On the agenda this summer at one of the largest annual conventions for hackers: a session for kids in attendance on how to break into America’s voting machines. If a preteen computer whiz can crack a voting machine from a hotel in Las Vegas, what might someone more experienced — and less scrupulous — be able to do if they set their sights on the November general election?
As we all know, American elections have been targeted before. In 2016, Russia attacked election-related systems in at least 21 states. And reports indicate Moscow has tried to breach other election systems around the world. But while past attacks are certainly reasons for concern, cybersecurity risks exist in every field — they’re part of the world we live in. And the United States has knowledge and resources to mount a defense.
First, outdated voting machines should be replaced. Forty-one states will use equipment that’s a decade old in this fall’s elections. We’ve heard from officials that some of the machines they’re using run on Windows 2000, and they occasionally resort to buying spare parts on eBay. This is especially true of paperless voting machines, which are still used in 13 states. When an election system produces no voter-verified paper record, officials can’t audit results to help identify malfunctions or hacks. And the vote could be impossible to recover if any data is lost or tampered.
Aging voter registration databases, which store voters’ personal information from their registration applications, are also prime targets. We know Russian hackers breached Illinois’ database in 2016, and lawmakers on the Senate Intelligence Committee have said a handful of other states were also targeted. To protect voters, and to prevent people from being disenfranchised if a hack manages to wipe the rolls, states need to upgrade or replace the most outdated systems.
State election websites, which provide information on where to vote and display vote totals, are also vulnerable to hacking. A recent attack in Knox County, Tennessee, provided a taste of the kind of effect such an intrusion could have: It shut down the site for an hour right when officials were about to post election results. Interfering with these websites can confuse voters who seek to find the right polling place, and can damage voters’ trust in the election. States need to make cybersecurity staffing a budgetary priority.
But even the most robust preventive measures can’t guarantee we will thwart every cyberattack. So it’s important to ensure that we can reliably confirm an accurate vote count. The most widely recommended process for this is a risk-limiting post-election audit, where auditors use statistical models to take a sample of ballots and hand count them, with the goal of providing a high-level of confidence in the accuracy of the outcome. Only three states mandate risk-limiting audits so far.
It is hard to know what candidate or issues an election hacker might favor in the coming years. But attempts to interfere in American elections share unmistakable common goals: disrupting protocol, stirring confusion and undermining confidence in key democratic institutions.
Fixing the issues outlined here, as well as providing additional backstops that add flexibility to the process and keep elections genuinely free and fair, is crucial for maintaining voters’ trust. These could include implementing reforms like early voting, which — besides making voting more accessible to working parents or people working long hours — could give states time to identify and respond to a breach before Election Day. Same-day voter registration is another common-sense reform that would allow citizens to verify their eligibility and enter the system right before voting, so they are not turned away if a hack compromises the rolls.
To be sure, intelligence officials say they have seen no evidence that votes themselves were changed in 2016. And, since then, many states have indeed invested in election security. Illinois is hiring new cybersecurity staff. Multiple localities in Virginia and California plan to conduct risk-limiting audit pilots this summer. And Congress has allocated $380 million for states to use to shore up their systems. That knowledge can and should calm alarmist rhetoric around election interference, but it doesn’t imply that the problem has gone away. The past two years have highlighted a critical issue of our time, and the public’s eyes are now open to an internet-age reality: Hackers are here to stay, and we have a continuing responsibility to stay ahead of them.
November promises bitterly contested races, and for voters to trust that their vote is counted as cast, states need to work to keep their elections secure, accessible and auditable. It’s safe to say the investments will be worth it.