A bipartisan panel was convened on Tuesday, July 10, by several Election Integrity (EI) organizations as well as FreedomWorks to discuss election cybersecurity as it relates to the upcoming midterm election.
Senator James Lankford (R-OK), of the Senate Select Committee on Intelligence, delivered closing remarks in the midst of a busy day. He is working on cybersecurity issues with Tulsi Gabbard (D-HI), he said, seeming to underline the curious alliance.
Moderated by The Honorable Trey Grayson,* former Secretary of State of Kentucky, the expert panelists included Alex Halderman, professor of computer science at the University of Michigan; Liz Howard, former deputy commissioner of elections in Virginia and currently a counsel with the Brennan Center for Justice; the renowned cyber security expert Harri Hursti, organizer of the Voting Village at DEFCON, the world's largest hacker convention; Shantiel Soeder, election and compliance administrator, Cuyahoga County, Ohio; Lt. Colonel Tony Shaffer, former intelligence officer famous for exposing suppressed intelligence regarding 9/11 that might have prevented it; and Dan Savickas, the legislative outreach manager of FreedomWorks.
There was inevitable humor among the participants about their unlikely assemblage, given their vast political differences: once the problem of foreign and other hackers' invasion into our election systems was resolved, they would immediately return to the other issues that usually divide them.
Grayson's opening question, directed to Halderman, concerned what to do before Election 2018.
The professor discussed the problems associated with computerized voting, whether on optical scanners or DREs. He had hacked into an AccuVote TSX at an earlier congressional hearing this year. Infection is easy because of "dozens of vulnerabilities," and much damage can be done in minutes. Much of the voting machinery in this country is obsolete, having exceeded the 10-year maximum usability limit. He spoke of the huge diversity in systems throughout the country, which actually makes it harder for hackers to invade large jurisdictions at one time; in swing states, hackers seek out the weakest among the systems to invade. A hacker can invade a vendor by means of email addresses of employees posted at vendors' commercial websites. Halderman compared the optical scanners' paper ballots, their physical backup, to magnetic compasses kept in airplanes in case the computerized piloting system fails. Most states don't use paper audits to verify election results. Visible paper records are of paramount importance in elections to push back against the cyber-dependent hackers.
Only three states require robust audits, said Halderman; others require them to a lesser extent. The $380 million divided among the states to prepare for the November election is a welcome contribution lacking specificity as to how it should be spent. [The issue is, of course, that most states need to replace their out-of-date systems, but the distributions will cover only a small percentage of the expenses involved.] He mentioned with praise the Secure Elections Act, sponsored by four Republicans and four Democrats, whose purpose is, among many, to ensure cybersecurity in future elections and be certain that information about cyber invasion is promptly shared among all the states.
Hursti joked that the machinery used by hackers at DEFCON had easily and cheaply been obtained from eBay and others in Europe who gladly mailed the unwieldy bundles to them. Hacking tools are also cheap, he said; auditing elections is the bottom line for security and confidence in results.
Lt. Colonel Shaffer quickly identified himself as a consultant to President Trump on his 2020 campaign and then briefly described his experience publicizing the ineptitude of the CIA in burying materials that would have prevented 9/11. Russians are not the only ones interested in interfering with US elections; Iran, North Korea, and China are as well. He reiterated the importance of audit trails. It is vital to fund best practices.
In Virginia, said Liz Howard, the next to speak, all DREs in use were decertified and the Dominion State is already using optical scanners. There were many close races last year, and she is sure that voters are losing confidence in the elections and that Russia will once again interfere in 2018.
In Cuyahoga County, Ohio, risk-limiting audits (RLA) have been in use since 2011, said Soeder, through a grant from the Election Assistance Commission (EAC). RLAs are far more efficient than routine audits, she said, reducing the latter in one instance by 250,000 ballots.
Savickas said that he supports the Secure Elections Act because it preserves individual liberties (he is a Republican and a Libertarian). He referred to the Tenth Amendment of the Constitution, which says that the federal government "possesses only those powers delegated to it by the United States Constitution. All remaining powers are reserved for the states or the people"; and to Article 8 of the Articles of Confederation: "any expenses of the United States would be paid out of a common treasury, with deposits made to the treasury by the states in proportion to the value of the land and buildings in the state." These provisions provide for the general welfare and are commonsense. "The NSA/Deep State will find other solutions," he said. Election results must be accurate. The Paper Act, now submitted to the House Administration and Intelligence committee, "to direct the EAC to develop best practices for States to use, specifically paper ballots and post-election audits, to protect the integrity of elections for Federal office," among other goals, is also bipartisan, an amendment to HAVA, Savickas said.
Moderator Grayson asked Howard to describe the Secure Elections Act. She divided it into three pieces: 1) mandatory reporting of all cyber incidents nationwide; 2) mandatory transitions to paper-based elections; and 3) required post-election audits, all to deter foreign invasions into the electoral infrastructure.
Grayson asked Halderman what he thought about the new digital-image optical scanners now on the market. Halderman answered that since the images are computer-generated, they are vulnerable to all possible problems this implies. "There is no substitute for paper," he said.
Hursti added that digital images require TRUST [i.e. are "faith-based"] in their accuracy. Halderman described such pitfalls in terms of the Volkswagen scandal a few years ago, when the vehicles' computers were found to operate only when being tested, not when in actual use, a huge safety hazard to drivers.