Cyber Experts Warn Of Vulnerabilities Facing 2020 Election Machines
A group of guys are staring into a laptop, exchanging excited giggles. Every couple minutes there's an "oooooh" that morphs into an expectant hush.
The Las Vegas scene seems more like a college dorm party than a deep dive into the democratic process.
Cans of Pabst Blue Ribbon are being tossed around. One is cracked open and spews foam all over a computer keyboard.
"That's a new vulnerability!" someone yells.
The laptop that's drawing the most attention in this moment is plugged into a voting machine that was used just last year in Virginia.
"Right now, we're trying to develop a way to remotely control the voting machine," said a hacker named Alex.
He's seated next to Ryan, and like a lot of the hackers at the Defcon conference, they didn't feel comfortable giving their full names. What they're doing — messing around with voting equipment, the innards of democracy — falls into a legal gray area.
The voting machine looks sort of like a game of Operation. The cover is off and dozens of cords are sticking out, leading to multiple keyboards and laptop computers.
No one could get that kind of access on a real Election Day, which is when most people come into contact with voting machines for a few minutes at most. Election supervisors are quick to point out that any vulnerabilities found under these conditions aren't indicative of problems that actually could be exploited during an election.
All the same, hackers like Alex and Ryan say the work they're doing is important because it's the highest profile public investigation of the equipment U.S. citizens use to vote.
And if they can exploit it, so could government-sponsored specialists working for another nation's intelligence agency.
Governments contract with private companies to provide voting equipment and other services and there are no laws requiring any sort of breach disclosure or third party security auditing. Even the governments themselves are usually barred from hiring a security firm to investigate the machines they serve to voters.
At this year's Defcon, it was Alex's first time looking at the technology that voters use to cast their ballots — and he wasn't impressed.
The machine he's investigating is a ballot-marking device used to help people with physical impairments or language barriers vote, and it's running a version of Windows that is more than 15 years old.
"These systems crash at your Wal-Mart scanning your groceries. And we're using those systems here to protect our democracy, which is a little bit unsettling," he said.
"I wouldn't even use this to control a camera at my house. Or my toaster."
Russian cyberattacks targeted a number of voter databases, election vendors and other such systems in the 2016 presidential election. There's no evidence anyone's vote was changed, but the Russians did compromise a few key systems and extract some data.
And less than six months before voters head to the polls in early primary states for the 2020 election, American voting is stuck in a paradox: States have spent hundreds of millions of dollars on security improvements, and yet the overall system remains vulnerable in some of the same ways it was four years ago.
Cybersecurity expert Bruce Schneier, a fellow with Harvard's Berkman Center for Internet and Society and the author of more than a dozen books, was asked how much security has improved since 2016. He cut off the question.
"Oh, we have done nothing," Schneier told NPR. "We've done absolutely nothing."
He isn't being literal, but this sentiment was pervasive at Def Con.
People who spend their lives thinking about computer security said they feel the government still isn't taking the threat of a major breach seriously enough. Congress allocated $380 million towards election improvements in 2018, but even at the time, technical experts scoffed at what they called such a low number.
Because technology is constantly changing, cyber advocates say new funding needs to arrive regularly — not as a once-in-a-decade outpouring of cash. But anxiety about election security has run headlong into broader, decades-old partisan divisions about practicing democracy.
Republicans, led by Senate Majority Leader Mitch McConnell, have resisted calls for large amounts of new funding or legislation.
One reason is principle: McConnell and some of his colleagues argue that Congress should not "federalize" a practice in which responsibility now rests with state and local jurisdictions around the country.
Another objection is practical: The government did a good job safeguarding the 2018 midterm elections, McConnell argues, which ran comparatively smoothly. So although the door isn't completely closed to more grants or other work by Congress, the system — in this view — is working as it should.
Critics tease that the Senate majority leader is "Moscow Mitch," alluding to supposed softness on Russia. That nickname rankles McConnell, who called it "over the top" in an interview on Tuesday with Hugh Hewitt.
The parties' differences in outlook are vast.
Oregon Democrat Sen. Wyden says the federal government should take control over how the country votes, and he disagrees with the every-state-for-itself argument.
"I'll be damned if, when we're up against the Russians and all their military and all their cybersecurity might, we're going to send out the county IT guy," Wyden told a crowded conference room, in the keynote address at Defcon.
House Democrats approved a bill earlier this summer that would authorize more than $700 million in election security grants, but Republicans in the Senate have made it clear that the bill has no future.
"Why hasn't Congress fixed the problem?" Wyden asked, rhetorically. "Two words: Mitch McConnell."
The confidence issue
But experts say the system is only as strong as its weakest jurisdiction, so improvements done in a piecemeal way could just make it clearer which states and counties to target for future attacks.
The Senate intelligence committee's report on Russian election interference says one of Moscow's goals may have been to "undermine confidence in the 2016 U.S. elections simply through the discovery of their activity."
In other words: one breach, even without actually affecting overall results, can give the impression that nothing anywhere can be trusted.
The other side of that coin, however, is increased awareness.
One of the largest improvements over the past four years isn't quantifiable, says Matt Olney, the director of threat intelligence and interdiction at Cisco. He says general awareness of cybersecurity as a paramount concern for election officials makes the U.S. significantly safer heading into 2020.
"There's no conversations anymore about whether or not this is a problem," said Olney.
One glaring vulnerability — which cybersecurity experts have been talking about for 20 years, and yelling about for the past decade — are paperless voting machines.
Experts agree that these machines are insecure because they record votes electronically and could either be manipulated or malfunction without detection. They can't truly be audited and they leave room for some doubt in the result.
"[We need] paper ballots 100 percent ... This isn't hard, this isn't controversial. As scientists, we know exactly what we need," Schneier said. "Getting it done is hard."
The U.S. is improving in this area, but work isn't complete.
In 2016, approximately 20 percent of voters used electronic voting equipment that didn't provide a paper trail. In 2020, that number will be around 12 percent, according a recent report from the Brennan Center for Justice.
The largest state that was exclusively using paperless electronic machines in 2016, Georgia, is slated to replace its machines with touchscreen equipment that provides a paper record before 2020.
But even after the 2020 election, it's unclear whether there will be the urgency to overhaul the rest of the systems that are in use — unless there's another election-related cyberattack.
Just last month, Politico reported that election officials in 69 counties in Texas will either be "sticking with their existing paperless machines, some of them almost 20 years old, or buying new [paperless] ones. Several counties said they wouldn't upgrade until the state legislature mandated it."
Copyright 2019 NPR. To see more, visit https://www.npr.org.