As if the nation didn’t need anything else to raise its anxiety level about this election, we now have hacking to worry about. Voter registration systems in at least two states have been intruded on, according to public reports. Three weeks ago the distributed denial of service attack against Dyn shut down Internet access to millions of users.
Do these suggest that Tuesday’s election is seriously threatened?
The answer depends on two things: first, the strength and persistence of any attacks that might be directed at the nation’s elections systems; and second, how those systems are defended. We’ve worked with state and local election officials for more than a decade, and we believe that they are properly defended against virtually any cyberattack they’re likely to meet.
The U.S. election systems include distinct subsystems have varying vulnerabilities
An election system is comprised of at least five major subsystems: voter registration, election preparation, ballot casting, vote counting, and vote reporting. Each has distinct vulnerabilities, both of degree and kind.
The most critical of these subsystems, ballot casting and vote counting, are walled off, or air-gapped, from the Internet, and surrounded by interlocking layers of physical and procedural security controls. That means cyber intrusions can’t really reach them.
On the other hand, voter registration systems and the systems that report results to the public on election night are connected to the Internet — which means they’re vulnerable to attack.
Election preparation, such as designing ballots, may be done on office computers that are connected to the Internet. But because what gets prepared — say, a ballot — can be inspected before it’s used, there’s probably no need to fear widespread hacking of ballot preparation.
The highly decentralized nature of U.S. elections is the first line of defense against widespread voter fraud
Before wading into the special worlds of high-tech cyberattacks, it is important to remember that the primary safeguard against widespread voter fraud is the radically decentralized management of U.S. elections.
Approximately 8,200 local jurisdictions administer elections in the U.S. No national agency runs elections, as happens in many countries. Nor are elections run from centralized state agencies. Not only are elections decentralized, but the make, model, and version of voting systems vary from state to state and even county to county.
The voting machines used on Election Day are not connected to the Internet
Capturing voter intent and counting ballots are the most critical elements of the voting system — and the least vulnerable to cyberattacks. Voting machines and tabulation computers are not connected to the Internet, so they can’t be disrupted by widespread cyberattacks. Before voting, data does need to be loaded into voting machines so that the ballots can be properly interpreted by the machines. However, local election officials typically do this one machine at a time, following strict procedural and security protocols.
The most disconcerting network-related issue with voting machines was uncovered in 2015 when it was discovered that Virginia’s old WinVote machines could be breached through its WiFi connection. These machines were immediately decertified by the state. As far as we know, no remaining machines have the capability of connecting directly with the Internet.
The use of purely electronic voting equipment without paper backups is controversial because of concerns about the accuracy, transparency, auditability, and reliability of these machines. Vulnerability to cyberattacks is not one of them.
Voter registration systems can potentially be disrupted by cyberattacks, but citizens can still vote through backup procedures
The voter registration system is the most vulnerable election system that faces outward. A state’s VR system relies on the Internet and other networks to interface with voters, other state agencies, local election offices, and sometimes with individual precincts on Election Day.
Potentially a hacker could take control of the VR system to change voter registration records, though we’ve never heard of this occurring.
Two major systems guard the VR system from hacks that would prevent registered voters from voting. First, VR data are typically backed up regularly; states keep change logs to track system updates. A compromised VR system could be rebuilt, though it would take time.
Second, and more relevant to most voters, states require polling places to have a paper copy of the electors’ list. All states have provisional voting procedures, except for those with election-day registration. Thus, if a voter’s electronic record was destroyed, she could cast a provisional ballot, which could be counted during the postelection period when registration problems are dealt with.
Election night reporting systems are also vulnerable to cyberattacks, but these are not official election returns
The second-most vulnerable part of the election system is the one that reports the preliminary results to the public. Virtually all states now have websites that offer up-to-the-minute vote totals on election night. State election departments often receive local results via the Internet. All these connections are vulnerable, especially to DDoS attacks.
But the results announced on election night are unofficial. Final, certified state counts are based on official returns that are sent from localities days or weeks after Election Day, after tallying physical ballots or paper reports of vote tallies from electronic machines. These results are checked many times and the various data streams are reconciled against each other before being transmitted to the state.
In other words, even if someone hacked into the election night reporting system or ran a DDoS attack, the counties’ and states’ official results would still be tallied by hand, based on physical records that could be examined. What’s more, most election-night reporting systems have an intermediate subsystem that lets state election officials test data uploaded from counties before that data is aggregated and reported publicly.
The biggest cyberthreats are voting disruptions, not vote stealing
U.S. history shows that it is possible, but hard, to steal an election. Because the U.S. electoral system is so dispersed and the physical evidence of votes cast is stored redundantly, it’s hard to imagine how widespread vote-stealing or vote-rigging over the Internet would go undetected.
To be sure, a cyberattack on the registration or vote-reporting subsystems would be very disruptive. Fail-safe procedures like provisional ballots could seriously inconvenience voters and even disrupt polling places by slowing down voting dramatically. If the U.S. saw widespread cyberattacks, no doubt rumors would fly. And if someone maliciously used social media to spread rumors, that too could be a disruptive cyberthreat.
But simply stealing an election via the Internet would require a lot of effort for little effect. If there’s a cyberattack on the election systems, its goal would be to encourage Americans to doubt the election’s legitimacy. It might temporarily disrupt certain processes, forcing us to wait to find out who won. But it would not change the election’s results.
Charles Stewart III is professor of political science at the Massachusetts Institute of Technology and co-director of the Caltech/MIT Voting Technology Project.
Merle King is associate professor emeritus of information systems and executive director of the Center for Election Systems at Kennesaw State University.