Election Systems & Software CEO Tom Burt, CEO of Dominion Voting Systems CEO John Poulos and Hart InterCivic CEO Julie Mathis testify before the House Administration Committee. (Photo by Alex Wong/Getty Images)
Cybersecurity experts have told us that the gold standard for fair and secure elections are hand-marked paper ballots and robust post-election audits. However, the current trend is to vote on computers. The question is, how safe are the voting systems that you rely on today to secure your vote?
Here is what an expert, formerly with election systems vendor Hart InterCivic, tells us: “It’s very simple. No matter how secure that device is, there’s no way to know whether the choice that’s recorded matches what the voter intended. It’s rightly called a black box,” Edward Perez, a former Hart InterCivic executive who is now global director of technology development at OSET Institute, a nonprofit election technology organization, said in an interview.
Government agencies tell us that Russian hackers probed election systems across the country in 2016 and penetrated systems in our own state of Illinois as well as in Florida.
So why are states, including Illinois, paying exorbitant tax payer funds to purchase the new wave of machinery, called Ballot Marking Devices (BMDs)? BMDs are an increasingly popular piece of equipment that combines paper and touch-screen voting estimated to cost anywhere from $3,000 – $5,000? They are systems that are known to be unstable AND tend to cause long lines at polling places as reported by cybersecurity experts such as Drs. Richard DeMillo of GIT and Phillip Stark of Berkeley. Illinois purchased BMDs for $31 million in September of 2018 for Suburban Cook County. We understand that the Chicago Board of Elections has signed up for BMDs as well. Currently, there are more than 350,000 voting machines in use across the nation. This makes no sense given that most experts agree that hand-marked paper ballots are more reliable and cost effective. Assistive devices should only be available for people with disabilities.
Earlier this month, the three major CEOs of election systems testified at a three-hour congressional hearing for the first time to explore what’s being done to secure the vote before one of the more contentious general elections in decades.
As my group, Election Security Strategic Team (ESST), has demonstrated through an election security public awareness campaign, more than 90% of United States voting machines are made and controlled by just three vendors: These vendors are Elections Systems & Software (ES&S), LLC, Dominion Voting and Hart InterCivic. ES&S and Dominion account for 80% of the market. Illinois Suburban Cook County has purchased BMDs in the Dominion family of products. The control of our voting processes by these vendors opens the door to vulnerabilities.
Background on the vendors:
• As cited by the articles referenced and reviewed here, these vendors supply three main types of equipment that voters use at the polls: 1) optical or digital scanners for counting hand-marked paper ballots, 2) direct record electronic called DREs (usually touchscreen) voting machines, and 3) BMDs that generate computer-marked paper ballots or “summary cards” to be counted on scanners often with much-disputed barcodes used to assess your vote
• Despite three years of congressional attention to election security since Russia’s hacking efforts in 2016, little has been done to oversee the voting machine vendors who run our elections. Mitch McConnell has put the kibosh on a plethora of legislation introduced in Congress and designed to protect our elections, which has actually been bipartisan in some cases
• Is lobbying by the vendors why we have these machines? Philadelphia City Controller Rebecca Rhynhart said she found “serious flaws” with the way her city had awarded a $29 million contract to ES&S, following more than $425,000 in lobbying efforts and campaign contributions by the company as part of a six-year sales campaign. The company has defended its efforts, and argued its spending was properly documented. ES&S’s CEO, Tom Burt, told the panel that the company deployed lobbyists “to educate any of those involved about who we are as a company, the values we hold, and how we conduct our business.”
• Software from the vendors is considered proprietary. Therefore, if election officials want to investigate problems with software, they are legally unable to do so. This is not acceptable
• Privately held, private equity firms own each of the top three vendors. They have been unwilling to identify specific ownership which should cause major concern. We must demand answers
• This is a low-margin market, vendors are known to make contributions to political parties which put decision making about these systems in question. ES&S has donated more than $30,000 to the Republican State Leadership Council since 2013
• There is also a revolving door between election systems vendors and some election officials
Excerpts from the hearing:
• Vendors faced a range of questions on sensitive topics from lawmakers on their companies’ products and supply chains, their lobbying practices and the reliability and security of those trending BMDs
• The vendors declined to answer questions about their annual profits, stating: “We’re a private company, so we’ll keep that information private,” ES&S’s Burt said. This lack of transparency is unacceptable!
• The executives acknowledged that their machines include hardware manufactured in China, a state of affairs that has been identified as a potential security risk, but argued that that was an unavoidable outcome of 21st century global supply chains
• Liz Howard, counsel for the Brennan Center’s Democracy Program and a former deputy commissioner at Virginia’s Department of Elections, warned that election vendors “play a critical role in our democracy but have received little or no congressional oversight.”
• Matt Blaze, a Georgetown computer scientist and a prominent expert in the field, said that election infrastructure—not only used to cast votes, but to register voters, design ballots, and report results—“has proven dangerously vulnerable to tampering and attack,” and suggested policymakers should devote more attention to such backend systems, which can offer hackers more centralized targets
• Blaze said that machine-aided elections can be safe and reliable as long as voter intentions are accurately recorded on paper then checked in rigorous post-election audits. (Please note that I personally disagree that machines can reliably record voter intent as are Professors DeMillo and Stark.) Unfortunately, Blaze noted, only a handful, but growing, number of states employ what’s known as a risk-limiting audit, the gold standard among election security experts that harnesses statistics to randomly select ballots for manual inspection and comparison against the machine tallies.
• Just as we don’t expect the local sheriff to single-handedly defend against military ground invasions, we shouldn’t expect county election IT managers to defend against cyber attacks by foreign intelligence services,” Blaze said, “But that’s precisely what we’ve been asking them to do.”
Matt Blaze: “The vulnerabilities are real, they’re serious, and absent a surprising breakthrough in my field—which I would welcome but I don’t see coming soon—probably inevitable.”
What can we do about it?
Plenty, knowledge is power. Let’s take what we have learned and schedule meetings with our state legislators and election officials to secure our votes. This is a critical area of our democracy that has received scant attention. Let them know that we the people are paying attention. Schedule an appoint today and ESST will join you to demand accountability and transparency in our elections.
Want to know what your county is using? Check this out!
CONTACT ROSE AT ESST TO DISCUSS HOW YOU CAN SECURE THE VOTE: [email protected]
Sources used for this posting:
Vicens, AJ, (January 10, 2020), Voting Machine Makers Face Tough Questions from Congress, Mother Jones, Voting Machine Makers Face Tough Questions from Congress
Popken, Ben, (January 9, 2020), Voting Machine Vendors Testify in Election Security Hearing, MSNBC Video, Voting machine vendors testify in election security hearing
Marks, Joseph, (January 10, 2020), The Cybersecurity 202: Voting Vendors, Security Pros Still Far Apart on Protecting 2020 Election, Washington Post, , The Cybersecurity 202: Voting vendors, security pros still far apart on protecting 2020 election
Cohn, Jennifer, (November 5, 2018), Voting Machines: What Could Possibly Go Wrong?, NYR Daily, Voting Machines: What Could Possibly Go Wrong?
Zetter, Kim, (October 30, 2018), Texas Voting Machines Have Been ‘a Known Problem’ for a Decade, VICE, Texas Voting Machines Have Been ‘a Known Problem” for a Decade
Lauterbach, Cole, (January 10, 2020), County Clerk from Illinois Testifies on Election Security, The Center Square, County clerk from Illinois testifies on election security before Congress