America Won’t Give Up Its Hackable Wireless Voting Machines

(Bloomberg) -- After Russian hackers made extensive efforts to infiltrate the American voting apparatus in 2016, some states moved to restrict internet access to their vote-counting systems. Colorado got rid of barcodes used to electronically read ballots. California tightened its rules for electronic voting machines that can go online. Ohio bought new voting machines that deliberately excluded wireless capabilities.

Michigan went in a different direction, authorizing as much as $82 million for machines that rely on wireless modems to connect to the internet. State officials justified the move by saying it is the best way to satisfy an impatient public that craves instantaneous results, even if they’re unofficial.

The problem is, connecting election machines to the public internet, especially wirelessly, leaves the whole system vulnerable, according to cybersecurity experts. So Michigan’s new secretary of state is considering using some of the state’s $10 million in federal election funds to rip out those modems before the March presidential primary.

“The system we inherited is not optimal for security since our election equipment can and has connected to the internet,” said Jocelyn Benson, who won election as secretary of state and took office in January 2019. She convened a committee of cybersecurity experts to evaluate the state election system’s vulnerabilities. “If that’s what the committee recommends, we’ll take them out.”

Michigan’s experience illustrates a thorny challenge for state and local election officials as they try to update old and insecure equipment: Technology that’s evolved over two decades to quickly transit election results from precincts to news organizations projecting winners has now been labeled a cybersecurity risk.

Michigan says its votes are safe from hackers since its election system only connects to the internet only after votes have been counted. Cybersecurity experts differ. Even brief exposure to the internet can leave states vulnerable to infiltration and an attack on the credibility of their results, said Eddie Perez, Global Director of Technology at the Open Source Election Technology Institute.

Malicious Attackers

Part of the challenge of protecting the 2020 vote is convincing localities to prioritize security over familiarity, convenience and accessibility.

Cybersecurity experts maintain that connecting election systems to the internet, even briefly, exposes these machines to malicious attackers who may be intent on derailing or discrediting an election. It’s not just voting machines that are vulnerable but any piece of the election apparatus, including wireless-enabled printers, digital check-in tablets, tabulators and even the registration database, they said.

And yet, some local and state election officials remain committed to wireless-enabled machines, which allow them to quickly provide results to the public and more easily accommodate disabled voters. Heading into the 2020 presidential election, Rhode Island, Wisconsin, Georgia and Florida are among at least 11 states that still allow voting jurisdictions to use wireless-enabled voting equipment.

“Connecting for a millisecond is enough to propagate malware through a system,” said Rich DeMillo, a computer science professor at the Georgia Institute of Technology and a member of Michigan’s election security panel. “Every weak link in the chain of network security is a problem, so opening the door to the internet is just a bad idea in every conceivable scenario.”

In 2016, Russian hackers attempted to infiltrate most, if not all, state election systems, and downloaded voter data in Illinois, federal authorities have said. However, there is no evidence that the hackers attempted to change the vote. Furthermore, while cybersecurity experts and some election officials fear that wireless connectivity exposes voting systems to hackers, there’s no evidence that such an attack has occurred in the U.S.

Hacking the vote through wirelessly connected voting machines is one of several potential risks from foreign agents going into the 2020 election. As it did in 2016, Russia could deploy an extensive disinformation campaign on social media to try to sway the vote -- as could other adversaries. Hackers could penetrate voter registration databases and alter or delete information -- potentially sowing chaos on Election Day.

Read More: Expensive, Glitchy Voting Machines Expose Hacking Risks

Remote election machinery hacks, however, are almost certainly the easiest to prevent -- by simply not allowing the equipment to connect to the public internet.

The Cybersecurity and Infrastructure Security Agency, which is responsible for defending Americans from cyber-attacks, has already advised local election authorities to avoid wireless connections altogether. In July, the U.S. Senate Intelligence Committee issued a report on Russian meddling, saying states should remove any wireless networking capability.

Wireless connectivity of voting systems is such a bad idea that the National Institute of Standards and Technology on Dec. 18 recommended restricting voting machines from connecting to external networks through cellular modems. The recommendation would allow cellular connectivity if individual machines are “air gapped” -- isolated from unsecured networks.

An advisory committee of the U.S. Election Assistance Commission could vote on the recommendations by February, the first step in what’s likely to be at least a yearlong procedure to restrict the use of wireless modems in voting systems.

But there’s a catch: even if the EAC, the federal agency responsible for enforcing these non-binding voting machine guidelines, does approve such a prohibition, they’ll have no material impact on the 2020 election. Voting machine vendors have stated that it could take them as long as four years to build machines compliant with the new standards.

Quick Results

That means the 2020 vote, starting with primaries in March, will occur across the country using some machines that cybersecurity experts don’t trust.

“The added risk is just unnecessary,” said Andrew Appel, a computer science professor at Princeton University. “The only purpose of these modems is to call in results to the news media in seconds rather than minutes.”

The pressure to promptly transmit results to news organizations –- and ultimately voters -- is so great that election officials have no choice but to briefly connect voting systems to the internet at the end of the night, said Paul Lux, the elections supervisor of Okaloosa County, Florida and a member of the EAC advisory committee that develops technical guidelines.

“If everyone would just be patient on election night and let us produce the results, then there’s no real debate here about wireless transmission,” Lux said.

Election Systems & Software LLC, provider of more than half of the country’s voting machines, contends these systems reduce wait time for results and are secure. Still, Katina Granger, a spokeswoman, said the company does “not promote the use of modems. If customers request it, we provide cellular modem transmittal capability on a secure and encrypted network.”

ES&S also said the number of its election machines with wireless modems is relatively minuscule: 14,420 across 11 states. That would be almost two per jurisdiction, if spread across the entire country.

‘Screws Accessibility’

Another election machine manufacturer, Hart InterCivic Inc., which has the only wireless-enabled system to receive EAC’s certification, didn’t return messages seeking comment.

There is another group advocating for wireless connectivity of voting machines: accessibility groups. While cybersecurity experts are clamoring for less internet connectivity, voters with disabilities are vying for more, including the ability to vote online.

Remote access to ballots “is just not going to be a priority as long as all of this attention is on security instead,” said Diane Golden, a member of a federal committee on voting standards and a voting rights advocate for citizens with disabilities. “Every step you take to increase security basically screws accessibility.”

For all the warnings about wireless-enabled voting machines from federal officials, the safety of elections is mostly the responsibility of more than 7,000 local voting jurisdictions, ranging from Los Angeles County with more than 5.5 million voters to small towns with just a few hundred.

In recent years, the federal government has provided $300 million to improve state and local electoral security. Some states and cities have used the money to buy new voting machines and hire cybersecurity experts. But many believe that effort has fallen short of what is needed, leaving some election authorities preparing for the 2020 election with minimal technical and financial support.

Cyber Heartburn

Some election officials maintain that internet access can be crucial in keeping election machinery functioning properly.

In Georgia, six counties ran a pilot program alongside municipal elections in November to test their new voting system, including new digital check-in machines -- iPads used to identify voters. But when voters entered precincts on Nov. 5, the system failed.

To fix the glitch, state election officials decided to connect the tablets to the internet, using the same Wi-Fi found in polling places. They figured, “if we turn on Wi-Fi for a minute, we’ll load the correct data and it will work like a dream,” said Gabriel Sterling, chief operating officer for the Georgia Secretary of State, who is overseeing the pilot project. “And it did.”

It’s the kind of episode that gives cybersecurity officials heartburn, even if there’s no evidence that anything went wrong in Georgia.

“It’s easy to use wireless in a bad way,” said Dan Wallach, a computer science professor at Rice University and a member of the EAC’s technical guidelines committee. “To configure it in a way that works and isn’t a security nightmare is just asking for a lot.”

In Michigan, Benson’s predecessor, Ruth Johnson, said the reason for investing in internet-enabled machines was to transmit “pre-preliminary” results as quickly as possible. But she said the decision wasn’t made in isolation. The state also chose to procure machines with a paper trail to audit their results to provide additional security.

The state may have to live with that decision if Benson’s panel determines the modems can’t be ripped out without harming the rest of the hardware. Benson hopes to know more by the end of January, with the state’s primary looming in a little more than a month.

“If nothing else, these capabilities create a sense of insecurity in our results,” she said. “Until we have technology that can be completely secure, yes, we should be taking steps to get away from the internet in our machines.”

To contact the reporter on this story: Kartikay Mehrotra in San Francisco at kmehrotra2@bloomberg.net

To contact the editors responsible for this story: Andrew Martin at amartin146@bloomberg.net, Andrew Pollack

©2020 Bloomberg L.P.