Georgia voters could soon leave a paper trail when they go to the ballot box after a contentious presidential and special election resulted in a lawsuit accusing the state of failing to ensure the integrity of its elections.
State lawmakers are drafting HB 641, a law that would require all direct recording electronic (DRE) voting systems to generate paper receipts so election results can be audited. The bill will be considered by the state’s General Assembly when it returns from recess in January 2018.
A government accountability group is suing the state of Georgia for using paperless DRE voting equipment the group claims was easy to hack into in order to steal data and alter votes during the 2016 presidential election and a special election and run-off in June 2017, “causing the results of such elections to be indeterminable.”
Exacerbating the controversy, the Associated Press reported:
A computer server crucial to a lawsuit against Georgia election officials was quietly wiped clean by its custodians just after the suit was filed.
Per the suit:
This case is not merely about a technical violation or a theoretical risk. It is about forcing voters to choose between totally relinquishing their right to vote and acquiescing to cast their vote despite very real risks: the risk that how they voted will be exposed; the risk that their vote will not be properly counted; the risk that the declared results will be contrary to the will of voters, and furthermore, the risk that there will be no way to verify the validity of the election.
State Rep. Scot Turner (R-Holly Springs) told us he’s expecting a bipartisan push to resolve the issue by requiring not only paper receipts but a process that ensures election accuracy and transparency:
There will be new legislation that will be introduced as a bipartisan effort to address this both from a technology and a process standpoint. We’re looking at establishing some minimum requirements for any new equipment in the way of voting machines and backing that up with a solid auditing process, which we don’t have today. It has to be both of those things — it can’t be just one or the other.
Turner said he introduced the bill in August after DEFCON, an annual hacker convention held in July 2017 in Las Vegas. This year’s convention featured “Voting Village,” where organizers provided participating hackers with 25 pieces of equipment including voting machines and electronic poll books, most of which are still widely used in U.S. elections. According to event organizers, the results were “sobering”:
By the end of the conference, every piece of equipment in the Voting Village was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity, and availability of these systems.
Moreover, a closer physical examination of the machines found, as expected, multiple cases of foreign-manufactured internal parts (including hardware developed in China), highlighting the serious possibility of supply chain vulnerabilities. This discovery means that a hacker’s point-of-entry into an entire make or model of voting machine could happen well before that voting machine rolls off the production line. With an ability to infiltrate voting infrastructure at any point in the supply chain process, then the ability to synchronize and inflict large-scale damage becomes a real possibility. Also, as expected, many of these systems had extensive use of binary software for subcomponents that could completely control the behavior of the system and information flow, highlighting the need for greater use of trusted computing elements to limit the effect of malicious software. In other words, a nation-state actor with resources, expertise and motive – like Russia – could exploit these supply chain security flaws to plant malware into the parts of every machine, and indeed could breach vast segments of U.S. election infrastructure remotely, all at once.
Edgardo Cortés, Virginia election commissioner, told us the results of “Voting Village” prompted the Commonwealth to decertify all paperless voting machines as of 8 September 2017 because they don’t leave a paper trail in case results come under question. He told us Virginia had been moving in that direction anyway but officials were spurred to act quickly by how easily the machines were breached by hackers at the conference:
Our responsibility is not just to make sure you run a fair and transparent election but that voters have confidence. Even if you have run an election well, if people’s comfort level isn’t there, and there’s a question over the accuracy of it, that’s a problem. It’s not just having an accurate election, it’s having the voters feel that it was an accurate election. Those two things definitely go hand in hand.
Four other states currently use entirely paperless systems — Delaware, Louisiana, New Jersey and South Carolina. Ten other states use a mixture of equipment that includes paperless systems. In late September 2017, the Department of Homeland Security informed 21 states that Russian hackers had tried to manipulate their systems — although two of those, California and Wisconsin, said DHS was incorrect.
Part of the goal in Russian election interference was simply to sow distrust in the democratic system — and voter confidence is key. Cortés told us:
Elections are a core function of democracy, so we need to make sure there are resources to get the equipment and do things in a way that are going to make people feel confident in the process.