Russian hackers targeted US electoral systems during the 2016 presidential election. Much has been done since then to bolster those systems, but J. Alex Halderman, director of the University of Michigan’s Center for Computer Security and Society, says they are still worryingly vulnerable (see “Four big targets in the cyber battle over the US ballot box”). MIT Technology Review’s Martin Giles discussed election security with Halderman, who has testified about it before Congress and evaluated voting systems in the US, Estonia, India, and elsewhere.
Lots of things, from gerrymandering to voter ID disputes, could undermine the integrity of the US electoral process. How big an issue is hacking in comparison?
Things like gerrymandering are a question of political squabbling within the rules of the game for American democracy. When it comes to election hacking, we’re talking about attacks on the United States by hostile foreign governments. That’s not playing by the rules of American politics; that’s an attempt to subvert the foundations of our democracy.
How much has election security improved since the 2016 US presidential election?
One thing that’s improved is awareness. States are taking the first necessary steps to protect their systems—things like making sure they run vulnerability scans on software, and that electoral staff have security clearance to receive threat intelligence from the federal government. Progress accelerated in March when Congress allocated $380 million in new funding that will help states afford to upgrade insecure equipment and make other improvements, but there’s still a lot more work to be done.
What element of the voting process worries you the most?
The part that keeps me up at night is the electronic voting machines. Every machine has to be programmed with the ballot design, and that programming is copied in by election officials on a USB stick or memory card. If someone can infect that programming, they can spread an attack to the machines and potentially tamper with a fraction of the votes without anyone detecting it.
So what can be done to address this risk?
We need to make sure that every vote is recorded on a piece of paper, too. Without paper, there may be no evidence we can go back and look at that would reveal vote tampering. We also need to make attacks as difficult as possible by making sure systems used to program ballot design are locked down and never accessible from the internet.
What other areas beyond voting machines are vulnerable?
Voter registration systems connected to the internet are a major concern. In 2016, one of the most worrying cyberattacks was Russian attempts to probe, and in some cases hack into, voter registration databases. We also need to worry about electronic poll books that many states use to check voters in on Election Day. This equipment is often networked, and if it fails it could lead to chaos at the polls.
How can we bolster defenses here?
The main thing is to apply the same good security practices developed for protecting other government and industry databases. We also need to have backup procedures in place in case the technology fails.
Auditing results can catch vote manipulation. Are post-election audits in the US sufficiently robust?
No. Some states don’t check ballots at all; others examine them in a fixed fraction of precincts, but in a close contest, that might not catch vote tampering concentrated in precincts that aren’t checked. We need “risk-limiting” audits. Here you agree in advance on the probability you’re willing to tolerate of an election outcome being manipulated and not detected. You then look at enough paper ballots so the odds of someone getting away with fraud are lower than the target percentage.
Why don’t we have these audits everywhere?
States have been slow to adopt new ways of countering cyberthreats. Fortunately, risk-limiting audits don’t have to be particularly expensive. When an election isn’t close, you might be able to confirm the result with high statistical confidence by examining a few hundred ballots across a state; in extremely close elections, you often have to do an automatic recount anyway.
Would it be better if the US had a federally mandated, nationwide voting system rather than many different state and local ones?
It might be easier to secure a single, unified voting system, but election administration in the US is the responsibility of state and local governments, and I don’t see that changing soon. What we can do is to set national standards for election cybersecurity that states should meet or exceed.
Could one tie federal money for securing elections to the adoption of those standards at the state level?
That could be quite effective, and there’s a bipartisan draft bill in Congress called the Secure Elections Act that would do just that.
What would have to happen for online voting, Estonia-style, to become broadly viable in the US?
Online voting carries extremely big risks. You need to protect internet-connected servers running the election from sophisticated adversaries and protect voters’ own devices from malware. That’s why Estonia is the only country where national elections are largely online, and its system is unlikely to withstand a concerted attack. It may be decades before we’re able to secure online systems to the same level we expect from voting in polling places today.
Some people have floated the idea of blockchain-based voting systems. Are you a fan?
Blockchain doesn’t fix the hard parts of securing online elections. It’s just another form of recording votes. If attackers compromise voters’ devices or the servers that record votes and log them to the blockchain, they can still manipulate election outcomes. There are no easy solutions here.