Security of States Voting Systems

Prepared for Terence Linkletter

Prepared by Scott Fluharty, Kendall Johnston, and Crisdee Michie
Completion Date: June 2, 2017
 Table of Contents
List of Figures .......................................................................................................... iii
Executive Summary ................................................................................................. iv
Voting Machines ........................................................................................................1
Government Involvement in States Voting Systems ................................................2
Largest contributing motives to compromise our nation's voting systems and voter
registration rolls .........................................................................................................3
Security Issues with Voting Machines.......................................................................6
How to Improve Our Voting Systems .......................................................................7
Voting systems reconstructed with Cybersecurity in mind from the ground up, or
rid of states voting systems completely .....................................................................8
References ................................................................................................................10

ii
 List of Figures

Figure 1: Comparison States Voting Machines .........................................................7

iii
 Executive Summary

The purpose of this document is to discuss the security issues with voting machines and

how to improve them. Government involvement in voting machines, contributing motives that

compromise our nations voting systems, and options are considered. Americans do trust their

voting machines because of the recent election. However, due to the cost of upgrading the voting

machines, local and state government cannot afford to purchase new machines.

Criminals that take advantage of the technology to sell voter information is one of the

largest contributing motives to compromise our voting systems and voter registration rolls. By

creating a team that would be dedicated to securing the vulnerabilities, upgrading the outdated

voting systems, and by funding the voting systems, the government will be able to improve its

voting systems.

iv
 Voting Machines

In recent elections, we have come to encounter that our voting machines are easily

manipulated. People did not really put that much thought into them in the past as it was not as

significant as the past election, or at least not many people paid attention as much as they do

now. Americans do not trust our Election Systems and we have a lot of evidence that shows that

voting machines are easily manipulated and they can change the outcome of our elections.

Why do we have such problem with this?

One of the biggest reasons on why this is an overlooked subject by manufacturers,

software creators, installers and administrators is money. The government does not have enough

funds to invest what it needs to be invested in voting machines. So, there has not been a real need

for these to be changed in the past.

After what happened with the 2000 election, those machines were replaced with the electronic

voting system. But this system was not the most ideal. They did not think about voting system

security or what challenges could arise. This solved some problems but created a whole lot of

new ones. Computers, as we well know, with time need updates, if not, they can get obsolete,

our voting machines are very old computers with very old software. For example, most of those

machines are running on Windows XP, and Microsoft hasnt released a security patch since

2014.

There is no real evidence of direct voting machine interference as of right now but the

machines are susceptible to malware or major hacking. It is not just about switching election

results, this could damage the machines and in some cases, prevent people from voting. Voting

machines are just computers and they run on lots and lots of lines of code, so they are not perfect

but they could be protected so they are not easily manipulated.

1
 Another reason why this is such a big deal with manufacturers is that its believed that

manufacturers really do not have a clear understanding of all the aspects of an election. So, they

are creating voting machines but if the client really doesnt know much technology and the

manufacturer doesnt know the product and they cant do adequate testing, its bound to fail.

Most voting machines are made by two manufacturers and they do not share their software code

among each other, so there is no real testing to see if they will work well together.

The good news is that some states are starting to get next generation systems by August

of 2018. This is quite costly but way necessary. Its important to remember that computers do

not last forever, they have a shelf life and they need to be updated, you cant have a 20-year-old

machine and expect it to work at 100%. Hopefully, more and more States will follow that lead

and get their machines updated.

Government Involvement in States Voting Systems

Every State is individual and has their own system, this, in my opinion, has a sense of

disorganization and its really not uniform. I believe having a centralized focus for voting

machines will be ideal. If everybody functions the same way, then it would be easier to maintain,

also the risk of inconsistencies will be decreased, there will be a better way to document how

things get done and States could help each other when they have problems as well. A uniform

system will make it better.

If the Federal Government goes ahead and sets a standard for voting machines in all

States, this could also work, then again, I dont think all of them will choose to do the same thing

but at least there would be some rules they need to follow. There has got to be Federal Funding

as not all States can afford to fund elections on their own.

2
Very Specific guidelines on how their elections have to be done. What should be requested from

the manufacturers of Voting Machines, how should this software work and what it should do, I

do believe that if possible, elections should be done the same in each State, meaning, no more

paper ballots, all should be done electronically, except absentee ballots of course.

Another idea would be that State and local Elections could be the responsibility of each

locality, but when its a Federal Election it should be the responsibility of the Federal

Government, we have got to look beyond Government meddling on everything, sometimes we

do need the help, and this would improve our Election System.

I understand that the constitution separates Federal powers from State powers but, we all

elect a president, we all require elections, so we do need to have a system in place that works and

works fine. This does not necessarily mean that the States will be giving up independence or the

power to the Federal Government but, they could use the help. The current system does not

work. Everybody does things differently and there is a lot of room for error.

If this cant be changed because of the constitution, at least the Federal Government

should do more in order to be more involved in every States voting system.

Largest contributing motives to compromise our nation's voting

systems and voter registration rolls

With regards to motives driven to the compromise of our nations voting systems and

registration rolls, one of the largest contributing motives was found to be the act of attaining the

information provided on the voter registration, which the attacker would then plan to sell.

Another motive that was found to compromise voting systems/ voter registration was also found

on the contrary of attaining personally identifiable information (PII), but instead, influence the

election with political motives not financial. Finally, a third motive that found from conducted
3
research was that an attacker targeting these voting systems only has motives of voter integrity

and cause confusion loss of voter confidence.

In cases where the motives of an attacker are to sell information for financial gain by

attaining access to the systems, ABC News has claimed: nearly half of the states in the U.S.

have recently been targeted by foreign hackers, four of which have successfully been breached

(Levine & Thomas, 2016). We come to the realization that it is no longer a matter of

hypotheticals at this point, that argument is mute. We are facing on a much grander scale

criminals attempting to breach these systems than years in the past. Russian hackers were also to

blame for cyberattacks on Democratic organizations, as per what was released from WikiLeaks.

In addition to this, it has come to Alperovitch attention (co-founder of CROWDSTRIKE), that

Russian hackers have been seen stealing assets from one another, refuse to collaborate. Theyre

all vying for power, to sell Putin on how good they are (Nakashima, 2016).

Motives that were of political agenda on behalf of attacker were found to be another

influence on data breaches of voting systems. For example, after the attack on the voting

systems in Illinois, it was concluded that they didnt steal information for financial gain but

rather to influence future elections. This is something to consider when voting for future

elections because you never really will know if those around you were subjected to bribery from

those whom allocated this information. As of now, Dr. Andy Ozment (secretary for cybersecurity

and communications for DHS) has stated that "We have not seen intrusions intended to in any

way impact individuals' votes and actual voting" (Levine & Thomas, 2016). Having read that, it

does make one wonder that just because it may not have happened in the past is no reason to

stipulate that it wouldnt occur in the future is anything but absurd. The hackers that hacked the

Illinois voting systems managed to extract information from as much as 200,000 peoples

4
personal data. What appears to be the ultimatum for these criminals was not bank or credit

information to sell but rather voting history so establish if theres an opportunity to influence

future votes through such ways as bribes or threats (Ortega, 2016). This presents a large

problem for our future elections as a country because many individuals could be misguided by

special interests for a political agenda.

An addition motivation that was identified attacks on voting systems was to create

confusion and loss of voter confidence in future elections. According to the Department of

Homeland Security, more than 20 states have been targeted for their voter registration systems

(U.S. official: Hackers targeted voter registration systems of 20 states, 2016). Federal officials

have made claims that security threats aside, a hacker cannot alter an elections outcome due to

the systems not being connected to the internet. Releases from now President Donald Trump

during the election suggested that the election is going to be rigged. With that in mind, we can

conclude that voter confidence just from even that one statement by a former candidate can cause

lack of trust in the authenticity of our nations voting system. It has become a common

expression in the citizens perception as I am sure you may have heard before: Why even vote?

It doesnt matter who I vote for because the election is rigged. Without voter confidence, more

and more citizens will be less interested in politics feeling they no longer have a voice regarding

whom should be elected. Thus, added security to these voting systems is critical to the future

integrity of our nations democracy. For without it, this country will likely become a communist

country where the people eventually lose all voting privileges.

5
 Security Issues with Voting Machines

State and local governments are doing little to secure their voting machines due to the

cost associated with upgrading the technology, the politicians that are behind the government,

and the governments need to save tax dollars.

Election officials in 31 states would like to buy new voting machines but they do not

know where the money will come from. It costs millions of dollars to replace the outdated

machines. For example, in California, the secretary of state estimates that it could cost up to

$450 million to replace the voting machines there (Rauf, 2017). Without help from the federal

government, effectively replacing the outdated machines is a daunting task.

Politicians are not motivated to campaign on a promise to upgrade the voting machines in

their state/district because of other state-run programs that will garner more votes. Communities

need to make their voices heard about issues they care about and should contact their federal,

state and, local representatives to convince them to protect the security of our votes. Only when

everyones vote counts, will we have a true democracy.

The House Administration Committee voted on February 7, 2017, to eliminate the

Election Assistance Commission (EAC) which was the only federal agency that protects against

voting machine attacks. The vote passed 6 to 3 and the committee chair stated that the EAC has

outlived its usefulness and purpose (Harper, 2017). The recent election proved that the EAC

needs to be reinforced, not eliminated or replaced.

6
 How to Improve Our Voting Systems

The government can improve its voting systems by creating a team that would be

dedicated to securing the vulnerabilities, upgrading the outdated voting systems, and by funding

the voting systems.

Creating a team that would be dedicated to securing vulnerabilities in the nations voting

systems would allow the government to analyze and detect threats. To find vulnerabilities, this

team would be tasked with breaching the voting systems with the approval of the reestablished

U.S. Election Assistance Commission.

Polling equipment is actually falling apart in some states and there is dire need to upgrade

the voting systems. The last time the U.S. government updated its voting machines was in the

year 2000 after the widely controversial Bush/Gore election. The lifespan of a voting machine is

10 to 20 years, closer to 10, and in 14 states machines are going to be 15 years or older. Figure 1

below is a comparison between how many states use outdated voting machines and the ones that

use a newer voting machine or alternative voting methods.

States Voting Machines

50 43
NUMBER OF STATES

40

30

20

10 7

0
Decade old machines Newer Machines/Different
Voting Method

Figure 1: Comparison States Voting Machines

7
 There are a variety of options states can choose from when purchasing new voting

equipment. These options include direct appropriation, splitting the cost, setting up a grant

program, buying equipment in bulk, generating dedicated revenue, and passing a statewide bond

measure.

Voting systems reconstructed with Cybersecurity in mind from

the ground up, or rid of states voting systems completely

In relation to what following steps should be taken for U.S. voting systems whether it be

reconstructed group up with attention to cybersecurity in mind or be rid of completely. Our

research has found that there are three directions in which we could take as a nation to better

fulfill the data integrity and security of PII. The first direction is to, instead of reconstructing

existing systems from the ground up with cybersecurity set as a priority to rather upgrade the

existing system with a new one. Another direction our nation could go to value security in our

voting systems is to go fourth with keeping the existing systems and simply reconstruct them

from the ground up. Lastly, a stressing of urgency to have voting stems remain decentralized will

be a key component of added security measures.

With regards to the first direction our nation could go to better secure our voting systems,

is by upgrading the existing system to a new system. What was learned from our research is that

in 43 States have electronic voting equipment that is more than a decade old (Dacuan, 2016).

Outdated equipment in and of itself is not only difficult to operate with newer released software

but also a lack of internal security from patchwork and bug fixes. This is mostly why we can

expect individuals to attempt attacking these machines is because of their overall lack of security

thereof.

8
 Another direct solution to this issue is to just go forward by reconstructing the existing

systems from the ground up. By doing so what will be sorely needed is essential oversight and

funding. Funding by the state can in most cases not afford to replace all voting systems without

extended financial help from the federal government. With reconstruction from ground up with

focuses on cybersecurity, these systems will have a better chance at mitigating the chances of

data breeches of the systems. More importantly, this can also be a cost-effective solution. If

enough states got on board with this idea, the federal reserve would supply the states funding to

complete the initiative.

Lastly, a solution that could easily be implemented is stressing the awareness and

urgency of decentralizing the voting registry systems. Currently, most of our nations voting

systems run offline, thus being labeled decentralized. However, not all the states have switched

to this type of voting machine. By having the systems fully functional offline (no connection to

the internet), it is formally impossible to breach the voting systems themselves from across the

other side of the world. Pros to this solution are that it would save states funding billions of

dollars, and would help ensure the integrity and security of voters using the systems. A con to

this solution is that it does not prevent breeches from those made in person physically tampering

with the machines and it is a concept that the government has been having difficulties trying to

inform every voting station of this important and easy to do the concept.

9
 References
Barrett, B. (2016, August 02). America's Electronic Voting Machines Are Scarily Easy Targets.
Retrieved May 31, 2017, from https://www.wired.com/2016/08/americas-voting-machines-arent-
ready-election/

Berman, A. (2017, February 08). House Republicans Just Voted to Eliminate the Only Federal
Funding Elections Technology. (2017, May 10). Retrieved May 31, 2017, from
http://www.ncsl.org/research/elections-and-campaigns/funding-election-technology.aspx

Dacuan, L. (2016, March 16). THE 2016 RACE TO UPGRADE VOTING TECHNOLOGY
HEATS UP. Retrieved May 31, 2017, from Onvia: https://www.onvia.com/company/blog/2016-
race-to-upgrade-voting-technology-heats

Levine, M., & Thomas, P. (2016, September 29). Russian Hackers Targeted Nearly Half of
States' Voter Registration Systems, Successfully Infiltrated 4. Retrieved May 31, 2017, from
ABC News: http://abcnews.go.com/US/russian-hackers-targeted-half-states-voter-registration-
systems/story?id=42435822

Nakashima, E. (2016, June 14). Russian government hackers penetrated DNC, stole opposition
research on Trump. Retrieved May 31, 2017, from The Washington Post:
https://www.washingtonpost.com/world/national-security/russian-government-hackers-
penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-
7b6c1998b7a0_story.html?utm_term=.70e43853bffc

Oosting, J. (2017, January 24). Michigan plans to replace all voting machines by 2018.
Retrieved May 31, 2017, from
http://www.detroitnews.com/story/news/politics/2017/01/24/voting-machines/96991230/

Ortega, A. (2016, October 04). Hacking an election requires more than compromising a machine.
Retrieved May 31, 2017, from The Hill: http://thehill.com/blogs/congress-
blog/technology/299190-hacking-an-election-requires-more-than-compromising-a-machine

RAUF, D. S. (2017, March 12). States Scramble for Funding to Upgrade Aging Voting
Machines. Retrieved May 31, 2017, from https://www.usnews.com/news/best-
states/texas/articles/2017-03-12/states-scramble-for-funding-to-upgrade-aging-voting-machines

Smith, G. (2012, October 22). Electronic Voting Machines Still Widely Used Despite Security
Concerns. Retrieved May 31, 2017, from http://www.huffingtonpost.com/2012/10/22/electronic-
voting-machines-2012_n_1992992.html

10
Agency That Makes Sure Voting Machines Can't Be Hacked. Retrieved May 31, 2017, from
https://www.thenation.com/article/house-republicans-just-voted-to-eliminate-the-only-federal-
agency-that-makes-sure-voting-machines-cant-be-hacked/

U.S. official: Hackers targeted voter registration systems of 20 states. (2016, September 30).
Retrieved May 31, 2017, from Chicago Tribune:
http://www.chicagotribune.com/news/nationworld/ct-hackers-target-election-systems-20160930-
story.html

(2015, September 15). Retrieved May 31, 2017, from

https://www.brennancenter.org/publication/americas-voting-machines-risk

11