Last week I did what law professors often do: speak at a symposium. This one was held at Pepperdine Law School, and was on federalism. It set me to thinking that the lack of federal control over state elections might hinder their ability to stop the next attack (perhaps during the 2018 mid-terms) by a foreign nation.
I then found a story in the December 2017 Atlantic about Barbara Simons, a retired IBM computer scientist who had been a longtime – and lonely – critic of electronic voting software. Yet, because of Russia’s hacking, Simons no longer toils in obscurity. She even spoke at DEFCON 25, one of the world’s largest gatherings of hackers, held annually in Las Vegas.
What attracted Simons – and the hundreds of other hackers who visited “Voting Machine Hacking Village” at DEFCON last July – was the chance to legally hack all sorts of pieces of voting equipment, from actual voting machines to voter registration databases to election office networks. Such an opportunity had never been available.
Indeed, they even had to create an exception to the law to uncover voting machine vulnerabilities legally. Computer scientists are normally barred from hacking voting machines for many reasons, including the Digital Millennium Copyright Act (DMCA), which protects the intellectual property rights of whoever created a voting technology. But in 2015 the Library of Congress, which has jurisdiction under the DMCA, issued a three-year exemption for research to investigate the security of voting machines. The exemption ends in October 2019.
But even with the DMCA exemption, computer scientists still had the practical problem of finding voting machines to test and explore. Voting machine manufacturers were unlikely to give them unfettered access to the equipment and software. States would also be unlikely to provide open access because of restrictive covenants in their contracts with the manufacturers. Allegedly, this was all so the equipment makers could protect their proprietary technology. However, it’s also pretty easy to see why the manufacturers were not exactly enthusiastic about discussions on voting machine security.
The “white hat” hackers knew they had to be more creative. They soon found that voting machines were available for sale on eBay. Some of these machines had come from Dane County, Wisc., which includes Madison. The machines were for sale because a storm had collapsed the roof on a building where they were stored. The county claimed a total loss, and some of the surviving functioning machines were put up for sale by the insurance company.
The report from the three-day gathering was grim: “By the end of the conference, every piece of equipment in the Voting Village was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity, and availability of these systems.”
One of the things that troubled the computer scientists is that many of the parts were foreign-manufactured. They were bothered that foreign actors could build backdoors into voting technologies in future American elections.
As Simons, the Brennan Center and others have been preaching for years, jurisdictions must have machines that produce an auditable paper trail to allow for checks on a vote or even a full, hand recount. But at least 14 states still use voting machines in some jurisdictions that do not produce an auditable paper trail. This list includes three states targeted by Russia, all of which are major swing states: Florida, Virginia and Pennsylvania.
Unfortunately, under our typical federalism structure, Congress is reluctant to assert its power under the Elections Clause of the Constitution to supersede state rules governing elections. And while the diversity of election operations at the state level can be seen as a source of protection against foreign interference, this may be wishful thinking in the face of a determined adversary like Russia, China, North Korea or Iran. When it’s Chinese government hackers versus Alabama elections administrators, who would you bet to win?
Thus I am enormously encouraged that in the new omnibus budget, there is $380 million to help secure elections. That money may be divided among 50 states, so the appropriation looks a little more modest. I simply hope that it is sufficient and can be deployed fast enough. What happened at DEFCON 25 keeps me up at night.
The views expressed are the author's own and not necessarily those of the Brennan Center for Justice.