It’s Election Day: Do You Know Where Your Votes Are?

NEWS ANALYSIS: Security has been a constant question since the Russians were shown to have attempted interference in the 2016 general election. It's still an issue in today's midterms.

Voting.machine

Imagine, if you would, that your organization’s security was being handled as well as election security in the United States before the 2018 elections. Now, once you’ve wrapped your head around that, imagine adding the concept of “flogging” to your employee handbook.

The reason these two things go together is that if a corporate board handled security as poorly as the groups moving ahead with election security, the only proper response would be to be flogged. In public.

Since the 2016 election, when many of the holes in the U.S. election systems were uncovered until now, on election day 2018, the security of the electoral process has been much discussed, but remarkably little has been done to ensure its security. This starts with state election systems that refuse to allow the Department of Homeland Security to help them secure their election process.

No Paper Trail in Many Voting Jurisdictions

Those same state officials are also responsible for buying and continuing to use voting machines that are wide open to hacking and that can’t be audited. Because there’s no paper trail, there’s also no way to ensure that votes are recorded as cast.

Many of those voting machines are based on versions of Windows that have never been updated because there’s no way to update them. But in many cases, those machines are stored in unguarded warehouses where manipulation between elections isn’t out of the question.

Meanwhile, the integrity of the vote is only part of the problem. Election interference has been rampant since before the 2016 general election. Only now are we seeing the beginnings of attempts to cut back on fake news and fake Facebook and Twitter accounts used to spread dissention. It’s also taken two years since it was clear that Russian military intelligence agencies, especially the Internet Research Agency (IRA), were playing a major role in interfering with the U.S. elections.

But it doesn’t stop with state and local election officials. There have been bills tied up in Congress that would allocate money to the states so that they could afford to buy voting machines that could be audited and that are safe from hacking. Those bills haven’t gone anywhere, partly because the party in power hasn’t felt the need to do anything, apparently believing that the Russians are on their side.

Politicizing Voting Security Instead of Fixing It

But it gets worse, as unlikely as that seems. Some of the people responsible for conducting those elections are playing a major role in confusing the issue. For example, on the day before the election, Georgia’s Secretary of State, who administers the election process but who is also running for governor, was alerted to a security vulnerability in the state’s voter database. But instead of working to implement a fix, he immediately charged the Democrats with hacking Georgia’s election system. The only evidence he had was a warning of that vulnerability from some computer scientists; instead, he chose to politicize the issue instead of fixing it.

At least part of the problem is that election security is hard and has a lot of moving parts. The challenges include: a) disinformation in the time leading up to the vote; b) interference with the registration process; c) interference with the actual voting and with recording the vote; d) counting the votes as cast; and e) ensuring that the count is correct. Security needs to be in place each step of the way to ensure a fair election.

Disinformation ahead of the election is the most visible problem. The IRA has been, and continues to be, very active. Fortunately, Facebook and Twitter are at least aware of their part of this problem. They say that they will be on alert, so tweets saying that the election has been moved to Wednesday probably will be killed.

The registration process is a vulnerability that’s not well-addressed. Because voter registrations are public, stealing the list is only marginally a problem, so the real vulnerability lies in making subtle changes to the registration database that can prevent votes from being cast. Done properly, one could swing an election if that person decided to tamper with voter records from one party. The problem here is to make the registration data public but to prevent access that would allow changes. This can be done, but it requires money and people with the required knowledge.

Why Interfering With the Actual Voting Process Is Least Likely Problem

Interference with the actual voting process is probably the least likely problem for two reasons. One is that voting in the U.S. is highly decentralized, so you’d need to figure out how to hack thousands of individual machines that aren’t connected to the internet during the process. Making a substantive difference would be extremely difficult, and detection would be fairly easy, since all but five states back up the electronic results with a paper ballot.

Finally, there’s the counting process. Every state will have its vulnerabilities here, but those paper ballots can be used to retrieve the true number in states where they’re used.

Clearly, the actual real-world vulnerabilities aren’t as extensive as they may seem at first, and the fixes are well within the capabilities of today’s technology. So why aren’t they being implemented? There are two reasons. One is the mistaken belief that the lack of security is providing a political advantage; the other is the refusal to allocate money for repairs to those voting machines that need it and to the databases that contain the data that’s needed to conduct the election.

Private industry has been handling database security successfully for years. Perhaps it’s time to take the politics out of election security, then ask for help securing the election system from companies that already know how to do it. It still won’t be a trivial task, but at least security would be in the hands of companies that know how to do it.

And if a few politicians keep wanting to inject politics, just remember that flogging is still an option.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...