Senior Writer

Voting machine security: What to look for and what to look out for

Oct 01, 2019 | 8 mins
Critical Infrastructure, Security

The US Senate approved $250 million to help states purchase more secure voting equipment, but the funding includes no provisions for what "secure" means. Our buying guide will help state election officials spend taxpayer money wisely.


US state election officials have got to be stressed out. Almost none are cybersecurity experts, and they find themselves pulled hither and thither by partisan politicians on the one hand, and non-partisan security experts on the other hand. The good news is the US Senate just approved a second tranche of funding — this time for $250 million — to help the states secure their election systems.

So how are you supposed to spend that money? The $250 million does not include any security requirements or guidance for the voting machines states buy. Is this secure? Is it not? What should you buy? You can’t trust the voting machine vendors either, as they have not been forthcoming on potential vulnerabilities in the past.

Senator Ron Wyden (D), one of the few cybersecurity-savvy members of either house of Congress, was critical of the funding bill. “This proposal is a joke,” he said in a statement. “This amendment doesn’t even require the funding be spent on election security — it can go for anything related to elections. Giving states taxpayer money to buy hackable, paperless machines or systems with poor cybersecurity is a waste.”

If you’re a state election official trying to do the right thing, or a citizen who wants to know if your election officials are doing the right thing, this guide is for you.

How to secure our elections

Before we get into the nitty-gritty, let’s be clear: There is widespread agreement among security experts on how to secure elections. A new report on voting machine security from the National Academies of Sciences, Engineering, and Medicine lays out the consensus opinion of dozens of leading experts. Voting machine security expert Matt Blaze’s 2017 testimony before Congress painted the solution in vivid colors: use paper ballots, counted with optical scanners, and double-checked with risk-limiting audits. Oh… and avoid online voting and anything that uses the word blockchain.

Ready to put some nitty in your gritty?

Avoid DRE voting machines

Direct recording electronic (DRE) voting machines are touchscreens that record the results of the ballot to disk, and might print out a receipt for the voter. These machines are just hackable computers that offer no way to audit or recount a vote in case the result looks suspicious. The overwhelming consensus by experts is that these machines are unsuitable for voting and should be junked as soon as possible. “Paperless DRE voting machines should be immediately phased out from US elections,” Blaze highlighted in his testimony to Congress.

Spending federal funding to purchase new DRE voting machines would be a major waste of taxpayer money, and make our elections less secure, not more.

Hand-marked paper ballots

Are you using hand-marked paper ballots? A lot of vendors have started talking nonsense about “paper ballots” but really mean machine-marked paper ballots that produce bar codes that can then be scanned. These are not hand-marked, and the touchscreen itself can be hacked. How can voters verify their intentions by looking at a bar code? If your vendor is proposing anything other than hand-marked paper ballots, then you should run away screaming.

There is an exception to this rule. Disabled people have a right to vote, too, and special machines for people who require accommodation may be the right way to solve that problem. Using machine-marked paper ballots for all voters, however, makes your election hackable and should be avoided.

Spend federal funds on good ol’-fashioned paper ballots and consider how best to accommodate disabled voters.

Optical scanners

A small chorus of alarmists have begun demanding “paper ballots only,” but they are only half right. Ballots in the United States can be extremely complex, and counting paper ballots by hand is a lengthy, error-prone process. Automating that counting helps mitigate the risk of human error.

For this reason, experts argue that using paper ballots, counted via optical scanners, is the safest way forward. The voter completes a paper ballot, scans it once using an optical scanner, and then deposits the ballot into a locked box. Using optical scanners to count hand-marked paper ballots is widely viewed by security experts as the best way to get a vote tally that is both faster and more accurate.

The great thing about hand-marked paper ballots counted by optical scanners is that it’s very easy to hand count those ballots if necessary. Some hand counting should take place after every election, which brings us to risk-limiting audits.

Risk-limiting audits

Trust but verify.

Using optical scanners raises the specter of what happens if someone hacks the optical scanner. The way around this problem is to hand count a statistically significant portion of the hand-marked paper ballots.

To ensure that the optical scan results have not been hacked or otherwise tampered with, risk-limiting audits should be performed after every election on a statistically significant sample of the paper ballots. A risk-limiting audit should be mandatory immediately after every election and before the results are certified.

A really easy way to prevent attackers from hacking election systems and changing election results is to double-check the results by hand—maybe not all of them, but a statistically significant sample of them. A landslide victory might lead to a smaller number of votes counted; a close race might lead to most, or even all, of the ballots being recounted by hand.
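The link between margin and audit workload described above, as an added example that is not part of the original article: a ballot-polling sequential test in the style of the BRAVO method for a two-candidate contest. The function names, the 5% risk limit and the constructed contests in the demo are assumptions.

```python
import math
import random

def expected_sample_size(winner_share, risk_limit=0.05):
    """Rough number of ballots to hand-check when the reported share is right
    (Wald's approximation for the sequential test below)."""
    drift = (winner_share * math.log(2 * winner_share)
             + (1 - winner_share) * math.log(2 * (1 - winner_share)))
    return math.log(1 / risk_limit) / drift

def ballot_polling_audit(sample, winner_share, risk_limit=0.05):
    """sample: marks read by hand ('W' or 'L') from randomly drawn paper ballots.
    winner_share: the winner's share of the two-candidate vote per the scanners.
    Returns (outcome, ballots_examined)."""
    if not 0.5 < winner_share < 1:
        raise ValueError("reported winner share must be between 0.5 and 1")
    needed = math.log(1 / risk_limit)        # evidence required to stop early
    log_ratio, examined = 0.0, 0
    for mark in sample:
        examined += 1
        if mark not in ("W", "L"):           # no valid vote for either candidate
            continue
        share = winner_share if mark == "W" else 1 - winner_share
        log_ratio += math.log(share / 0.5)   # compare against a tied contest
        if log_ratio >= needed:
            return "confirmed", examined
    return "full hand count", examined       # sample never confirmed the tally

if __name__ == "__main__":
    rng = random.Random(2019)
    # Constructed contests: (winner's true share on paper, share the scanners reported)
    for true_share, reported in [(0.70, 0.70), (0.52, 0.52), (0.48, 0.55)]:
        box = ["W"] * int(true_share * 100_000)
        box += ["L"] * (100_000 - len(box))
        draws = (rng.choice(box) for _ in range(len(box)))  # with replacement
        outcome, n = ballot_polling_audit(draws, reported)
        print(f"paper {true_share:.0%}, reported {reported:.0%}: {outcome} "
              f"after {n} ballots (expected about {expected_sample_size(reported):.0f})")
```

In the third constructed contest the scanners report a winner the paper does not support, so the sample never reaches the stopping threshold and the audit escalates to a full hand count.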

“States should mandate risk-limiting audits prior to the certification of election results,” the National Academies report warns. “With current technology, this requires the use of paper ballots. States and local jurisdictions should implement risk-limiting audits within a decade. They should begin with pilot programs and work toward full implementation. Risk-limiting audits should be conducted for all federal and state election contests, and for local contests where feasible.”

The combination of paper ballots and risk-limiting audits is more secure than either alone. One might argue that there’s nothing more secure than paper ballots. Yet, a history of 19th- and 20th-century ballot stuffing in the US makes clear that corrupt political machines can steal an election. Political machines, like those led by Boss Tweed in 1870s New York City, bribed and stole elections. Ballot stuffing has also frequently occurred around the world, where the façade of democracy was more important than a free ballot, for instance in Soviet Russia.

Does your voting machine vendor support hand-marked paper ballots, counted by optical scanner, and checked via risk-limiting audits? If so, you’re on the right track. For any vendor who doesn’t tick those boxes, however, you should shred their response to your RFP.

Avoid internet voting, and anything involving blockchain

Paper ballots, optical scanners, risk-limiting audits. Gotcha, some say, but that means we have to vote in person. It’s like, 2018, duh. I can bank online, how come I can’t vote online from my smartphone?

If there is one thing voting security experts agree on, it’s that online voting is not secure, cannot be secured, and will probably never be secure. “Insecure internet voting is possible now,” the National Academies report dryly observes, “but the risks currently associated with internet voting are more significant than the benefits. Secure internet voting will likely not be feasible in the near future.”

What about blockchain? Utter the “b”-word around voting security experts and watch their faces turn purple. Avoid unless you really want to provoke another Vesuvius.

“While the notion of using a blockchain as an immutable ballot box may seem promising, blockchain technology does little to solve the fundamental security issues of elections, and indeed, blockchains introduce additional security vulnerabilities,” the National Academies conclude. “In particular, if malware on a voter’s device alters a vote before it ever reaches a blockchain, the immutability of the blockchain fails to provide the desired integrity, and the voter may never know of the alteration.”

Chasing unproven, insecure voting technology is what got us where we are today. If we care about trust in our election results, we need to take a conservative, security-first approach.

Security is not partisan

The security of voting equipment is not, and should not be, partisan. We can’t have fair elections if we can’t trust voting machines to give us an honest — and verifiable — count. Election officials’ buying decisions today will affect how much we trust the outcome of the 2020 presidential election.

“Without such [cybersecurity] guidelines, states and counties could use taxpayer dollars to purchase outdated DRE machines that we know are vulnerable to hacking and malfunction, leaving our elections at risk for years to come,” Justin Vail of tells CSO.

Whether or not the Senate and House will agree on a final funding bill that includes such minimal security provisions remains to be seen. With or without strings, election officials are still free to do the right thing and spend federal funds on purchasing secure voting machines.


J.M. Porup got his start in security working as a Linux sysadmin in 2002. Since then he's covered national security and information security for a variety of publications, and now calls CSO Online home. He previously reported from Colombia for four years, where he wrote travel guidebooks to Latin America, and speaks Spanish fluently with a hilarious gringo-Colombian accent. He holds a Master's degree in Information and Cybersecurity (MICS) from UC Berkeley.
