
Communications of the ACM


Securing Threats to Election Systems

Duncan Buell.

In a New York Times Magazine article on 21 February 2018, award-winning journalist Kim Zetter (Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon) detailed a serious problem in U.S. election systems: county election servers with Internet connections, modems, and remote access software installed by default, and local election officials (LEOs) who seem unaware that "connected to the Internet" (and thus vulnerable to hacking) can happen in ways other than a wire being plugged into the wall.

The initial target of Zetter's inquiry was the Election Systems and Software installation in Venango County, PA. After a contested election there in 2011, David Eckhardt of Carnegie Mellon University discovered that an IT contractor was remotely logging in to the county's central server to do his legitimate work. (Disclaimer: I also had a small part to play in the Venango County analysis, but not with the issue of remote access.)

Election systems are supposed to be disconnected from the Internet, for obvious and sensible reasons. Most elections today, however, use computers: electronic poll books, ballot marking devices, optical scanners, or direct recording electronic (DRE) computers such as were used in Venango. These are configured or programmed the way we do everything with computers these days: there are flash memory cards of various sorts, handheld devices slotted into DREs, and bulk upload and download with special gadgetry. My own county, second-largest in the medium-sized state of South Carolina, with about 240,000 voters, will send out in November 2018 about 1,000 DREs, each with a removable flash memory card, and about 700 handheld devices that will open and close the DREs and collect vote totals at the end of the day.

By any standard, managing these bits and pieces of the election system for a 12-hour election day in 150 local precincts with a largely volunteer staff is a logistical nightmare; the nightmare is exacerbated by news media pressure to have the results available for display within seconds of the close of the polls.

Further complicating things is the fact that election offices, like most government offices, are underfunded. Venango was not unusual in not having a full-time IT person, and I suspect few counties nationally would have the luxury of full-time computer security staff. Even the State Election Commission in South Carolina relies for computer security in part on the state's Division of Administration. (The SC SEC was upset when the state's security analysis apparently was a less-than-glowing endorsement. I have not seen the report, but I do have the snarky email that was released under FOIA.)

Elections are important, and increasingly computerized, and thus increasingly vulnerable. We owe it to the nation (and the world) to make sure that local election officials (LEOs) know the risks and take steps to secure the election process. I have found most LEOs to be sincere and well-meaning, but they are not computer experts, and too many (even in some very large counties) seem unaware (or unwilling to admit) that all the access points—flash memory cards, handheld devices, modems, wireless connections—have been shown to be viable threat vectors.

It's also not just the election process itself. Voter registration databases are now online in most states, permitting online registration and checking of polling places. Are these the "real" databases? The prudent administrator would assume that anything online might well be corrupted. Are the necessary backups and protocols in place to ensure maintenance of a pristine copy offline?

Our democracy is at risk, not just from corruption, but probably even more so from disruption. There are often claims that the diversity of election systems in the 3,000 counties prevents attacks. This bogus claim needs to be refuted by the Willie Sutton argument. One doesn't attack all 3,000 counties; one attacks Milwaukee, Madison, Detroit, Pittsburgh, Philadelphia, Charlotte, Raleigh-Durham, and Phoenix, and the outcome can be made different. We saw serious problems in year 2000 with only one state's results in question. What level of disruption in swing states would make it impossible to determine the outcome of a major election?

The attacks from all directions have been shown to be not just "theoretical," but actually quite practical. I think it is incumbent on ACM membership to find ways to educate election officials on the threats and to work to mitigate if not to remove them. Our democracy deserves nothing less than our full support.

Guest blogger Duncan A. Buell is NCR Professor of Computer Science and Engineering at the University of South Carolina, whose research includes digital humanities and electronic voting systems.

