The Free Internet Project

election security

Federal Judge Orders Georgia Election Officials to Upgrade Voting System Before 2020

On Thursday, August 15th, Federal District Court Judge Amy Totenberg ordered the state of Georgia to upgrade its election systems before the state holds its presidential primary election in March of 2020. The 151-page ruling describes Georgia’s election system as “antiquated, seriously flawed, and vulnerable to failure, breach, contamination, and attack.” Although she has previously ordered Georgia to upgrade its election systems, Thursday’s order marks the first time Judge Totenberg has set a specific deadline that Georgia officials must meet.

Georgia is one of a handful of states that relies exclusively on electronic voting systems that do not provide a paper record. Election security experts have roundly criticized such systems, noting that they are vulnerable to hackers and susceptible to logistical problems. Indeed, election security experts have identified a number of significant security breaches that occurred during the 2018 election.

Due to these concerns and previous orders from Judge Totenberg, Georgia had announced plans to upgrade its voting systems prior to Thursday’s ruling. In July, Georgia’s Secretary of State Brad Raffensperger publicly announced that the state would purchase new electronic voting machines from Dominion Voting Systems. The machines will print out a paper ballot and a QR code that both voters and election officials can use to verify vote tallies. The Associated Press notes that while Judge Totenberg has praised the new machines as “an essential step forward out of the quagmire, even if just to terminate use of antiquated voting system,” plaintiffs remain skeptical of the new machines, specifically questioning the extent to which voters will be allowed to verify their selections rather than relying on a printed QR code. Because of these concerns, plaintiffs have publicly announced their intention to bring separate litigation over the newly proposed machines.

Judge Totenberg’s ruling was prompted by a motion from plaintiff voters and election security advocates asking the court to force Georgia officials to use paper ballots during upcoming 2019 municipal elections. Citing logistical concerns, Judge Totenberg held that the state would not have enough time to implement a paper ballot system in time. However, she notes that use of the current system “past this 2019 cycle of elections is indefensible given the operational and constitutional issues at stake.”

The ultimate effect of Thursday’s ruling is to prevent Georgia from reverting to current election systems if newly proposed voting machines are not rolled out in time for 2020 elections. As a result, Georgia will have to resort to a paper balloting system in 2020 if new systems are not in place. In preparation for this contingency,  Judge Totenberg’s order requires the Secretary of State to “address errors and discrepancies in the voter registration database” and test the use of a paper balloting system in a handful of jurisdictions during the state’s upcoming municipal elections.

Summary of Senate Intelligence Committee Report: “Russian Efforts Against Election Infrastructure”

On July 25, the Senate Select Committee on Intelligence published Volume I of a report on Russian Active Measures Campaigns and Interference. The report stems from the committee’s bipartisan investigation into a wide range of Russian activities relating to the 2016 U.S. presidential election. Volume I reaffirmed the Intelligence Community Assessment (ICA) that Russian intelligence accessed elements of multiple state or local electoral boards prior to the 2016 presidential election. According to the Report, DHS concluded that the Russian government likely researched the electoral system in place in all 50 states. In fact, by September 2017, DHS concluded that 21 states were explicitly targeted by Russian government cyber actors.

The Committee determined that “scanning” of election-related state infrastructure was the most widespread activity conducted by the Russian government prior to the election. Scanning is a form of reconnaissance where an adversary searches for weaknesses, access points, and vulnerabilities. Dr. Samuel Liles, Acting Director of Cyber Division for the Office of Intelligence and Analysis, characterized these activities as “analogous to somebody walking down the street and looking to see if you are home. A small number of systems were unsuccessfully exploited, as though somebody had rattled the doorknob but was unable to get in . . . [however] a small number of the networks were successfully exploited. They made it through the door."

It should be noted that the Report provides no evidence that votes were changed, vote tallying systems were manipulated, or that any voter registration data was altered or deleted during the 2016 election cycle. Despite this, there is reason to believe that Russia will continue to escalate its interference in future elections. When testifying before the Committee, Michael Daniel, former Assistant and Cybersecurity Coordinator for President Obama, warned that mapping is done “so that [Russia] could actually understand the network [and] establish a presence so [they] could come back later and actually execute an operation.” Moreover, in an addendum providing the additional views of Senators Harris (D-CA), Bennet (D-CO), and Heinrich (D-NM), the Report states that “Russian operatives undoubtedly gained familiarity with our election systems and voter registration infrastructure—valuable intelligence that it may seek to exploit in the future.”

At the end of the Report, the Committee provided a comprehensive list of recommendations aimed at preventing Russia from interfering in future elections.

1.  Reinforce States' Primacy in Running Elections

The Committee recommends reinforcing the role of each state in administering elections while the federal government should ensure they receive the necessary resources and information. This recommendation received pushback from Senator Wyden (D-OR) who calls for mandatory, nation-wide cybersecurity requirements. Wyden argues that Congress's constitutional role in regulating federal elections is well-established and that the Russian attacks are too complex and too serious to be left solely to state and local officials. Wyden went so far as to say that “[w]e would not ask a local sheriff to go to war against the missiles, planes and tanks of the Russian Army. We shouldn't ask a county election IT employee to fight a war against the full capabilities and vast resources of Russia's cyber army.”

2.  Create Effective Deterrence

The Committee recommends that the U.S. establish an international cyber doctrine to limit certain cyber activity. This doctrine would be similar to the existing international norms and treaties about the use of technologies and weapons systems. A violation of this doctrine would be viewed as a hostile act and would be responded to appropriately. The Committee made it clear that the U.S. “should not limit its response to cyber activity; rather, it should create a menu of potential responses that will send a clear message and create significant costs for the perpetrator.”

3.  Improve Information Gathering and Sharing on Threats

The Committee recommends that the federal government, state governments, and local governments should establish clear channels of communication between one another. While this may seem rather rudimentary on its face, one of the key components of information sharing about elections is security clearances for appropriate officials at the state and local level. Since the 2016 election, DHS has compiled a list of officials to contact in every state if there is a threat. In addition, DHS is seeking to obtain security clearances for up to three election officials per state. Lastly, federal officials are working to declassify information in order to provide the greatest possible warning to state and local officials without compromising our own national intelligence.

4.  Secure Election-Related Cyber Systems

Despite the expense, the Committee recommends that cybersecurity become a higher priority for election-related infrastructure. To do this, election officials should work with DHS to evaluate the security of their election systems, voter registration systems, state records, and other pre-election activities. The Report stated that in 2016, “cybersecurity for electoral infrastructure at the state and local level was sorely lacking.” The Committee additionally recommends that DHS create an advisory panel to give expert-level advice on how states and localities run elections. Using this advice, DHS should develop procedures and processes to evaluate and routinely provide guidance on relevant vulnerabilities associated with voting systems.

5.  Take Steps to Secure the Vote Itself

The Committee recommends that states act with urgency to replace outdated and vulnerable voting systems. At a minimum, any machine purchased going forward should have a voter-verified paper trail and remove (or render inert) any wireless networking capability. This is because paper ballots and optical scanners are the least vulnerable to cyber-attack. However, in order for paper ballots to be a legitimate means of tallying votes, there must be a secure chain of custody for those ballots. For this reason, the Committee recommends that states reexamine their safeguards against insertion of fraudulent paper ballots at the local level. Lastly, the Committee recommended that vendors of election equipment be briefed about the vulnerabilities in both the machines and the supply chains for the components of their machines.

6.  Assistance for the States

Finally, the Committee outlined its assessment of how the federal government can assist state and local governments in ensuring free and fair elections. State officials told the Committee the main obstacle to improving cybersecurity and purchasing more secure voting machines is cost. In March 2018, Congress appropriated $280 million in grants aimed at improving election security. Among other things, these funds will go toward replacing voting machines, hiring additional IT staff, updating software, and contracting with vendors to provide cybersecurity services. The Committee recommends that the Election Assistance Commission—the entity responsible for administering the grants—regularly report to Congress on how the states are using those funds, whether more funds are needed, and whether states have both replaced outdated voting equipment and improved cybersecurity.

Above all, this Report serves as a reminder that since 2014, Russia has been exploiting weaknesses in the American electoral system in order to sow discord and distrust among the American public. As former Deputy Director of the FBI, Andrew McCabe, told the Committee, the Russians “might not be effective the first time or the fifth time, but they are going to keep at it until they can come back and do it in an effective way." The committee plans to release several more installments of its report in the fall, focusing on the "Intelligence Community Assessment (ICA) of Russian interference, the Obama Administration’s response to Russian interference, the role of social media disinformation campaigns, and remaining counterintelligence questions."

Time to Revisit Electronic Paperless Voting: State election systems lacking paper ballots are most vulnerable to hacking

Sample direct recording electronic (DRE) voting machine

Following the infamous hanging-chad fiasco in Florida during the 2000 U.S. presidential election, the federal Help America Vote Act of 2002 aimed to modernize election systems in the United States, in part by encouraging states to transition from paper ballots to electronic voting systems. That 2000 reform, however, may have led to the unintended consequence of making U.S. elections more vulnerable to hacking. Amid reports of cyberattacks against voting systems in Florida, Georgia, and other states in the recent 2018 election, officials are questioning the efficacy of machine-based or electronic voting that lacks a paper trail. Many experts have called for a return to paper ballots or at least paper records that can be used to audit machine-voting tallies. As election security expert and Georgetown Law Center Professor Matt Blaze said, "'It's ironic that the famous picture of an election official examining a paper ballot during the Florida recount' was used to illustrate the primitivism of punch-card voting machines, but now is used to demonstrate the robustness of paper ballots."

Paperless voting systems continue to be popular, however.  During the 2018 election cycle, most states relied on Direct Recording Electronic (DRE) voting systems, which store votes directly into a computer’s memory. The National Conference of State Legislatures notes that DRE systems can be equipped to provide a “voter-verifiable paper audit trail” (VVPAT) that serves two functions. First, VVPAT capabilities allow voters to verify that their ballots are recorded correctly. Second, VVPAT systems provide a paper trail for election officials should an audit become necessary. Nonetheless, ABC reported that 5 states (Louisiana, Georgia, South Carolina, New Jersey, and Delaware) used versions of Direct Recording Electronic (DRE) systems that leave no paper record of individual votes. Additionally, ABC notes that 8 states, including Pennsylvania, use DRE systems without a paper trail in at least one, but not all, counties.

Experts are increasingly critical of paperless DRE systems. A 2018 report "Securing the Vote: Protecting American Democracy" by the National Academy of Science calls for such systems to be “removed from service as soon as possible.” The Brennan Center argues that $380 million in federal funding recently authorized for election modernization is nowhere near enough to address the potential scope of interference in the 2020 election. Specifically, experts warn that paperless DRE systems tend to be older systems, most vulnerable to hacking. A New Yorker piece illustrates the grave risk, recounting a 2018 hacking conference in which hackers were able to infiltrate each of 24 voting machines on display, “some within minutes." Nonetheless, some state officials insist that paperless DRE systems are safe. For example, Delaware Election Commissioner Elaine Manlove told ABC news that DRE machines are not connected to the internet and are not connected to other machines. Thus, hackers would have to penetrate each individual machine to change vote tallies.

State responses have been mixed. The Brennan Center surveyed election officials in jurisdictions that use paperless DRE systems and received a wide variety of responses. Six states have taken direct action to replace all paperless machines with DRE systems equipped with VVPAT systems. These include the 5 states entirely reliant on paperless DRE systems and Pennsylvania. Other jurisdictions have taken a more measured response. Kentucky election officials, for example, have called for the replacement of paperless DRE systems but have yet to secure the funding to do so. Kansas has prohibited counties from purchasing new paperless DRE systems, but has not banned the use of existing paperless machines. Still other jurisdictions have taken no apparent action to replace paperless machines, including Indiana, Mississippi, Tennessee, and Texas. In fact, one municipal election official in Texas reported to the Brennan Center that he hoped to replace existing paperless machines with a new set of paperless machines.

Jurisdictions that are taking action to replace paperless DRE systems are turning to a number of different alternatives. The Brennan Center report estimates that 55% of counties that intend to replace paperless DRE systems hope to purchase optical scanning machines, which rely on computers to scan and tally paper ballots. While optical scanning systems are still vulnerable to hacking of final tallies, they allow officials to retain paper ballots for auditing purposes. An additional 13% of counties intend to purchase DRE systems that are equipped with VVPAT technology, allowing officials to collect a paper trail of each individual vote. 6% of counties report plans to purchase ballot marking devices, which require voters to input their choices on a computer that in turn marks a paper ballot rather than storing votes to internal memory. The remaining 26% of counties have not specified an alternative voting system they intend to purchase.

The decentralized nature of American elections is often touted as an asset. Because elections are typically administered at the county level, hackers have to effectively infiltrate thousands of individual election systems rather than one centralized system. Given both the vulnerability of dated DRE systems and the demonstrated commitment of foreign actors to influence American elections, many believe that a federal mandate to collect paper records of individual votes could help strengthen the American electoral system.

Summary of proposed Protecting American Votes and Elections Act of 2019 (PAVE Act) and Bots Research Act

 

Protecting American Votes and Elections Act of 2019 (PAVE Act)

Washington, D.C. Sen. Ron Wyden, D-Ore., and 14 Senate co-sponsors introduced the PAVE Act, which requires paper ballots and statistically rigorous “risk-limiting” audits for all federal elections. In introducing the bill, Wyden said, “The PAVE Act scraps insecure voting machines that are juicy targets for hackers and replaces them with reliable, secure hand-marked paper ballots. It gives states the funding they need to defend their election systems and puts the Department of Homeland Security in charge of setting strong security standards for every federal election.” This bill updates aging election infrastructure. Senator Gillibrand said, “Congress has a responsibility to secure the integrity of our elections, and I am proud to join with Senator Wyden to introduce this bill that strengthens our country’s election infrastructure.”

The press release described the key provisions of the PAVE Act: 

  • "The new PAVE Act bans internet, WiFi and cellular connections for voting machines, and gives the Department of Homeland Security the authority to set, for the first time, minimum cybersecurity standards for voting machines, voter registration databases, electronic poll books used to 'check in' voters at polling places and election night reporting websites."
  • "The bill also provides state and local governments with $500 million dollars to buy new, secure ballot scanning machines, and $250 million to buy new ballot marking devices to be used by voters with disabilities. It also permits the federal government to reimburse states the cost of conducting post-elections audits, as well as the cost of designing and printing ballots."

Bots Research Act (H.R. 2860)

On May 22, 2019, Congressman Mark DeSaulnier (CA-11) announced the Bots Research Act (H.R. 2860).  According to the press release, this bill would "establish a task force of experts at the Federal Trade Commission (FTC) to determine the impact of automated social media accounts" on elections and public disclosure and to figure out "how to most effectively combat any use of automated accounts that negatively effects social media, public discourse, and elections while continuing to promote the protection of the First Amendment on the internet."  DeSaulnier said, “We now know that bot accounts were actively used by foreign agents as part of what the Mueller Report characterized as ‘sweeping and systematic’ interference in the 2016 presidential election. The accounts spread false information and manipulate public opinion and threaten free elections and the democratic process."

House passes election security bill, H.R. 2722, Securing America’s Federal Elections (SAFE) Act

On Thursday, June 27, 2019, the United States House of Representatives passed H.R. 2722, an election security bill aimed at strengthening the nation’s election system.  Introduced by Rep. Zoe Lofgren (D. Calif.), the Securing America’s Federal Elections (SAFE) Act authorizes $600 million to update voting equipment to comply with new standards.

  • The SAFE requirements mandate that voting machines be manufactured in the United States, stay disconnected from the Internet, and produce paper records; 
  • The SAFE bill provides an additional $175 million biannual appropriation for “sustainment” funds to maintain election infrastructure; and
  • a $5 million grant program administered by the National Science Foundation (NSF) to research accessible paper ballot verification methods. [The Hill]

The bill passed the House floor in a near party-line vote 225 to 184; Rep. Brian Mast (R-Fla.) was the only Republican to vote for the bill. [Washington Post] In a party conference before the vote, House of Representatives Speaker Nancy Pelosi (D-Calif.) described the bill as an effort to “further strengthen the defense of our democracy.” At the same conference, Senate Minority Leader Charles Schumer (D-N.Y.) said, “We’re standing with our House colleagues today—we’re standing with the American people today, to protect the integrity of our elections.” Much of the Democratic support stems from the Special Counsel Robert Mueller’s report finding foreign political influence in the 2016 presidential election.

Though legislators from both parties have acknowledged the need for increased election security, the parties disagree on how to achieve this goal. While congressional Democrats view the bill as a safeguard against foreign interference, their Republican counterparts view the bill as a form of federal encroachment into an area (overseeing elections) traditionally regulated by the states. Rep. Rodney Davis (R.-Ill.), the ranking Republican of the House Administration Committee, stated that the bill “focuses on forcing states to restructure their election systems through federal mandates and ignores states’ rights to choose the election system that best fits their unique needs.” [The Roll Call]

The bill faces steep opposition in the Senate. On Thursday morning, Senate Majority Leader Mitch McConnell (R-Ky.) deemed the bill a “nonstarter.” Citing Congress’s previous grant of $380 million to states for election security, McConnell believes additional funding is unnecessary, as reported by the New York Times. On Tuesday, June 25, Sen. Amy Klobuchar (D-Minn.) tried to force a vote on a measure that would require backup paper ballots and authorize $1 billion in grants for states to improve election protection, but Sen. James Lankford (R-Okla.) blocked the move. [The Hill] In the week prior, Sen. Marsha Blackburn (R.-Tenn.) similarly blocked Sen. Mark Warner’s (D-Va.) attempt to bring forth a bill requiring campaigns to report to the Federal Election Commission any foreign nationals who make donations or provide election assistance. [The Hill]

Criticizing Republican opposition to the bill, Sen. Ron Wyden (D-Ore.) emphasized how Democrats would spend the upcoming July 4th holiday “fanning out all across the country” to advocate for election security measures. “We’re going to have a simple message: pass legislation with provisions of the SAFE Act, and tell Mitch McConnell that the future of our democracy is too important for him to stand in its way,” Sen. Wyden said. [The Roll Call] Speaker Pelosi announced that election security officials would brief Congress on July 10 in an effort to further increase pressure on Leader McConnell. [The Hill]

Should tech companies do more for election security?: hard lessons from Russian social media warfare in 2016 U.S. elections

Bill Gates, founder of Microsoft, joined the growing number of high-profile individuals demanding that the U.S. government step up its regulation of big tech companies. In a June 2019 interview at the Economic Club of Washington, DC, Gates said, “Technology has become so central that governments have to think: What does that mean about elections?” Gates focused on the need to reform user privacy rights and data security.

This concern comes following the details of a Russian-led social media campaign to “sow discord in the U.S. political system through what it termed ‘information warfare’” outlined in Volume I Section II of the Mueller Report.  According to the Mueller Report, a Russian-based organization, known as the Internet Research Agency (IRA), “carried out a social media campaign that favored presidential candidate Donald J. Trump and disparaged presidential candidate Hillary Clinton.” As early as 2014, IRA employees traveled to the United States on intelligence-gathering missions to obtain information and photographs for use in their social media posts. After returning to St. Petersburg, IRA agents began creating and operating social media accounts and group pages which falsely claimed to be controlled by American activists. These accounts addressed divisive political and social issues in America and were designed to attract American audiences. The IRA's operation also included the purchase of political advertisements on social media in the names of American persons and entities.

Once the IRA-controlled accounts established a widespread following, they began organizing and staging political rallies within the United States. According to the Mueller Report, IRA-controlled accounts were used to announce and promote the events. Once potential attendees RSVP’d to the event page, the IRA-controlled account would then message these individuals to ask if they were interested in serving as an “event coordinator.” The IRA then further promoted the event by contacting US media about the event and directing them to speak with the coordinator. After the event, the IRA-controlled accounts posted videos and photographs of the event. Because the IRA was able to acquire unwitting American assets to contribute to the events, there was no need for any IRA employee to be present at the actual event.

Throughout the 2016 election season, several prominent political figures [including President Trump, Donald J. Trump Jr., Eric Trump, Kellyanne Conway, and Michael Flynn] and various American media outlets responded to, interacted with, or otherwise promoted dozens of tweets, posts, and other political content created by the IRA. By the end of the 2016 U.S. election, the IRA had the ability to reach millions of Americans through their social media accounts. The Mueller Report has confirmed the following information with individual social media companies:

  1. Twitter identified 3,814 IRA-controlled accounts that directly contacted an estimated 1.4 million people. In the ten weeks before the 2016 U.S. presidential election, these accounts posted approximately 175,993 tweets.
  2. Facebook identified 470 IRA-controlled accounts that made more than 80,000 posts that reached as many as 126 million persons. The IRA also paid for 3,500 advertisements.
  3. Instagram identified 170 IRA-controlled accounts that posted approximately 120,000 pieces of content.

Since the details of the IRA’s social media campaign were publicized, big tech companies have been subject to heightened levels of scrutiny regarding their effort to combat misinformation and other foreign interference in American elections. However, many members of Congress were pushing for wide-ranging social media reform even before the release of the Mueller Report.

In April 2018, Facebook Founder and CEO Mark Zuckerberg testified over a two-day period during a joint session of the Senate Commerce and Judiciary Committees and the House Energy and Commerce Committee. These hearings were prompted by the Cambridge Analytica scandal. Cambridge Analytica—a political consulting firm with links to the Trump campaign—harvested the data of an estimated 87 million Facebook users to psychologically profile voters during the 2016 election. Zuckerberg explained that, when functioning properly, Facebook is supposed to collect users’ information so that third parties' advertisements can be tailored to the specific group of people that the third party wishes to target as part of its advertising strategy. In this scenario, the third parties never receive any Facebook users’ data. However, Cambridge Analytica utilized a loophole in Facebook’s Application Programming Interface (API) that allowed the firm to obtain users’ data after the users accessed a quiz called “thisismydigitallife.” The quiz was created by Aleksandr Kogan, a Russian American who worked at the University of Cambridge. Zuckerberg explained to members of Congress that what Cambridge Analytica did was improper, but also admitted that Facebook made a serious mistake in trusting Cambridge Analytica when the firm told Facebook it was not using the data it had collected through the quiz.

Another high-profile hearing occurred on September 5, 2018 when Twitter Co-Founder and CEO Jack Dorsey was called to testify before the Senate Intelligence Committee to discuss foreign influence operations on social media platforms. During this hearing, Dorsey discussed Twitter’s algorithm that prevents the circulation of Tweets that violate the platform’s Terms of Service, including the malicious behavior we saw in the 2016 election. Dorsey also discussed Twitter’s retrospective review of IRA-controlled accounts and how the information gathered is being utilized to quickly identify malicious automated accounts, a tool that the IRA relied heavily on prior to the 2016 election. Lastly, Dorsey briefed the committee on Twitter’s suspicion that other countries—namely Iran—may be launching their own social media campaigns.

With the 2020 election quickly approaching, these social media executives are under pressure to prevent their platform from being abused in the election process. Likewise, the calls for elected officials to increase regulation of social media platforms are growing stronger by the day, especially since Gates joined the conversation.

[Sources: Mueller Report, PBS, Washington Post, CNN, The Guardian, Vox I, Vox II]
