5 ways to improve voting security in the US

Voting officials can pump up their audits and hire white-hat hackers

With the U.S. presidential election just weeks away, questions about election security continue to dog the nation's voting system. 

It's too late for election officials to make major improvements, "and there are no resources," said Joe Kiniry, a long-time election security researcher.

However, officials can take several steps for upcoming elections, security experts say.

"Nobody should ever imagine changing the voting technology used this close to a general election," said Douglas Jones, a computer science professor at the University of Iowa. "The best time to buy new equipment would be in January after a general election, so you've got almost two years to learn how to use it."

Stop using touchscreen electronic voting machines without printers

Fifteen states still use outdated touchscreen e-voting machines without printers attached in some or all of their voting precincts. E-voting machines without paper printouts don't give election officials a way to audit their internal vote counts, voting security critics say.

Many security experts say these e-voting machines, often called direct-recording electronic machines or DREs, still have several points of vulnerability. Jones, who has researched their security, has called on all DREs to be phased out, even the ones with attached printers. But it needs to be an "orderly" transition, he said.

"Don't declare an emergency and require everyone to buy new equipment right now," he said by email. "Doing that just creates a feeding frenzy among the manufacturers and leads to inflated prices, along with all the other problems that occur when people make important decisions under pressure."

DREs rose to prominence after the hanging-chad controversy in Florida in the 2000 presidential election, but the use of paperless DREs has fallen from 23 states in 2008 to 15 in the upcoming election.

The problem for states is the cost of replacing thousands of DREs. Congress allocated money for new election technology following the debacle in Florida in 2000, but money has been tight since then.

Conduct more extensive pre-election voting machine tests

Some states conduct extensive pre-election tests of their voting equipment, but other tests are less comprehensive, said Pamela Smith, president of elections security advocacy group Verified Voting.

Most jurisdictions conduct pre-election voting tests, but many "randomly select some machines" after ballot information, such as candidates' names, is programmed in, Smith said. Testing all voting machines before an election would be more secure, she said.

Iowa's Jones discounted current pre-election testing in many jurisdictions. The testing usually doesn't involve security checks, but only a brief test of "only a few ballots per machine … long before election day," he said.

So, if hackers find a way to load malware onto voting machines, "the malware can easily distinguish between testing and a real election," he added. 

Put better election auditing processes in place

Many states have post-election auditing processes in place that "don’t make sense statistically," said Kiniry, now CEO and chief scientist at Free and Fair, an election technology developer. "They don’t really give you any veracity about the election outcome."

The auditing plans were passed by legislators who "don’t actually talk to statisticians," he added. "You hear about audits happening, but they don’t reveal anything about the election."

States should look at two kinds of voting audits, he recommended. Risk-limiting audits, now in place in California and Colorado, are statistically sound audits based on a recount of a small sample of ballots, he noted.

"That’s cheap," he said. "That’s something literally you can learn how to do -- without being a statistician -- in a day, and you can perform the recount in an afternoon."
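An added illustration, not part of the original article, of why a risk-limiting audit needs only a small sample: the sketch below implements the ballot-polling sequential test known as BRAVO (a method the article does not name) for a two-candidate contest. It assumes ballots are drawn uniformly at random with replacement and that every ballot shows a valid vote; the function name and the sample data are constructed for this example.

```python
import math

def ballot_polling_audit(sample, reported_winner_share, risk_limit=0.05):
    """Sequentially examine hand-read paper ballots ('W' = reported winner,
    'L' = reported loser). Return the number of ballots examined at the point
    the reported outcome is confirmed, or None if the sample runs out first
    (in which case the audit escalates toward a full hand count)."""
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner share must be between 0.5 and 1")
    if not 0 < risk_limit < 1:
        raise ValueError("risk limit must be between 0 and 1")

    # Wald sequential probability ratio test, kept in log space.
    # Null hypothesis: the true result is a tie or worse for the reported winner.
    threshold = math.log(1 / risk_limit)
    step_winner = math.log(reported_winner_share / 0.5)       # evidence for the outcome
    step_loser = math.log((1 - reported_winner_share) / 0.5)  # evidence against it

    log_ratio = 0.0
    for examined, ballot in enumerate(sample, start=1):
        log_ratio += step_winner if ballot == "W" else step_loser
        if log_ratio >= threshold:
            return examined  # chance of wrongly confirming is at most risk_limit
    return None

# Constructed samples (not real election data); reported result is 60% to 40%.
ALL_FOR_WINNER = ["W"] * 50
MATCHES_REPORT = ["W", "W", "W", "L", "L"] * 100   # paper agrees with the report
ACTUALLY_TIED = ["W", "L"] * 5000                  # paper contradicts the report

if __name__ == "__main__":
    for name, sample in [("all for winner", ALL_FOR_WINNER),
                         ("matches report", MATCHES_REPORT),
                         ("actually tied", ACTUALLY_TIED)]:
        result = ballot_polling_audit(sample, 0.60)
        print(name, "->", result if result is not None else "escalate to full hand count")
```

The number of ballots needed depends on the reported margin and the risk limit, not on how many ballots were cast, which is why the sample stays small for contests that are not close.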

Secondly, voting officials can run parallel-testing audits, if they have extra voting machines. Officials randomly select machines to pull out of the voting process and run a mock election on those machines, using poll workers. With the parallel test, officials can check for malicious activity on those test machines.

Hire hackers to test your systems

The cheapest and simplest step election officials can take is to hire white-hat hackers, "even if it's an intern from a computer science department in your area," Kiniry said. Those outside security experts "can work with you and think like a bad guy," he added. "Thinking like a bad guy can subtly change the way you operate your business and protect you against accidental or malicious behavior."

The U.S. Department of Homeland Security has also offered to help states check their voting security, including scanning for network security problems, Verified Voting's Smith noted. But as of late September, only 18 states had asked DHS for help.

"In the past, polling systems tended to be less technologically complex, and voting officials were never IT experts," she said. "The resources are needed for some of the smaller [county] jurisdictions that may not have the resources."

Ensure that strong physical security is in place

Many voting jurisdictions have improved the physical security of their voting machines in recent years, after reports of machines being left overnight in schools or being stored in voting officials' cars or homes, said Verified Voting's Smith.

"There was a lot of fuss about that in the media years ago," she said. "There is an effort to minimize the time where that equipment would be unsecured. You don’t want to be the one jurisdiction that says, 'Hey, look, I saw these voting machines sitting out in the open.'"

Voting officials still have time to add observers before, during, and after the election, Kiniry added. One of the best steps they can take is to "get more volunteers to work polling places and more good-natured citizens of all stripes being election observers, primarily during early vote processing, tabulation, canvassing, and audits," he said.

