- Attacks on electronic poll books and registration systems to remove individuals from voter rolls, swap their polling location, or claim they’ve voted when they haven’t.
- Hacking attacks against election websites that educate the public on voting times, polling locations, and the current status of registrations.
- Disinformation campaigns that disseminate inaccurate results through election night reporting system attacks.
Upgrade voting machinesThe most important step in protecting American elections is securing its voting machines. This is hardly a surprise given that the easiest form of attack to comprehend (and by far the most frightening) is the stealthy introduction of malware into voting machines so that election results are changed without anyone noticing. The first step (and most important) in this process is giving paperless systems a “paper backup” of every vote, one that is verified by each voter. Without this, there is no way to independently assess whether the digital totals provided by the voting machines are legitimate. While this may seem like a huge step, this is something that the United States has made sizable progress towards achieving, that is, halving the number of paperless machines used before 2017. In a general sense, most American voting machines pose a security risk just by virtue of their age. At a certain point in any computer or software’s lifetime, they simply become more likely to break down, more prone to attack, and harder to maintain. For example, the use of outdated voting machines has led to some election officials turning to platforms like eBay to find replacement parts - as hard as that is to believe. This isn’t to say, however, that these same officials aren’t blind to the defects of their systems. In a survey by the Brennan Center, 31 states explained that they had to replace their voting machines before the 2020 election, but at the same time, two-thirds of responders said they couldn’t afford to do so. Without funding, these responders are left at risk of DNS attacks, malware, and any form of influence that a bad agent may choose.
Secure voter registrationCorrections aren’t just limited to voting machines. Other key areas of infrastructure, such as databases for voter registration, have to be upgraded with top-of-the-line security. While there is zero evidence that American voting machines were hacked in 2016, there is certainly evidence that the databases for voter registration were. To prevent a repeat of this, security has to be improved, as this trend doesn’t seem to be declining and isn’t limited to the borders of the United States. Voter registration databases are used to determine exactly who can vote and where they can do it. By leaving these databases open to attack, huge swathes of voters are at risk of being disenfranchised from the democratic process of their own country, or worse, subject to censorship from their own government. To give an idea of the risk faced by many states, it doesn’t take much more than the fact that many of the statewide registration systems that are being used today were built before 2006. As a result, their cybersecurity protection is over 10 years behind today’s threats. This leaves us with a specific question: are we too far behind the ball in upgrading our election infrastructure? More than any other security measures that ought to be taken, this one requires the most time to fully implement. States typically don’t like to replace election infrastructure (such as voting machines) at all, let alone less than a year before an election. That said, Virginia managed to replace not just a few but all of its paperless systems within a few months of discovering their security risks. It is incredibly important for states to achieve similar results. Alongside the security of the election itself, the reputation that voting has is greatly affected by its perceived security (and veracity). Voters need to know that their vote is safe and that it counts; otherwise, they may be increasingly motivated towards disinterest and apathy in elections. The importance of reputation is hardly unique to voting, but it isn’t taken as seriously as it should be.
Utilize cybersecurity trainingThe United States electoral system is both enormous and decentralized, which, while it has its benefits, also means elections are run at a local level. This brings with it several security risks. The clearest danger is that there are in excess of 8,000 separate election offices, each posing a unique target for bad agents. These can include election websites telling individuals when and where to vote to the reporting systems that are used to tally the votes when the polls close. Each presents its own target, and each can be used to affect the election outcome. This means that the need for trained cybersecurity professionals will be at its peak in 2020. Many states have had Homeland Security and other cybersecurity experts audit their systems, but with the current resources available to each jurisdiction, many vulnerabilities will go undiscovered and unfixed. While some elements, such as website security and firewall protection, are now provided by default by web hosts, other elements, such as the reporting systems, will require a more hands-on and complex approach, one that may be too difficult for many states to fix.
Perform post-election auditsMost of the work in election security should be in the “post-election audit,” comparing the electronic totals to those produced by the voting machines. Over 85 percent of Americans will vote using systems in 2020, and it can be expected that more than 42 states will be keeping paper records of almost every vote. However, these records will offer little value if they aren’t utilized to check each electronic tally. As it stands, as little as 24 of the aforementioned 42 states require post-election audits before “certifying” the results of an election. The 26 states that remain require no post-election audit whatsoever. While this may seem worrying, there is nothing actually preventing these states from conducting these audits provided they have the resources to do so. A handful of states have indicated their intention to do so. Using a robust risk-limiting audit (RLA), states such as Michigan and New Jersey plan to use statistical modeling to prove that the election winner was the rightful one.
There is still timeWhile this may paint a gloomy picture of ’20 election’s security, there is still time to make positive changes and keep as much of the result in the hands of voters as possible. These include hiring trained cybersecurity experts, replacing inadequate or outdated systems, and performing sufficient audits of all votes. If these steps are taken, then a more secure and democratic election can be seen through to the finish.