Cybersecurity debates on Capitol Hill often revolve around the penalties that Congress should levy on industries or agencies that fail to adequately secure their systems. But when it comes to upgrading the cybersecurity of voting machines—a power that the Constitution grants solely to the states—Congress is approaching the problem through persuasion instead of punishment.
“I don’t think we can push the states, right?” said Rep. Will Hurd, the Republican chairman of the House Oversight Subcommittee on Information Technology, during a brief interview following Wednesday’s hearing on voting-machine cybersecurity. “This is firmly a responsibility of the states.”
New machines that provide a paper copy of each electronic ballot cast aren’t cheap, and lawmakers may need to provide additional funding to states that are otherwise skeptical of top-down decrees pushing for new tools to audit electronic election results. “I think it is a carrot versus a stick,” Hurd said. “It is the opportunity to have access to resources if you are following good hygiene or best practices.”
There’s no evidence to indicate that the Russian government’s attack against the 2016 election extended to voting machines themselves, or that vote tallies in any state were altered. Many local election officials are adamant that such an attack would be impossible, claiming that the machines are never connected to the internet and are carefully monitored to prevent physical tampering.
But more than one lawmaker during Wednesday’s hearing brought up a demonstration carried out over the summer at the DefCon cybersecurity summit, where hackers were able to gain remote access to direct-recording electronic voting machines (equipment that does not include a paper-ballot backup for each vote) and alter vote tallies. Such a hack would likely be harder to achieve in real-world conditions, but cybersecurity experts say it’s important to expect the unexpected.
Matthew Blaze, a professor of information science at the University of Pennsylvania, told Hurd that it would be “very difficult” for hackers to compromise state-run voting machines in a way that would significantly impact voter tallies. But, he added, that’s not the only concern. “I think the difficulty that we have is it’s very difficult to prove that it hasn’t happened,” Blaze said.
Hurd and other lawmakers believe the goal of last year’s attacks on election infrastructure was to undermine confidence in America’s democratic institutions. While changing voter tallies may be next to impossible, without a paper trail it’s almost as hard to prove that the election was aboveboard. Hurd believes that lack of confidence undermines voter participation, and wants states to use machines that provide a hard-copy record of each ballot cast in case suspicions later arise.
Some states have already implemented these changes. Just ahead of this month’s election, Virginia scrapped its touch-screen voting machines in favor of new equipment that provides paper backups for each vote. But many more states—particularly those in the South and Midwest of the country—are hesitant to take the plunge, especially without federal assistance.
Some officials, including Louisiana Secretary of State Tom Schedler, believe that even talking about the security of voting machines in a public forum works to further undermine voter confidence. “Look, it’s a necessary thing to discuss—I’m not trying to pretend that it’s not,” he told National Journal after the hearing. “But the more we continue to do this—and the dilemma that an election official has in their state is we want to come solutions, but at the same time we have to keep voter confidence up. And that’s a real balancing act.”
When asked if federal legislation could do anything to help Louisiana enhance voting-machine cybersecurity—either through the use of paper-ballot backups or otherwise—Schedler first said no. But then he caught himself. “Money,” the secretary of state said, claiming that Congress is sitting on hundreds of millions of dollars in election-assistance funding that it has yet to appropriate.
Speaking to reporters after the hearing, Hurd said he’s not necessarily sold on the importance of legislation to coax states into stronger cybersecurity protections for voting machines. With January’s designation of elections as critical infrastructure by the Homeland Security Department—and with lots of federal money still locked up in the federal Election Assistance Commission—Hurd believes there may already be an existing infrastructure to achieve some of these concerns. “If we can do this without legislation, it can be done quicker,” Hurd said.
The chairman added that he’s particularly optimistic in the response that he’s received from secretaries of state like Schedler, many of whom were previously upset over a perceived power grab by Homeland Security. He believes some of those objections have fallen by the wayside in the past year, perhaps opening the door to greater cooperation between Washington and the states. That cooperation, of course, would almost certainly be greased by federal funds.
“There is no such thing as an impenetrable device or system,” Hurd said after the hearing. “With something so important as our elections, we have to be able to refute these concerns of manipulation or erosion of trust. Even though you can still use electronic tools to facilitate and make this process as quick as possible for the voter, you still have to have an audit trail. And a lot of the time that’s paper.”