Lawmakers: How Secure Are Voting Machines?

Election security experts testifying before a House committee found little consensus on whether hackers could get into voting machines, but agreed they have disrupted the process regardless.

Numerous reports on cyberattacks “have voters questioning whether their vote will actually count, which in my opinion is more damaging than the potential for hacking,” Louisiana Secretary of State Tom Schedler told the House Science, Space and Technology Committee.

The committee met to discuss what steps, if any, the federal government should take to help secure election systems after the email breach of the Democratic National Committee and voter registration database breaches in Illinois and Arizona with alleged ties to Russia. Lawmakers questioned experts on the integrity of the electoral process.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

“This is the worst situation we could be talking about going into an election,” Schedler said.

The decentralized nature of the election process—and each state’s unique ballots and systems—helps secure it, according to Schedler.

“It makes it very difficult for any player to go in and disrupt a federal, national election,” he said.

No voting machines are connected to the internet and they are kept securely with strict chains of custody, said David Becker, executive director of The Center for Election Innovation and Research. Additionally, more than 75 percent of voters use a paper ballot or machines that have a paper trail, he explained.

More states are embracing paper, such as paper ballots scanned by optical readers, in part because it's easier to audit, he said.  

“Even if there was a grand conspiracy, a post-election audit would almost certainly discover it before results became official,” Becker said.

But a widespread attack wouldn’t be necessary, according to Dan Wallach, Rice University Department of Computer Science professor.

“It’s sufficient for them to go after our battleground states, where a small nudge can have a large impact,” he said.  

His biggest concerns are vulnerabilities in voter registration databases, where bad actors could disenfranchise voters, and tabulation systems, which happened in a 2014 Ukrainian election.

“Our biggest nation-state adversaries have the capability to execute attacks against these systems,” he said. “The Ukrainians were lucky enough to catch this.”

In the case of Illinois and Arizona breaches, the lists remained intact, Becker said, adding that most states back up voter registration lists and they could be reconstructed if needed.

“The primary goal of the hack seemingly being to access personal data for purposes related to identity theft rather than to manipulate the voter lists themselves,” Wallach said.

To further improve security, he suggested contingency planning for all types of events, including cyber incidents.

“If you have plans in place of an earthquake, the earthquake doesn’t really care. It’s going to happen or not. If you have plans in place for cyber, you can actually dissuade a cyberattack,” Wallach said.

Schedler said more money to replace aging voting machines would help, pointing at $394 million unappropriated 2002 Help America Vote Act funds. He strongly discouraged the committee from designating the electoral process as critical infrastructure, as previously mentioned by Homeland Security Secretary Jeh Johnson. States and municipalities already have access to best practices from the National Institute of Standards and Technology, and the Justice and Homeland Security departments.

“Some secretaries, including myself, have been very vocal that no matter when that may occur, such a designation would undercut the constitutional role of the states and local jurisdictions,” Schedler said. “It would only complicate our ability to properly secure elections.”