November 5, 2019: In Northampton County, Pennsylvania, a candidate for judge, Abe Kassis, came up with just 164 votes out of 55,000 cast — a statistical absurdity. After hand scanning the ballots from the county’s new ESS ExpressVoteXL machines, Kassis emerged as winner. This was no case of “disinformation warfare” — so what happened?
February 3, 2020: In Iowa, a smartphone app for reporting caucus results debuted. It did not go well.
Our elections have been menaced by social media deception, voter registration scandals, conspiracy theories, and polarization of the electorate. While these issues must be confronted, we can’t ignore the growing threat posed by security gaps in the election equipment that records, counts, and transmits votes.
Even if we could solve the complex social engineering problems, we should all ask, “How secure are the physical machines being used in the 2020 American elections?”
Vulnerability of Election Technology
Let’s start with some common problems presented by modern-day election machines.
- Single point of failure. A compromise or malfunction of election technology could decide a presidential election.
- Between elections. Election devices might be compromised while they are stored between elections.
- Corrupt updates. Any pathway for installing new software in voting machines before each election, including USB ports, may allow corrupt updates to render the system untrustworthy.
- Weak system design. Without clear guidelines and thorough, expert evaluation, the election system is likely susceptible to many expected and unexpected attacks.
- Misplaced trust. Technology is not a magic bullet. Even voting equipment from leading brands has delivered wildly wrong results in real elections. Election administrators need to safeguard the election without relying too heavily on third parties or technologies they don’t control.
It takes a lot of work to lock down a complex voting system to the point where you’d bet the children’s college fund — or the future of society — on its safety. Has that work been done? Not entirely, as shown by these not-so-fun facts about election devices in the US.
- Many voting machines are 10 to 20 years old.
- Voting machine manufacturers are not subject to any federally mandated security standards.
- Federal testing standards have not been updated since 2005, when few machines were digital.
- Many voting systems connect to the Internet or have open USB ports.
- Some newer voting machines have failed to record voter choices correctly and have features that actually defeat accuracy tests.
A Quick Look at Modern Voting Systems
There are — in the typical case — four classes of election machines. The chain usually begins with the device where each election’s new ballot is designed, usually as a set of instructions to the legions of voting machines, which print out each voter’s ballot.
The ballot is then placed in a scanner, which reads the bar code/Qcode on each ballot and sends the results upstream. After voters make their choices, the ballots are printed and then scanned. Finally, the scanners send their results to a tabulator of results. The tabulator is usually situated outside the polling place at a central location
Critical Security Needs
A few years ago, there was much excitement about ditching paper ballots in favor of new, digital-only voting machines. The deficiencies of paperless voting became evident, and in 2019 Congress passed the SAFE act, which mandates the use of paper as a backup. Many counties and states have recently purchased new voting machines, and some of these products have security gaps.
In evaluating election technology, officials need to consider these critical security needs:
Every ballot on paper. Digital-only election systems make it hard to detect when counted votes don’t match what the voters selected.
Paper ballots must match digital results. Many voters do not scrutinize their paper ballot to be certain all their choices show up correctly. Some voting machines print the paper ballot too faintly to verify easily. Incorrect ballots (whether intentional or accidental) could go unnoticed if the distortion of results is subtle. If the paper ballot appears correct but the scannable code does not match, a hand recount of all ballots would reveal the hack.
Stop unauthorized device modification. Many election committees use tamper-proof seals to protect hardware in storage. That’s not foolproof, according to Professor Steve Bellovin of Columbia University, who told us, “Even the seals used on nuclear devices can be non-destructively removed and replaced.”
Check every election device. We asked J. Alex Halderman, a noted election cybersecurity expert, if election machines are checked when they are brought out of mothballs. He answered, “To my knowledge, no state has done rigorous forensics on their voting machines to see if they have been compromised.”
What About Judge Kassis and his 164 votes?
In that 2019 Pennsylvania election with preposterous results, 30% of the touchscreens were deemed “misconfigured,” but there’s no explanation of how an eventual winner was credited with just one-third of 1% of the votes cast in over 100 precincts. Possible causes include defective ballot design, scanning bugs, and/or final tabulation. The county’s election board issued a no-confidence vote in the machines, but time is too short to replace them. The same machines will be used in other cities and key swing districts that will affect the outcome of the 2020 presidential election.
Ives Brant, former editor in chief of Tornado Insider and Oracle Integrator magazines, and head of marketing at TrustiPhi, also contributed to this article.
Stay tuned for Part 2 in this series: “5 Measures to Harden Election Technology.”
Ari Singer, CTO at TrustiPhi and long-time security architect with over 20 years in the trusted computing space, is former chair of the IEEE P1363 working group and acted as security editor/author of IEEE 802.15.3, IEEE 802.15.4, and EESS #1. He chaired the Trusted Computing … View Full Bio