America’s voting machines are a patchwork of systems spread across thousands of districts, with widely varying degrees of accountability. It’s a mess. One that the Department of Homeland Security has finally committed to helping clean up.
This week, DHS chief Jeh Johnson held a call with state election officials to outline, very roughly, the kind of assistance that DHS will provide to help prevent cyber attacks in this fall’s elections. For now, details are vague, and whatever DHS plans to do will need to happen quickly; election day may be November 8, but in some states, early voting starts in just six weeks. That’s not enough time to solve all of America’s voting machine issues.
Fortunately, there’s still plenty DHS can accomplish—assuming the districts that need the most help realize it.
The problems with America’s electronic voting machines are extensive, but also easily summarized: Many of them are old computers, and old computers are more vulnerable to disruptions both purposeful (malware) and benign (bugs).
In the most extreme case to date, a security expert found that one particular type of electronic voting machine, used in Virginia elections, was so insecure that a novice hacker would have been able to sway results without much difficulty. That device was decertified, but researchers have demonstrated that other models, still in use around the country, are also vulnerable.
The reason so many machines are so out of date is also simple; replacing them would require money, and few districts are willing or able to pay for them. It’s often not even clear who would pick up the bill.
“Our elections are sometimes federal elections, sometimes state, sometimes local. The way we run elections is very decentralized,” says Pamela Smith, president of Verified Voting, a group that promotes electoral accountability. Authorities at each of those levels have had years of experience passing around responsibility. Until and unless voting systems are designated as “critical infrastructure,” a move DHS has considered, and which would give the federal government more direct authority over the process, that will remain the case.
What the DHS is offering, according to a release put out by the agency, is “support and assistance in protecting against cyber attacks.” That may sound vague, but it could actually prove to be quite useful.
“An election official could go to DHS and ask for a vulnerability scan” of their voting machines, Smith says. “There could be time between now and election day to do some vulnerability scans on things like the online voter registration database, to make sure that how they’re doing that is secure.”
Individual districts could take on that responsibility themselves, but not all of them have the means by which to do so. And most certainly don’t have the cyber capabilities of the DHS. Making sure electronic equipment isn’t vulnerable to attack or malfunction sounds like it should be a given, but it’s not. DHS resources will help remedy that.
There’s also still ample time to accomplish some straightforward checks.
“There’s nothing stopping jurisdictions from doing better pre-election testing and doing post-election audits,” says Lawrence Norden, deputy director of NYU’s Brennan Center for Justice and a voting machine authority. “We know that those things catch problems. They could catch hacking, but also glitches and other mistakes that are made on election day.”
There are limits to what DHS can do. Districts have to approach the agency for help, and not all might appreciate that they need it. And while some potential issues may have fixes as simple as making sure the machines aren’t internet-connected (to prevent a denial of service attack, or other remote tampering), it’s likely too late to swap out systems that are beyond help.
“I don’t think it would be a good idea to replace systems right now,” says Norden, citing how close we are to the early-voting kickoff. “Making big changes in equipment doesn’t make a lot of sense. There’s a potential for much bigger problems if you try to do that.”
There’s enough time to make the most of what you have, but not to install and learn an entirely new system. Besides, there’s still the issue of who would pay for it. “This is an area where changes don’t happen in a minute,” says Verified Voting’s Smith. “There are of places that would like to replace their voting systems, but they can’t, because they have to find the funding.”
Hopefully the DHS announcement signals that it will give more serious consideration to counting our voting systems as critical infrastructure going forward. For now, a patch job may be enough. Norden notes that increased cyber protections at the polls could be a strong deterrent to potential bad actors. More importantly, it should help voters feel more confident in the legitimacy of the electoral process.
“I think it’s very important, for the same reason it’s important that election officials are as transparent as possible with the public,” says Norden. “The more that they can do… to make sure that the public can trust the vote, the better.”