The Washington PostDemocracy Dies in Darkness

Opinion The best safeguard against election hacking

Voters cast their votes during the U.S. presidential election in Medina, Ohio, on Nov. 8, 2016. (Aaron Josefczyk/Reuters)

This week, the U.S. government confirmed that Russian hackers infiltrated voting systems in several states, having targeted 21 of them. While there is currently no evidence suggesting any votes were changed, a hostile foreign power did gain access to voter registration databases — the vital foundation of election integrity. After all, if you control who can and cannot vote, you control a democracy.

America’s foolish experiment with digital voting processes must end. The Kremlin — or other hostile foreign actors — will certainly strike again. It’s time for good old-fashioned paper to make a comeback.

Researchers at Princeton University have shown that they can pick the lock on voting machines in seven seconds. In minutes, they could have replaced the machine’s chip with a malicious one, ensuring that voters who voted for candidate A were recorded as having voted for candidate B. Thankfully, their demonstrations were just for research. But they could have been real.

All Direct Recording Electronic (DRE) voting machines are vulnerable to local (in-person) hacking. Some can also be hacked remotely, over the Internet. These vulnerabilities are particularly glaring for machines without a voter-verified paper audit trail, which enables voters to see their vote choice on a piece of paper and verify that their vote was recorded correctly.

DRE voting machines without any paper trail whatsoever are in use in 15 different states. About 1 in 5 voters cast a ballot without any sort of verified paper trail. Even if foul play were suspected, it would be virtually impossible to audit the tally, because the only recorded votes would be on the compromised machine itself.

The least secure models, such as WinVote, can be hacked remotely over WiFi. In recent investigations, researchers found that some administrator accounts had a password that was “admin.” Many machines were found to be running outdated Windows XP software. In some cases, software hadn’t been updated since 2004.

Recent illustrations of these vulnerabilities have been darkly comic. One research team hacked into a voting machine to have it play the Pac-Man game. Another programmed the system to play the University of Michigan fight song every time a vote was cast. Last summer, a group of hackers “Rick-rolled” a voting machine, programming it to play Rick Astley’s iconic 1980s hit “Never Gonna Give You Up.” These tweaks were simple. They took minutes. And they were virtually undetectable, despite manufacturers’ claims that the machines are secure and feature “tamper-evident” seals.

If a few amateur hackers could turn a voting machine into a game, think of how Russia, Iran or a nonstate group of hackers could play with our democracy.

In U.S. elections, there are three main areas of digital vulnerability: the voter registration database (who can vote); the voting machines themselves (who people vote for); and the tabulation (the government’s count). Malicious hackers or agents could delete groups of voters from registration databases. They could program DRE machines to switch votes. It is even possible to tamper with optical scan machines, which scan paper ballots and record tallies, so they miscount. Malicious agents could change election outcomes by manipulating official result tallies on government websites.

Donald Trump is president because a small number of voters — so few that they could fit in a single football stadium — were the deciding factor in just three states. It’s not hard to imagine how easy it would be to change a small number of votes in several strategically located precincts and steal an election.

Worse, a hostile foreign actor wouldn’t even have to change the result to severely damage U.S. democracy. Imagine if evidence emerged that even a handful of voting machines had been hacked in Michigan, Pennsylvania or Wisconsin in 2016. If that happened, it wouldn’t be necessary to show that the result changed; it would destroy Americans’ confidence in the electoral process regardless. A cloud of illegitimacy would hang over the U.S. government for years. And all it would take is a single cunning Kremlin agent visiting a few unguarded precincts in a swing state and installing new chips or a bit of malware.

Virginia rightly took 2016 as a wake-up call and retired its vulnerable DRE machines. But that’s not good enough. The federal government should mandate that all elections must, at a minimum, be able to produce an independently verified paper trail for every election held at the state and local level.

Moreover, only 32 states mandate post-election audits (of varying quality and rigor). It must be 50.

Thankfully, a bipartisan group of six senators is championing legislation to secure our elections. There’s no time to waste. The politicians that Americans choose in elections make decisions that affect the lives of billions of people. Do we really want to cede that choice to the Kremlin or Iran or even a cyberterrorist group?

President Trump’s response to Russian attacks on American democracy has been to praise Russian President Vladimir Putin, thank him for purging U.S. diplomats from Moscow and float the idea of forming a joint cybersecurity venture between Moscow and Washington. Trump has made clear that he is more interested in kowtowing to the Kremlin than safeguarding our republic.

Congress and state legislatures must not make the same mistake. Twenty-first-century elections require a return to a 1st century B.C. technology: paper.