Election data magnifying code concept.
There is no evidence, despite partisan claims to the contrary, that mail-in ballots are rife with voting fraud — but there are parts of the election system that security researchers say are at far greater risk for malicious activity.
National elections like the one in November, when Americans will decide whether Republican Donald Trump or Democrat Joe Biden will lead the country for the next four years, are really thousands of smaller elections administered by state and county governments. And each of those governments has its own procedures for ensuring ballot and information security, and for purchasing, maintaining and testing the equipment that it uses to conduct its election.
For instance, even though more than 30 states allow overseas voters to cast their ballots by email, fax or through other electronic means, there are no standards for even basic security measures like encryption. Michigan is one of the 19 states that does not allow electronic ballot submissions.
“Encryption? We don’t do that,” Cochise County Recorder David Stevens said about ballots his office accepts by email. “We probably should.”
The Cochise County Recorder’s Office accepts only federal ballots — not those with state or local contests — via email, Stevens said, and only in specific circumstances, such as voters who are in the military and stationed overseas.
Most overseas and military voters use a secure online portal provided by the Secretary of State, though some counties said they still accept ballots via fax or email.
Lax or nonexistent security on those systems, as well as the physical machines used to cast or count ballots, open the door to election hacking.
Hackers and security researchers at the annual DEFCON conference have in recent years made a point of looking at how secure — or insecure — the nation’s voting infrastructure is, known as the DEFCON Voting Village.
This year, instead of the hands-on hacking of election machines that have grabbed headlines in years past, the Voting Village focused on in-depth discussions about the integrity and security of our election infrastructure. Among the topics of discussion were the vulnerabilities to election systems presented by fax machines, email voting and more.
Hart Verity tabulators are less common. About 13% of the state uses Hart machines, and all 11 of those counties are located in the southern region of the Lower Peninsula.
ES&S machines are used the least, as only seven counties have them in use. That’s about 8% of Michigan’s 83 counties.
Ingham County Clerk Barb Byrum, a member of Michigan’s Election Security Commission, says that ES&S servers are especially notorious for leaving their servers on, making them more vulnerable to hacking, although Dominion machines have also been identified as vulnerable by the Def Con 27 report.
Audits of all voting machines are required in Michigan. These are done either solely by the local county clerk or with partial help from the state Bureau of Elections.
All election systems must be connected to the internet in some way to upload county results. Individual Michigan counties use various ways to mitigate the associated risks, including securing the connection through a VPN and other precautions that differ statewide.
Byrum declined to disclose other types of protection measures for election security reasons.
Hack the vote
Earlier this month, a Russian newspaper reported that the personal information of 7.5 million Michiganders was posted on a Russian hacker site. It appeared to show the their voter identification number and polling places. The paper claimed the site had been hacked in an attempt to solicit money from the U.S. government.
But Michigan’s Department of State denied that this was a data breach of any sort, as the information being posted is already publicly available.
“Public voter information in Michigan and elsewhere is accessible to anyone through a FOIA [Freedom of Information Act] request. Our system has not been hacked,” SOS spokesperson Jake Rollow told Michigan Advance in an email.
Voters in other key battleground states, including North Carolina and Florida, were similarly targeted in the dark web database, as were those in Arkansas, Connecticut and New York.
While the public is largely inured to news about data breaches because of how frequently they happen, data security — also known as infosec — can be the first line of defense for an organization or a person trying to make sure their data or personal information remains secure.
That focus on infosec was a big part of DEFCON talk this year by Forrest Senti, director of government and business affairs for the National Cybersecurity Center, and Caleb Gardner, a fellow with Secure the Vote.
The talk focused on how certain fax machines that are used to accept ballots can present a vulnerability to election offices, with election officials frequently unaware of the security issues stemming from a fax number that is often posted online.
Without proper security, all a hacker would need is the phone number to take over an election official’s fax machine, allowing them to search other computers that are on the same network or install a malicious program to steal documents.
For this story, reporters were able to find the fax number for all 15 county recorder’s offices in Arizona with a simple Google search.
“Even if you don’t get any ballots through a fax machine, it still represents a vulnerability,” Senti said.
Only two county recorder’s offices responded to the Mirror’s questions about how they maintain the security of faxes and emails, both saying they have been working with their IT departments.
Thirty-one states and the District of Columbia allow voters to return ballots by email and fax, but Michigan does not, according to the National Conference of State Legislatures.
In the 2016 election, 455 ballots were cast by overseas voters in Cochise County, according to data by the United States Election Assistance Commission. That includes votes cast via the county’s un-encrypted email system, faxed or through an online portal run by the Arizona Secretary of State’s Office.
In 2018, some 29,000 ballots were cast across the country by voters overseas using some form of online portal, email or fax, according to the data.
While Senti and others say this number is not “statistically significant,” the shortcomings pose an outsized risk.
The greater fear is that the ballots themselves could be compromised.
In the DEFCON Voting Village’s 2019 report, hackers and researchers found that voting machines had a number of vulnerabilities. Some had security features turned off when they were shipped, some had voter data easily accessible, some had no passwords set and one even had an unencrypted hard drive.
Several Arizona counties and states across the country use those machines.
“Immediate root access to the device was available simply by hitting the Windows key on the keyboard,” the report states. A user who gains root access on the device can see — and potentially change — any files or other systems.
The ES&S Automark obtained by the Voting Village was using software from 2007 and appeared to have last been used in a 2018 special election. The PIN code to replace the firmware on the entire device was listed as “1111.”
County recorders who have these devices in Arizona said they routinely do audits on the devices to ensure they are functioning properly.
But there are no national guidelines for how election officials conduct these sorts of audits or tests on electronic voting devices; instead, it is up to each jurisdiction to develop its own methods of checking the devices.
For example, in Colorado, election officials roll a series of 10-sided die on a webcast in order to generate a random number that determines which machine-tallied election results will be checked for discrepancies.
“These jurisdictions have a lot of autonomy in what they do,” Mattie Gullixson, program manager for Secure the Vote, said.
Some of the jurisdictions may also not have the manpower needed to institute the changes required to ensure safe election procedures.
It’s estimated that a nationwide vote by mail effort could cost up to $1.4 billion, compared to $272 million for in-person voting. Localities could get monies from the Help America Vote Act or the CARES Act to offset costs associated with voting this election cycle, but election hacking and its interplay with COVID-19 will present an acute financial impact, according to Gullixson and Senti.
And hacking isn’t limited to computer systems: Disinformation from foreign actors is commonly referred to as “social hacking” for its manipulation of social behavior.
“How do you [fight] against messages that say, because of COVID, this voting center has been shut down?” Gullixson said. “Those levels of mis- or disinformation could be one of the stronger negative drivers in people voting this year.”
Gullilxson’s background is in election administration and shortly after the 2016 election, she said that mis- or disinformation led many voters to call the elections office confused, asking questions that were fueled by disinformation circulating on social media.
The FBI and the Cybersecurity and Infrastructure Security Agency has already issued an alert urging Americans to be on the lookout for new websites or changes to existing websites made by foreign or malicious actors with the intention of spreading such misinformation.
“Information warfare has been around as long as warfare has been around,” Gullixson said.
In fact, in 1985, the Russians started a disinformation campaign dubbed Operation INFEKTION that aimed to make the world believe the United States had created AIDS, a conspiracy theory that is still active today.
So far in 2020, Russian, Chinese and Iranian hackers have been caught by Microsoft in attempts to target both the Trump and Biden campaigns.
China has also been caught by Facebook using fake accounts to speak on election matters. And just this month, Facebook and Twitter removed dozens of Russian accounts aimed at dissuading left-leaning voters from voting for Biden.
So how does one combat this type of warfare?
It starts with voters.
“There are growing efforts to try to tackle that but it starts with the voter realizing they could be manipulated in that way,” Gullixson said.
The FBI has shared similar advice, saying that voters should make sure to get their election information from their state and county officials instead of Facebook pages, as they could very well be hacked or fake pages.
Despite what may seem like a lot of doom and gloom, Gullixson and her colleagues are hopeful that the attention these issues have been getting will help shape policy around voting for the next 15 years for the better.
We just have to make sure we can get through it unscathed, she said.
Maine Beacon reporter Evan Popp and Colorado Newsline reporter Chase Woodruff contributed to this report.
This story has been updated.
Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site. Please see our republishing guidelines for use of photos and graphics.