The Real Crisis of US Election Security
Neil Johnson
The ballot box is the foundation of any democracy. It’s not too grand to say that if there’s a failure in the ballot box, then democracy fails.
– The Crisis of Election Security, by Kim Zetter, New York Times
With the United States midterm elections less than a month away, it’s now abundantly clear that the US election systems are vulnerable to attack, despite previous, laudable cybersecurity efforts. In fact, the US midterm elections are already under attack, via false or misleading stories posted and shared on social media, known as disinformation attacks. As the election date approaches and these systems are subjected to further scrutiny, it’s obvious that the US election infrastructure is also vulnerable to more serious subversion attacks, where digital components of the election systems (such as voting machines, voter registration databases, vote tabulation and reporting servers) are targeted and compromised to alter or manipulate the actual casting of ballots and tabulation of results.
How did the US reach this crisis point, where this critical infrastructure is now so vulnerable that every election now seems like a gamble on the very integrity of democracy? Why does the security of these critical systems seem so poor and unreliable? Is there any way to remedy this threat to the most fundamental building block of a healthy democracy, a secure and reliable voting system?
A brief history of digital voting vulnerabilities
In the recent feature article in the New York Times, The Crisis of Election Security, author Kim Zetter traces the history of electronic voting in the US, from the controversial 2000 presidential election between Bush and Gore to today, and illuminates how the problems developed over the last two decades to reach the current crisis:
“The real problems were the machines used to cast and tally votes and the voter-registration databases the Russians had already shown interest in hacking. The entire system — a Rube Goldberg mix of poorly designed machinery, from websites and databases that registered and tracked voters, to electronic poll books that verified their eligibility, to the various black-box systems that recorded, tallied and reported results — was vulnerable.”
The US Federal government has not been idle in the face of these threats, but the response to date has been inadequate, “largely Band-Aid measures [that] don’t address core vulnerabilities in voting machines or the systems used to program them,” says Zetter.
Fixes inhibited by proprietary election software
These problems aren’t new in US election systems, nor are they limited to the US. Why haven’t election officials been able to fix them? Even if they could, is it their responsibility to do so? The primary reason, says Zetter, is proprietary election software:
The voting machines are made by well-connected private companies that wield immense control over their proprietary software, often fighting vigorously in court to prevent anyone from examining it when things go awry.
Presidential candidate John Kerry ran headlong into this after he lost the 2004 presidential race, “following numerous election irregularities,” notes Zetter, notably in Ohio. Determined to find out what exactly had happened, Kerry’s team asked to audit Ohio’s voting-machine software, but was denied access. Kerry explained in a recent interview on WNYC’s “Brian Lehrer Show”:
We were told by the court that you were not able to get that algorithm to check it, because it was proprietary information … the purview of privately owned machines, where the public doesn’t have the right to know whether the algorithm has been checked or whether they’re hackable or not. And we now know they are hackable.
Problems with current voting machines
Today, three privately held commercial companies — Dominion, ES&S and Hart InterCivic — control 80% of the approximately 350,000 voting machines in use in the US.
The voting machine industry is profitable, with around $300 million in annual revenue, but the industry “has long been as troubling as the machines it makes, known for its secrecy,” explains Zetter.
Not only do these companies fight every effort to audit the software that runs their machines, but they continue to sell the same flawed machines with the same security holes. These voting machines fall into one of two categories: optical-scan machines or direct-recording electronic machines. Each of them suffers from significant security problems.
Zetter identifies the problems with the current optical-scan machines, where voters fill out paper ballots, which are fed into optical scanners that create a digital image of each ballot and record the votes on a removable memory card. This approach seems pretty secure, since “the paper ballot, in theory, provides an audit trail that can be used to verify digital tallies,” says Zetter.
But there are serious problems with optical scan machines. Zetter explains:
- “Not all states perform audits, and many that do simply run the paper ballots through a scanner a second time”
- “Fewer than half the states do manual audits, and they typically examine ballots from randomly chosen precincts in a county, instead of a percentage of ballots from all precincts”
At least optical scanners require a paper ballot to function. Direct-recording electronic machines (DREs) use touch screens so voters select from digital-only ballots. DREs store votes electronically; many will also print a “voter-verifiable paper audit trail — a scroll of paper, behind a window, that voters can review before casting their ballots,” says Zetter. Sounds secure, but she points out the many security holes:
- “a hacker could conceivably rig the machine to print a voter’s selections correctly on the paper while recording something else on the memory card.”
- “Five states still use paperless DREs exclusively, and an additional [thirteen] states use paperless DREs in some jurisdictions.” (see the Notes, below, for a list of the 18 states that use some kind of paperless DRE machines.)
In fact, even with an extensive paper trail of printed ballots,
states don’t conduct robust post election audits — a manual comparison of paper ballots to digital tallies is the best method we have to detect when something has gone wrong in an election — and there’s a good chance we simply won’t know if someone has altered the digital votes in the next election.
Problems with the US voting infrastructure
Not only does each type of voting machine come with its own set of security flaws (made much worse because the companies block security audits of their code) but there are other vulnerabilities that all of the commercial voting machines share. Zetter notes that hackers can:
- “access voting machines via the cellular modems used to transmit unofficial results”
- “subvert back-end election-management systems … and spread malicious code to voting machines through them”
- “design their code to bypass pre-election testing and kick in only at the end of an election … and erase itself afterward to avoid detection”
- “produce election results with wide margins to avoid triggering automatic manual recounts”
She continues:
many voting machines that elections officials insist are disconnected from the internet — and therefore beyond the reach of hackers — are in fact accessible by way of the modems they use to transmit vote totals on election night.
If an attacker wanted to alter election results, they would most likely focus on these critical points in the election process: the computers that tally votes.
Once again, the voting machine vendors’ insistence on protecting their proprietary code from scrutiny, security audits, and testing means the chances of these types of hacks increase, and there’s no way to even tell if their voting machines have been compromised.
Voting machine companies already potentially compromised
We already know that these commercial voting machine companies have made many security mistakes. For instance,
Last year a security researcher stumbled across an unsecured ES&S server that left passwords exposed for its employee accounts … a malicious actor able to get into ES&S’s network could conceivably corrupt these files.
But even when these security problems come to light, Zetter continues, “researchers face hostility and sometimes even legal threats from vendors, who want to prevent them from finding and exposing problems with the machines.”
What’s the solution?
Some people have advocated the idea of banning digital voting machines altogether. But Zetter notes,
computers had been used in elections ever since the 1960s, when punch cards and computerized card readers and tabulators were introduced. And experts had been warning for just as long about the danger of placing too much trust in them.
Since then, the use of machine readable paper ballots has proven again and again to be an essential part of a secure backup and paper trail that facilitates audits of election results.
Despite all the difficulties and security holes that digital voting machines have introduced, these machines have also demonstrated clear benefits. “Even the problematic DRE machines offered many advantages,” says Zetter:
With direct recording, counties no longer had to print hundreds of thousands of paper ballots or store them for 22 months after a federal election, as federal law required. And the machines could be adapted to voter needs, by displaying digital ballots in multiple languages and font sizes. They also satisfied the accessibility requirement … offering Braille keyboards, audio instruction and other aids for physically impaired voters.
Is there any way to realize the benefits of electronic voting systems without undermining the reliability and integrity of a country’s election system?
Public software: open source; open for audits
The biggest problems with proprietary voting machines are related to the fact that they are proprietary:
- Commercial voting machine companies don’t want outsiders, like security researchers, viewing or auditing their proprietary code.
- Because their voting machines run on proprietary software, the machines are expensive, difficult to service, and again, the commercial vendors are reluctant to allow audits or reviews of their hardware.
There is a simple solution, and it’s the idea behind the TrustTheVote™ Project: build voting systems on a foundation of public (open-source) software. Public software is simply a computer program that opens its source code for review and audits, often available to use, modify or extend free of charge.
Most public software is licensed in a way that ensures that any enhancements or repairs added to the original code are available to use under the same “open source” license. This means that anyone, at any time, can analyze, review, or scrutinize the quality, reliability, and security of the open source (public) software.
By using public software to run election administration and voting machinery, election officials ensure that security researchers and computer experts can audit every aspect of public voting system software — and in most cases, the associated hardware.
The OSET Institute argues that, given that election technology is now designated as critical infrastructure by the Department of Homeland Security, there is no logical business advantage to hiding the software from auditors, or to using expensive and proprietary hardware to build the voting systems.
Furthermore, using proprietary (instead of public) software for critical election infrastructure effectively makes it impossible for the public, who depend on the integrity of these systems, to verify that the proprietary software works correctly and has not been compromised.
Advantages of public software for voting systems
What are the advantages of the public (open source) software approach of the TrustTheVote Project?
- Security researchers, election officials, and concerned citizens can audit and verify the integrity of public (open source) software used in election systems and voting machines.
- Other public (open source) software projects, like Linux™, already run a significant portion of enterprise computing networks today and the vast majority of the global Internet’s critical infrastructure. This means that the open source software (OSS) model is proven and continually tested. There are many examples of OSS projects that are commercially viable, well supported, and offer demonstrated security advantages. Some examples include the Apache™ web server deployed for a majority of web sites worldwide; the Android mobile operating system powering a significant portion of smartphones; and thousands of other OSS projects.
- Governments all over the world use OSS for information systems, including mission-critical applications within aerospace, finance, and national defense systems.
- When security flaws are detected in open source software, fixes or patches can be published as soon as possible. With proprietary software, on the other hand, there can be business reasons and risks for the companies that produce and sell the software to obscure — and in some cases even deny — the existence of any such problems.
- There are many examples of companies that have published flawed proprietary software and then attempted to make internal fixes to protect sales before their customers learned about these software flaws. In some cases, this reluctance to publicize problems with proprietary software creates a significant security risk for the customers who paid to license the software. OSS presents no such incentive to hide its flaws, since the source code is already open for scrutiny (of course, this assumes that many eyes are scrutinizing, which is often the case).
There’s nothing more critical to defending democracy than ensuring the security and integrity of its election administration and voting systems. Public election software is the best way to ensure that critical election technology infrastructure can be robust and reliable. This is precisely because public software is open to the scrutiny required to ensure the integrity of the voting machines and election systems that are the foundation of a trustworthy election.
As Kim Zetter observes, however, the commercial voting system manufacturers have lobbied for their proprietary election solutions, replete with their hidden vulnerabilities, to become the standard for US elections. And of course, it would be in their best business interest to pursue this. However, there’s no reason this should be the case, and there’s a better option: projects like the TrustTheVote™ Project, based on public, open source election software, subjected to peer review, the scrutiny of security and software experts, and the very public this software serves.
Learn how you can support the TrustTheVote Project and make a difference in the integrity of your election system. Get involved, or donate now.
End Note
Five (5) states use DRE machines with no paper trail whatsoever: Delaware, Georgia, Louisiana, New Jersey and South Carolina; 13 states use DREs with no paper trail in some jurisdictions: Arkansas, Delaware, Georgia, Indiana, Kansas, Kentucky, Louisiana, Mississippi, New Jersey, Pennsylvania, South Carolina, Tennessee and Texas.