Democrats in Congress have issued what may be their most alarming report ever about the vulnerability of America’s voting machinery to sophisticated adversaries and the limited abilities of government at every level to stop Election Day chaos.
The “Congressional Task Force on Election Security Report,” from the party’s foremost experts on cyber threats in the House, gives new details on Russian hacking of the 2016 election and how the response across many layers of government was often poorly coordinated and marginally ineffective.
For example, as the 2016 presidential election came to a close, the Department of Homeland Security wanted to help states and counties by probing their computer systems to identify hacking vulnerabilities. But the report noted that states and localities that sought help had to wait for weeks in October — a timeline out of sync with early November's Election Day. (The report said DHS is now trying to do better.)
The report also restated how and why the nation’s electronic voting infrastructure is aging, cannot universally be trusted to accurately count votes, is not accompanied by thorough post-election audits to verify vote counts, and is made and maintained by a monopoly of private firms and contractors with little regulation or marketplace pressure to do better.
Its authors are sponsoring legislation to spend hundreds of millions to patch a national system beset by hacking pathways and other vulnerabilities. Not a single Republican in Congress took part in the hearings that produced the report. Nor have Republicans shown interest in acknowledging the cyber threats to voting or the millions needed to fortify the machinery for more trustworthy elections.
“The president and House Republicans have done nothing,” House Minority Leader Nancy Pelosi said at a press conference releasing the report and the legislation, where she recounted how every top intelligence official appointed by President Trump has recently said that Russia is already meddling in the upcoming 2018 election. “They have refused to take inventory of what our resources are and what they need to be. They have refused to assess what the danger is to our electoral system, while the intelligence community, clearly by consensus, has told them.”
Layers of Vulnerability
The report covers a lot of ground, starting with what Russia did in 2016 that was different from its past efforts to seed and spread political propaganda in the U.S.
It began by citing the outlines of what most people already know: that Russian agents posted “more than 1,000 YouTube videos, 130,000 tweets, and 80,000 Facebook posts. The latter were viewed by approximately 126 million people on Facebook platforms alone.” But the report quickly narrowed its focus to cyber probing of voting systems, starting with state voter registration databases.
“The 2016 election has shown us that these systems are vulnerable to attack,” the report said. “The Department of Homeland Security found that Russian hackers targeted these [registration] systems in 21 states. In Illinois, Russian hackers successfully breached the databases and attempted, but failed, to alter and delete voting records. In Arizona, hackers were able to successfully install malware on a county election official’s computer. That gave the hackers access to the official’s credentials which could have then been used to get into the county’s voter registration database. In addition, hackers targeted at least one election vendor with the hope of ultimately obtaining access into voter registration databases.”
The report described the kind of havoc that could have ensued had the Russians — or anyone else — scrambled voter data in those systems.
“The most significant threat posed by vulnerable voter registration databases is that an attacker could alter, delete, or add voter registration records which would then cause profound chaos on Election Day and potentially change the results of the election,” it said. “There is no federal law that governs what steps election vendors must take to safeguard their systems from attack. Instead, any obligations that vendors are subject to stem from the terms of their contracts with states and localities.”
The report also noted successful hacks by North Korea, China and Iran of U.S. companies, including defense contractors, banks and major media. However, it noted that none of those foreign governments were known to have meddled in U.S. elections. In comments at the press conference, report co-author Rep. Val Demings, D-FL, emphasized that America’s system of privatized contractors programming voting machines must be pushed to follow higher security standards.
“The [proposed] Election Security Act proactively strengthens our elections system by requiring election technology vendors to adopt specific cyber security standards that share threats with elections and security officials, intelligence officials, as well as running pre-election threat assessments to uncover vulnerabilities, with enough time to solve them,” Demings said. “Nowhere is that more evident than in my home state of Florida, where a voter registration vendor [VR Systems] for 57 of 58 counties was targeted in August of 2016. By October, at least 12 county elections officials had received information about it, but it was not until November first that all counties were notified of the attempted hack. To my knowledge there were no successful breaches, but Russia and others will be back with a vengeance. We must be ready.”
DHS and Critical Infrastructure
Demings alluded to some of the report’s most eyebrow-raising content, which discussed, in great detail, how difficult it was for DHS to work with state and county officials to try to detect and prevent attacks on the different computer systems overseeing voting. (Voter registration databases are one system; another system tabulates the votes.) That cooperation was also hampered by Republicans in Congress and states that didn’t trust the Obama administration — even though DHS is not a regulatory agency.
“DHS was slow to gain the trust and buy-in of its state partners,” the report said. “On September 28, 2016, with the election nearing and fewer than half the states requesting assistance from DHS, bipartisan congressional leadership wrote to state election officials to urge them to take advantage of resources to secure their network infrastructure, including those offered by DHS. At the same time Congressional leadership promised to ‘oppose any effort by the federal government to exercise any degree of control over the states’ administration of elections by designating these systems as critical infrastructure.’”
The report notes that DHS was unable to expeditiously help states as 2016’s election came to a close, even where its assistance — such as running tests to see if voting networks could be hacked — was wanted.
“On October 10, DHS once again warned election officials that: ‘[T]ime is a factor... There are only 29 days until Election Day,’” the report said. “Although cyber hygiene scans can be performed quickly and remotely, ‘it can take up to two weeks...to run the scans and identify vulnerabilities. It can then take at least an additional week for state and local election officials to mitigate any vulnerabilities on systems that we may find.’”
The report’s authors have drafted legislation in which DHS can play a significant role. As a result, the report alternates between critical passages like the above paragraph, and supportive passages about what DHS achieved, such as: “With consistent prodding, DHS provided cyber hygiene scans to election officials in 33 states and 36 local jurisdictions and shared over 800 cyber threat indicators officials could use to identify attempted intrusions, as well as other tactics, techniques and best practices, with officials in thousands of jurisdictions across the country.”
But the problems of DHS coordinating with states that want its help have persisted since the 2016 election, the report noted. In one example, states had to wait nine months to have the federal agency assess their cyber vulnerabilities. That track record, apart from promises of help by top DHS officials, was troubling, election officials told the report’s authors.
“Election officials also had difficulty squaring DHS’ offer of ‘priority access’ to services with the nine month waiting list for certain services like Risk and Vulnerability Assessments,” the report said. “These delays render the benefit useless in light of the compressed time frame of an election cycle.”
While these revelations don’t mean DHS officials aren’t trying to help states, they underscore how difficult it is to make systemic changes that are needed to safeguard elections. Another example given was that DHS kept telling governors’ offices what was needed, but the messages were never given to senior state election officials — because election offices use different computer systems for their data and communications.
“Although DHS officials testified in June 2017 that Russia targeted voting systems in 21 states, for example, it did not notify state election officials whether their election systems were targeted until late September, almost a year after the election,” the report said. “In part, DHS attributed these information sharing challenges to the nature of its existing information sharing channels and reporting structures within each state. As a general rule, DHS shares threat information at the state level through state Homeland Security Advisors, Fusion Centers, CIOs and other agents of the state governor. Each state government is organized differently, but for the most part, Secretaries of State and other chief election officials are independently elected officials who do not report to the governor and exist outside the executive branch chain-of-command. As a result, information shared by DHS did not automatically flow to them under existing information-sharing relationships.”
Little Political Will to Fix Voting Systems
These kinds of delays and communication snafus show a system that operates at a snail’s pace relative to the speed of cyber probes and attacks. To make matters worse, in many states — and in Congress, as seen in the just-passed federal budget — there’s no willingness to spend the funds needed to modernize voting in the United States.
“State and local election officials are acutely aware of the threats they are facing, but they lack the necessary funds to safeguard their voting infrastructure,” the report said. “In most states, legislatures are not increasing their election security budgets. In some cases, Governors [Florida, Ohio, Wisconsin] are actively undermining election security efforts. Moreover, state and local officials have expressed a desire for Congress to step in.”
The report recites the known vulnerabilities of electronic voting systems — problems that so-called election integrity activists have repeatedly raised for more than a dozen years. It notes that paperless systems, which are still used in 13 states for about one-fifth of the country’s voters, can mistakenly record votes and cannot be audited. The report recommends replacing all of the remaining paperless systems with paper ballot-based machines. It said ink-marked paper ballots are the best way to have a verifiable vote, one that could be audited for accuracy even if those ballots were electronically scanned. It cited one academic estimate that it would cost between $130 million and $400 million to make that transition in all remaining states with paperless systems, and noted that “over $300 million” remains in federal funds from a past law to buy voting machines.
It also said states should institute much more rigorous post-election audits to see if their machinery is properly counting votes. And Congress should empower and fully fund a little-known federal agency, the Election Assistance Commission, to help with developing and implementing the technical standards needed to meet cyber threats.
But mostly, the report said states have to spend more money “to replace outdated technology and hire IT support. It is important to note that cyber threats evolve at a rapid pace, and a one-time lump sum investment is not enough. States also need resources for maintenance and periodic upgrades, and cybersecurity training for poll workers and other election officials.”
Looking at 2018 and 2020
The report by House Democrats may be one of the most detailed and honest assessments of the vulnerabilities of America’s voting systems to be issued by a congressional panel in years. Its findings are truly frightening, from the cyber threats and the best responses, to the lack of political will to spend money to address the problems, and the sorry state of the privatized voting machinery industry.
The report gives no indication that elected officials with the power of the purse — mainly Republicans these days — have much inclination to make voting and elections more trustworthy. Perhaps because they are in power, they feel no need to patch the vulnerabilities in the system that helped elect them. But the political tides shift, and Americans across the political spectrum deserve to know that their votes are accurately cast and counted.
Sadly, the report notes that the tech sector has shown no inclination to step in. Consider these passages in the report describing the current monopoly held by voting machinery manufacturers and the contractors maintaining them:
“According to a recent study put out by the Penn Wharton Public Policy Initiative, the election technology industry is dominated by three firms whose products cover approximately 92% of the total eligible voter population. These firms are neither publicly nor independently held which limits the amount of publicly available information available about their operations. Smaller companies routinely get bought out and merged with one of the three larger companies, and biggest tech companies, including Apple, Dell, IBM, HP, and Microsoft have chosen to stay out of the election technology business. This may in part be because the sector generates approximately $300 million in annual revenue, a relatively modest amount when compared to the revenue of the largest technology companies. For example, Apple generates about $300 million in revenue every 12 hours.
“Currently, election technology vendors present serious security risks. The consolidation in the election technology industry means that ‘there is no meaningful competitive pressure from the suppliers to the vendors.’ In other words, there is no incentive for election technology vendors to prioritize security. This problem is compounded by the lack of regulation in this area. These vendors are not required to make financial disclosures to the Securities and Exchange Commission. The executives are not required to disclose political contributions to the Federal Elections Commission. State and local contracts do not necessarily require vendors to notify election officials in the event of a cyberattack. Under current law, there is no way to ensure that vendors are doing everything possible to keep their systems secure.”
This is the sorry state of voting infrastructure in America. The report by House Democrats is filled with best practices that could be implemented, and even some lines of defense that might seem a bit far-fetched, such as training poll workers to look for cyber-security threats. But taken as a whole, it reveals that the voting system that will record and count the ballots in upcoming elections is marked with a range of vulnerabilities. And sadly, there’s little political will in America’s current ruling party, the Republicans, to improve things.