In the summer of 2017, the news is full of 2018 election headlines, like Politico’s How 2018 Became the New 2020, which is a story largely about Democratic candidates. But for local governments that need to assure citizens that the lifeblood of democracy — voting — is safe, election officials need to wrap their heads around how to secure their voting machines.
Alarming for civic tech, recent news about the Voter Hacking Village at the DEF CON conference in Las Vegas is spreading. The experiment determined that it’s easy to hack United States’ voting machines.
The village was composed of all 30 machines used in U.S. elections — at libraries, school cafeteria, firehouse and other community polling stations. According to Bustle, most of the test village’s machines were purchased on eBay, which may or may not be of significance for any possible scientific analysis of the conference experiment.
The report, however, indicates the machines were hacked within a few hours, some through WiFi. One techie participating told Forbes,”the stakeholders for voting machines are everyone in the country. So it’s important the problems get fixed.”
But Who Fixes The Hackable Voting Machines Problem?
Local governments purchase and maintain the systems out of their own budgets. And voting machines are costly to buy, so in some jurisdictions that may be beyond a decade in age.
Old software and equipment is more vulnerable to hacking. Voting machine manufacturers don’t design the machines to last, like antique Magic Chef stoves that still operate, for a reason. Computers and software need to be replaced often because they require security upgrades and patches to keep up with cybersecurity developments.
After the 2000 election, according to experts at the Wharton School researching the U.S. voting systems business, the useful life for a voting machine at that time time was about 15 years. Most local government voting machines are currently falling apart, according to a May University of Pennsylvania-produced podcast.
Voting machine vendors with service departments may organize preventative maintenance rounds for counties that have service plans, but those service plans may not include software or other pertinent cybersecurity upgrades
Some municipalities may replace voting machines with newer models. And while voting machines may have features like:
- Wireless accumulation transmissions speed the collection of post-election results within the voting location
- Redundant, secure, non-volatile storage devices protect election results
- Sophisticated data encryption protects stored election data
- Complete electronic audit files
there are three major voting machine technology companies that compete in a relatively small market — a $300-$350 million market, according to the Wharton School experts that developed the 2016 report, The Business of Voting, Market Structure and Innovation in the Election Technology Industry. In a limited market, machine innovation is limited.
The State of Federal Cybersecurity Funding to Secure Election Infrastructure
In January, outgoing Department of Homeland Security (DHS) Secretary Jeh Johnson added election infrastructure as a critical infrastructure subsector. The action doesn’t meant that cybersecure voting machines will be funded in a National Infrastructure Protection Plan, but the designation does make voting machines and election infrastructure eligible to receive prioritized DHS cybersecurity assistance.
As of this week, the U.S. Election Assistance Commission (EAC) and DHS are working out how to engage election stakeholders to formulate operations for the new DHS subsector. According to last week’s news posted to EAC’s website, the agencies agreed on a structure for coordination and protocol for operations. It doesn’t appear that a council is set up yet, that stakeholders are engaged or that any formal action in terms of funding voting cybersecurity research has started.
There’s 14 months left before November 6, 2018, so likely, old voting machines will be used. One safeguard may be advance DHS tech support to states. The agency assisted at least 33 states prior to the 2016 election, but it could take it several weeks to scan and address vulnerabilities, according to The Hill.