Election Systems Are Vulnerable But Not How You Think

American election systems face threats, but the most vulnerable part isn’t technical, electoral and cybersecurity experts told a House subcommittee.

“The biggest threats to the integrity of this November’s election and our democratic system are attempts to undermine public confidence in the reliability of that system,” Lawrence Norden, deputy director of the Brennan Center for Justice at the New York School of Law, testified Sept. 28 before the House Oversight and Government Committee’s IT subcommittee.

Rep. Will Hurd, R-Texas, convened the hearing to determine what cyber threats elections systems face and directly asked whether a cyberattack would affect the outcome of the November presidential election. All five panelists—a Homeland Security Department official, a state secretary, an Election Assistance Commission official and two academics—agreed the answer is no.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

But undermining citizens’ confidence in the election outcome has been a side effect of conspiracy theorists, campaigns and recent headlines, Georgia Secretary of State Brian Kemp told lawmakers. As an example, Kemp named Sen. Diane Feinstein’s recent letter stating Russian officials are trying to influence U.S. elections.

Doubts that votes wouldn’t count could keep voters from polls, according to a recent Carbon Black survey. The survey found 56 percent of respondents are concerned the presidential election will be affected by a cyberattack.

“The foundation of our republic rests on the trust that Americans have in the way we elect representatives to the government," Kemp said. "If that trust is eroded, our enemies know they have created fissures in the bedrock of American democracy."

Experts clarified the differences between the three primary parts of elections systems: campaign systems, which are not maintained by state governments; registration and reporting systems, which are maintained by states and often connected to the internet; and voting machines, which are not connected to the internet.

“Headlines are not representative of our voting machines,” said Thomas Hicks, commissioner of the U.S. Election Assistance Commission. Anyone interested in manipulating voting machines would need to do it in person, he explained.

Andrew Appel, a computer science professor at Princeton University, suggested eliminating direct reporting machines for the 2020 election and instead encourage auditing. He suggested using optical-scan paper ballots, which is when the voters fill in a bubble on a paper ballot that is then scanned. Forty states already use this system, he said.

The variety of the systems states use, and the fact they’re dispersed throughout the country, helps keep secure the voting system, according to Andy Ozment, DHS assistant secretary for cybersecurity and communications. The department has also offered a variety of assistance to state and local governments, including cyber hygiene scans for internet-facing systems, and on-site risk and vulnerability assessments.

He emphasized that all help is voluntary on behalf of the states and that 18 have accepted assistance.

“I want to reiterate that we have confidence in the overall integrity of our electoral system,” Ozment said. “Our voting infrastructure is is diverse, subject to local control, and has many checks and balances built in.”