A hackable election: 5 things you need to know about e-voting machines

E-voting machines without paper trails are still used in several U.S. states, leading to fears that a 'determined adversary' could hack this year's election

As the U.S. heads toward an especially contentious national election in November, 15 states are still clinging to outdated electronic voting machines that don't support paper printouts used to audit their internal vote counts.

E-voting machines without attached printers are still being used in a handful of presidential swing states, leading some voting security advocates to worry about the potential of a hacked election.

Some makers of e-voting machines, often called direct-recording electronic machines or DREs, are now focusing on other sorts of voting technology, including optical scanners. They seem reluctant to talk about DREs; three major DRE vendors didn't respond to questions about security.

Here are five things to know about DREs:

1. DREs without paper-trail backups are still used in several states

Five states, New Jersey, Delaware, South Carolina, Georgia, and Lousiana, continue to use DREs without paper-trail printouts statewide, according to election security advocate Verified Voting.

Another 10 states use DREs without paper trails in some voting locations. Among those states: potential presidential swing states Pennsylvania, Virginia, and Florida, as well as Texas, Indiana, and Tennessee.

Fourteen states use DREs combined with a paper-trail backup, either statewide or in some jurisdictions.

2. Some experts worry about a hacked election

While a hacked election may be unlikely, it's not impossible, said Joe Kiniry, a long-time election security researcher. Researchers have found many security holes in DREs, and many states don't conduct comprehensive election audits, said Kiniry, now CEO and chief scientist at Free and Fair, an open-source election technology vendor.

"I would say that a determined adversary, with the standard skill that people like me have, would be able to hack an election nationally," he said. "With enough money and resources, I don't think that's actually a technical challenge."

Voting results are "ripe for manipulation," Kiniry added. 

Hacking an election would be more of a social and political challenge than a technical one, he said. "You'd have a medium-sized conspiracy in order to achieve such a goal."

While most states have auditable voting systems, only about half the states conduct post-election audits, added Pamela Smith, president of Verified Voting.

"That leaves a lot of gaps for confirming that election outcomes were correct," she said. "In such a contentious election year, well, let's just say it's never a good thing to be unable to demonstrate to the public's satisfaction that votes were counted correctly, whether in a small contest or large."

3. The use of DREs without paper trails is in decline

Twenty-three states used DREs without paper trails in the 2008 U.S. election, and 17 used them in 2012, compared to 15 states this year, according to information from the U.S. Election Assistance Commission and Verified Voting.

Many states embraced e-voting machines after the disputed 2000 U.S. election, when so-called hanging chads on paper punch ballots in Florida helped to determine the results of the presidential race.

But many DRE models didn't offer a way for election officials to double-check the electronic results. Several fair election advocates called for printers to be installed as a way to audit, and several states listened.

Other states abandoned DREs for electronic scanning technology after several studies found glaring security holes in many DREs and some states reported glitches during the 2004 and 2008 elections. 

4. Several issues have driven the decline in DRE use

Many states wanted both reliability and the ability to audit electronic voting results, said Verified Voting's Smith.

"Ballots counted by scanners give you added reliability, in that if the scanner breaks down, voters can still continue to vote -- marking their ballots to be stored in a locked receptacle at the polling place and counted later when the scanner is working again," she said. "If you have a DRE polling place, if the DREs break down, voting comes to a halt -- unless you have emergency paper ballots for voters to mark."

In addition, some DREs proved expensive to maintain and replace, Smith said. Some DREs had "shorter lifespans that some other earlier kinds of equipment," she added. "Lever machines lasted for decades; punch-cards, too. So the purchasing cycle became shorter."

States received a 2002 funding boost for election equipment from the federal government, but the money dried up. "Jurisdictions found themselves, about a decade-plus on, realizing their systems were wearing out and may need replacement," Smith said.

5. States can take simple and inexpensive steps to improve security

Even though Kiniry's company sells voting technology, he tells states they can improve security with better election audits. Many states are "extremely resistant" to recounts, he said.

States can embrace statistics-based risk-limiting audits and parallel testing audits, which use excess voting machines to test results on Election Day. Both audits are inexpensive; risk-limiting audits are "literally something you can learn to do, without being a statistician, in a day, and you can perform the recount in an afternoon," Kiniry said.

States can also hire hackers, even "an intern from a computer science department," to probe their voting systems and "think like a bad guy," Kiniry said. White hat hackers can help states "protect against accidental or malicious behavior."

Join the CSO newsletter!

Error: Please check your email address.

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place