"Researchers assembled over 100 voting machines. Hackers broke into every single one."
That was the finding of a cybersecurity exercise in early August by friendly hackers in "Voting Machine Hacking Village" in Las Vegas — an annual foray intended to highlight both new and unaddressed vulnerabilities riddling U.S. election systems in every state.
The yearly DefCon conference is one of the world's biggest information security gatherings frequented by hackers, government officials and industry workers. The "Hacking Village" began in 2017 on the heels of our 2016 election interference realizations. Its aim was and is to improve voting machine security.
Oddly, it hasn't made all election officials very happy. Some, including Georgia's Secretary of State Brad Raffensperger, have criticized the effort's utility as a testing ground, deriding it as a "pseudo environment."
Perhaps that's because at the DefCon conference, hackers were able to use a screwdriver to get inside a ballot-scanning machine similar to what will soon be used across Georgia. Once they were in, they also were able to replace a memory card and effectively take control of the machine that counts votes.
Raffensperger recently told the Atlanta Journal-Constitution that the hackers examined an "old, outdated system" that didn't match the ballot scanners that will be rolled out statewide starting with the March 24 presidential primary. He also said the hacks didn't account for real-life election security protocols.
DefCon's resulting 47-page report warns that without continued efforts to increase funding, upgrade technology and adopt of voter-marked paper ballot systems, "we fear that the 2020 presidential elections will realize the worst fears only hinted at during the 2016 elections: insecure, attacked and ultimately distrusted."
Did we mention that House Democrats have introduced two bills that would require paper records to back up voting machines, mandate post-election audits and set security standards for election technology vendors? Senate Majority Leader Mitch McConnell, R-Kentucky, has, however, repeatedly blocked votes on the bills. McConnell says election security is the province of the states.
And did we mention that in July, the Senate Intelligence Committee released a report detailing how Russian hackers probably targeted all 50 states between 2014 and 2017? While the report did not find evidence that Russian actors tampered with vote tallies on Election Day, the committee's report said hackers "exploited the seams" between federal and state authorities and that states weren't sufficiently prepared to handle such an attack.
But McConnell is fine leaving this up to "the province of the states."
To see how this province of the states works, let's look at Georgia's Raffensperger "real-life election security protocols."
In mid-September, about two weeks before Raffensperger fussed to the Atlanta Journal-Constitution about DefCon's August findings, two machines used to check voters into their voting location as part of Georgia's election system were stolen from an Atlanta precinct just hours before local elections were to begin the next day. The password protected machines contain voter names, addresses, dates of birth and driver's license numbers.
What's more, about a month before that, the Atlanta paper had reported the mystery of voting machine No. 3 at the Winterville Train Depot outside Athens, Ga. On machine No. 3, Republicans won every race on Nov. 6, 2018. On each of the other six machines in that precinct, Democrats won every race. The odds of an anomaly that large are less than 1 in 1 million, according to a statistician's analysis in court documents. The strange results would disappear if votes for Democratic and Republican candidates were flipped on machine No. 3. Raffensperger's office refused to open an investigation. That was the same election in which the then-Georgia secretary of state and election system czar was Brian Kemp, who barely edged out Stacy Abrams to become governor after repeated controversies over voting irregularities in the Peach State. On Aug. 15, a federal judge ordered Georgia to stop using its outdated voting machines after 2019. New machines with paper backups are being tested now.
Meanwhile, back to the DefCon report, in which authors noted that every piece of assembled (and hacked) equipment is certified for use in at least one U.S. jurisdiction. In most cases, the hackers had no previous knowledge of or experience with the machines they broke into. What's more, they were placed in challenging settings and given less time and resources than attackers would be assumed to have.
Specifically, the friendly hackers had lock-pick kits, ethernet cables, curiosity and a mandate to "Please break things."
The report warns that supply chain issues continue to pose significant security risks. Think machines with hardware components of foreign origin, or foreign-based software, cloud or other remote services — all flaws that have been known and talked about for more than a decade.
Most of all, DefCon says all of our election systems need some form of paper ballots that allow for auditing. Take Hamilton County, for instance. We mark paper ballots by using pens to black out circles by the candidates we choose. We then carry those ballots to a scanner and watch the long page disappear into the box. Along the way, the computer scanner reads and tallies the marked votes.
Yes, the DefCon hackers found that they could alter how the scanners read and count those ballots. But at least with paper ballots, if there is a question, the paper ballots can be reviewed and tallied by hand.
Assuming, of course, that your state's secretary of state will OK an investigation.