Last month, when Congress authorized three hundred and eighty million dollars to help states protect their voting systems from hacking, it was a public acknowledgement that, seven months out from the midterm elections, those systems remain vulnerable to attack.
America’s voting systems are hackable in all kinds of ways. As a case in point, in 2016, the Election Assistance Commission, the bipartisan federal agency that certifies the integrity of voting machines, and that will now be tasked with administering Congress’s three hundred and eighty million dollars, was itself hacked. The stolen data—log-in credentials of E.A.C. staff members—were discovered, by chance, by employees of the cybersecurity firm Recorded Future, whose computers one night happened upon an informal auction of the stolen passwords. “This guy—we randomly called him Rasputin—was in a high-profile forum in the darkest of the darkest of the darkest corner of the dark Web, where hackers and reverse engineers, ninety-nine per cent of them Russian, hang out,” Christopher Ahlberg, the C.E.O. of Recorded Future, told me. “There was someone from another country in the forum who implied he had a government background, and he wanted to get his hands on this stuff. That’s when we decided we would just buy it. So we did, and took it to the government”—the U.S. government—“and the sale ended up being thwarted.” (Ahlberg wouldn’t identify which government agency his company had turned the data over to. The E.A.C., in a statement, referred questions about “the investigation or information shared with the government by Recorded Future” to the F.B.I. The F.B.I., through a Justice Department spokesperson, declined to comment.)
Another case to consider: the Department of Homeland Security recently discovered a number of rogue cell-phone simulators—technical tools that are commonly called “Stingrays”—in Washington, D.C., and has been unable to identify who was operating them. Stingrays are typically used in this country by police or intelligence agencies to surveil suspects and intercept their communications, but D.H.S. officials suspect that the ones they found may have been part of a foreign government’s spying arsenal. As a pair of Princeton computer scientists, Andrew Appel and Kyle Jamieson, have pointed out, cell-phone simulators, which mimic legitimate cell towers, happen also to be handy and inexpensive vote-hacking devices. On the Freedom to Tinker blog, Appel and Jamieson have posted easy-to-follow diagrams showing how the transmission of voting information from polling places could be intercepted by a Stingray and surreptitiously altered before being sent on to its intended destination, a central tabulating computer.
The voting machine that Appel and Jamieson picked to illustrate this hypothetical “man-in-the-middle” attack was the DS200, a popular optical-scan voting machine that reads marked paper ballots, made by a company called Election Systems & Software. The DS200 machine is not connected to the Internet, a feature that offers a great deal of protection from hacking—but not absolute protection. As the Princeton professors demonstrate, trusting this “air gap” when there are other points of entry into the system—such as, in the DS200’s case, a modem that sends data over phone lines—is both naïve and dangerous. When I contacted Election Systems & Software for a comment on the machine’s susceptibility to hacking, I was sent an explanatory leaflet called “Modeming as It Relates to Unofficial Results Transmission.” That document catalogues a number of security features that, on their face, would appear to prevent interception. “Only unofficial results are ever transmitted via modem,” the document says, and, even then, all transmissions are encrypted. The company says these safeguards make the Stingray-aided hacking of their machines “highly unlikely.” But, as Appel told me, there is nothing stopping poll workers from sending official results via modem, and encryption only works if the software of the sender and that of the receiver are implemented perfectly. That, he said, rattling off the many ways an encrypted system could be penetrated, rarely happens. And, despite the security features of the DS200, the danger posed by sending voting data over phone lines has convinced several states—including New York, Maryland, Virginia, and Alabama—to prohibit the use of modems for the transmission of election results.
One of the enduring myths about American elections, and one that persists even after the revelations of 2016, is that they are largely insulated from hacking because we have no centralized voting system—elections are overseen by roughly nine thousand counties, and voting takes place in over a hundred and fifty thousand polling places—and because most voting occurs offline. “Our diverse and locally-run election process presents serious obstacles to carrying out large-scale cyberattacks to disrupt elections, and that standalone, disconnected voting systems present a low risk,” the National Association of Secretaries of State wrote last year, in a briefing paper titled “Key Facts and Findings on Cybersecurity and Foreign Targeting of the 2016 US Elections.” Yet the intelligence community, computer scientists, and hackers themselves have found that while decentralization may be a deterrent, it is not a defense.
In their briefing paper, the secretaries of state—twenty-four of whom are their state’s chief election official—also contend that “the November 2016 election was not hacked.” Though Russian agents attempted to breach the voting systems of at least twenty states and, in one of them, Illinois, lifted thirty-five hundred complete voter files and parts of ninety thousand more, “compromising voter registration systems,” the secretaries say that did “not affect election results.” This extremely limited understanding of hacking fails to take into account that compromising voter-registration systems—eliminating voters from the rolls, deleting voting histories in ways that cause voters to be purged from the system, or creating discrepancies between a state’s voter registry and the poll books used on Election Day—can disenfranchise voters, and disenfranchising voters can change outcomes.
Even without foreign interference, elections in recent years have been marred by software glitches, clerical errors, and machine failures that have prevented people from voting, caused long lines at polling places, and prompted some voters to give up and walk away. (In 2006, for instance, it has been estimatedthat twenty per cent of voters in Denver were dissuaded from voting after a software failure led to long lines.) If these bugs were to be turned into features and deployed systematically by malicious actors, as Michael Daniel, the Obama Administration’s “cyber czar” pointed out recently, on “60 Minutes,” chaos would ensue. On the same program, Senator Kamala Harris, a Democrat of California, said, “We have to be prepared for wars without blood.”
The last time Congress sent money to the states to upgrade their voting infrastructure was in 2002, when it passed the Help America Vote Act (hava). That law set aside $3.6 billion to replace the punch-card voting machines that nearly caused a constitutional crisis in the 2000 election. The three hundred and eighty million dollars that Congress recently authorized come from unspent hava grants, and are intended to replace the replacement machines purchased a decade and a half ago, most of which have outlived their use-by date. Some of these machines are so old that their manufacturers have gone out of business; according to the Brennan Center, as of 2015, forty-three states and the District of Columbia were using machines that are no longer in production. Some of these machines are so old that their operating systems can’t be patched when security flaws are found, and replacement parts must be scrounged up on eBay.
Significantly, hackers were not responsible when, in November, 2016, voters in Shelby County, Tennessee, pulled the lever for Hillary Clinton and found that they had chosen Donald Trump. Nor were hackers behind flipped votes reported in a number of precincts in Georgia, Pennsylvania, Nevada, Texas, and North Carolina. These kinds of mishaps become more common as machines age. The glue used to affix voting screens degrades, resulting in screens that are no longer in alignment with ballots. When that happens, as it did to a woman in Davidson County, Tennessee, during the 2008 Presidential election, you get this: “A poll worker directed me to a touch screen voting machine and instructed me how to use it. I touched ‘Obama’ for president and nothing lit up. I touched 2 or 3 more times and still nothing lit up. … I tried it 2 or 3 more times more lightly with the poll worker watching and still nothing lit up. The poll worker then touched it for me twice—nothing lit up. The third time he touched the Obama button, the Cynthia McKinney space lit up! … The poll worker just kind of laughed and cancelled the vote. He hit the Obama button again and it finally lit up. I continued on to cast the rest of my votes. After completing the process and reviewing my votes, I went to the VOTE page, hit the VOTE button and nothing happened. Again, after several tries, I called the poll worker over and he finally got the machine to register my votes. Hurray—I voted!—or did I?”
But it’s not just decrepitude. Software vulnerabilities, unreliable tabulators, and unprotected memory cards have left voting systems open to exploitation ever since electronic machines were introduced. Most problematic have been machines known as D.R.E.s (direct-recording electronic devices), which do not provide voters with a paper record of their choices. Like that woman from Tennessee, maybe their votes are counted, and maybe they aren’t, and there is no way to know.
This not knowing was the catalyst for a class-action lawsuit brought against the Pennsylvania secretary of state in 2006. “Because there is no permanent, independent physical record that can be used to audit the DRE, either in random audits or following an accusation that the machine has been tampered with or has malfunctioned,” the plaintiffs wrote, “there can be no assurance that either the Petitioners’ votes or the votes of any other Pennsylvania voter have been properly counted or weighted.” Nine years after that suit was filed, the Pennsylvania Supreme Court ruled against the plaintiffs, and the machines at issue remain in use. This past March, after the special election between Conor Lamb and Rick Saccone to represent Pennsylvania’s Eighteenth Congressional District, which Lamb, the Democrat, won, by a few hundred votes, Republican officials in Washington demanding a recount might have wished the lawsuit had gone the other way.
Pennsylvania is one of thirteen states that continue to use D.R.E.s. Counties all over the country have been slow to move away from first-generation electronic machines, despite their problems, since new voting systems are prohibitively expensive. The hava money—which will be doled out according to a formula based on the voting-age population of each state, rather than the condition of election infrastructure—is meant to help defray these costs. Yet only two states, Delaware and Arkansas, will be getting enough money to retire their entire fleet of D.R.E.s. Pennsylvania, which is getting somewhere between fifty and seventy-nine million dollars, will at most be able to swap out twenty-seven per cent of its equipment. New Jersey, which votes exclusively on D.R.E.s, can expect to replace fewer than twenty-five per cent. And none of these machines are likely to arrive in time for the 2018 midterms, which, according to the director of national intelligence, Dan Coats, is likely to be a “potential target for Russian influence operations.”
Three hundred and eighty million dollars is not enough to change the threat landscape. Without a commitment from the federal government, the states, and counties to do whatever is necessary to establish and maintain secure elections, our greatest strength as a nation, the regular accounting of the vox populi, will remain susceptible to abuse, subversion, and other dark arts.