Security, Technology, Innovation

Vulnerabilities in Cybersecurity: U.S. Election Infrastructure

By  | 

Individual putting a ballot into a box with a transparent overlay of a technology web on top.

This year’s DEFCON Voting Machine Hacking Village conference proves yet again that the growing vulnerabilities in cyberspace continue to be a threat to the most basic tools of democracy -- fair and free elections -- highlighting the need for further research and investments towards safeguarding U.S. elections. Estimated costs for bolstering election security are to the tunes of billions of dollars, and lawmakers in Washington are increasingly unwilling to allocate funds.

Last summer, hackers and cyber security experts from around the world gathered in Las Vegas, NV, for DEFCON’s Voting Machine Hacking Village, the largest international hacker conference. Defense officials attended as well, and encouraged hackers to try to penetrate the Pentagon’s prototype secure hardware program. The department’s $10 million SSITH project, run by the Defense Advanced Research Projects Agency (DARPA), aims to modernize how Americans vote and create an open-source platform for companies -- or in this environment, election officials -- to protect themselves from cyber attacks.

When put to the test, however, the hackers won.

The Voting Village laid out its findings a few months later in a report, noting that some of the issues had already been discovered during past conferences. But while DARPA’s program is not ready to be used for election administration, the report’s findings also suggest that election equipment manufacturers have failed to fix the security flaws discovered in previous years -- leaving open the possibility that voting machines around the country remain vulnerable without stronger cyber security investments.

Alarming security flaws in U.S. cyber space

DARPA officials encountered technical difficulties when they set up the prototype for the Voting Village. So, hackers lost the opportunity to examine the new hardware during the first two days of the conference due to a bug in the machines, leaving open the possibility that other serious security flaws went unnoticed.

Unsurprisingly, hackers discovered that the touchscreen ballot-marking device (BMD) voting machines contained an internal network that could be remotely hacked. These machines, originally built to assist voters with disabilities under the Help America Vote Act, allow an individual to mark their vote on a screen and then print a ballot to be fed into an optical scanner that counts the votes. As early as 2010, however, federal election officials have been aware of memory card failures with the AccuVote OS, a popular optical scanner used to record, count, and store votes.

The scanning process is where hackers discovered the security flaw. Malicious actors could, in theory, manipulate the coding of the BMDs to “subtly mis-record voter choices” -- which would change the outcome of an election without officials realizing the error. Hackers also succeeded in carrying out distributed denial-of-service (DDoS) attacks that would disrupt the internal networks and require poll workers to restart the machines, thus creating long lines at polls and discourage voters from waiting in line. The software installed on widely-used electronic poll books (e-poll books) could also be compromised and turned into monitors for video games — making it difficult for poll workers to confirm voters’ eligibility as they arrive at a polling place. Moreover, it did not take long for children as young as 11 years old performed SQL injections -- a popular attack used to access online databases -- after an introductory walkthrough. One child completed a hack in less than 10 minutes.

Policy implications of roadblocks in election security

The Voting Village identified three priorities for lawmakers to consider: implement post-election risk-limiting audits, require voter-marked paper ballot systems, and dramatically increase federal funding to prevent foreign actors from interfering in future elections. Lawmakers that attended the event in Las Vegas saw what individuals with minimal knowledge on hacking could achieve. Sen. Ron Wyden (D-OR), a member of the Senate Select Committee on Intelligence and gave the keynote speech on the first day of the event, called this the equivalent of “putting our military out there to go up against superpowers with a peashooter.”

Congress has since allocated an additional $250 million in September for election security spending, providing states with more than $600 million since the 2018 midterm elections to upgrade decades-old election equipment. Another push by lawmakers has been to require some form of paper ballots in the event that technology fails. While most states moved toward hand-marked paper ballots as the primary voting method, a number of states and counties still rely on partial or paperless voting systems. One bipartisan bill by Sens. Amy Klobuchar (D-MN) and James Lankford (R-OK) would require states to have back-up paper ballots if they use partial or paperless voting machines, but the Senate has yet to consider it.

Notwithstanding the recent investments to bolster election security ahead of the 2020 elections, lawmakers in Washington apparently cannot decide on how to secure future elections. The fact that hackers succeeded once again presents the question of whether the federal government can truly safeguard the voting process.


About the Author: 

Dongmin (Dan) Lee is a graduate student in the School of International Service at American University. He is currently working towards his masters degree in the Foreign Policy and National Security program.  


*The views expressed here are strictly those of the author and do not necessarily represent those of the Center or any other person or entity at American University.