全球智库信息集成服务系统

The legitimacy of self-government rests on the consent of the governed. In our democratic republic, that consent is manifested through the administration of free and fair elections. But in 2016, our democratic process came under attack from a foreign state seeking to exercise power and influence in U.S. domestic politics. It’s possible that Russia believed that if it could interfere in the U.S. presidential election, it could change the course of American history.

Last summer, Americans learned that Russian operatives were behind leaks at the Democratic National Committee (DNC).¹ Those leaks exposed sensitive information about DNC staffers, including Social Security numbers, home addresses, and personal details that resulted in harassment, attempts at identity theft, and workplace marginalization.² In January 2017, the country’s intelligence community unanimously confirmed that the Russian government—under orders from Russian President Vladimir Putin—interfered in the 2016 elections, engaging in a mass disinformation campaign to assist Donald Trump in winning the presidential election.³

That was only the beginning. In June 2017, reports surfaced that Russian hackers infiltrated 39 state election systems in the lead-up to Election Day, while a top secret National Security Agency (NSA) report published by The Intercept in July revealed that Russian military intelligence, or the Main Intelligence Directorate (GRU), sent spear-phishing emails to 122 email addresses associated with those likely “involved in the management of voter registration systems” in an attempt to probe or infiltrate voting databases.⁴ After successfully breaching election records in Illinois, hackers attempted to delete and alter voter information. The Illinois database contained the personal information—including names, birthdates, gender, driver’s license numbers, and partial Social Security numbers—of 15 million people.⁵ Bloomberg estimates that as many as 90,000 records were compromised.⁶

According to the U.S. Department of Homeland Security (DHS), there are no signs, as yet, that Russia tampered with vote totals or succeeded in removing eligible Americans from state voting lists.⁷ But we still do not have a full picture of what the Russians were doing, and the FBI has said that it is conducting multiple investigations into what happened.⁸ Intelligence experts warn that the 2016 U.S. election cycle is only a preview of what’s to come.⁹ Russia may have used the 2016 cycle as a testing ground to determine vulnerabilities in U.S. election databases in preparation for more sophisticated campaigns in future elections. As Sen. Angus King (I-ME) warned, “[T]hey are going to be back, and they’re going to be back with knowledge and information that they didn’t have before.”¹⁰

Russia is not the only U.S. adversary honing its skills in cyberintrusion. North Korea and Iran have also engaged in destructive cyberattacks against Western democracies, and the Islamic State has made strategic use of the internet to advance its goals.¹¹

Unfortunately, our election infrastructure is woefully ill-prepared for future interference. Outdated voting machines, lack of verified paper ballots or records, and inadequate cybersecurity measures for voting machines and databases are just a few vulnerabilities that leave U.S. elections open to subversion by hostile entities—foreign and domestic—seeking to undermine the democratic process and even skew election results.¹² While further efforts are needed to address the wider influence campaign that extended well beyond election systems, it is of extreme importance that America begins to invest in and update its election infrastructure to protect against future interference and disruption.¹³

Protecting our elections is a matter of national security, requiring immediate action and coordination at all levels of government. In the lead-up to the 2016 general election, 33 states, along with 36 localities, requested assessment of their election systems by DHS.¹⁴ More requests have been made since November 2016.¹⁵ For its part, DHS has made clear, “[T]his is of the utmost urgency for the department and this government to ensure that we have better protections going forward.”¹⁶ Election officials and politicians at the local, state, and federal levels have a critical role to play.

This issue brief details nine recommendations to address some of the most serious vulnerabilities in America’s election infrastructure:

1. Require voter-verified paper ballots or records for every vote cast.
2. Replace old voting machines.
3. Conduct robust postelection audits to confirm election outcomes.
4. Update and secure outdated voter registration systems and e-poll books.
5. Require minimum cybersecurity standards for voter registration systems and other pieces of voting infrastructure.
6. Perform mandatory pre-election testing on all voting machines, as well as continuous vulnerability analysis.
7. Expand threat information sharing, including comprehensive threat assessments accompanied by mandatory reporting requirements.
8. Elevate coordination between states and federal agencies on election security, including real-time notification of security breaches and threats.
9. Provide federal funding for updating election infrastructure.

The right and ability to conduct free and fair elections transcend partisan politics.¹⁷ At the Senate Select Intelligence Committee hearing on June 21, 2017, Sen. Mark Warner (D-VA), vice chairman of the committee, reminded those in attendance that “only with a robust and comprehensive response will we be able to protect our democratic processes from even more dramatic incursions in the future.”¹⁸ The committee’s chairman, Sen. Richard Burr (R-NC), voiced a similar sentiment during the hearing, saying in reference to foreign interference, “In 2016, we were woefully unprepared to defend and respond and I’m hopeful that we will not be caught flatfooted again.”¹⁹ Finally, Sen. King declared, “[S]hame on us if we’re not prepared.”²⁰

U.S. election systems are not equipped to handle sophisticated cyberattacks and other interference. Even in the absence of a malicious campaign, the negative consequences of this vulnerability to the strength and resiliency of U.S. democracy and government are steep. A July 2017 poll conducted by The Hill found that one in four Americans will consider not participating in future elections due to concerns over cybersecurity.²¹ As Sen. Marco Rubio (R-FL) noted, “[I]t is really critical that people have confidence that when they go vote that vote is going to count and someone’s not going to come in electronically and change it.”²²

Luckily, there are practical steps that local, state, and federal officials can take to create resilient elections and protect self-government. In the words of Sen. Burr, “Together, we can bring considerable resources to bear and keep the election system safe.”²³

9 recommendations to address vulnerabilities in U.S. election security

1. Require voter-verifiable paper ballots or records for every vote cast

Voting machines that record votes and tally them are run on software that is vulnerable to cyberintrusions.²⁴ Well-resourced hackers, whether funded by foreign governments or criminal syndicates, have the access, ability, and motivation to infect computerized voting machines and tallying systems across America. This can occur even if the machines are not connected to the internet. Attackers, for example, can deploy software such as Stuxnet and Brutal Kangaroo to target offline voting machines.²⁵

That is why there needs to be a paper ballot—which is software independent—for every vote cast. A paper ballot offers a record of voter intent, which will exist even if voting machines are attacked and data are altered. Paper ballots or records are necessary both to conduct meaningful postelection audits able to confirm the election outcomes, and to enable post-hoc correction in the event of malfunctions or security breaches. As described by Ed Felten, professor of computer science and public affairs at Princeton University, “If there is uncertainty after an election, either because of the possibility of tampering or just the possibility of error or malfunction, a paperless system … doesn’t have any way to go back to other evidence to figure out what really happened.”²⁶ Most experts agree that paper ballots marked by the voter, either with a pen or via a ballot-marking device, are the easiest to audit.²⁷ Some states still deploy electronic voting machines that can produce a paper record of voters’ choices on a paper roll, which voters can review. While paper-producing electronic machines can be used, they are not ideal for auditing purposes.²⁸

Fourteen states lack voter-verified paper ballots in at least some jurisdictions.²⁹ Put another way, roughly a quarter of the nation’s voting machines do not provide paper records for votes cast.³⁰ In all, the Brennan Center for Justice estimates that during the 2016 general election, some 20 percent of registered Americans voted without leaving any voter-verified paper ballot or record.³¹ That number of voters—20 percent of the vote—is far more than what is necessary to swing an election. According to one postelection analysis by The Washington Post, a mere 0.09 percent of votes effectively decided the outcome of the 2016 presidential race.³²

States and counties using paperless touch-screen voting systems should replace them with paper ballots and optical scanners, or invest in electronic voting machines that produce voter-verified paper records. Recognizing the potential benefits of paper-ballot systems, officials in Denton County, Texas—the state’s ninth-largest county—recently announced that they would be trading out the county’s electronic voting machines for paper ballots after experiencing system malfunctions resulting in long lines and incorrect vote tallies during the 2016 general election.³³ Even President Trump endorses the paper ballot system, telling reporters in November 2016, “There’s something really nice about the old paper-ballot system … You don’t worry about hacking.”³⁴

Paper-ballot optical scan systems have been shown to be more cost effective than electronic voting machines.³⁵ In 2008, SAVE our Votes—a Maryland-based advocacy group for secure, accessible, and verifiable elections—conducted a cost analysis of Maryland’s decision to convert from a paper-based system to electronic voting machine touch screens in 2004.³⁶ The study found that by 2008, the cost of conducting elections increased tenfold compared with only seven years prior. A number of counties that previously used optical scan systems saw their voting equipment costs skyrocket by an average of 179 percent per voter after switching to electronic touch screens.³⁷ Maryland has since returned to a paper-ballot system.³⁸ Voting systems that use electronic machines are costlier because they require more equipment. Each precinct, for example, requires several electronic voting machines to ensure that polling places can accommodate multiple voters at once. In contrast, paper-ballot voting systems require as few as one optical scanner and one ballot-marking station per precinct to assist voters with disabilities or language barriers.

Additionally, many states allow voters to submit completed absentee ballots over the internet—via email, fax, or web portal—where there is no way for voters to confirm that the vote they cast is the same as that recorded by the county clerk’s office. While most states only allow online voting for military personnel and U.S. citizens living abroad, states such as Alaska allow online voting for all absentee voters.³⁹ The Department of Homeland Security’s Cyber Security Division “does not recommend the adoption of online voting for elections at any level of government at this time,” due to concerns over voter confidentiality and the potential for vote manipulation by malicious actors.⁴⁰ One solution going forward is to require that all absentee ballots be returned by mail.

2. Replace old voting machines

Much has been written about the dismal state of voting machines.⁴¹ In all, 42 states use voting machines that are more than a decade old, beyond the predicted 10-year lifespan of most models.⁴² As noted by cybersecurity expert and co-founder and chief development officer of the Open Source Election Technology Institute Gregory Miller, “In the time we’ve changed our cell phones five times, the same equipment is still running our elections.”⁴³ Outdated voting machines pose serious security risks and are susceptible to system crashes and “vote flipping,” a rare occurrence whereby an individual’s vote for one candidate appears on the electronic interface as a vote for a different candidate.⁴⁴ Voters in several states—including Michigan, Massachusetts, Utah, Virginia, and Illinois—reported experiencing problems with voting machines during the 2016 general election, citing machine malfunction and paper jamming, among other issues.⁴⁵

Old voting machines are prone to hacking, as many rely on outdated computer operating systems that do not accommodate modern-day cybersecurity protections.⁴⁶ A number of voting machines in use today run on Windows XP, a Microsoft operating system first introduced in 2001 that has not been supported since 2014.⁴⁷ As described by Wired Magazine’s Brian Barrett, a machine running on Windows XP “is a castle with no moat, portcullis raised, doors flung open, greeting the ravaging hoards with wine spritzers and jam.”⁴⁸ On June 28, 2017, hackers attending the DEF CON hacking conference in Las Vegas infiltrated and remotely hacked voting machines—some operating on Windows XP—within just 90 minutes.⁴⁹ Moreover, upkeep for outdated machines is becoming increasingly difficult, since many parts are no longer manufactured.⁵⁰ In order to obtain the parts needed, some election administrators are turning to eBay, which comes with its own security risks.⁵¹

Piling onto these concerns is the fact that weak chain-of-custody practices leave voting machines vulnerable to tampering. For example, an individual with only limited access can infect a machine with malicious malware and other viruses that can corrupt honest vote counts.⁵² Some electronic voting machines even include accessible ports that are an open invitation to hackers, who can plug in laptops or smartphones in order to add extra votes.⁵³ Even with strong chain-of-custody practices, hackers can remotely infiltrate an electronic machine’s operating system, and without paper-ballot records, it is impossible to know whether a hack occurred or if votes were changed.⁵⁴

Aside from altering votes, glitches in the functionality of voting machines can sow public distrust in election outcomes and undermine the democratic process. During last year’s general election, reports surfaced of votes being “flipped” during early voting in North Carolina and Nevada.⁵⁵ The NAACP sent a letter to North Carolina’s board of elections on October 24 after receiving complaints that machines in five of the state’s counties had flipped votes.⁵⁶Although those who experienced problems were ultimately able to correct the error before casting their vote, two machines were removed from an early voting site in Mecklenburg County.⁵⁷

Given the documented problems, it is imperative that election administrators replace and upgrade all voting machines and components that still use outdated operating systems to new models that meet modern standards and up-to-date cybersecurity protections. In January, Michigan announced $40 million in state funding to upgrade its optical scanning machines—many of which are between 10 and 12 years old.⁵⁸ The new machines, which the state hopes to start introducing as soon as August 2017, will not run on Windows XP.⁵⁹ Local jurisdictions—in places such as Colorado, Florida, Texas, Wisconsin, and Virginia—are also meeting the challenge posed by outdated voting systems by investing in new voting machines.⁶⁰ Ohio too is looking to update its machines, most of which were purchased between 2005 and 2006.⁶¹ Ohio has asked county boards of elections to provide the state with an estimated price tag for new voting systems, with the hope of having new machines in place by 2019 in anticipation for the 2020 presidential election.⁶²

3. Conduct robust postelection audits, which can verify that outcomes are correct

The utility of paper ballots and voter-verified paper records is only useful for ensuring that the outcome of an election is correct if election administrators commit to carrying out robust postelection audits. As previously noted, all voting machines are vulnerable to hacking and even misprogramming, which can lead to reported election outcomes that do not match the tally of actual votes cast. For example, during a March 2012 municipal election in Palm Beach County, Florida, a software error in an optical scanning machine ended with votes being allocated to the wrong candidates, resulting in the misreporting of election results.⁶³ The error was discovered through a postelection audit, and the results officially changed after a court-ordered public hand count of the votes.⁶⁴

Many jurisdictions are not doing enough to conduct audits on an adequate number of ballots to ensure election accuracy and detect manipulation of vote totals caused by failing machines or hackers. According to J. Alex Halderman, a computer science and engineering professor at the University of Michigan, only New Mexico and Colorado “conduct audits that are robust enough to reliably detect cyber attacks.”⁶⁵ Having participated in numerous hacking experiments on voting machines, Halderman noted, “We need to consistently and routinely check that our election results are accurate, by inspecting enough of the paper ballots to tell whether the computer results are right.”⁶⁶

Given these facts, postelection audits—which are robust enough to create strong evidence that the outcome is accurate and to correct it if it is wrong—must be conducted after every election. Importantly, election officials must be given enough time between the closing of the polls and the certification of official election results to conduct a thorough audit. “Risk-limiting” audits increase the efficiency of the auditing process by testing only the number of ballots needed to determine the accuracy of election outcomes.⁶⁷ Risk-limiting audits generally proceed by selecting an initial sample of ballots and interpreting them by hand, then determining whether the audit must expand.⁶⁸ The number of ballots in the initial sample depends on various things, including the margin of victory in the contest.⁶⁹ Elections with wide margins of victory require testing fewer ballots, while races with close margins of victory require more ballots to be tested because there is less room for error.⁷⁰ Colorado is about to become the first state to regularly conduct risk-limiting audits after elections.⁷¹ As described by Dwight Shellman, the Colorado elections office’s county support manager, “If a voting system has been maliciously altered in some way, [this audit] should give the public great assurance that we are going to know that, and we will adjust the result accordingly.”⁷² Risk-limiting audits offer election administrators an effective and efficient way to test the accuracy of their elections without breaking the bank.

4. Update and secure outdated voter registration systems and e-poll books

America’s antiquated voter registration system threatens voter privacy and the ability of eligible voters to cast ballots that count. The Brennan Center for Justice estimates that 41 states and the District of Columbia use voter registration databases that are more than a decade old, leaving them susceptible to modern-day cyberattacks.⁷³ If successfully breached, hackers could alter or delete voter registration information, which in turn could result in eligible Americans being turned away at the polls or prevented from casting ballots that count.⁷⁴ Hackers could, for example, switch just a few letters in a registered voter’s name without detection. In states with strict voter ID laws, eligible Americans could be prevented from voting because of discrepancies between the name listed on an official poll book and the individual’s ID. In addition, by changing or deleting a registered individual’s political affiliation, hackers could prevent would-be voters from participating in partisan primaries. One of the major concerns associated with Trump’s new voter fraud commission is that it could establish a centralized national voter registration database, making it easy for hackers to penetrate and exploit voter registration information. As expressed by Kentucky Secretary of State Alison Lundergan Grimes, “Coordinating a national voter registration system located in the White House is akin to handing a zip drive to Russia.”⁷⁵

The threat to voter registration systems is real. According to a DHS memo obtained by CNN, the department observed “Russian cyber actors attempting to access voter registration databases prior to the 2016 elections.”⁷⁶ In August 2016, the Russian government targeted a company specializing in voter registration software, VR Systems, as part of a plan to “launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations,” according to National Security Agency documents obtained by The Intercept.⁷⁷ On at least one occasion, hackers installed malware on the computer of an Arizona county election official, giving hackers access to login information that could be used to breach county voter registration databases.⁷⁸ Twenty-one counties in North Carolina use software produced by VR Systems, including Durham County, which experienced the malfunction of laptops used to confirm voter registrations across multiple precincts last year, though local officials maintain that the problem was unrelated to Russian hacking.⁷⁹ In order to ensure the accuracy and accessibility of voter registration lists during voting periods, states should establish paper-based contingency plans during early voting and on Election Day in case of system fail