US Election Security: Is Your Vote Protected?
By Daria Bahrami, Contributing Editor
April 17, 2020
According to the Organization for Economic Cooperation and Development (OECD), the United States places 26th out of 32 developed, democratic nations in a recent measure of voter turnout based on the voting-age population. With regard to the US voting population, voter confidence—a term coined during the 2000 Florida election recount—has remained steady through the last few elections. However, conversations around election security have sparked concerns regarding electoral integrity and whether polls have been influenced by third parties.
In the 2016 US presidential elections, hackers paid off by the Russian government targeted the election systems in all 50 states. Two and a half years into this investigation, the US still does not know the extent of Russia’s influence on local, state, and national elections. With elections underway and Congress wrestling with the intelligence community (IC) amidst an ongoing investigation, security analysts from both the private and public sectors suggest that Russia’s cyberattacks could be far worse in 2020 than they were in 2016.
Voter registration systems, voting databases, and voting machines are all vulnerable and in need of stronger defenses. The Mueller report lists such deficiencies across US federal and state election infrastructure. Russia has been cited as pursuing access to state election infrastructure, researching the election process, observing polling results, targeting voting machine companies, and being tied to misinformation campaigns. Mueller also goes so far as to list paper backups as an effective way to accurately track every vote in the event of voter data interference.
The Evolution of Election Security
US voting systems have just barely begun to modernize in the wake of the American digital revolution. When elections operated on smaller scales, Americans used to shout out their votes in public forums with their names on display for whichever opinion they shared on a particular issue. As the scale of each election grew, ballots began to make an appearance. The US election system then progressed from public to private voting due to an increase in political tensions, as well as the introduction of lever machines and punch-card technology. By the 2000 elections, most states used a combination of electronic devices and paper ballots at voting polls. Only Delaware, Georgia, Louisiana, New Jersey, and South Carolina went completely paper free. And with these changes, most of the US election infrastructure has come to depend on private vendors, rather than election officials.
With the decline of voter confidence came the issuance of the Help America Vote Act (HAVA). HAVA is a block grant towards election security that sprouted in 2002, two years after the Bush vs. Gore hanging chads issue prompted a recount. Since then, more states have invested in paperless voting mechanisms, which have exposed entirely new forms of national security threats.
At one point, security had been one of the main motivations for maintaining a largely paper-based voting system, since the Internet’s design promotes open communication and most digital platforms lack the security parameters to confidently defend against today’s cyberattacks. At least six states—Arkansas, Delaware, Georgia, Kansas, North Dakota, and Pennsylvania—have shared that they will incorporate a voter-verified paper backup, in case anything goes wrong with the existing election software.
But enhanced security measures require heftier budgets. From opting for paper backups to investing in new voting machines and maintaining software security updates, state budgets typically cannot cover these costs. Congress used the Omnibus Appropriations Act in 2018 to increase the HAVA budget by $380 million, and by another $450 million in the December 2019 budget approvals, in order to give states the resources to prepare for the 2020 elections. While most states have invested in cybersecurity and voting equipment with their HAVA funds, they have shared it isn’t enough to perform the necessary system updates.
The Power of Public-Private Partnerships
This is where the private sector can come into play. For those using electronic voting systems, Microsoft’s Windows 7 has been the software of choice from 2009 through 2014, up until Windows 10 made its debut. However, election machine vendors and local governments have been slow to make the switch, due to the high cost of security updates, the lengthy bureaucratic approval process, and the general lack of incentive to change established systems and processes. The July 2019 announcement that Microsoft would be sunsetting Windows 7 by January 2020—and thereby retracting any security support—stirred concerns amongst leaders in both the private and public sectors.
The Associated Press found that across all 50 states, battleground states including Pennsylvania, Wisconsin, Florida, Iowa, Indiana, Arizona, North Carolina, as well as Michigan and Georgia, are being impacted by the end of Windows 7 support. According to the Associated Press, “The vast majority of 10,000 election jurisdictions nationwide use Windows 7 or an older operating system to create ballots, program voting machines, tally votes, and report counts.”
Further reports have identified that Election Systems and Software LLC and Hart InterCivic Inc, two of the three major election equipment vendors, will also be running on outdated software by the close of 2020. The third vendor, Dominion Voting Systems Inc, is suspected to be using systems acquired from companies that are no longer handing out security updates. These three companies collectively control 92 percent of election systems in the country.
In response, “Microsoft will be rolling out the free, open-source software product called ElectionGuard, which it said uses encryption to ‘enable a new era of secure, verifiable voting.’ The company is working with election machine vendors and local governments to deploy the system in a pilot program for the 2020 election.”
In 2019 alone, Microsoft alerted 10,000 customers that they have been targeted or compromised by nation-state attacks, all pointing to the significant dependency nation-states place on using cyberattacks to gain intelligence or influence geopolitics. The Microsoft Threat Intelligence Center has conducted and shared research pointing to nation-state election interference stemming from the actors Holmium and Mercury from Iran, Thallium from North Korea, and Yttrium and Strontium from Russia. The reality is that private companies will inevitably interact with matters of US national security and, as such, play a role in steering public policy. A company like Microsoft has longstanding involvement with issues impacting US national security; by choosing to acknowledge this interplay, Microsoft is stepping further into a responsible public-private partnership that can bolster its reputation and further strengthen US national security infrastructure.
Beyond the private sector, nonprofit organizations can also play a role in improving election security. For example, US CyberDome is a 501(c)(4) that provides cybersecurity to protect presidential campaigns against foreign influence, at no cost to political parties. It leans on a high-profile advisory board and depends on donations to operate. The Federal Election Commission recently ruled that nonprofits may provide free or discounted election security service. Enter the Harvard Defending Digital Campaigns and US CyberDome. With the support and leadership of DHS chiefs Jeh Johnson and Michael Chertoff, former DNI James Clapper and Francis Taylor, an ex-DHS undersecretary for intelligence and analysis, these organizations are well positioned for success. But the clock is ticking and it is unclear whether they will be able to acquire the technical prowess necessary to tackle today’s election security threats.
Fighting Against the War on US Election Security
The details around international influence on US elections are still muddy, but the more important question is: when are we going to stop playing defense and commit to a stronger risk mitigation platform?
Past examples of election security threats have spanned a wide spectrum of vulnerabilities. For one, the Kremlin’s campaign has targeted state and county electoral boards. Mueller indicted 13 Russian officials for conducting information warfare through the Internet Research Agency (IRA). This indictment includes social media campaigns, which were used by the IRA to influence voting with misleading pro-Trump and anti-Clinton advertisements, as well as associated “bot” accounts that targeted and discouraged minority groups from voting at all. Other charges held over a dozen Russian actors responsible for hacking the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and other liberal political groups, as well as aides to Hillary Clinton’s presidential campaign. The hacks involved malware that stole employees’ passwords, transferred gigabytes of data and emails to a Russian server in Arizona, and published private conversations to influence public opinion.
The US government has executed a handful of traceable mitigation efforts. In July, before leaving his role, former DNI Dan Coats appointed Shelby Pierson as the first election threats executive within the intelligence community. She was “crisis manager” for election security at DNI during the 2018 election and served in leadership positions at the National Geospatial-Intelligence Agency.
While the US Election Assistance Committee (EAC) requires each state to submit a plan of action in order to receive HAVA funds, the EAC does not offer guidance on how to bolster election security and does not require states to follow up on their expenditures to prove how they have spent their HAVA money. Beyond the EAC, there are no other governing authorities that are advising states on how to tighten election security. Further, Congress has not been able to agree on how to provide policy guidance with election security funds.
The House passed the Securing America’s Federal Elections (SAFE) Act to place cybersecurity requirements on vendors. Similarly, Senate Democrats are looking to pass the Elections Systems Integrity Act, mandating that election companies reveal any foreign ownership. This would address issues similar to the 2018 FBI finding that the state of Maryland’s voter software vendor, ByteGrid LLC, was financed by an organization with ties to one of Russian President Vladimir Putin’s wealthy allies. The centrist Blue Dog Coalition has also been endorsing a series of bipartisan election security bills, intended to empower NIST and the National Science Foundation to defend elections from hackers. These examples of legislation are ideal first steps towards securing the electoral framework, but there is little to no follow-up to ensure compliance. In order to hold any weight, these acts must be supplemented with policy enforcers.
The Brennan Center has released a recommended framework for election security oversight that places an agency like the EAC in charge of setting election vendor operating standards, performing certification checks, as well as ongoing review and enforcement of guidelines. Part of this recommendation involves the reinstatement of the EAC’s Technical Guidelines Development Committee (TGDC), which sets the certification standards for voting systems. This would incorporate more technical experts and representatives from relevant agencies and grant them decision-making power to expedite any pending changes or updates to the voting guidelines framework.
Although both parties can agree that election security is a threat to the nation that must be addressed, Congress has been caught in a stalemate in issuing effective legislation that can ensure consistency in safeguarding the 8,000+ local election jurisdictions. Perhaps the main weakness with any election security recommendation geared towards government action lies within the inefficiencies that line federal action, which is no match for the rate at which cybersecurity threats tend to evolve.
Conclusion
The reality of existing budget constraints stacked against the urgency of election security threats suggests a government-sponsored solution cannot be the first line of attack. For immediate action, private election vendors have to step up and be willing to take ownership of their business operations and credibility in this market. ByteGrid LLC failed to do so and lost the state of Maryland as a customer by compromising the state’s trust and failing to disclose that one of ByteGrid’s investors had been a Russian oligarch. Companies that have already stepped into this business by creating election software must be willing to maintain their competitive edge, particularly by verifying their integrity as vendors.
In the meantime, the US government must be willing to reallocate resources to bolster digital election security infrastructure. The initial boost of $380 million allocated towards HAVA, referenced above, is equal to the cost of one F-22 Raptor fighter jet. The defense budget needs to tilt more towards proactive, preventive measures on the domestic front, and less towards reactionary moves on foreign soil. Funding paper backups for state and local elections is just the first step. The federal government must also coordinate with election vendors to maximize available resources and strive to stay steps ahead of cybersecurity threats, especially when the integrity of US elections is at stake.
Without voter confidence and electoral integrity, the foundation of US democracy would be fragile at best. And while the US government might present policy recommendations before the 2024 presidential elections, current election security threats will only evolve and become more complex with time. Waiting for budget approvals and bipartisan policy recommendations in today’s political climate is not an option. Election vendors must be willing to take the lead on protecting this pillar of democracy, while the US government comes to an agreement on how it wants to lead this country.
About the Author
Daria Bahrami is a Net 39 Fellow at the Military Cyber Professionals Association and also serves as a Communications Officer for the Cyber Security Forum Initiative. Having studied International Security at Georgetown University’s School of Foreign Service, she is particularly interested in using strong communication and public-private partnerships to empower communities and to serve our national security interests. She’s published in Newsweek and currently works on the National Geographic Society’s Strategic Partnerships team.