When we think about those who defend the territorial integrity of our nation and state, we tend to imagine well-equipped members of the U.S. armed forces, or perhaps a square-jawed detachment of Texas Rangers. Increasingly, however, the twenty-first century battle for control of the American homeland is being fought in the computerized elections systems overseen by our humble county clerks.
Here in Texas, votes in federal and state elections are tallied independently by 254 local officials, one in each county seat, from big cities like Houston and Dallas to tiny courthouse towns like Tahoka and Floydada. If a hostile country decides to hack an election in Texas, that means pitting Russia’s (or Iran’s or North Korea’s or China’s) most skilled hackers against a group of officials and volunteers who may not even know their way around an iPhone.
“We’re asking county clerks, and for that matter local poll workers, to defend against a nation-state adversary,” says Dan Wallach, computer science professor at Rice and expert on election security issues. “That’s not a fair fight.”
Wallach, a graduate of J.J. Pearce High School in Richardson as well as U.C. Berkeley and Princeton, has made it his mission to assist local election administrators by helping to develop and advocate for the adoption of foolproof, verifiable election systems and policies in Texas. From 2011 to 2015, Wallach served on the U.S. Air Force Scientific Advisory Board; before that he led the National Science Foundation–funded ACCURATE (A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections). Most recently, he’s been seen testifying before the Texas Senate on issues related to election security.
“From a security perspective, the systems that we use, these electronic voting systems, were never engineered with the threat model of foreign nation-state actors,” Wallach says of the status quo in Texas. “I have no idea if anybody’s planning to exploit them, but there’s no question that the vulnerabilities are present.”
That’s the bad news. The good news is that remedies are within reach, if Texas is willing to invest money and other state-level resources to improve election security. Experts like Wallach have identified best practices that can make elections reliably secure for the current threat horizon. Wallach proposes what amounts to a three-step plan for improved election security: better machines, better oversight, and better contingency planning.
Scrap Paperless Voting Machines
The first bullet on the cybersecurity fix-it list for Wallach and other election security experts is replacing inherently insecure paperless voting machines.
Earlier this year, Texas was included in a list of the “Top 18 Most Vulnerable States” for election hacking by the U.S. House Committee on House Administration. (Perhaps reflecting current political incongruities over the nature of the foreign-adversary threat, the report was drafted by the Democratic members of the House Administration committee, without the support of committee Republicans.)
“The reason why I suspect they listed Texas … is that a substantial number of Texans, including me here in Houston, vote on paperless electronic machines that are difficult to audit, difficult to secure, and [that] many other states have banned,” Wallach says.
The problem with the direct-recording electronic (DRE) voting machines currently in use in Harris and other large Texas counties is that they do not generate any sort of backup evidence of voter intentions, such as a paper trail. Instead, a voter makes a selection on a screen, that vote is recorded inside the DRE’s hard drive, and the voter leaves the polling place without any way of knowing that his or her vote was counted correctly. If the paperless DRE is hacked (or otherwise fails to record the vote as the voter intended), there is no record to check the tally against.
“None of the present-day electronic voting systems, which are used in all the big cities in Texas, would have enough evidence that we would have much hope of being able to detect an attack, much less clean up afterwards and figure out what happened,” says Wallach. (Travis County did recently purchase machines with paper trails, but they will not be in use in elections until November 2019.) This is the ideal setup for a hacker—an opportunity to get away with election theft without leaving any fingerprints. It’s also a recipe for lack of faith in our democracy, since election results can’t be verified after the fact.
Several years ago in Houston, Wallach participated in a so-called “recount” of votes cast on a paperless DRE. In that exercise, election officials instructed the DRE to print out its internal records one vote at a time, and volunteers counted them by hand. But “the exercise was meaningless from a security perspective,” Wallach says, because if the DRE had been hacked, the information on the printouts would certainly have been hacked as well.
The DRE problem can be addressed by a return to paper-based voting systems, or by adopting new electronic machines that also print out a record of each vote, which the voter can view and verify before leaving the polling place. The problem? In the 2016 election, approximately 148 of Texas’s 254 counties—or 57 percent—used all or some machines with no paper trail. Replacing all the paperless DREs across Texas may cost as much as $350 million.
Sam Taylor, communications director for the office of the Texas Secretary of State, agrees with some of Wallach’s criticisms of paperless voting machines. “It’d be fair to say we’ve always been aware of the issue of the electronic machines not being auditable in the way that Dan Wallach is describing,” Taylor says. “That’s something we’re aware of, the Legislature is aware of, and that we’re perfectly ready to address.” However, Taylor says, the funding for replacing DREs must come from the federal government.
New federal funds for election systems are unlikely to arrive in the near term, however. The Trump administration is reported to have recently derailed the bipartisan Secure Elections Act in the U.S. Senate and appears hostile to further federal election-security actions.
Keep the Eyes of Texas on Counties at Election Time
Appropriating a few hundred million bucks for better voting machines is just as politically unlikely right now in Texas as it is in D.C. Even so, the state government is still capable of taking important steps to improve election security in the near term—and, to its credit, just in the past few months, it has begun to do so. In July, Secretary of State Rolando Pablos announced plans for spending a $23.3 million election security grant from the federal Election Assistance Commission (EAC).
Under this grant, the state is currently offering free security assessments and free subscriptions to a cybersecurity course for all 254 counties. Participation is voluntary, and so far, only 40 counties have begun the process of receiving security assessments. (A total of 150 counties have signed up for the training course.) Wallach urges every county clerk in Texas to receive some kind of in-person security consulting to avoid unwittingly introducing insecure practices into secure procedures provided by the state. For instance, Wallach fears that in some counties, election officials may be cutting corners by connecting voting machines to other, less-protected machines when the time comes to tabulate votes.
“It’s exceptionally annoying, if you’re the county clerk trying to publish election results, when your tabulator isn’t on the internet anymore,” Wallach says. “You have to burn a CD and carry it from one computer to another … But that kind of boring procedural detail, ‘Burn a CD and carry it from here to there,’ makes all the difference in the world. Somebody needs to look at every single county’s procedures at that level of detail and say, ‘You know, you could change this and you can fix that, and it’s worth it, and you should.’”
Along similar lines, county-level officials may not be up to speed with the notion that voter-registration databases themselves are important targets for foreign-adversary hackers. If hackers can change who is allowed to vote, that can affect the outcome of an election—and voter registration databases are currently not subject to the same regulations and certifications as voting systems. For those of us without high-level security clearances, it’s impossible to know for certain if U.S. voter registration databases were hacked in 2016, but it seems more than possible based on public reporting. In 2017, a DHS official testified to Congress that 21 states had been targeted by Russian hacking, though no vote-tallying machines had been affected. In early 2018, NBC News reported that the websites or voter registration systems of seven states, including Texas, had been “breached” prior to the 2016 election, based on high-level intelligence sources. However, Pablos has vociferously denied the accuracy of this report.
In any case, now seems to be an opportune moment for Texas to review how its voter registration databases are stored and secured. It’s too early to judge results, but it’s a positive sign that, in Taylor’s words, “a big chunk” of this year’s $23.3 million of federal money is going to voter registration database security, potentially integrating systems that are currently organized differently in each county.
“I would just like to see the state of Texas have one voter registration database, from the state level all the way down to the thing you use to check in at the polls,” Wallach says. “The state could build it once and do it right.”
One more positive development on the statewide level: On September 25, Pablos’s office announced new guidelines for counties where votes are recorded on paperless DREs. Beginning with this year’s elections, these counties must perform post-election audits using any paper ballots they receive—including early-voting ballots, which are filled out on paper for every county in Texas. Now, at the very least, if electronic vote totals are alarmingly skewed to one candidate or another, we’ll have a somewhat reliable reference for which candidate a paper-voting population may have intended to elect.
Make Election Hacking Ineffectual Even If Not Impossible
Wallach’s third election-security suggestion is something most states, including Texas, have not given much thought to in recent years: contingency planning for a tainted election. His outside-the-box thinking on this subject comes out of a recognition that there isn’t currently political will to address election security in a more comprehensive way.
“We have an obligation to somehow operate our elections in a way that produces timely and accurate results that are resistant to the nastiest, most sophisticated hackers in the world, on a shoestring budget,” Wallach says. “Something’s got to give. Exactly what’s going to give is something that needs to be a public discussion.”
One option, he says, is to “stretch our procedures,” such that, even if we can’t defend against every hack, at least we have a solid plan in place for how to respond when a suspected hack takes place. “Even having a mitigation process in and of itself is an important defense,” Wallach says. “Even if your process says, ‘When things go wrong, then we’re going to have to spend a bunch of money and do something.’ That process [makes a hacker think] ‘Why am I going to bother attacking an election if I know that I’m not going to affect the outcome?’”
Wallach’s notion of a “mitigation process,” in this scenario, would potentially involve local re-votes on auditable paper ballots in areas where hacked DREs, for example, had left an election hopelessly tainted and without a reliable backup of recorded voter intent. Wallach suggests “a written document somewhere that is signed by the governor that lays out a series of these threat scenarios and has a response that everybody’s going to agree to.” He adds that such scenarios don’t have to be likely to merit planning, as both a defense and a deterrent.
The Texas Secretary of State’s office is dismissive of Wallach’s notion that new contingency planning is needed beyond what is already codified in state law. In the case of a tainted election, Taylor says, courts have the authority to order new elections if unable to ascertain the true outcome. Additionally, judges can order that election do-overs be carried out on paper ballots if necessary. Taylor also reports that the Secretary of State’s office has been working for more than a year on “communications contingency planning”—that is, making sure that correct information about election returns is available to the press even if state websites for reporting the polls come under attack.
In our era of politics as spectator sport, there’s a tendency for everything remotely touching upon elections to devolve into disagreements rooted in party affiliation. Wallach stresses, however, that a commitment to election security should transcend partisanship or preference for one or another international alliance. Currently, most discussion about hacking from a nation-state adversary centers on Russia, but, Wallach says, “If your threat model for the election includes everything that Russia can do, anything that you do that’ll help defend you against Russia will also help defend you against China, will also help defend you against Israel, will also help defend you against your opponent’s political party that you don’t trust.”
It doesn’t take an advanced degree to understand that if our elections are left vulnerable to hackers of any stripe, our entire democracy is at risk. Thankfully, leaders in Austin and at the DHS are in vocal agreement that election security must be prioritized. Still, it remains to be seen if and how Texas will find the political will—above all the financial investment, but also county-level participation in security consulting and hard-nosed contingency planning—to back up that solemn commitment.