11 Oct Election Security in the United States
To make an already intriguing (that’s the best euphemism we have) election cycle even more dramatic, there’s been talk of a “rigged” election and reports of hacked voter registration and campaign email systems. It’s all enough to make one want to hide under the covers until November 9th or maybe 2020. But, if we value our democratic process, we should not retreat because of election security rumors. Before we give in to scary rhetoric, let’s step back and try to assess the realities of the voting system and what the risks of mischief truly are.
In the wake of hacks of voter registration databases in two states (AZ and IL) and of the Democratic National Committee’s (DNC) email system, there is new concern about efforts to influence and change the results of America’s elections. This has led to a more public discussion and focus on the security of our election process, including two congressional hearings held by the House Committee on Science, Space and Technology and the House Committee on Oversight and Government Reform to examine the threat. The key points made by the nine expert witnesses during the hearings give insight into how elections are run, what protections against mischief currently exist and where some vulnerabilities remain. We’ve summarized the facts and testimony for you on election security:
- Hackers breached voter registration databases in Illinois and Arizona, but the hackers did not change any voter information. No information was deleted or added, only copied (in IL). Arizona detected and stopped the breach.
- Voter registration systems are attractive hacking targets due to the personal information they house that may be used for identity theft, not just because they are election-related.
- In the case of the DNC email compromise, it’s important to note that campaign offices are not part of the voting system. Campaigns are private, not public, entities. While a hack of a campaign might allow access to sensitive information that could be shared to sway public opinion or alter election strategies, it does not affect the integrity of the voting system.
- States are on high alert given the recent hacking attempts on voter registration databases. They are reviewing their systems and asking for assistance. States are learning from these incidences.
- The Department of Homeland Security (DHS) offers assistance to states to assess vulnerabilities and provide suggestions to address potential problems.
- Voter registration databases are regularly backed up (in most states daily), so if tampered with, there is a recent record of registered voters to fall back on.
- Anyone that shows up to vote and has an issue with their voter registration status still has an option to cast a ballot.
- The voting system is decentralized and run by states and localities. There are about 10,000 election jurisdictions and more than 100,000 polling locations. There is no single point of entry for a hacker to create widespread disruption.
- Voting machines are not connected to the internet, so they cannot be hacked remotely. Tampering with voting machines requires physical access to each machine.
- Voting machines are tested before elections and physically secured, according to state law.
- The Election Assistance Commission (EAC) establishes voting machine testing and certification standards that 47 states use.
- The EAC has distributed best practices information to all state election directors that addresses issues like malware, ransomware, and secure data.
- Most voters (75-80%) will cast their ballot in a way that creates a paper record that can be used as a backup or in an audit to match electronic records.
- Post-election audits of vote results are required in 60% of states (e.g., matching paper votes to digital).
- Votes are certified prior to becoming official. While unofficial tallies may be transmitted via the internet, those results still need to be certified.
- Precincts normally announce vote totals publicly, on site before they are transmitted, so a discrepancy can be identified if the transmission were to be compromised.
- No system is 100% hack proof.
- Voter registration systems that are web-based are vulnerable.
- There are older voting machines still in use that may rely on older software that does not have current updates or security patches.
- Malware could be introduced into voting machines when software is loaded.
- A large scale disruption caused by voter registration tampering could create long lines at polls and discourage voting.
- Any mischief — whether a small scale attack or equipment malfunction — even if it doesn’t affect election results, could undermine confidence in the election process.
- There are still some voting machines that rely solely on a digital vs. paper record, so if tampering occurs, a paper backup wouldn’t be available for votes cast on those machines.
- Military and overseas voters in 31 states may cast ballots via fax, email, or internet.
The integrity of elections in the United States has the attention of many individuals and organizations who are working to prevent tampering and ensure contingencies are in place if anything does go awry. There is room for improved election security, and states and localities should review their systems to ensure they have the best defenses against malicious activity and well-thought-out back-up plans. The decentralized nature of the United States’ system and its independence from the internet make widespread tampering difficult. As one congressional witness noted, there is a difference between what is “probable, possible, and conceivable but not likely.”
If you have any questions about security, get in touch!