Voting system security: It’s broken and we should fix it
- By Jeannie Warner
- Oct 02, 2018
When you head to the polls this November, what will be the most pressing question on your mind? Will it be who to vote for or will it be whether your vote is secured? Both are fair and reasonable questions. However, only the answer about security is important enough to have a meaningful impact on the health of our democracy, and it should be a concern for every American of voting age.
Voting system security is subject to doubt and enormous scrutiny this year -- and for very good reason. Unfortunately, our collective and heightened awareness of the threat against our electoral process has yet to spur our government to produce solid security solutions, like a meaningful regulation or guidelines for good cyber health at the state level.
These problems did not just pop up during the last presidential election cycle. According to a recent report, more than half of our voting systems were left vulnerable to cyberattacks as far back as 2011 due to installed software that allows voting machines to be accessed and controlled from a remote location. If hackers remotely accessed an election management system, it is plausible that they could take control of the machine and introduce a malicious code that would either disrupt the election or alter the results. Why would we willingly allow something like this to happen?
The stark truth is that hacking a voting system happens in as easily and as undetected a way as any cyberattack we’ve seen make headlines. When a threat is underestimated and the need for security is taken lightly, we are sitting ducks. While we are blissfully unaware, bad actors have ample time and opportunity to accomplish to compromise credentials, identities, bank accounts or elections.
You’ve heard the saying, “If it ain’t broke, don’t fix it.” Well, America’s voting system security is absolutely broken, and it’s a major problem that our government must fix. To understand how to properly fix something, we must first understand the full scope of the problem, so let’s start there.
Currently, American elections are handled at the state level, meaning that individual states own the rules and processes for voting within their borders. Often, individual government officials are unfamiliar with the voting system technology they’re using because they don’t work with it frequently enough. While Election Day happens once every year or two, states either don’t have large enough budgets to proactively address security issues or they don’t have the desire to prioritize security because it carries a hefty price tag.
Add this financial strain to the fact that state governments often lack the personnel with technical expertise to protect the systems that store data on registered voters and tabulate votes, and you have a recipe for election vulnerability. It’s clear that many states are failing to take responsibility -- not only for how the machines work, but for their security. Sadly, the most pressing concern often involves storage of voting machines between elections.
Is there any hope that we can encourage a change? It's difficult, but we don’t have much choice. Our current defenses are so poor that it took an 11-year-old child less than 10 minutes to hack a replica of a Florida election website. That doesn’t bode well for Florida as an indication of the security work still to be done, and it’s just one example. It begs another question -- are we confident that any state is investing in security? Too many states are still running older applications on their systems, and some are also actively inviting new ways to corrupt the voting process. Take West Virginia -- this November, the state will become the first to allow military members stationed abroad to vote by smartphone -- a decision that gives security experts nightmares.
To address many of these vulnerabilities, application security must be prioritized and applied from voter registration systems through to the vote tabulation machines. To trust the outcome of our future elections, we must insist that security best practices are documented and upheld. The federal government could consider using regulations and inspections to enforce use of election security best practices. To be effective, the oversight program would have to be defined and funded, and the consequences or fines to non-compliant states would have to outweigh the costs to fix the problems.
Yet federal mandates struggle because of funding constraints and because every state’s priorities vary as much as its citizens. We know that voting systems security would require funding on multiple levels. The recent passage of the Secure Elections Act, with $380 million in funding to secure election systems, is just the tip of the iceberg -- and likely came too late to have a positive effect on this year’s midterms. We don’t need to look further than California for an example of how difficult and expensive this task is -- the state chose to return to paper ballots, even though it has the massive technical resources of the Silicon Valley.
So the burning question remains: Will states willingly prioritize their budgets to fund the needed security measures, or will it take a large-scale geopolitical event and a federal mandate to compel state governments to reorganize their priorities?
Jeannie Warner is a security manager with WhiteHat Security.