Last week, a team of security researchers who run the DefCon hacking convention released a report on voting machines in use around the country that contain structural flaws ripe for exploitation by hackers. Among its dismaying findings, DefCon reported a flaw in one widely used voting tabulator that, if hacked, “could enable an attacker to flip the Electoral College and determine the outcome of a presidential election.”
Though it’s been nearly two years since the 2016 election, there remains a startling gap between the well understood need to secure our elections against cyberattacks and the reality on the ground.
Computer security experts and leading intelligence and law enforcement voices have sounded the alarm on the persistent and serious threats facing election systems. Yet the actors best positioned to take broad action — state governments, Congress, and election system vendors — have moved slowly, and in some cases stalled.
However, a recent court decision suggests that the federal courts could break the impasse. In Curling v. Kemp, a federal judge found that vulnerabilities in Georgia’s paperless electronic voting system raised profound constitutional issues, requiring urgent action from state officials. While the court did not force Georgia to implement an alternative voting system by November’s election, it did conclude that the plaintiffs are likely to prevail in their challenge to the state’s system.
Significantly, the court found that casting ballots on a system as vulnerable to cyberattacks as Georgia’s burdened the plaintiffs’ rights to vote under the Due Process and Equal Protection Clauses of the Fourteenth Amendment. (A similar case brought by Protect Democracy, where I work, is progressing in South Carolina. Protect Democracy also filed a friend-of-the-court brief in Curling.)
The Curling decision reflects a foundational principle: When government officials fail to safeguard constitutional rights, courts have a critical role to play in holding those officials accountable.
The urgency of tackling this issue is hard to overstate. Thirteen states continue to use paperless electronic voting machines, some of which have been known for years to contain serious vulnerabilities. Most states lack procedures for rigorously and consistently auditing elections to detect interference. And in most jurisdictions, the kind of top-to-bottom attention to network security and cybersecurity training that would be commonplace for most private businesses remains absent.
Technologists and election experts have long called for election systems built to withstand cyberattacks through better technology, paper trails, and rigorous audit procedures. Similar safeguards would prevent attacks on election registration systems.
Last month, the National Academy of Sciences released a comprehensive review of voting and cybersecurity, which concluded (among other things) that “Elections should be conducted with human-readable paper ballots.”
Threats against our election infrastructure are an urgent national security challenge. Federal and state officials around the country must respond. But political leaders have largely failed to mount a response commensurate to these risks. Federal legislation has stalled, and industry has largely defended its territory.
One major voting machine manufacturer threatened legal action against the security researchers who produced the DefCon Voting Village report and then asked Congress to investigate them.
State governments, for reasons ranging from budgetary concerns to ostrich-like commitments to the status quo, have – for the most part – failed to take sweeping action. (Exceptions exist: Virginia enacted a sweeping change to eliminate paperless electronic voting in the two months preceding its 2017 state elections.)
Addressing election cybersecurity should be an easy call for federal and state officials. After all, defending our election infrastructure from attack is a vital national security imperative. Ensuring that every vote counts is a bedrock democratic principle. And, modernizing elections will help boost voter confidence and participation.
But to the extent those considerations have not produced change, add another to the list: In Curling, the court recognized that the right to vote implies a right to an election system that is not unnecessarily vulnerable to cyberattacks. If states fail to enact sufficient safeguards, voters may increasingly turn to the courts to enforce their constitutional rights.
Larry Schwartztol is counsel at Protect Democracy, where he leads the organization’s election security efforts.