As America heads toward the 2018 midterms, there’s an elephant in the voting booth.
Despite improvements since Russia’s attack on the 2016 presidential race, the U.S. elections infrastructure is vulnerable — and will remain so in November.
Cybersecurity expert Bruce Schneier laid out the problem to an overflowing room full of election directors and secretaries of state — people charged with running and securing elections — at a conference at Harvard University this spring.
“Computers are basically insecure,” said Schneier. “Voting systems are not magical in any way. They are computers.”
Even though most states have moved away from voting equipment that does not produce a paper trail, when experts talk about “voting systems,” that phrase encompasses the entire process of voting: how citizens register to vote, how they find their polling places, how they check in, how they cast their ballots, and ultimately how they find out who won.
Much of that process is digital.
“This is the problem we always have in computer security — basically nobody has ever built a secure computer. That’s the reality,” Schneier said. “I want to build a robust system that is secure despite the fact that computers have vulnerabilities, rather than pretend that they don’t because no one has found them yet. And people will find them — whether it’s nation states or teenagers on a weekend.”
Sen. Marco Rubio, R-Fla., who sits on the Senate intelligence committee looking into Russia’s attack on the 2016 election, warned elections officials in his state not to be complacent.
“I cannot emphasize enough the vulnerability,” Rubio said, according to the Tampa Bay Times. “I don’t think [election officials] fully understand the nature of the threat.”
Talking in public about these dangers is a tough balancing act. Transparency in elections is a key component to a working democracy — but election officials want citizens to vote, so they have to portray confidence in the system.
There remains no evidence, as lawmakers and election heads often point out, that any votes were actually changed in the 2016 election.
But the Department of Homeland Security says Russian hackers did break into the registration system in one state, Illinois, and steal the username and password of an election official in another, Arizona — and targeted or probed the voting systems of at least 21 states.
So in the span of just two years, officials have gone from arguing their systems are completely secure, to talking openly and clearly about the specific issues that exist and working to fix them.
But a lack of time and resources means heading into the 2018 midterms, American voting systems remain vulnerable, and as Rubio noted, there’s no synchronicity among states and jurisdiction about where the country is in terms of security.
The Doomsday Scenario
Voter registration databases were being breached. Pundits were loudly questioning the integrity of the election. Americans’ confidence that their votes would be counted fairly and accurately hung in the balance — with widespread chaos looming just on the horizon.
Elections officials from more than 35 states huddled in groups; every time they decided to fund a new resource or deploy a new strategy, news of a new vulnerability sprouted. Reporters hounded for answers, as government employees received highly targeted phishing emails designed to coax their passwords. Simultaneously, a virus penetrated government devices by coming through the printers, which were connected to the internet.
It was voting problem whack-a-mole. The way the election directors handled the pandemonium would determine the future of American democracy.
Luckily, this time, it was only a drill.
The 150 or so officials gathered at Harvard University for a worst-case scenario exercise meant to push the officials’ abilities to prepare and react in the case of a broader attack than America saw from Russia leading up to 2016.
Arizona director of elections Eric Spencer, an Iraq war veteran, compared the preparations he and his team are making to his training as an infantry officer.
“We always trained harder in the United States for combat to make it easier when we got overseas, and I see this as the same thing,” he said. “[Crisis scenarios] were nearly non-existent a few years ago. In 2016, before we got information that elections were subject to foreign interference, it was in the back of our mind but now it’s probably the number one item in our mind.”
Most of the focus so far has been on the more than dozen states still using electronic voting machines that don’t provide a paper backup trail; experts say these machines could allow potential hacks or even technological glitches to go undetected.
In its most recent spending bill, Congress has allocated $380 million for voting security, but the funding will be allocated across all 50 states by population in a way that won’t necessarily address the vulnerabilities of electronic voting machines anytime soon.
In fact, it isn’t clear how much of a dent that money might make overall because no one, including the federal government, knows for sure how much American elections cost in the first place.
“Figuring out the true cost of election administration in this country is the white whale of the discipline,” said Doug Chapin, an elections researcher at the University of Minnesota. “I don’t think we even have a really good estimate …. which is why it can be difficult when policy makers, say ‘OK, how much do you need?’ Usually the answer is: ‘more.'”
The Needs Are Not equal
“Some states are much better off when it comes to protecting their elections systems. And remember, the Russians in particular don’t have to attack every state, they’ll go to the weakest link,” said Eric Rosenbach, director of the Belfer Center leading the security exercises, to the Senate Homeland Security Committee. “All they have to do is undermine trust in the system and confidence in the outcome.”
But these issues are bigger than the security of the machines that voters use.