Security of Electronic Voting in the United States

Posted: October 20, 2016 at 10:59 am

Charity King and Michael Thompson
Risk and Infrastructure Science Center, Argonne National Laboratory

Introduction

In the midst of numerous high-profile cyber attacks, the United States is considering whether to categorize the US electronic voting system as “critical infrastructure,” to be protected and invested in much the same way as the US power grid or waterways. While a single cyber attack affecting the whole country is unlikely, because the US voting system is decentralized into approximately 9,000 distinct districts,[1] any credible threat has the potential to erode public trust in the election cycle.

Repercussions from the 2000 Election

The current US election infrastructure is a direct result of the 2000 presidential election. The recounts in Florida finally ended in a Supreme Court decision, awarding President Bush the presidency by a margin of 0.0092% of the official votes counted, or about 537 votes. Ultimately, the uncertainty surrounding the election outcome prompted the United States to act.[2]

In 2002, Congress appropriated $4 billion when it passed the Help America Vote Act (HAVA), a broad bill that encompassed voluntary minimum state standards for election equipment, funding for maintaining those standards, replacement of all punch-card machines, and the creation of the Election Assistance Commission (EAC), an independent agency tasked with creating voting system guidelines and certifying new voting system equipment.[3]

This massive cash infusion to the states quickly changed the voting landscape, with most states upgrading their equipment significantly to either Direct Recording Electronic (DRE) systems or Optical Scan systems that utilize paper ballots. However, HAVA was passed with no ongoing equipment replacement plan to deal with the aging of the technology originally purchased. The EAC reported for FY15 that approximately 89% of the original $3 billion in HAVA funds had been spent, with most of the remaining funds earmarked for ongoing operational costs.[4] With the federal government offering no long-term plan for equipment replacement, the burden of replacing these aging systems falls to each respective state.[5]

Vulnerability in Aging Hardware

Between 2002 and 2006, approximately $2 billion in HAVA funds were used to buy new systems—primarily DRE systems, in which a vote is transferred from a user interface to computer memory, or Optical Scan systems, which scan paper ballots.[6] The Brennan Center for Justice published a report last year finding that voting equipment manufactured during this period has a system lifespan of about 10 years.[7] Verified Voting calculated that as of 2016, approximately 43 states will be using some machines that are at least 10 years old, and 14 states will be using machines that are 15 or more years old (Figure 1).[8]

Figure 1 – Voting Machines at Least 10 Years Old by State

Many voting machine manufacturers no longer exist or no longer produce the machine models that are currently in use. In 2002, there were approximately 12 manufacturers, but the last decade has seen a series of mergers resulting in two main companies, ES&S and Dominion Systems, cornering approximately 70-90% of the US market.[9] The Brennan Center interviewed election officials from various states, many of whom admitted to stockpiling key components that are no longer manufactured.

Outdated hardware problems are also paired with outdated software. Most precincts in California are using Windows XP or earlier.[10] Since the operating system was retired in 2012, with the last security patches issued in 2014, Microsoft offers only extremely costly custom support for Windows XP.[11]

Vulnerability to Hacking

There has been no shortage of voting machine hacking demonstrations or white papers showing inherent system vulnerabilities in recent years. Internet-connected systems face the most dangerous threats, since an attacker can have a devastating impact on a voting system from a remote location. Recent studies have led to the decertification of machines with egregious remote vulnerabilities, most notably the WinVote, which was decertified after a team of researchers revealed the poor security protocols of its Wi-Fi vote tallying feature.[12]

Unfortunately, a voting system that is isolated from the internet is not immune to cyber threats (Figure 2).[13] A common misconception about the physical access threat is that a hacker would need to gain access to every machine in a voting district. Princeton University researchers have developed a specialty in revealing voting system vulnerabilities, in machines such as the Automatic Voting Computer (AVC) Advantage and the Diebold AccuVote TS, and demonstrated with their AccuVote hack that physical access to one machine was enough to corrupt a voting network, using the memory cards for viral propagation.[14]

Figure 2 – Breakdown of Voting Machine Characteristics

Vulnerability in Lack of Transparency: Software and Auditing

The notion of transparency is necessary for ensuring public accountability and trust. The black box of proprietary voting software is a glaring vulnerability that is absent from discussions of modernizing US infrastructure, and yet most security experts agree that it is crucial to switch to open-source software.[15] The open-source model is the standard for the modern cryptographic protocols that secure financial institutions and other networked critical infrastructure. Open-source voting infrastructure would allow for public auditing of the election process.

The federal accreditation process that certifies systems is pervaded by conflicts of interest. The Independent Testing Authorities (ITAs) are private labs compensated by the voting machine manufacturers themselves.[16] If the only reviewers of proprietary code are the manufacturer and an ITA funded by that manufacturer, there is a clear and dangerous conflict of interest.

One of the most important factors in assuring the integrity of the democratic process is the ability to successfully audit post-election results. HAVA § 301 requires that a paper record be made available for any official audit, including a manual recount, but the clause is ambiguous about what type of paper trail is necessary to conduct a meaningful audit. A Voter-Verified Paper Audit Trail (VVPAT) is the concept of having a paper trail even when electronic machines are used. These paper copies are what make an audit possible; however, many come with their own risks. If the machines or the software interfacing between the system in use and the VVPAT system are tampered with, the audit trail itself could be compromised. VVPAT systems that rely on a reel tape may allow the voting process to be de-anonymized. Currently, five states in the United States have DREs with no paper trail (Figure 3).[17] If any irregularities were to occur due to a software/hardware malfunction or malfeasance, there would be no way to compare voter intent against the tabulated votes.

Figure 3 – Polling Place Equipment by State

Conclusions and the Path Ahead

The 2016 election cycle in the United States has been an opportunity to see just how potentially vulnerable US election infrastructure is. Threats to the electoral system feel palpable, and research shows that there is good reason to anticipate that at least local election tampering is plausible. Improving the infrastructure supporting such an important part of the democratic process in the United States is critical.[18] Robust physical security procedures for the current machines are low-hanging fruit that should be enforced to the fullest extent possible. Likewise, the lack of a VVPAT paper trail for DRE systems is a significant system flaw that the EAC should address explicitly as long as there are states that continue to operate under such conditions, estimated for 2016 to include approximately 20% of US registered voters.[19] Security experts urge that all voting systems be software independent. Software independence, as defined by the National Institute of Standards and Technology, means that an undetected error in software cannot cause an undetectable change in the election outcome.[20] This usually means a hybrid software and paper solution or, according to many experts, a paper system that includes optical scanning.[21] For states that are in the process of purchasing new machines, optical scan machines that require voters to mark the ballot themselves are considered more secure than DRE systems, as these machines both create a permanent paper record and make it more difficult to forge votes.
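As an added illustration (not code from the paper or from any of the systems it discusses), the following Python sketch models the post-election audit that the VVPAT discussion and the software independence definition above both depend on: a ballot-comparison audit checks voter-verified paper records against the electronic cast vote records, escalates to a full hand count when any discrepancy appears, and cannot be performed at all when a paperless DRE leaves no paper record to compare against. The election data, the 30-ballot software fault, and all function names are constructed for this example.

```python
import random
from collections import Counter

# Constructed sample election (not from the paper): 1,000 two-candidate ballots.
# PAPER is the voter-verified record (hand-marked ballots or VVPAT printouts);
# ELECTRONIC is the cast vote record set the tabulator reported. A hypothetical
# software fault flipped 30 "A" ballots to "B" in the electronic copy, which
# reverses the reported outcome (paper: A 515 / B 485, electronic: A 485 / B 515).
_rng = random.Random(2016)
PAPER = ["A"] * 515 + ["B"] * 485
_rng.shuffle(PAPER)
ELECTRONIC = list(PAPER)
for pos in [i for i, v in enumerate(PAPER) if v == "A"][:30]:
    ELECTRONIC[pos] = "B"


def winner(records):
    """Plurality winner of a list of cast votes."""
    return Counter(records).most_common(1)[0][0]


def ballot_comparison_audit(paper, electronic, sample_size, seed):
    """Draw a random sample of ballot positions (seeded so the draw is
    reproducible) and compare each paper record with its electronic cast vote
    record. Returns the list of (position, paper_vote, electronic_vote)
    discrepancies found in the sample."""
    rng = random.Random(seed)
    positions = rng.sample(range(len(paper)), sample_size)
    return [(i, paper[i], electronic[i]) for i in positions if paper[i] != electronic[i]]


def audit(paper, electronic, sample_size, seed=1):
    """Post-election audit as the paper describes it: sample first, and on any
    discrepancy escalate to a full hand count of the paper records. With no
    paper record (a paperless DRE) there is nothing independent of the software
    to compare against, so the audit cannot be performed at all."""
    reported = winner(electronic)
    if paper is None:
        return {"status": "unauditable", "reported": reported}
    discrepancies = ballot_comparison_audit(paper, electronic, sample_size, seed)
    if not discrepancies:
        return {"status": "confirmed", "reported": reported, "discrepancies": 0}
    hand_count = winner(paper)
    return {"status": "hand_count", "reported": reported, "hand_count": hand_count,
            "outcome_changed": hand_count != reported,
            "discrepancies": len(discrepancies)}
```

A real audit would also fix the sample size from the reported margin and the desired risk limit; here the sample size is simply a parameter so the escalation logic stays visible.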

Cost will always be an impediment to upgrading election hardware and modernizing software. The United States should be investing in systems that use easily replaceable hardware and open-source software. There are emerging technologies that offer opportunities for increasing the transparency and security of our elections, such as end-to-end voter verification.[22] The future of voting equipment in the United States will need to be innovative, secure, inexpensive, and transparent in order to gain public buy-in and protect the voting rights of Americans.

The work presented in this paper was partially supported by Argonne National Laboratory under U.S. Department of Energy contract number DE-AC02-06CH11357. The submitted manuscript has been created by UChicago Argonne, LLC, Operator of Argonne National Laboratory (“Argonne”). Argonne, a U.S. Department of Energy Office of Science laboratory, is operated under Contract No. DE-AC02-06CH11357. The U.S. Government retains for itself, and others acting on its behalf, a paid-up nonexclusive, irrevocable worldwide license in said article to reproduce, prepare derivative works, distribute copies to the public, and perform publicly and display publicly, by or on behalf of the Government.

If you would like more information regarding this paper, please contact Michael Thompson at thompsonm@anl.gov.


References

[1] “Hacker Demonstrates How Voting Machines Can Be Compromised,” CBS News, Aug. 10, 2016, http://www.cbsnews.com/news/rigged-presidential-elections-hackers-demonstrate-voting-threat-old-machines/.

[2] Samantha Levine, “As the Florida Recount Implodes, the Supreme Court Decides Bush v. Gore,” U.S. News, Jan. 17, 2008, http://www.usnews.com/news/articles/2008/01/17/the-legacy-of-hanging-chads.

[3] “Help America Vote Act,” U.S. Election Assistance Commission, https://www.eac.gov/about_the_eac/help_america_vote_act.aspx.

[4] Annual Grant Expenditure Report, Fiscal Year 2015 (U.S. Election Assistance Commission, 2016), https://www.eac.gov/assets/1/Documents/Final%20FY%202015%20Grants%20Report.pdf.

[5] Cory Bennett, “States Ditch Electronic Voting Machines,” The Hill, Nov. 2, 2014, http://thehill.com/policy/cybersecurity/222470-states-ditch-electronic-voting-machines.

[6] “Reports on State Expenditures of HAVA Funds,” U.S. Election Assistance Commission, https://www.eac.gov/payments_and_grants/reports_on_state_expenditures_of_hava_funds.aspx.

[7] Lawrence Norden & Christopher Famighetti, America’s Voting Machines at Risk (New York: Brennan Center for Justice, 2015), https://www.brennancenter.org/sites/default/files/publications/Americas_Voting_Machines_At_Risk.pdf.

[8] Ibid.

[9] Complaint, United States v. Election Sys. & Software, Inc., No. 1:10-cv-00380 (D.D.C. March 8, 2010), https://www.justice.gov/atr/case-document/file/494981/download.

[10] Norden & Famighetti, supra note 7.

[11] Arun Kumar, “Windows XP Custom Support Agreement Costs to Double for a Second Year,” TWCN Tech News, Feb. 20, 2015, http://news.thewindowsclub.com/windows-xp-custom-support-agreement-costs-double-second-year-71659/.

[12] Interim Report on Voting Equipment Performance, Usage & Certification (Virginia Department of Elections), http://elections.virginia.gov/webdocs/VotingEquipReport/2.pdf.

[13] Andrew Appel, “Which Voting Machines Can Be Hacked through the Internet?,” Freedom to Tinker, Sept. 20, 2016, https://freedom-to-tinker.com/2016/09/20/which-voting-machines-can-be-hacked-through-the-internet/.

[14] Stephen Checkoway, et al., “Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage,” USENIX, https://www.usenix.org/legacy/event/evtwote09/tech/full_papers/checkoway.pdf; Ariel J. Feldman, et al., “Security Analysis of the Diebold AccuVote-TS Voting Machine,” Proc. 2007 USENIX/ACCURATE Electronic Voting Technology Workshop (2006), http://citpsite.s3-website-us-east-1.amazonaws.com/oldsite-htdocs/pub/ts06EVT.pdf.

[15] Bruce Schneier, “The Problem with Electronic Voting Machines,” Schneier on Security, Nov. 10, 2004, https://www.schneier.com/blog/archives/2004/11/the_problem_wit.html.

[16] “Who Tests Voting Machines?,” New York Times, May 30, 2004, http://www.nytimes.com/2004/05/30/opinion/who-tests-voting-machines.html?_r=0.

[17] “The Verifier – Polling Place Equipment – Current,” VerifiedVoting.org, https://www.verifiedvoting.org/verifier/.

[18] Bennett, supra note 5.

[19] Software Independence and Accessibility: A Report from the Human Factors & Privacy (HFP) Security and Transparency (STC) Subcommittees (National Institute of Standards and Technology, 2007), https://www.nist.gov/sites/default/files/documents/itl/vote/Pres-QuesRivest-SI.pdf.

[20] Ronald L. Rivest, “Auditability and Verifiability of Elections,” Massachusetts Institute of Technology, March 16, 2016, https://people.csail.mit.edu/rivest/pubs/Riv16x.pdf.

[21] Aviel D. Rubin, “Today’s Congressional Hearing,” Avi Rubin’s Blog, March 7, 2007, http://avi-rubin.blogspot.com/2007/03/todays-congressional-hearing.html; “Voter Verified Paper Record Legislation,” VerifiedVoting.org, https://www.verifiedvoting.org/resources/vvpr-legislation/.

[22] Josh Benaloh, et al., End-to-End Verifiability (Overseas Vote Foundation, 2014), http://research.microsoft.com/en-us/um/people/benaloh/papers/e2e-primer.pdf.

Write to the Editors at ciprpt@gmu.edu