Are Electronic Voting Machines and Cyber Secure Elections Compatible?

Approximately 70% of Americans live in counties that employ either optically scanned paper ballots or electronic voting with a verifiable paper trail (a printed paper record of the vote).[1] These are fairly safe methods of casting and counting votes, because both methods are verifiable. Challenges with ensuring cyber security and electoral integrity arise when counties use electronic voting machines without verifiable paper trails, as, for example, many counties in Pennsylvania do.[2]

Employing an electronic voting system does entail certain inherent risks of cyberattacks, as these systems are computers that normally have reprogrammable software.[3] Still, there are many advantages to using electronic voting systems and their use should not be discouraged so long as cyber security precautions are in place. Unfortunately, many of those precautions have been overlooked. Researchers at Pennsylvania State University, University of Pennsylvania, and WebWise Security, Inc., analyzed many different electronic voting systems and concluded that all of the systems studied shared flaws that indicated insufficient security of election data, improper use or implementation of security technology, lack of verifiable auditing options, and flawed software maintenance practices.[4]

In fact, researchers have conducted experiments in which they were able to alter votes on existing voting machines. For example, several states use the Sequoia AVC Advantage, a voting machine designed to be secure, incorporating security features like read-only software and hardware that, unlike a normal computer, does not accept instructions from its RAM. Despite these security features, researchers were able to infiltrate the Sequoia using only publicly available information and a technique called return-oriented programming, in which short pieces of code already present in the machine are combined in a way that could produce the desired behavior.[5] This example illustrates that there are risks to the accuracy of the vote count when using electronic voting machines, but because most electronic voting systems have proprietary source code, voters do not know how these machines work or what the specific risks are.[6] This underlines the importance of having a parallel “back-up” system of counting votes with verifiable paper trails.

However, the risk of cyberattacks on electronic voting systems can be mitigated by improved security on the machines themselves and at the polling stations, as well as an increased focus on applying relevant laws and regulations. While election law is mostly based on state and local law, the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030, could also be applicable. §1030(a)(2) regulates anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains (B) information from any department or agency of the United States; or (C) information from any protected computer.” The applicability is likely to turn on (1) whether a hacker would be deemed to have “access[ed]” the electronic voting databases or machines “without authorization”, and (2) whether these machines and databases are “computers” within the meaning of §1030. There is not much, if any, case law on this statute in an electoral framework.

Although the CFAA does not define “access,” if a hacker was able to successfully infiltrate an electronic voting machine, even without manipulating any data, a court would likely find that he or she accessed it.[7] The 9th Circuit has interpreted the term “without authorization” in line with the dictionary definition of acting without “permission or power granted by an authority.”[8] Because the term is broadly defined in the statute, an electronic voting machine would most likely be deemed a “computer.”[9] The 8th Circuit has found that a lack of connection to the Internet does not exclude a device from the definition.[10] All in all, a successful infiltration of an electronic voting machine where the hacker obtains information seems to be regulated by §1030(a)(2).

The situations where the hacker does not take information may be regulated by §1030(a)(5)(A), which applies to whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” The term “protected computer” includes computers “exclusively for the use of … the United States Government.”[11] An attack will likely be found to cause “damage without authorization”, especially if the hacker spreads malware that makes the machines malfunction. Some jurisdictions may also find that altering information, such as altering a vote count, can constitute damage to the computer, as the statute defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.”[12] Therefore, this subsection seems to cover situations where the hackers do not take any information but do cause damage, and even situations where the integrity of the information is compromised by the cyber-attack itself.

Thus, there are laws in place that seem applicable to the hacking of electronic voting systems, but these laws mainly sanction the perpetrators, if identified, rather than serve as a deterrent. Therefore, efforts should focus more on improving the security of electronic voting systems than on sanctioning those who execute cyberattacks on these systems. Election security experts like Alex Halderman argue that paper ballots are actually the best manner of casting votes, because they are verifiable.[13] Electronic voting machines can be verifiable and can produce paper ballots in addition to the electronic ones. However, use of electronic voting machines that are non-verifiable should be avoided. The risks described above can be mitigated by developing more accurate voter registration databases; closing security loopholes identified by experts, such as the fact that the ballot design is often moved from a regular computer connected to the Internet to the voting machines; and ensuring that all electronic voting machines produce verifiable paper trails.

[1] J. Alex Halderman, Want to Know if the Election was Hacked? Look at the Ballots, Medium (Nov. 23, 2016), https://medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba#.syimjms1y.  

[2] Ben Buchanan and Michael Sulmeyer, Hacking Chads: The Motivations, Threats, and Effects of Electoral Insecurity, The Cyber Security Project Harvard Kennedy School 14 (October 2016). See illustrative map of the use of electronic voting systems at J. Alex Halderman, Want to Know if the Election was Hacked? Look at the Ballots, Medium (Nov. 23, 2016), https://medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba#.syimjms1y.

[3] J. Alex Halderman, Want to Know if the Election was Hacked? Look at the Ballots, Medium (Nov. 23, 2016), https://medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba#.syimjms1y.

[4] EVEREST: Evaluation and Validation of Election-Related Equipment, Standards and Testing Final Report 3 (Dec. 7, 2007).

[5] Stephen Checkoway, Ariel J. Feldman et al., Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage 1, https://cseweb.ucsd.edu/~hovav/dist/avc.pdf (Accessed on Feb. 28, 2017).

[6] Andrew Massey, “But We Have To Protect Our Source!”: How Electronic Voting Companies’ Proprietary Code Ruins Elections, 27 Hastings Comm. & Ent. L.J. 2004-2005, 233, 234-235.

[7] In United States v. Morris, the 2nd Circuit found that a person who released a worm malware onto the Internet, which spread to many computers the defendant did not have authorized access to at all, had “accessed” these computers through the worm. United States v. Morris, 928 F.2d 504 (2nd Cir. 1991) at 510.

[8] LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) at 1133.

[9] 18 U.S.C. §1030(e)(1).

[10] United States v. Kramer, 631 F.3d 900 (8th Cir. 2011) at 903.

[11] 18 U.S.C. §1030(e)(2).

[12] 18 U.S.C. §1030(e)(8).

[13] J. Alex Halderman, Want to Know if the Election was Hacked? Look at the Ballots, Medium (Nov. 23, 2016), https://medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba#.syimjms1y.
