Why Voting Systems Must be as Secure as the U.S. Power Grid

Authors: Karen Hobert Glynn and Pamela Smith

This oped was posted by Reuters on August 17, 2016.

Every American has the right to have their vote counted. The Department of Homeland Security is weighing steps to help safeguard that right. The agency is considering actions to secure the voting process against cyber-threats by designating voting systems as “critical infrastructure.” In a democracy, our voting systems are critical infrastructure like our power grids, hospital systems and nuclear power plants. The U.S. government maintains its authority based on the consent of the governed.

The revelation that hackers, possibly sponsored by Russia, illegally entered the computer system of the Democratic Congressional Campaign Committee, as well as that of the Democratic National Committee, and monitored email activity for more than one year shows the vulnerability of the U.S. political infrastructure. Emails of members of Congress were also hacked.

There have been other serious hacking episodes. Arizona’s statewide voter registration database, for example, was recentlytaken down for more than a week so that the FBI and the state could investigate a potential breach. Arizona Secretary of State Michele Reagan called the breach an“extremely serious issue.” The FBI described the threat as “8 out of 10” on its severity scale.

The question remains: If a nation wants to influence U.S. elections, would the hackers go directly after ballots and voting systems? If that’s the case, shouldn’t protecting these systems receive the highest priority?

In February 2013, the White House issued a multiagency directive on critical infrastructure security. Since then, the Department of Homeland Security has been identifying, monitoring and protecting such critical infrastructure as dams, the electrical grid, the chemical industry, emergency services, the financial sector, water and wastewater systems, nuclear reactors and more.

At that time, cybersecurity experts and election officials sent letters to the relevant government agencies to request that voting systems be included on the critical-infrastructure list. (Our organizations also sent letters with this request.)

If the Department of Homeland Security takes this crucial step, nonpartisan cybersecurity experts can start working with election officials and voting- equipment suppliers to identify vulnerabilities, protect vote counting systems from the Internet and plan for denial-of-service attacks. This should involve all levels of government.

We can already learn a lot from earlier election mishaps. E-poll books and voter registration databases have crashed; voting machines have failed to start up; vote tabulators have had defects that led to incorrect counts. Past mock Internet voting elections have been hacked and phantom candidates installed.

All these problems can either be prevented or planned for without massive expenditures. Here are some basic contingency plans that election officials have deployed over the years:

1) Have backup paper ballots on hand if voting systems fail to start up, as happened during the South Carolina presidential primaries in January 2008. Paper doesn’t fail to boot up. Nor can a paper ballot be hacked from a server abroad once it is marked by the voter.

2) Have paper copies of poll books, if e-poll books are used.

3) Have paper copies of voter registration lists.

4) Have provisional ballots available to voters if they don’t show up as registered for any reason. Be sure to have enough provisional ballots on hand to serve all voters.

5) Ensure that vote counting systems are not connected to the Internet. Some vendors have put wireless capacity in their voting systems to make reporting easier. These need to be turned off.

6) Curtail all Internet voting. Casting ballots by email or through an Internet portal are vulnerable to hacking.

7) Quarantine all ballots received through the Internet. These ballots should be assumed to contain malware. Manually add these tallies.

8) Run robust post-election audits, cross-checking vote tallies counted by computer with manual counts of paper ballots.

9) Conduct reconciliation procedures to ensure that the number of voters who cast ballots squares with the number of votes tallied.

The voice of every American deserves to be heard in our elections.