election fraud vote graphic
© Washington Examiner
When it comes to the midterm elections, security has already lost.

Elections security experts say that it is too late to do much to protect our voting systems against tampering for the midterms. The Department of Homeland Security's efforts to spur ballot integrity upgrades are focused on 2020, but being future-minded is only an illusion: The hackers will always be ahead.

When you're talking about a set of processes as varied as how different states and districts vote — whether they still use outdated and vulnerable machines that leave no paper trail, or store their registration data insecurely online — there's really no way to either prevent — or detect — ballot interference with anything like absolute certainty.

Russians allegedly hacked Illinois and Arizona's voter databases mere months before the 2016 presidential election. When DHS first detected these attacks it was too late to prevent them, only soon enough to seal up the vulnerabilities. Except that, even if elections officials had wanted to secure their online voter registration rolls in response to the attack, the law wouldn't have let them.

Neil Jenkins, who was then director in the Office of Cybersecurity and Communications at DHS, witnessed intrusions into these states' voter registration databases underway that summer. He saw what was happening, but there was only so much he could do. "If we had given advice to state and local election officials to take your voter registration database offline because they are susceptible to attack," Jenkins says, "that's not advice that election officials could use." States that allow online registration are legally required to keep their databases online, he explained, so that people can continue to register.

DHS requested a significant parcel of funding for needed upgrades and distributed billions in grant money to states who'd requested it, for projects they'll need several years to complete. The Election Assistance Commission parcelled out funding based on what individual states determined they most needed. Georgia, for example, requested funds to replace its entirely paperless touch screen voting machines with machines that print a paper ballot, a sort of receipt for the voter to double-check.

But, as Georgia's secretary of state announced this fall, the funds came too late for them to replace their machines in time for the midterms. But it's not just Georgia, where voters recently filed suit against elections officials. Our election systems aren't, experts say, any more secure overall than they were this time two years ago.
Rebecca Mercuri vote fraud analyst
© Robert H. Smith School of Business/University of Maryland
Computer forensic analyst Rebecca Mercuri, PhD. in 2014
Or ten years ago, for that matter. Computer scientist Rebecca Mercuri has been, for 16 years, a vocal opponent of the highly hackable paperless voting machines — called direct-recording voting systems, or DREs — which are still in use in several states. Louisiana, Georgia, South Carolina, New Jersey, and Delaware exclusively use DREs despite their well-known weaknesses. (Some districts use DREs in 12 states, including Indiana, Kentucky, Pennsylvania, Texas, and Virginia.)

At this year's DEF-CON, the annual hacker conference, researchers set up a "Voting Village," recounts elections security expert Camille Fischer of the Electronic Frontier Foundation:
"They got a bunch of these DRE machines that they use in 18 states — and they were able to hack into them within two minutes."
You read that right: Within two minutes, white-hat hackers had gained access to the machines' card readers. On Election Day, such a two-minute breach would let the hacker change ballots that had already been cast and alter how the machine was recording future votes.

By contrast, if you want to see a sector that takes machine hacking seriously, look at the gambling industry. Mercuri notes that from slot machines to lottery tickets, gaming systems are far-and-away more secure and better regulated than our voting systems.

Consider slot machines: Casino control commissions require routine testing of slots. But at some polling places, only one out of a fleet of DREs will receive rudimentary maintenance testing. In some cases the DRE machines are so outdated that the Microsoft software running on them isn't even being updated anymore. "Casino folks who attended IEEE-USA [an engineering conference] to talk on a panel about how they examine slot machines were just laughing at how voting machines were examined," Mercuri recalled. "They do very very little testing."

With the Mega Millions drawing at an all-time high Tuesday, tens of thousands of tickets were being sold per minute in some states. Lottery players waited in long lines to play their numbers and, not so surprisingly, the $1.6 billion jackpot was more popular over the weekend than early voting. The tickets were more secure than players' ballots would have been, too. "The security codes we have on lottery tickets are far better than anything we have on the paper ballots that are used in any of the states," Mercuri said. It is much more difficult, she explained, to defraud the lottery than it is to fake a ballot or alter vote totals.

Still, testing and replacing these vulnerable machines was not a priority for DHS in the wake of the breaches, Jenkins told me. The agency took a "risk-based approach," he says — and determined that the organizational challenge of carrying out a coordinated voting machine hack "without getting caught" made these machines a less likely target than voter registration databases. When it came to securing registration databases, however, the law stood in the way: They can add protections and print off daily audits of the rolls to detect tampering, but states where online registration is the norm still have no choice but to keep their voter rolls live and online.

These voter registration databases, as Fischer pointed out, aren't just a draw for hackers seeking personal data. The prospect of identity theft may well discourage registration and tampering with them could also affect the outcome of an election. "It is entirely possible that a bad actor could delete names from the registration rolls," Fischer said.

And the current federal guidelines don't even address voter registration systems. Existing oversight of these systems, according to veteran elections security scholar and University of Iowa computer science professor Douglas W. Jones, is "extraordinarily weak." The guidelines currently in place, he said, "are written without reference to how the machinery is actually used. This is like requiring a lock on the door without discussing who has the keys or whether the door should actually be shut."

Jones sees recent progress, however, in that elections officials have begun heeding warnings like his. Many have "moved beyond denial," he says. But "this does not mean that they are taking effective action."

And Mercuri argues that, despite DHS's acceptance-stage efforts, the state of our election systems is actually worse now than in 2016.

It's worse, partly because of articles like this one: "At least before we knew that there were flaws, we knew there were these insane problems that could occur. But there wasn't a proof of concept." Since then — amid an appropriate but long overdue degree panic and yet, per Mercuri, too little action — computer scientists and security engineers' making a game of hacking voting machines, and reporters covering it, haven't helped secure the vote.

Heightened attention to the flaws in our voting systems might have pushed elections officials to recognize pre-existing flaws. But they've also made those flaws — and the easiest means of their exploitation — more widely known than ever before. The insecurity of DREs and internet facing registration databases aren't new, Mercuri tells me — far from it. She's been sounding the alarm about weakness elections security standard since long before even the widespread adoption of these machines and systems in the wake of Bush v. Gore.

Nothing much has changed, systematically. "What's new is the availability of it, the access to the information about how to exploit them, and how widespread it is now," she says. Even so, "no one's doing anything to stop it, to really make secure voting systems happen."

And the risks, meanwhile, are only greater across the board. Like antibiotic-resistant bacteria, the bad actors who instigated these and other attacks will be back. And they'll know where — and when — to strike. "They're going to take what they learned and there's going to be a future attack where they put it to use," said Larry Norden, of NYU Law School's Brennan Center. "2016 shows the first instance of knowing who to target. If you have a year or two or three to plan your attack you can do a lot more damage."