5 Steps To Make U.S. Elections Less Hackable

As shadowy actors work to hack U.S. elections, a few simple steps could make electronic voting more secure, says one expert.

AP / JEFF CHUI

AA Font size + Print

As shadowy actors work to hack U.S. elections, a few simple steps could make electronic voting more secure, says one expert.

As shadowy actors work to hack U.S. elections, a few simple steps could make electronic voting more secure, says one expert.

Voting machine vulnerabilities go well beyond what most voters know, warns Dan Zimmerman, a computer scientist who specializes in election information technology. There probably is not time to fix all of those vulnerabilities by November. But there are still things election officials could do to reduce the hack-ability of the U.S. presidential election. Here are his five steps for making the U.S. election less hackable.

1. More federal oversight (and not just on Election Day)

This week’s report sophisticated actors in Russia trying to penetrate voter databases sounded alarm bells about the U.S. election being hacked.

Zimmerman, who works with Free & Fair, a company that provides election-related IT services, says that because most electronic voting machines are not connected to the internet, the threat of remote hacking from Russia is small. The machines are far from secure, however.

“I haven’t observed anything in particular that would make me think somebody is developing some new attack against these machines. Some of these machines were so terribly easy to attack in the first place, essentially, my concern is that some of these machines have been designed in way such that somebody with an eighth-grade level of knowledge of computer science and a little bit of time could hack them.”

It’s an issue that’s been around for years, but lawmakers haven’t done much about it. Bottom line, there’s no federal standard for physical security around voting machines and that makes them very vulnerable. “They could be in a broom closet in a city clerk’s office. There is no federal level oversight other than there is something called the Election Assistance Commission, or EAC. The EAC was established in the early 2000s, basically as a response to the 2000 debacle, and has until recently effectively been a joke,” he says.

The first step could be more federal oversight of how voting machines are stored when not in use, complete with remote monitoring via cameras and other means.

2. Change laws to allow researchers to investigate voting machines

To protect against bugs or vulnerabilities researchers need to be able to investigate the machines for design flaws in code, but that means researchers poking around in code that is deemed proprietary under the Digital Millennium Copyright Act. Zimmerman calls the act “the blanket legislation that companies hide behind when they want to hide their source code.” Some recent exemptions exist for research into voting machines, but they are too recent and too few to have an impact in this election, says Zimmerman.

“Understandably academic and other interested parties are reluctant to do this sort of work in large numbers because of the threat of being sued into oblivion is pretty compelling,” he said.

3. Fix certification

The small handful of certification laboratories in the U.S. for electronic voting machines are not running serious cyber tests, says Zimmerman. “The level of testing that they do is not really sufficient to ensure that there aren’t any vulnerabilities in the voting machines. They will take a voting machine and they will test it to make sure that it counts votes correctly under their laboratory conditions. They will test it to make sure that it functions at different temperatures, that it can run for a certain amount of time on battery power, that the screen operates properly within certain tolerances.”

It’s not exactly Russia proofing.

4. Get a paper trail

If an electronic voting machine doesn’t print out a paper receipt then there’s just no way to be certain that the machine or the results have not been tampered with. Regardless, many states and jurisdictions, including certain parts swing states such as Pennsylvania and Florida don’t require voting machines to have a paper trail, according to data compiled by Verified Voter. Having a printed record allows for what Zimmerman calls a risk-limiting audit. After the votes are in, officials doing such an audit match a small random sample of printed receipts with what’s in the machines, since each ballot has a number.

“It’s been done Colorado, California, a couple of other places to very good effect. It’s quite an affordable thing to do for election officials,” says Zimmerman.

5. When all else fails send in a strike force

This year’s presidential election presents, if not a high likelihood of voter fraud and disenfranchisement, certainly a high chance of those allegations. In jurisdictions or polling places where vote tampering is suspected, Zimmerman recommends the rapid deployment of what he calls an Election Strike Force, a group of technical experts capable of solving problems and answering questions before the angry masses resort to chair throwing. “Think about the way that FEMA responds to natural disasters, only in this case it’s responding to electoral disasters. If there is a jurisdiction where something goes wrong with the machines, or where you have reason to believe that something is going wrong with the machines, there would be a team of cybersecurity experts,” he says.

Of course, before you can make electronic voting more secure, you first have to admit it’s less than secure right now. Not every state is excited to allow in the feds to help with electronic voting. As Nextgov reported recently, Georgia recently rejected an offer from the Department of Homeland Security to help secure the state’s voting machines.  

Close [ x ] More from DefenseOne
 
 

Thank you for subscribing to newsletters from DefenseOne.com.
We think these reports might interest you:

  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care

    Download
  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Top 5 Findings: Security of Internet of Things To Be Mission-Critical

    As federal agencies increasingly leverage these capabilities, government security stakeholders now must manage and secure a growing number of devices, including those being used remotely at the “edge” of networks in a variety of locations. With such security concerns in mind, Government Business Council undertook an indepth research study of federal government leaders in January 2017. Here are five of the key takeaways below which, taken together, paint a portrait of a government that is increasingly cognizant and concerned for the future security of IoT.

    Download
  • Coordinating Incident Response on Posts, Camps and Stations

    Effective incident response on posts, camps, and stations is an increasingly complex challenge. An effective response calls for seamless conversations between multiple stakeholders on the base and beyond its borders with civilian law enforcement and emergency services personnel. This whitepaper discusses what a modern dispatch solution looks like -- one that brings together diverse channels and media, simplifies the dispatch environment and addresses technical integration challenges to ensure next generation safety and response on Department of Defense posts, camps and stations.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download

When you download a report, your information may be shared with the underwriters of that document.