“If there has ever been a clarion call for vigilance and action against a threat to the very foundation of our democratic political system, this episode is it,” former Director of National Intelligence James Clapper told senators in May.
Clapper’s warning about the impact of Russian interference in the 2016 election and the potential damage from future cyberattacks around the world packed a particularly powerful wallop.
Over the next few days in Las Vegas, a group of white hat hackers will run a “Voting Machine Hacking Village,” using real U.S. voting machines to back up Clapper’s alarm with a demonstration of the vulnerability of some of our voting systems.
This private effort, part of DEF CON, the world’s largest hacker convention, highlights a serious public problem: our election infrastructure was attacked and will be again; our federal and state governments must do much more to protect our most cherished right as Americans, our vote.
Voting machines that produce no voter-verified paper record of each ballot are in use in at least part of 15 states. With no paper record, it’s impossible to audit electronic tallies to detect malware that can alter votes or vote totals.
Just as bad, even in states using machines with voter-verified paper records, most don’t have voting machine audit processes that could detect malware designed to flip the outcome.
Well-resourced hackers, whether funded by foreign governments or criminal syndicates, have the access and ability to infect computerized voting machines and tallying systems across the United States. This can occur even if the machines are not connected to the internet. Attackers can, for example, deploy software like Stuxnet and Brutal Kangaroo to target “off line” voting machines.
Our collective failure to address this situation is a national embarrassment. Every eligible American – Republican, Democrat, and independent – deserves convenient access to the ballot box and to have their votes counted as cast.
Unfortunately, unclassified U.S. intelligence community assessments and reports of recent hacks make it clear that foreign nations are bent on demolishing this bedrock freedom. The assessment of the U.S. intelligence community is that hackers working for the Russian government gained electronic access to state and local election boards across the country last year. An official of the Department of Homeland Security has testified that the Russians targeted 21 states’ election systems in 2016.
Other countries have responded much more quickly than the United States to the threat of cyberattacks. Their leaders understand that this is a new day – a paradigm shift. When the Netherlands found evidence this year that the Russians would try to interfere with their elections, Dutch leaders switched from machine counting to hand counting their ballots. The French have stopped all internet voting (which was only in use for parliamentary elections) and the British already count ballots by hand, as do the Germans.
The United States has not taken such measures. The Department of Homeland Security’s designation of our election systems as “critical infrastructure” is a step forward but far from adequate. In every state, we also need:
- Voting machines that produce a voter-verified paper record for every vote. The ballot counted must be the ballot that the voter marked.
- Robust, risk-limiting post-election audits of electronically tallied outcomes. To detect malware-altered electronic tallies, election officials must hand count enough ballots to confirm the electronic outcome. Colorado will begin using these sophisticated auditing methods this November.
- A ban on the use of electronic mail (email, web-based platforms) in the voting process. We must listen to security experts who have shown that votes cast via email or a web-based platform can be hacked, altered and deleted. Because voters have no way to “check” whether their ballots were recorded correctly, ballots sent by this process are especially at risk.
The hacker community at DEF CON is shining a much-needed light on the weakness of our voting machines. But where is the leadership of our government in thwarting the next foreign attack? The good news is that we know what must be done. The attacks on our election infrastructure are high tech, but much of the defense is low tech. Everything that needs to be done countrywide is already being done in some states. Getting all 50 states to adopt the machinery and practices needed to counter the next round of cyberattacks is the next step. But it will require resources and commitment.
If there was ever a situation that demanded leaders who put country over party, this is it. At every critical juncture in our history, Americans have found and empowered such leaders. We can do it again, but we don’t have a moment to waste.