WASHINGTON—Recent breaches in security in Illinois and Arizona of voter registration databases and the hacking of the Democratic National Committee and Democratic Congressional Campaign Committee have alarmed many Americans that our national election on Nov. 8 may not be secure.
On Sep. 22 Senator Dianne Feinstein (D-Calif.) and Rep. Adam Schiff (D-Calif.), the ranking members, respectively, of the Senate and House Intelligence Committee, issued a joint statement that said, “Based on briefings we have received, we have concluded that the Russian intelligence agencies are making a serious and concerted effort to influence the US election.” They concluded that the orders for the hacks came from senior levels of the Russian government.
The Administration has refrained from accusing Moscow for the hacking of the DNC, but U.S. intelligence officials have “high confidence” that Russia is the source, according to the NY Times. Also, several security firms have identified Russia as responsible for the perpetrators, according to Politico.
On Sept. 28, the Committee on House Oversight and Government Reform held a hearing to ascertain the nature and extent of cyber threats to the U.S. election system.
The consensus of the expert government and academic witnesses is that the public has little to fear that national election voting in the 50 states could be interfered with from internet-based cyber-attacks. The consensus was that these recent attacks, however, tend to undermine public confidence.
The witnesses felt that all the talk about the cyber breaches was overblown and mostly misdirected. A much more serious concern is the outdated voting machines that are more likely to malfunction with the passage of time. That can cause long lines and people not voting as a result.
“A massive attack against the infrastructure as a whole is not the biggest cyber vulnerability in our election process. Rather, it is the individual voting machines that pose some of the greatest risks,” said Ranking Member of Subcommittee on Information Technology Robin Kelly (D-Ill.).
The non-government computer experts on the panel were adamant that the “touchscreen” voting machines still being used in 14 states are potentially very detrimental to the integrity of the vote.
Because the American election administration system is not a single, uniform national system, the integrity of elections in the event of an attack is assured. With over 10,000 election jurisdictions in the United States, it means “in a federal election, there are essentially more than 10,000 separate elections being run, with different voting machines, ballots, rules and security measures,” said Lawrence Norden, from the Brennan Center for Justice at NYU School of Law. The decentralization means it is impossible to attack the nation’s voting machines in one location.
Citizens cast their votes at voting machines that are not connected to the internet, said Thomas Hicks, Chairman of the U.S. Elections Assistance Commission (EAC). Local election officials “collect the votes from the voting machines and physically transport, not electronically transmit, them to the election headquarters where they are tallied. This physical transportation ensures that a hacker cannot alter the tally during transportation.”
It would take an immense amount of manpower and time to carry out an attack on the American election system. Because voting machines are not connected to the internet, the criminals would have to physically access hundreds of voting machines that collect the votes, and penetrate a “vast array of differing security systems and protocols [that] protects each of these voting machines,” Hicks said.
Threats to Voter Registration Systems
The intrusion into Arizona’s voter registration system was noticed before the hacker could access the data. In Illinois, the intruder was able to read personal data but apparently did not change the information or delete anyone in the database.
“We can’t just disconnect voter-registration computers from the internet, said Dr. Andrew Appel, Professor of Computer Science, Princeton University. A poll worker who checks the name, address, and signature of a voter coming to vote, may be using an electronic device that runs on laptop or tablet computers.
“I’m particularly concerned that hacks could disable these on Election Day, causing chaos,” he said.
Norden testified that “election officials should create regular backups, including paper copies, of their registration databases.” Norden has done extensive work in the last decade on voting technology and security and has authored numerous studies on election system security.
The threat is that if a hacker deleted or altered voter information, it could conceivably prevent someone from voting. The U.S. Elections Assistance Commission provides a useful checklist for securing voter registration data, he said in written testimony. The FBI and DHS also have expertise in this area.
Biggest Integrity Threat: Outdated Voting Machines
After the attacks on the DNC email server and state registration databases, concerns were raised about whether our voting machines could be hacked. The biggest threat to the integrity of this November’s election is not attacks against the voting machines. They are not connected to the internet and so can’t be hacked—a point made by the witnesses repeatedly.
The biggest threat are “attempts to undermine public confidence in the reliability of that system,” said Norden.
“Any attempt to attack our voting systems is far more likely to sow doubt about results than it is to change a large number of votes,” he said. The problem is that as the machines age, the likelihood of malfunction increases, such as calibration problems on touch screen machines, or screen freezes.
Norden testified that in a 2015 Brennan Center reported that 42 states will use voting machines in the upcoming election that are at least 10 years old. These machines are near the end of their lifespan, especially machines designed in the late 1990s and early 2000s.
“Using aging voting equipment increases the risk of failures and crashes—which can lead to long lines and lost votes,” he said.
Dr. Appel said that studies by Massachusetts Institute of Technology and Harvard researchers estimate that in 2012 between 500,000 and 700,000 eligible voters did not vote because of long lines.
Moreover, replacement parts for older systems can be hard to find. “In several cases, officials have had to turn to eBay to find critical components like dot-matrix printer ribbons, decades old memory storage devices, and analog modems,” Norden said.
The newer machines can also be vulnerable, according to Congressman Gerald E. Connolly (D-Va.). He prepared a statement for the Subcommittee and the press that said that in April 2015, the Commonwealth of Virginia decertified 3,000 voting machines that an audit discovered contained a wireless capacity for hackers to alter vote tallies.
Easy to Hack Machine in Person
The touchscreen voting computers, paperless machines most of which are at least a decade old, are especially vulnerable to manipulation by an intruder, who is physically able to change the software operating the machine. These machines do not produce a record that the voter can see. Nor do they permit election officials to confirm that the electronic vote total matches the record calculated by hand independently of the software, according to Norden.
Voters in 14 states will use the paperless machines to some extent. Five states—Delaware, Georgia, Louisiana, New Jersey, and South Carolina—will this November use paperless electronic voting machines almost exclusively statewide. If there is fraud committed, “there is no paper ballot to recount,” writes Dr. Appel.
Each voting machine is a computer that runs a computer program that counts the votes. Whether it does it accurately depends on the software installed. Dr. Appel said he demonstrated that he could write “a fraudulent, vote stealing computer program that would shift votes from one candidate to another.” He said it was not hard to do, that any competent computer programmer could write the same code.
Appel described at the hearing how a voting machine could be hacked “by removing 10 screws from the panel motherboard and replacing the memory chip from its socket and installing a cheating program.” He wrote it takes about seven minutes per machine with a screwdriver. Dr. Appel said in his written testimony, “In 2009 I demonstrated in open court, in the Superior Court of New Jersey, how to hack a voting machine.”
At the hearing, he said that researchers from many universities have demonstrated the hacking of voting machines: Princeton, University of Connecticut, John Hopkins, University of Michigan, and others.
Dr. Appel, who has been on the faculty at Princeton for 30 years, has written several articles in scientific journals on election machinery.
He says the solution is to vote on optical-scan paper ballots, which are the choice of most states. It provides a “ballot of record, and it can be recounted by hand, in a way we can trust,” he said.
“I strongly recommend that the Congress seeks to ensure the elimination of Direct-Recording Electronic, that is, ‘touchscreen’ voting machines, immediately after this November election.”
‘Voter Suppression Laws’
While the focus of the hearing was on cyber threats, “efforts to hinder eligible voters’ access to the ballot box also pose an urgent threat to our elections … and to our democracy,” said Congressman Elijah Cummings (R-Md.).
Cummings was incensed that Elections Assistance Commission Executive Director Brian Newby, whom he accused of lacking valid authority, unilaterally changed the federal voter registration form. He said this action has had a disproportionate impact of persons of color in the state of Kansas, whereby tens of thousands have been disenfranchised, as well as possibly voters in Alabama and Georgia.
Cummings said, “Fourteen states will have new voting restrictions in place this fall for the first time in a presidential election.” The photo ID and other requirements will be an extra burden for the young, women, the elderly, people with disabilities, low-income voters, and the homeless, he said.