Election security continues to be an issue of national security. Russia attacked the United States in 2016, and it is doing so again now.
I am from Georgia, and my home state is one of the most vulnerable in the nation. It is so bad that citizen activists filed a lawsuit to try to force Georgia to take action and secure its outdated and insecure voting machines that lack a paper trail. But in September, U.S. District Judge Amy Totenberg ruled that, despite valid and serious election security concerns, Georgia can continue using touchscreen voting machines for the midterm elections this year. These machines are known to be vulnerable to hacking—an ever more serious concern following Russia’s 2016 attacks and the assaults it continues to wage today, none of which have been sufficiently addressed.
Russia’s role as an aggressor is not debatable. In January 2017, the U.S. intelligence community unanimously concluded that Russia interfered throughout the 2016 election season to help then-candidate Trump. This interference took the form of extensive propaganda campaigns carried out by Russian agents, including thousands of political ads on Facebook that reached a total of 126 million users, 1.4 million tweets on Twitter, and 1,100 videos on YouTube containing Russia-linked content. Moscow also hacked about 20 U.S. state election systems and, though no evidence has yet emerged to confirm that vote tallies or voter information were manipulated, Russia undoubtedly was “in a position” to do so, according to the U.S. Senate Intelligence Committee.
As Director of National Intelligence Dan Coats confirmed earlier this year, this threat from Russia has not gone away. He recently re-emphasized this fact, saying, “The warning signs are there. The system is blinking.” And each day brings new stories about these ongoing attacks and our vulnerable election infrastructure, with the Justice Department just the other week charging a Russian woman with conspiracy to defraud the United States for her current acts to manipulate voters on social media.
In order to push states to improve election security in the midst of such a clear foreign threat, Congress in March passed a funding bill that included $380 million for states to, for example, purchase more secure machines, conduct audits, and improve training on election cybersecurity. Yet, the majority of states have failed to use the funds to fix glaring security concerns: Most states conducted no post-election audits to search for signs of interference, and only 13 states said they would buy new voting machines. Meanwhile, only 18 states have taken the Department of Homeland Security (DHS) up on its offer for risk and vulnerability assessments. This inaction is largely due to states requiring additional funding in order to conduct these comprehensive security risk assessments and build or update expensive voting infrastructure, as well as prepare for the future. But then, during the summer, congressional efforts to provide further funding failed, leaving the U.S. Election Assistance Commission without important grants that would have helped to improve the security of our election systems.
Georgia, in particular, demands a closer look due to its failure to bolster election systems despite known vulnerabilities; the state is a case study in what not to do in order to carry out a secure election. Georgia’s Secretary of State Brian Kemp — the only state election official to refuse security assistance from DHS prior to the presidential election — insisted that the state’s election systems were not vulnerable to Russian interference in 2016 and that Georgia was not even targeted. However, paragraph 75 of the July 2018 indictment against 12 Russian intelligence officers revealed that Russia did, in fact, target Georgia.
Kemp’s failure to take the cyber threat from foreign adversaries seriously during his time in office was characterized by Judge Totenberg in the September ruling as elections officials having “buried their heads in the sand.” Now, Kemp stands as the Republican nominee for Georgia’s governor, meaning he is overseeing the very election in which he is a candidate, a fact that prompted former President Jimmy Carter, a global advocate for election transparency, to call for Kemp’s resignation. At the very least, Kemp should recuse himself from the vote-counting process — just as Kansas Secretary of State Kris Kobach did in the state’s primary — and appoint an unbiased person in his stead.
Evidently, Georgia has in place an especially vulnerable centralized election system, leaving the door essentially wide open for Russian hackers, and the state, with Kemp at its helm, has done little to nothing to secure and upgrade its system. Georgia is one of five states—alongside Delaware, Louisiana, New Jersey, and South Carolina—that rely on paperless electronic voting computers, which top cybersecurity experts say are a serious vulnerability. These touchscreen computers do not have a paper component; therefore, it is impossible to conduct a recount or audit of election results, given that no independent record (or paper) to double-check accuracy exists.
The vulnerabilities in these machines became very clear in August 2016 when Logan Lamb, a cybersecurity researcher, discovered that, due to a misconfiguration on a server, he could easily download records for all of Georgia’s 6.7 million registered voters. He obtained data such as voters’ birth dates, driver license numbers, and partial Social Security numbers, as well as county documents with instructions and passwords for workers to use to log in to a central server on election day and software files for the devices used by workers to verify a voter’s registration. Lamb also gained access to databases used to prepare ballots, count votes, and summarize vote totals. The misconfigured server, Lamb determined, could easily be exploited by hackers in order to manipulate Georgia’s centralized election system.
The takeaway from Lamb’s discovery is that any minimally competent hacker could easily have gained access to a server that was wide open to the internet and not only seen the private information of every Georgia voter, but also changed, stolen, or manipulated software that operates the entirety of Georgia’s election system, from registration to casting ballots on electronic machines to counting the votes. Even worse, when Lamb told the state of the vulnerability, it did nothing, as was made evident when, several months later in February 2017, another cybersecurity researcher repeated exactly what Lamb had done and was still able to download all the aforementioned information.
Clearly, this type of system requires, at a minimum, vigilance and sophisticated oversight. Georgia currently has nothing of the kind—and that may be true in other states as well.
Targeted by Moscow
We do not know with certainty if vote tallies or voter registrations were changed in Georgia, or in the approximately 20 other states surveilled by Russia in 2016. Yet, we know the risk is real and vulnerabilities may have been exploited. For Georgia and the seven other state election systems known to have been not merely surveilled but compromised by Moscow — Alaska, Arizona, California, Florida, Illinois, Texas, and Wisconsin — the ability to audit election results is crucial. Election security experts warn that these systems could be manipulated by malicious software designed to remain resident and undetected until triggered. Essentially, that means that hacking that occurred in 2016, or later, could compromise this year’s election as well as future elections.
To ensure the security of the United States from foreign interference in our elections, the electronic voting machines, particularly the ones that do not leave a paper trail, should be eliminated, and states should turn back to a paper-based system. According to experts, hand-marked paper ballots with optical scanners to read the ballots and tally the results are the most secure method: hand-marked to guard against the “hanging chad” problems of past elections; paper ballots to ensure an accurate audit can be conducted regularly; and scanners to mitigate human error in counting.
Direct-recording electronic machines (DREs), such as the touchscreen machines used in Georgia, that do not leave a paper trail are, as already shown, far too risky, and must be retired. While some DREs do leave a paper trail, the machines themselves remain open to local as well as remote hacking over the internet and still pose a security risk. Online voting, meanwhile, is also very risky, given that ballots are transmitted over the internet, where hackers can manipulate election results much more easily than if they had to gain access somehow to paper ballots, and that there is no paper record for audits. Online voting also opens up a host of issues related to the constitutional requirement of voter confidentiality, since online activity can be tracked and mapped back to specific locations, including a voter’s home.
Despite continued doubt from the White House, it is indisputable that Russia attacked our 2016 presidential election and is doing it again now. We must do better to secure our democracy from these attacks by foreign adversaries. That starts with states, supported by the federal government, taking action. Specifically, states should be vigilant in safeguarding their elections, and all states should use paper-based systems (preferably with ballots that are hand-marked by voters) and robust, post-election audits.
As has been said, democracy isn’t in the casting of the votes — it’s in the counting. We need to ensure that our system is secure and every ballot is counted correctly.
IMAGE: An election support specialist checks voting machines for accuracy at the Miami-Dade Election Department headquarters on August 8, 2018 in Doral, Florida. (Photo by Joe Raedle/Getty Images)