Danielle Root and Liz Kennedy at the Center for American Progress (“CAP”) published an important Briefing today (Wednesday) highlighting nine solutions to secure America’s elections. The Briefing is well researched and offers a keen assessment of current public elections’ average level of integrity. I want to say right up front, this is good and important work.
What we offer as review and comment below is meant to catalyze an important conversation, and not to simply serve as a critique of their Briefing, which was developed with input by some of the best election integrity professionals.
We have an over-arching concern missing in the many discussions and proposals finally being elevated to address how to best secure U.S. elections. While election officials need to triage existing systems as much as possible for the 2018 midterm and 2020 national election, America must come to terms with a difficult reality about underlying structural faults that our election infrastructure teeters upon. Root and Kennedy put it appropriately blunt:
“Our election infrastructure is woefully ill-prepared for future interference.”
As our readers and supporters know, we completely agree with this observation. But the issues run deeper. In fact, 3-weeks from now, when our Election Infrastructure White Paper is released, you’ll be able to take a deep dive on our assessment from the technical vantage point of election systems researchers and developers.
Many of the CAP recommendations will go a long way to improving the integrity of our elections systems; but, they miss addressing a “systemic” problem facing U.S. election technology infrastructure.
The Center’s Briefing correctly observes that there are multiple threats facing elections. Root and Kennedy note,
“U.S. election systems are not equipped to handle sophisticated cyber attacks and other interference. Even in the absence of a malicious campaign, the negative consequences of this vulnerability to the strength and resiliency of U.S. democracy and government are steep.”
Malicious actors can influence and manipulate elections without changing a vote tally by spreading distrust about the election, or as the Briefing later points out, by manipulating voter registration databases (VRDB) so that “eligible Americans could be prevented from voting.” We’ve more fully addressed differentiated avenues of attack on elections in other posts.
In accordance with this observation, Root and Kennedy outline nine solutions to improve election integrity. The recommendations include,
- Implementation of risk-limiting audits by all States;
- Adoption of paper ballots by all States;
- Use of information sharing between members of the sector; and
- Creation of security standards for voter registration systems.
The OSET Institute endorses all of these solutions as much-needed steps to improve election integrity. However, while important steps, they still fall short in addressing the underlying systemic problem facing election infrastructure.
The Underlying Architectural Fault
Here is the core problem: Our current voting machines are based on a fundamentally flawed and vulnerable technology architecture, never intended to withstand the current threat environment.
The Center’s Briefing accurately states that, “Old voting machines are prone to hacking, as many rely on outdated computer operating systems that do not accommodate modern-day cybersecurity protections,” even pointing out that “A number of voting machines in use today run on Windows XP, a Microsoft operating system first introduced in 2001 that has not been supported since 2014.”
These voting machines are, indeed, falling apart, surviving on a diet of spare parts, and in desperate need of replacement, the latter point being what Root and Kennedy’s Briefing advocates. But the thing is, its not just the age of these machines that makes them so dad-gum vulnerable.
In fact, the new replacement options being offered to States and counties all carry the same fundamental vulnerabilities as the aging machines from the early 2000s. It’s the same underlying inadequate architecture. (And its not the fault of commercial vendors, which we will discuss in our upcoming Infrastructure White Paper.)
As difficult as it may be for some officials to face, these machines are, by design, modifiable and thus vulnerable to manipulation. Full stop.
Today’s voting machinery is comprised of the same personal computer technology that many readers have in their homes and use on a daily basis. It makes sense for this type of machine to be readily modifiable because most consumers want (need) their personal computers to be easily (even automatically) updated. However, for an election system, something OSET and the Center for American Progress agree to be “a matter of national security,” this design-fact is a critical security flaw.
Root and Kennedy advocate for federal funding to help States replace their old voting machines. Regardless of how it’s packaged, this is essentially a second HAVA. We’ll pass on opining on the specific funding approach, but before any funding strategy is developed, we firmly believe we must address the security flaws inherent with our current election machinery architecture. Folks, if we fail to do this, we risk burdening our country with faulty election systems for the next decade and the risks of a derailed election that run with that, not to mention the amount of money that would be lost.
Instead of immediately replacing our voting systems with more of the same inherently vulnerable commodity PC hardware based designs, America needs to invest in the proper innovation research and development to produce a system architecture that is appropriate for the threat environment public elections now face.
And here’s some good news: this is not a "Manhattan Project." In fact, there are worked examples of systems with such architecture today. For example, consider those systems implemented by NASA and the military for satellites and missile defense systems.
We appreciate and respect that some counties may be unable to wait to replace their voting systems until next generation fault tolerant technology arrives, but before the U.S. rushes to create another national program to replace all voting systems, we must make sure that those replacements are suitable. It makes no sense whatsoever to spend more money on the same relics—essentially good money chasing bad.
Digital Poll Books Are No Better Off
We have a similar view regarding e-poll books. While it may be enough to conduct risk assessments for voter records systems and implement standard IT best practices for voter registration systems, e-poll books must be re-thought (after-all, digital poll books are essentially, another PC-based solution, slapping an App on top of a vulnerable hardware/software PC-style platform). The contingency protocols and paper records suggested by Root and Kennedy will definitely help (and are just good common sense practices), but the inherently modifiable nature of current e-poll books make them persistently vulnerable to manipulation.
Testing Equipment is Essential, But Not a Panacea
Our last minor disagreement with the CAP Briefing is on their 6th solution recommendation. The Center reasonably encourages that States “Conduct mandatory pre-election tests on all voting machines to ensure that they are in good working order before a single vote is cast.”
Sure, this seems like a common sense policy, and actually it is already a policy widely in place. Election officials, the men and women in the trenches on the front lines of democracy administration, working their tails off to do their best to preserve the integrity of our elections, already test voting machines before elections. The vast majority of election workers strive for the right and patriotic outcome—free, fair, and trustworthy elections. So, our difference here focuses on the implied point that if pre-election testing were a mandatory uniformly implemented process, that would be the difference-maker. It would not.
In fact, Root and Kennedy agree, noting, “Pre-election testing is not foolproof and can be manipulated, particularly by sophisticated actors.” And that's the point. Notwithstanding inevitable human error, election officials are handicapped in their job by the architectural failures of the systems they are given. Moreover, they are out-manned, out-gunned, and outwitted in defending against more sophisticated adversaries with unlimited resources. Thus, its impossible for election officials to know, regardless of pre-election tests, whether “sophisticated actors” such as the nation-state adversaries have tampered with their systems.
Addressing the Root Cause of Vulnerability
In summary, while many of the solutions offered by the Center for American Progress are vital to improving the integrity of American elections, and we earnestly support their research and recommendations in this regard, if America fails to address the fundamental vulnerabilities inherent in the foundation of our election technology, U.S. elections will continue to be seriously vulnerable to interference—both foreign and domestic. That's not fear mongering; that's fact reporting. In the coming weeks there will be more to discuss about the root cause of (and solution to) America's inherently vulnerable election technology infrastructure.