Hacking into voting machines remains far too easy.
It is too soon to say for sure what role cybersecurity played in the 2020 Iowa caucuses, but the problems, which are still unfolding and being investigated, show how easily systemic failures can lead to delays and undermine trust in democratic processes. That’s particularly true when new technology – in this case, a reporting app – is introduced, even if there’s no targeted attack on the system.
The vulnerabilities are not just theoretical. They have been exploited around the world, such as in South Africa, Ukraine, Bulgaria and the Philippines. Successful attacks don’t need the resources and expertise of national governments – even kids have managed it.
Congress and election officials around the U.S. are struggling to figure out what to do to protect the integrity of Americans’ votes in 2020 and beyond. The Iowa caucuses are run by political parties, not state officials, but many of the concepts and processes are comparable. A look at similar problems – and some attempts at solutions – around the world offers some ideas that U.S. officials could use to ensure everyone’s vote is recorded and counted accurately, and that any necessary audits and recounts will confirm that election results are correct.
As a scholar researching cybersecurity and internet governance for more than 10 years, I have come to the conclusion that only by working together across sectors, industries and nations can the people of the world make their democracies harder to hack and achieve some measure of what I and others call cyber peace.
Electronic tampering is not new
As far back as 1994, an unknown hacker tried to alter the results of an election – but the effort failed, and Nelson Mandela was elected president of South Africa.
A similar effort played out in 2014 when Russian-backed hackers targeted Ukraine, attempting to fake vote totals for the presidential election. They were caught just in time, but the sophistication of the attacks should have been seen as a shot across the bow for future elections in the U.S. and around the world.
How has the US government responded?
More than two-thirds of U.S. counties are using voting machines that are at least a decade old. Because many of these machines are running outdated operating systems, they are vulnerable to exploitation.
The multi-pronged strategy used by the Kremlin to undermine the 2016 U.S. presidential election shared parallels with the election in Ukraine back in 2014, including the probing of insecure voting machines, compromising voter-registration lists and weaponizing social media to spread misinformation.
To date, the U.S. response has been weak. True, the threats are complex, and partisan rancor hasn’t made it any easier for officials to unite against them. Still, local, state and federal government agencies have made some progress.
For instance, in 2018 Congress agreed to spend US$380 million to help states buy more secure voting machines. In December 2019, Congress and the president agreed to spend a further $425 million on election cybersecurity, which is in line with estimates for how much it would cost to replace digitally vulnerable paperless voting machines across the nation.
These funds will allow more states to upgrade their voting equipment, and conduct post-election audits. But this is still less than a quarter of the amount Congress appropriated – nearly $4 billion – to upgrade U.S. voting systems after the confusion of the 2000 election.
U.S. Cyber Command has been sharing information with local officials, as well as becoming more active such as by shutting down a Russian troll farm on Election Day 2018.
Lessons from other nations
Like the United States, the European Union has also faced hacking attacks on election systems, including in the Netherlands, Bulgaria and the Czech Republic.
In response, the EU has increased cybersecurity requirements on election officials and infrastructure providers requiring things like more robust authentication procedures to help confirm voters’ identities. It has also urged its members to use paper ballots and analog vote-counting systems to help ward off concerns over compromised voting machines.
Nations around the world – including Germany and Brazil – that have used electronic voting machines are going back to paper ballots in part due to security and transparency concerns, while a 2019 court order requires paper trail audits in Indian elections.
Other mature democracies, like Australia, do far more than the U.S. to protect the vote. Australians all use paper ballots, which are hand counted, and voting itself is mandatory so there are no issues over voting rights. The country’s powerful Electoral Commission also sets nationwide standards and oversees the entire voting process, as opposed to the more decentralized U.S. approach.
The problem is global, and in my view would benefit from an internationally coordinated solution among both advanced and emerging democracies. Many nations and interested businesses and organizations around the world say they want to join the fight. The G7 and the U.N. have issued statements emphasizing the importance of protecting democracy and securing voting machines.
The Paris Call for Trust and Security in Cyberspace – which specifically calls on its backers to “cooperate in order to prevent interference in electoral processes” by sharing intelligence – has more than 550 supporters, including 67 nations. The U.S. is part of the G7 and the U.N., but hasn’t joined the Paris Call. Nevertheless, U.S. election officials could learn from other countries’ experiences.
Time is growing short
In the U.S., states are already trying approaches that have worked in other countries, but federal rules have not yet caught up. Congress could encourage states to follow Colorado’s example by banning paperless ballots, and requiring risk-limiting audits, which double-check statistically significant samples of paper ballots to check if official election results are correct. That would increase voter confidence that the outcomes were correct.
Congress could similarly require the National Institute for Standards and Technology to update its standards for voting machines, which state and county election officials rely on when deciding which machines to purchase.
The U.S. could also create a National Cybersecurity Safety Board to investigate cyberattacks on U.S. election infrastructure and issue reports after elections to help ensure that experts and the public alike are aware of the vulnerabilities and work to fix them.
Democracy is a team sport. Scholars can also help federal, state and local governments secure the country’s election system, by devising and testing possible improvements.
Different approaches around the country may make the overall system more secure, but the diversity of potential problems means the election officials on the ground need help. There’s still time to avoid a replay of South Africa 1994 or Ukraine 2014 in the 2020 U.S. elections.
Scott Shackelford is a principal investigator on grants from the Hewlett Foundation, Indiana Economic Development Corporation, and the Microsoft Corporation supporting both the Ostrom Workshop Program on Cybersecurity and Internet Governance and the Indiana University Cybersecurity Clinic.
His article first appeared in The Conversation on February 4, 2020.