Skip Navigation

Why Federalism Keeps Me Up At Night

Congress is reluctant to use its power under the Elections Clause to set standards for the states. This could be an area where the diversity of federalism is a disadvantage.

Last week I did what law profess­ors often do: speak at a symposium. This one was held at Pepperdine Law School, and was on feder­al­ism. It set to me to think­ing that the lack of federal control over state elec­tions might hinder their abil­ity to stop the next attack (perhaps during the 2018 mid-terms) by a foreign nation.

I then found a story in the Decem­ber 2017 Atlantic about Barbara Simons, a retired IBM computer scient­ist who had been a long­time – and lonely – critic of elec­tronic voting soft­ware. Yet, because of Russi­a’s hack­ing, Simons no longer toils in obscur­ity.  She even spoke at DEFCON 25, one of the world’s largest gath­er­ings of hack­ers, held annu­ally in Las Vegas.

What attrac­ted Simons – and the hundreds of other hack­ers who visited “Voting Machine Hack­ing Village” at DEFCON last July was the chance to legally hack all sorts of pieces of voting equip­ment, from actual voting machines to voter regis­tra­tion data­bases to elec­tion office networks. Such an oppor­tun­ity had never been avail­able.

Indeed, they even had to create an excep­tion to the law to uncover voting machine vulner­ab­il­it­ies legally. Computer scient­ists are normally barred from hack­ing voting machines for many reas­ons, includ­ing the Digital Millen­nium Copy­right Act (DMCA) which protects the intel­lec­tual prop­erty rights of whoever created a voting tech­no­logy. But in 2015 the Library of Congress, which has juris­dic­tion under the DMCA, issued a three-year exemp­tion for research to invest­ig­ate the secur­ity of voting machines. The exemp­tion ends in Octo­ber 2019.

But even with the DMCA exemp­tion, computer scient­ists still had the prac­tical prob­lem of find­ing voting machines to test and explore. Voting machine manu­fac­tur­ers were unlikely to give them unfettered access to the equip­ment and soft­ware. States would also be unlikely to provide open access because of restrict­ive coven­ants in their contracts with the manu­fac­tur­ers. Allegedly, this was all so the equip­ment makers could protect their propri­et­ary tech­no­logy. However, it’s also pretty easy to see why the manu­fac­tur­ers were not exactly enthu­si­astic about discus­sions on voting machine secur­ity.

The “white hat” hack­ers knew they had to be more creat­ive. They soon found that voting machines were avail­able for sale on eBay. Some of these machines had come from Dane County, Wisc., which includes Madison. The machines were for sale because a storm had  collapsed the roof on a build­ing where they were stored. The county claimed a total loss, and some of the surviv­ing func­tion­ing machines were put up for sale by the insur­ance company.

The report from the three-day gath­er­ing was grim: “By the end of the confer­ence, every piece of equip­ment in the Voting Village was effect­ively breached in some manner. Parti­cipants with little prior know­ledge and only limited tools and resources were quite capable of under­min­ing the confid­en­ti­al­ity, integ­rity, and avail­ab­il­ity of these systems.”

One of the things that troubled the computer scient­ists is that many of the parts were foreign manu­fac­tured. They were bothered that foreign actors could build back­doors into voting tech­no­lo­gies in future Amer­ican elec­tions.

As Simons, the Bren­nan Center and others have been preach­ing for years, juris­dic­tions must have machines that produce an audit­able paper trail to allow for checks on a vote or even a full, hand recount. But at least 14 states still use voting machines in some juris­ic­tions that do not produce an audit­able paper trail. This list includes three states targeted by Russia, all of which are major swing states: Flor­ida, Virginia and Pennsylvania.

Unfor­tu­nately, under our typical feder­al­ism struc­ture, Congress is reluct­ant to assert its power under the Elec­tions Clause of the Consti­tu­tion to super­sede state rules govern­ing elec­tions. And while the diversity of elec­tion oper­a­tions at the state level can be seen as a source of protec­tion against foreign inter­fer­ence, this may be wish­ful think­ing in the face of a determ­ined adversary like Russia, China, North Korea or Iran. When it’s Chinese govern­ment hack­ers versus Alabama elec­tions admin­is­trat­ors, who would you bet to win?

Thus I am enorm­ously encour­aged that in the new omni­bus budget, there is  $380 million to help secure elec­tions. That money may be divided among 50 states, so the appro­pri­ation looks a little more modest. I simply hope that it is suffi­cient and can be deployed fast enough. What happened at DEFCON 25 keeps me up at night.

(Image: Think­Stock)

The views expressed are the author’s own and not neces­sar­ily those of the Bren­nan Center for Justice.