Voting Security Has Come A Long Way Since 2016 — But Vulnerabilities Remain
Government officials have spent the year touting Tuesday's election as potentially the "most secure" in the nation's history.
Fewer voters are set to use the riskiest machines — electronic systems that leave no paper record — as compared to four years ago, and there is a whole-of-government approach to election security that never existed before.
"My confidence in the security of your vote has never been higher," said Chris Krebs, the director of the Department of Homeland Security's cybersecurity arm, in an election security video featuring a number of top national security officials released last month.
But a hard truth remains: many of the same vulnerabilities exposed in Russia's attack on the 2016 election have not disappeared. In the wake of discoveries about that episode, security experts recommended the U.S. spend billions of dollars to improve systems across the nation. Congress allocated just a fraction of that.
And while social media companies have worked to control influence operations and lies that spread on their platforms, the federal government has declined to regulate those changes. Experts say bad information is still spreading rapidly online — helped by many Americans users who have helped to sustain the explosion of questionable material.
Now, four years removed from an election that the intelligence community and bipartisan congressional committees agree was marred by an unprecedented level of interference, the U.S. is set to conclude another round of voting on Tuesday.
Here are some of the vulnerabilities that remain.
The votes themselves
While many Americans remain worried about the possibility that a foreign adversary could manipulate vote totals, there is no evidence this has ever happened in an American election — even in 2016 when Russian attackers were able to hack into the registration databases of a number of states.
Experts agree that actual votes themselves would probably be the most difficult part of an election to successfully hack. The problem has only gotten tougher. In 2016, nearly 28 million voters cast ballots that did not have a corresponding paper trail: a major cybersecurity red flag.
This year, that number may be less than 10 million.
Eliminating the paperless machines makes it more difficult for a cyberattack to potentially affect votes and go undetected.
But some security experts such as Prof. Philip Stark of the University of California at Berkeley still aren't satisfied. Stark is frustrated that in many jurisdictions, including the entire state of Georgia, officials replaced their paperless machines with machines that print out a piece of paper that allows the voter to verify their selections before the ballot is counted.
This gives the voter the ability to vote using the machine, but then also to check to make sure their vote was recorded accurately.
The problem is, research suggests only a small number of voters actually check the paper the machine prints out, making it questionable at best whether an attack that changes voter selections actually would be caught by this method.
"We really need systems where, if they malfunction, they always generate public evidence that can be used to show that they malfunctioned," Stark says. "And conversely, if the outcome is right, despite whatever malfunctions might have occurred, there ought to be a way for election officials to demonstrate that. "
The way officials can demonstrate that, Stark says, is through public auditing, a process that not every state uses. Even among the states that do some sort of audit, only a few do what are considered the "gold standard" of post-election audits, called risk limiting audits.
Sen. Ron Wyden, D-Ore., has proposed legislation to mandate such audits nationwide, but election reforms have gained little to no traction with the Republican-controlled Senate.
"The truth is that two decades after the Florida 2000 election debacle created a rift in the country, and four years after Russian interference in the 2016 election profoundly deepened that divide, the U.S. lacks satisfactory, uniform mechanisms for resolving questions about elections and verifying results," as journalist Kim Zetter wrote in Politico.
The bottom line: your 2020 vote is almost certainly safe, but some security experts won't be fully satisfied until the majority of votes are hand-marked, and the auditing process is advanced and rigorous enough to validate the results.
Considering the disparate nature of U.S. elections, that reality is still a ways away.
Hacks that don't touch the results
While actually affecting the vote totals remains difficult, other aspects of election infrastructure, like websites that post election information, are significantly more vulnerable.
Many local governments haven't taken simple steps that would make it more difficult for attackers to set up fake websites to post fake results, for instance.
Krebs, of the Cybersecurity and Infrastructure Security Agency, said at a briefing last week that he expects attackers to try to target election websites to either deface them, or just shut them down for a period of time. Hackers often use attacks like this to claim "capabilities that far exceed what they're actually capable of," Krebs said.
These are sometimes referred to as " perception hacks," since they allow an adversary to sow doubt about the vote totals without ever gaining the sort of access needed to actually change them.
The minds of the voters
The easiest targets for American adversaries, however, are the minds of Americans themselves. Influence in this realm can take a number of forms.
Last month, thousands of American voters got an email that seemed to indicate an extremist group had access to their personal data: change your voter registration, the message commanded, and support President Trump — or else.
But the email actually came from Iranian operatives, looking to sow discord, according to the U.S. government.
Misinformation, specifically about voting, also continues to spread across social media. Facebook and Twitter have added labels on some material, but it's clear that isn't putting a stop to it.
One analysis found that changing the font of a message or cropping an image was all it took to bypass Facebook's defenses, reported NPR's Shannon Bond last month.
And Newsguard, an organization founded by former journalists that works to identify sources of misinformation online, recently found 40 Facebook pages that share false voting content to their audiences of 100,000 or more followers.
Just three of the 53 posts Newsguard identified in its report had been flagged by Facebook as false. Together, the posts reached close to 23 million followers.
"It's far, far worse in terms of quantity," said Newsguard's founder, Steve Brill, earlier this year about misinformation online compared to 2016.
The mail helps
While President Trump and his allies continue to question the legitimacy of mail voting, other government leaders see its expansion as a potential positive for election security.
The amount of early voting that's occurred this year for example — 97 million votes and counting as of Monday afternoon — decreases the effectiveness that any one cyberattack could have at a single time, whether it sought to change votes or influence voters' opinions on behalf of the candidates.
"[More early voting] stretches out the attack surface," Krebs said, which is beneficial to the defender, since there isn't just one day on which an attacker can target to disrupt the entire process.
More broadly, the record amount of early voting indicates that 2020 will almost certainly feature record-breaking overall turnout.
That degree of participation is a direct counter strike against authoritarian adversaries who may want to boast about the American public losing faith in democracy, said Maggie Toulouse Oliver, the secretary of state of New Mexico.
"If the ultimate goal is to sow enough confusion and discord to basically keep our democracy from continuing to churn forward," she said, "it's failing."
Copyright 2020 NPR. To see more, visit https://www.npr.org.