimeter of precinct voting devices lies another, even more direct path for election tampering: electronic absentee voting. Thirty-one states and the District of Columbia allow select absentee voters to vote over the internet, including military members and overseas citizens.

Schneider thinks that is a bad idea. “If I’m a candidate in a close race and you can’t guarantee that those votes aren’t altered on route, I’m not going to be very comfortable with that,” she says. Schneider adds that military and overseas voters face enormous challenges in voting while away from home—we need to find ways to make it easier for them to cast their ballots.

Every state is required to have one central voter registration database for the entire state. But these online voter registration databases, along with polling place lookups and election night return websites, are internet-facing. These peripherals afford more than enough influence to sway a tight election outcome if manipulated, regardless of whether the core voting machines are successfully siloed. Perhaps election results are offset to portray a race as already won, suppressing turnout for the other side. Maybe voting location details are switched in swing counties.

“Imagine what would happen,” Jones considers, “if Russia or North Korea or Iran filed absentee ballot requests on behalf of a bunch of people and had those ballots mailed to the middle of nowhere. Suddenly you show up at the polls on election day and you can’t vote because you already requested an absentee ballot. That could be a devastating attack.”

Schneider reminds that the risks above are just that—risks, not certainties. Fear-mongering is not productive, but there is value in discussing, and implementing, ways to mitigate threats.