While there is increasing reliance on information technology by state and local elections systems that opens cyber risks, the dispersed nature of these systems and the fact that voting machines are not connected to the Internet means they are inherently resilient and would be difficult to hack in a significant way, federal and state officials told a House panel on Sept. 28.
“Increasingly the nation’s election infrastructure leverages information technology for efficiency and convenience,” Andy Ozment, assistant secretary of Cybersecurity and Communications at DHS, told the House Oversight and Government Reform Subcommittee on Information Technology. “And like other systems, reliance on digital technologies introduces new cyber security risks. However, the diverse and dispersed nature of our election infrastructure provides inherent resilience and presents real challenges to a coordinated, significant incident having an impact on election results.”
The elections systems are also secure due to a lack of connectivity, particularly to the Internet.
Thomas Hicks, chairman of the bi-partisan U.S. Election Assistance Commission, told the panel that “From what we determined, no voting machines are connected to the Internet.” He said his main message is that “Voters have confidence that their votes will be counted accurately and recorded accurately when they cast them.”
Rep. Will Hurd (R-Texas), chairman of the subcommittee, at the outset of the hearing framed the importance of secure elections systems, saying “Our existence as a democratic republic is only made possible and legitimate through free and fair elections.”
Brian Kemp, Georgia’s secretary of state, testified that “elections are secure.”
All the witnesses that testified at the hearing agreed that in the upcoming national elections in November a cyber attack cannot change the outcome.
One witness said that the “biggest danger” to the upcoming elections is “attempts to undermine confidence in the elections.” Lawrence Norden, deputy director, Democracy Program at the Brennan Center for Justice at New York University School of Law, agreed that cyber attacks against voting machines “are highly unlikely to have widespread impact on vote totals this November.”
Norden said it is attacks or malfunctions that could damage public confidence in the elections.
He added that about 80 percent of the voting machines in the U.S. still have a paper trail associated with them, which strengthens resiliency amid concerns of cyber attacks.
Andrew Appel, a computer science professor at Princeton University, warned that touchscreen voter machines, which don’t provide a paper trail, can be physically infected with software to hack and shift votes from one candidate to another. He argued for eliminating touchscreen machines nationwide following the November elections and using paper ballots that can be read by a computer but recounted by hand.
Following the disclosure this summer that the Democratic National Committee and another Democratic organization had been hacked by Russia, Homeland Security Secretary Jeh Johnson initiated a review to consider whether to determine if the nation’s elections systems are critical infrastructure. Such a determination would give DHS authorities to work with state and local elections officials to proactively manage risks and strengthen resilience.
Hurd said that for now a decision to determine if election systems are critical infrastructure is “no longer on the table for this election cycle.” Kemp, in his remarks, said that administering elections is a responsibility of the states, adding that “I encourage the federal government to respect the constitutional lines our founders created, leaving the administration of elections to states.”
Kemp said elections systems have three key components: campaign systems; registration and reporting systems; and voting systems. Campaign systems are held by national parties and attacks on these don’t impact states’ jurisdiction, he said.
Registration and reporting systems are operated by states to manage voter registration rolls and report results, but Kemp said attacks on these can’t change votes that are cast. Voting machines aren’t networked, he pointed out.
DHS is currently offering on a voluntary basis cyber security help and expertise to state and local elections officials. Johnson said in August that best practices need to be shared with these officials and “there are probably some longer term investments we need to make in cyber security of our election process.”
Kemp said that establishing election systems as critical infrastructure could lead to a cyber security standard “that could lead to legal liabilities for states.” He also said that state databases might also end up being exposed to the federal government and possibly end up being shown to the public, which means “undermining the security of our elections.”