Paper-based voting systems, routine audits and increased funding for state and local election officials are essential components needed to ensure the cyber security of voting infrastructure in the face of continued interference in elections, according to witnesses at a House hearing Wednesday.
The House Subcommittees on Information Technology (IT) and Intergovernmental Affairs discussed election system integrity at the hearing, focusing on preventive steps to secure voting machines from attempts to alter ballots or manipulate vote counts.
“Just because Russia did not tamper with ballots or reporting of election results during the last election it doesn’t mean they, or other adversaries, won’t try to do so in the next election or the election after that,” said IT Subcommittee Chairman Rep. Will Hurd (R-Texas) during his opening statement. “It was an issue then, and it remains an issue now.”
A January Intelligence Community report confirmed Russia conducted information operations campaigns to undermine confidence in election results, and in September the Department of Homeland Security (DHS) notified 21 states of attempted breaches of their voting infrastructure by Kremlin-associated hackers.
At the DEF CON Hacking conference in July, participants were able to successfully infiltrate five different direct recording electronic (DRE) voting machines. During the 2016 election, 42 states used DRE systems, which often utilize outdated software.
Dr. Matthew Blaze, an associate professor of computer & information science at the Univ. of Pennsylvania and a witness at the hearing, helped put together the DEF CON conference.
Many of the vulnerabilities discovered at DEF CON have been known since 2007 and can be exploited by non-specialists, according to Blaze.
“It’s difficult to overstate how vulnerable our voting infrastructure is that’s in use in many states today,” said Blaze during his testimony. “Paperless voting machines should be immediately phased out from U.S. elections.”
Blaze also recommended to the House panel that Congress seek legislation mandating statistical risk-limiting audits after elections to detect software failures, and that additional resources and training be made available to state and local election officials.
The other witnesses made similar recommendations and echoed the need for an urgent move away from paperless voting systems.
Edgardo Cortes, commissioner of Virginia’s Department of Elections, cited his state’s full transition to paper-based systems in the recent November general elections.
He urged Congress to ensure states have sufficient federal funding to procure new paper-based voting systems ahead of the 2018 mid-term elections.
IT Subcommittee Ranking Member Rep. Robin Kelly (D-Ill.) also pushed for new voting systems that remove the reliance on legacy systems vulnerable to hacking.
“Updating our voting machines to auditable, paper-based machines, such as optical scanners, is a step we need to take right now,” said Kelly. “If we’re going to withstand a coordinated attack, it’s going to take a coordinated defense.”
Louisiana Secretary of State Tom Schedler voiced caution about moving forward with full adoption of paper voting systems.
“We are not naive to the likelihood of future cyber attacks, but we also know that the use of paper ballots can just as easily open up fraud vulnerabilities unless strong protocols are followed by election officials,” said Schedler.
For future election cycles, Schedler hopes to see improved information sharing with DHS on potential threats and a greater role for the National Association of Secretaries of State’s Election Cybersecurity Task Force.
Christopher Krebs, the under secretary of DHS’ National Protection and Programs Directorate, testified that his team is aiming to lead the effort to provide voluntary assistance to state and local officials on potential threats.
DHS is also seeking to formalize partnerships with the private sector through its Sector Coordinating Council to bolster information sharing capabilities, according to Krebs.