What's wrong with election security and what can be done?
In 2016, unpredictably the world’s most dominant democracy, the United States of America, had its election security sabotaged. According to the Associated Press, the U.S. special counsel indicted 13 Russians in an intricate plot to disrupt the 2016 presidential election. They were charged with running a massive social media trolling campaign aimed at undermining public confidence in democracy. This included hacking the Democratic National Committee, the Clinton presidential campaign, and attempting to break into several state elections boards’ infrastructure.
Beyond Foreign Interference, U.S. Voting Infrastructure Has Serious Flaws
Even more alarming than foreign interference, is how quick and easy it is to hack into U.S. voting systems. For example, at this year’s annual Def Con hacking conference, an 11-year-old boy demonstrated how he could hack into a replica of the Florida state election website and change voting results in under 10 minutes. Â
A large part of the problem is that there is no consistency among state election systems in either protocols or equipment. Voting equipment varies from paper ballots, to punch cards to electronic touch screens. Some states manually count votes while others use automation. Because of these many variables, each state has different security flaws and different vulnerability of being hacked.
There are about 350,000 voting machines used in the U.S. today, according to Verified Voting, a nonprofit that tracks voting equipment. There are two types of machines— direct-recording electronic (DRE) machines and optical-scan systems. DREs are digital and allow voters to touch a screen to make their selections.  Optical-scan machines allow voters to make their selections on a paper ballot, which gets fed into an optical scanner and can be used later to verify the digital results.
The DREs are of particular concern because all models have proven to be vulnerable to hacking. And because DREs do not provide a hard copy of the vote, it is difficult to double-check results for signs of manipulation.
In addition, voting machines need to be programmed with ballot information, which likely happens by direct connection to the internet. Precinct results are often centrally tabulated by state and local governments over their various local area networks, adding even more points of potential hacking and vote manipulation.Â
Multiple voting machines, multiple connection points, multiple network architectures, multiple tabulation systems. There is no consistent framework to secure thousands of potential different weaknesses.
We Need to Reboot
A report completed by the Brennan Center for Justice at New York University School of Law, Securing Elections from Foreign Interference, recommends that, at a minimum, states replace antiquated voting machines with new, auditable systems. The current voting infrastructure is aging, costly to maintain, vulnerable to crashes and most importantly, poses significant security risks.
As the midterm elections fast approach, it is estimated that 1 in 5 Americans will be casting ballots on machines that do not produce a paper record of their votes. In addition, the Associated Press reported that the Department of Homeland Security (DHS) identified election system hacking in 21 states last September. If left unaddressed, these vulnerabilities will continue to threaten national security and our democratic system. Our incongruous election system has now become a national security issue.Â
Currently, each state has the responsibility of overseeing its own local, state and federal elections. Yet, due to the highlighted national security issues, perhaps it’s time for a change. Congress has an obligation to ensure that federal elections are run with security and integrity.
What if legislation was introduced where the federal government managed all voting equipment; tabulation networks, post-election audits and threat analyses; and audits for voter registration systems? What if there was a single nationwide system for all elections to be run on a national, state and local level? With a consistent national election system on one infrastructure, it will be much easier to control hacking and corruption. If a vulnerability is found, a patch can be easily uploaded to all states’ systems at once.
Go Back to Stone Age
Until that day, we need to go backward to go forward. The U.S. election systems are not equipped to handle intricate cyber attacks and foreign interference. In May, the Senate Intelligence Committee issued a report that recommended all states go back to paper ballots or mandate that electronic machines produce hard paper copies that can be audited. Nearly two dozen states and the District of Columbia have said they will use only paper ballots in the upcoming November elections, according to Verified Voting. For those states not able to do so, it is important that their systems are air-gapped — disconnected from the internet and from other devices that might be connected to the internet. In addition, it is important to have some auditable way to double check votes post-election.
Educate State Workers on Hacking Issues
During this critical transition time, the federal government through DHS needs to help government and state workers minimize risk and become smarter about election hacking issues. In the short term, it should assist in helping municipalities and government workers with the following practical tips:
- Teach administrative staff about phishing scams, DDoS attacks, etc. Â While election officials and staff are trained on the proper procedures and deployment their voting systems, it is also important that be educated on cybersecurity events so that they are not as likely to fall prey to them and compromise local networks.
- Do not open any attachments without confirming the attachment came from a trusted source. Attachments are one of the biggest security risks, even attachments coming from a trusted sender.
- Use best practices for password protection such as two-factor authentication so that security is maximized. This method confirms users' identities through a combination of two different factors: something they know and something they have, like using an ATM bank card which requires the correct combination of a bank card (something that the user has) and a PIN (something that the user knows).
- Keep all software updated. Turn on auto-updates on your phone and laptops – don't wait to apply them.
- Check for firmware updates on all printer and network devices as part of your regular patch management schedule as these devices can be weaponized. Updates can add new or improved security features and patch known security holes.
- Do not conduct any non-government related activity while connected to the network – fantasy football, signing your kid up for soccer, etc.
The Future of Election Security
Looking forward, innovative technologies such as blockchain, digital IDs and electronic signatures should be considered on a national voting network. Some states, like West Virginia, have already deployed pilot programs enabling voting via a blockchain network to store and secure digital votes.
The threat of interference remains until we are on a secure nationwide election system. To preserve the democratic value of one person one vote, the U.S. must make the necessary security upgrades to prevent voter fraud, foreign influence campaigns and hacking of our election infrastructure. Federal legislation needs to be introduced to make this happen. Protecting our elections is a matter of national security, requiring immediate action and coordination at all levels of government.
About the Author:
Mike O’Malley brings 20 years of experience in strategy, product and business development, marketing, M&A and executive management to Radware. Currently, O’Malley is the Vice President of Carrier Strategy and Business Development for Radware. In this role, he is responsible for leading strategic initiatives for wireless, wireline and cloud service providers. O’Malley has extensive experience in developing innovative products and strategies in technology businesses including security, cloud and wireless. Prior to Radware, O’Malley held various executive management positions leading growing business units at Tellabs, VASCO and Ericsson.Â