At least 100,000 online ballots—including the votes of overseas military personnel—were cast in 2016.
The government’s extensive effort to secure election systems after a Russian assault on the 2016 contest missed one glaring vulnerability: online ballots, according to a Wednesday report by voting security experts.
Online voting is not common in the U.S., but Americans cast at least 100,000 online ballots in the 2016 election, according to the authors’ tally. Many of those ballots were cast by military members overseas taking advantage of state laws that allow them to return ballots by email or digital fax.
In total, 32 states allow some subset of residents to return ballots by email, fax or through an internet portal, and Alaska and Hawaii offer electronic ballot return for all voters, according to the report from security experts at the Association for Computing Machinery US Technology Policy Committee, Common Cause Education Fund, the National Election Defense Coalition and the R Street Institute.
States began offering online voting options to overseas service members in the early 2000s when the Pentagon was working on developing an online portal for overseas voting, the report states. That plan was scrapped in 2015 after researchers concluded the portal could not be developed securely, according to the report.
Online voting creates multiple cybersecurity challenges, the report states. To begin with, emailed or faxed ballots could be hacked and altered at multiple points on their journey between the voter and the election office.
“It would not be difficult to create an automated process for discarding ballots with undesired votes and replacing them with forgeries,” the report states. “In this process, the sender’s original message and any other attachments, such as a voter’s declaration and signature, could be maintained, producing a forged ballot that would appear perfectly authentic to any unsuspecting election official.”
Criminals or adversary nation-states could also use email ballots to deliver malware into an election system network, allowing them to spy on or even disrupt other election operations.
Or, they could use an online ballot system to launch a digital denial of service attack against the election office.
Ultimately, the report concludes, the benefits of allowing some Americans, including overseas service members to cast online ballots does not outweigh the potential harm.
“Military voters … deserve any help the government can give them to participate in democracy equally with all other citizens,” the report states. “However, in this threat-filled environment, online voting endangers the very democracy the U.S. military is charged with protecting.”
The report urges that states drastically curtail online voting before the 2020 election.
In advance of the 2018 contest, state and local election administrators should ensure that systems that accept online ballots are fully segregated from other election systems and running on different Wi-Fi networks.
They should also scan all incoming fax and email ballots for malware and print them out rather than passing them to vote counters electronically, the report states.
The report also urges overseas voters to print out and mail their ballots if at all possible.