Geek out with me for a minute: In the two-part mini-series that starts off the reboot of Battlestar Galactica, the show opens with a surprise coordinated attack by the Cylons, a race of humanoid robots originally created by humans. The attack wipes out nearly the entire population and destroys all 12 planets that make up the Colonies. In hopes of disabling the military response, the Cylons infect the Colonies’ ships with malware, which spreads easily since the ships are networked together. Unfortunately for the Cylons, the show gets its name from the lone military spaceship that survives the attack—the Battlestar Galactica. The saving grace of the Battlestar Galactica is that it isn’t networked together with the rest of the fleet. It’s a relic—a ship due to become a museum at the time of the attack. This old, seemingly outdated ship that everybody has written off is able to escape the Cylons and—Spoiler Alert—save the human race in the end.
The point here is that a) Battlestar Galactica is wonderful and should be sought out, but really, that b) sometimes the old-school ways of doing things are still the most effective depending on the circumstances. Which brings us to U.S. election security circa 2019.
In July 2016, various groups directly associated with the Russian government hacked into critical election infrastructure as well as key systems associated with both the Democratic and Republican parties and attempted to influence the presidential election through the release of information obtained in these hacks. Among other things, a unit of the Russian military attempted to hack into voter registration rolls and key voting infrastructure throughout the US in 21 states. In Illinois, they were successful in gaining access and began extracting data on a few thousand voters before election officials terminated the unauthorized access.
In November 2016, two counties in Florida had key government infrastructure compromised by the same group of Russian hackers. Unfortunately, these two counties may not be alone, but we may never know for sure. What’s worse is that in 2018, the FBI confirmed that the Russian government attempted to hack into critical election infrastructure yet again. And while both of those elections continued on as anticipated, and voting-specific irregularities did not appear to be a problem, the risk of disaster we now face to something as fundamental as voting and elections is unacceptable for a country as capable and technologically advanced as ours.
Ever since the US learned of the attempts to interfere in our elections by the Russian government, numerous groups and interested individuals have been looking into the state of our election system. Groups such as Verified Voting, the Electronic Frontier Foundation, the Brennan Center for Justice, and the Stanford Cyber Policy Center have put together a set of guidelines for election systems across the US to help safeguard our elections and further bolster American trust in our voting system. Among the proposed guidelines, the Electronic Frontier Foundation has arrived at three baseline best practices: the use of paper records, the implementation of risk-limiting audits, and the absolute ban on online or phone-based voting.
Now, while some of these rules may seem counterintuitive for a 21st-century voting system, they are actually based on the realities of the world we live in and the state of information security. Ironically, even Russia is having trouble with an online, blockchain-supported system developed for the Moscow City Duma elections, where the private keys used to encrypt votes were broken within 20 minutes. Even the most technologically advanced voting system is at great risk in this modern age.
So I’m here to promote and advocate for the old-school ways of doing things with a short list of rules, and I’m going to call these the Battlestar Galactica rules.
Rule 1: The paper trail
A paper-based voting system records votes on paper and is maintained as a permanent record that can be used to audit and review elections to ensure accuracy. This mechanism also includes a way for voters to verify that their ballot is correct before they cast their vote. This may mean that the voter marks the ballot themselves or that a machine marks the ballot and allows the voter to explicitly acknowledge it is correct.
Luckily, in Utah, all but two counties (Carbon and Emery) now have vote by mail options. Voting by mail is a form of paper-based voting that has the added benefit of being accessible, convenient, and secure. It makes it possible to sit at home or the office, look up various voter guides (like the Better Utah voting guide!) and campaign websites as you’re voting to make the most informed decision possible. You never have to worry about presenting the wrong type of identification or taking off work to stand in line at your polling place.
What’s more, our vote by mail program has increased voter participation. But more importantly, the system is accurate and safe because a malicious actor would have to “hack” into many different, complex, and time-tested physical systems including the US Postal Service. That’s an incredibly tall task even for the most well-funded foreign government adversaries. And even further, there is a record of your vote and you can track the counting process of your ballot online to ensure your vote matters.
The problem, of course, is that not all voting systems throughout the United States offer vote by mail, and a few states don’t even have voting machines that use paper-based backups to record votes. The promise of the electronic voting machine was that it would allow for totals to be calculated quickly, saving time and potentially money in clerks’ offices around the country. The reality is that electronic voting machines record votes digitally, often on memory cards or other removable media allowing votes to easily be manipulated or altogether deleted by a bad actor without a physical record to fall back on.
The machines typically run proprietary software and have a history of being wildly out of date or vulnerable to well-known security exploits, especially when they are connected to the Internet or networked together. You know that old computer you have sitting around the house running Windows XP that you haven’t updated in two years? Yeah, even that is safer than many electronic voting machines.
The best solution for a municipality that wants the convenience of an electronic voting machine and its ability to calculate vote totals quickly with the security of a paper-based voting system is to use an electronic voting machine with a verified paper audit trail. This is the system Utahns across the state use when they opt to vote in person, and it’s the system found in Carbon and Emery counties in lieu of voting by mail. Good job, Utah!
But the voting systems in Louisiana specifically have no form of paper backup or audit trail, and many systems across the country use a mix of machines with and without paper-audit trails. This patchwork of states and counties using either paper-backed or exclusively electronic machines puts voters in each of those states at risk as well as the rest of us across the country. If we have no means of auditing vote totals and elections, how do we know if an outcome is accurate? They say the proof is in the pudding, but what if we don’t have any pudding?
Rule 2: Risk-limiting audits
Risk-limiting audits are a relatively new take on the traditional post-election audit, and they rely heavily on statistics, sampling, and humans. Currently in Utah, a post-election audit requires a percentage of mail-in ballots or voting machines to be reviewed, comparing the paper record with the electronic record produced by those machines or ballots. The same number of ballots or machines are inspected regardless of how close an election is. With a risk-limiting audit, however, the exact number of ballots or machines would change based on the margin of victory in a race. If the margin were wider, fewer ballots would be reviewed; conversely, more ballots would be reviewed if the margin were narrower.
This method has the benefit of reducing the amount of time required to verify a result even though the ballots are being reviewed and counted by hand. As a result, risk-limiting audits can be conducted more frequently and even automatically to help ensure the accuracy of the election and the integrity of the voting system without relying on a machine recount. Even better, the auditing process can be viewed by the general public, further adding transparency to the process. So far, Colorado and Rhode Island require risk-limiting audits with seven other states debating or working to implement the use of risk-limiting audits going forward.
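As an added illustration (not part of the original post), here is the ballot-polling form of a risk-limiting audit, the BRAVO sequential test of Lindeman, Stark and Yates, for a two-candidate race. It hand-reads a random sample of paper ballots against the reported vote shares rather than comparing paper to machine records as Utah’s audit does, but it shows the same relationship the paragraph describes: the wider the margin, the fewer ballots the audit needs before it can stop. The reported shares and sampled ballots below are constructed.

```python
import math
import random

# Ballot-polling risk-limiting audit (BRAVO) for a two-candidate race.
# The auditor draws ballots at random, reads each one by hand, and updates
# a likelihood ratio T. Once T reaches 1/alpha the reported outcome is
# confirmed at risk limit alpha; if the sample runs out first, the audit
# escalates to a larger sample or a full hand count.

def bravo_audit(reported_winner_share, sampled_ballots, alpha=0.05):
    """Run the sequential test over hand-read ballots.

    reported_winner_share: winner's share of the two-candidate vote per the
        machine count (0.60 for a 60/40 result).
    sampled_ballots: True (ballot for reported winner) / False (for the
        reported loser), in the order drawn.
    Returns ("confirmed", n) or ("escalate", n), n = ballots examined.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner must have a majority")
    s_w = reported_winner_share
    log_t = 0.0                        # log of the likelihood ratio T
    threshold = math.log(1.0 / alpha)  # stop once T >= 1/alpha
    n = 0
    for n, for_winner in enumerate(sampled_ballots, start=1):
        # A winner ballot multiplies T by s_w/0.5 (> 1): evidence the
        # reported winner really beat a tie. A loser ballot multiplies
        # by (1 - s_w)/0.5 (< 1): evidence against the reported result.
        log_t += math.log(s_w / 0.5) if for_winner else math.log((1 - s_w) / 0.5)
        if log_t >= threshold:
            return ("confirmed", n)
    return ("escalate", n)

def expected_sample_size(reported_winner_share, alpha=0.05):
    """Ballots needed if the sample splits exactly as reported: the usual
    planning figure, and the reason narrow margins need far more ballots."""
    s_w = reported_winner_share
    per_ballot = s_w * math.log(2 * s_w) + (1 - s_w) * math.log(2 * (1 - s_w))
    return math.ceil(math.log(1.0 / alpha) / per_ballot)

if __name__ == "__main__":
    for share in (0.70, 0.60, 0.55, 0.51):   # constructed reported results
        print(f"reported {share:.0%}: ~{expected_sample_size(share)} ballots")
    # Constructed random sample drawn from a race whose true split is 60/40.
    rng = random.Random(2019)
    sample = [rng.random() < 0.60 for _ in range(400)]
    print(bravo_audit(0.60, sample))
```

Sample sizes grow sharply as the margin shrinks, which is why a risk-limiting audit of a landslide can finish in an afternoon while a squeaker may end in a full hand count.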
Rule 3: Internet-based voting
Finally, security professionals and researchers virtually all agree that we should not be conducting elections online in any form. This method of voting is typically billed as more inclusive and accessible, especially for members of the military who are actively deployed, and for anybody seeking a traditional absentee ballot such as a missionary or employee overseas. Since 2009, states have been required to send electronic ballots to servicemembers 45 days before Election Day, and in 22 states these ballots are permitted to be sent back via email. This is incredibly risky. If you need proof, just ask John Podesta, the chair of Hillary Clinton’s 2016 U.S. presidential campaign.
In an attempt to address these risks and pilot a program that may be used in the future for the general election, Utah County this year is trying their hand at an online voting program that allows a subset of voters to cast an absentee ballot via a phone app called Voatz that relies on the blockchain (just like that Moscow City Duma election) and, well… trust. This being 2019, I’m sure we’re all super eager to trust another tech company with something so important and sensitive as our vote.
After November 2016, many of the voting machines used throughout the country in that election that we had been repeatedly told were not connected to the internet were discovered to actually have been connected all along, employing a method to quickly report vote totals. Earlier this year, researchers discovered 36 systems used to support the rapid reporting of vote totals in ten states, made by the largest voting machine provider, Election Systems & Software, that were connected to the internet. Many of the municipalities using the systems were not aware this infrastructure was online and a few of these systems were in key swing states. These machines were only supposed to be connected to the internet briefly before and after the election, but many of the systems were left online far longer. The machines also had connections to critical systems used to tabulate official vote totals. So, you know, just the worst-case scenario.
The bottom line is that no matter the amount of technology or security controls we implement, there will always be a high level of risk for any internet-connected system. If we vote online or connect our voting machines to the internet, our elections will absolutely be hacked, manipulated, and invalidated. It’s just a matter of time.
The good news
In the midst of all of this chaos and concern, there is reason for hope. States have started to take concerns seriously by updating the most vulnerable machines. California alone has committed to spending $268 million. Utah received $4.1 million through the 2018 Help America Vote Act to “purchase new voting equipment, replace the state’s voter registration database and implement additional security measures and training for both counties and the state.” Risk-limiting audits are now being implemented in some form in 12 states in time for the 2020 election, and the DNC has decided to not move forward with allowing Iowans and Nevadans to caucus online in 2020 after listening to the concerns of security experts.
Los Angeles County in California is doing electronic voting the right way: they’ve invested heavily in rebuilding their entire voting infrastructure for all 5.2 million registered voters. Along with increasing the number of days voters are allowed to vote (now 11 days), L.A. County also built touchscreen machines that allow voters to feed in a paper ballot and then watch the machine physically record those choices (remember the importance of the paper backup). The machines are more accessible for people with disabilities and people who speak languages other than English. But the coolest part (humor me) of this whole new system is that the machines themselves use open-source software and interchangeable hardware. This means the entire world can come take a look at the software running the machines, find weaknesses, help the developers review and fix them, and make us all safer come election day. And when technology improves, the county can just replace one part rather than debate the cost of replacing the whole machine, a debate that delays vital updates.
Part of the system that powers LA County’s new voting system was created using technology funded by a $10 million DARPA grant to build secure machines that use open-source software that can be offered to existing election system companies that supply the rest of the country. Not every county can afford to build their own machines, so this arrangement allows the new machines to show up in front of more voters, faster. And even better? These voting machines have been vetted, prodded, pushed, and poked by ruthless Def Con hackers in Las Vegas and by various university researchers across the country in an effort to ensure they are secure and safe. That’s a stark difference from the closed-off world we’ve lived in where voting machine companies build proprietary machines in labs and lock them away in high towers guarded by dragons or something.
The bad news
We still have 31 states that desperately need new voting machines before the 2020 election because their current machines can no longer be maintained or updated, and we still have a Congress unwilling to provide any additional money beyond the initial $380 million handed out through the Help America Vote Act (HAVA) in 2018. We’ve improved from roughly 20 percent of voters using machines that don’t produce any paper record in 2016, to 12 percent of voters. That’s an improvement, surely, but that’s still 16 million voters voting without a paper backup!
And then there’s Moscow Mitch 🇷🇺
Senate Majority Leader Mitch McConnell has vowed to disallow a vote on any legislation that would increase funding for election security, despite the best efforts of Representatives, mostly Democrats, in the House, who passed a $775 million election reform bill. Meanwhile, the threat of foreign interference grows while the days until the presidential election shrink. This challenge is made more difficult by powerful voting machine manufacturers refusing to open their doors to researchers seeking to verify the security of our voting infrastructure, and by counties trying internet voting at exactly the wrong time.
There is still a lot of work to be done to make sure voting systems are secure, and time is running out. It’s high time we make up for our past security naivete and address the challenge of modern-day voting for all 153 million registered voters in the United States. The proposals to take a step back and embrace the old-school ways of voting may seem counterintuitive to our high-tech world, but just remember the lesson of the Battlestar Galactica. So say we all!