Georgia Secretary of State Brian Kemp revealed that the Georgia voter rolls were hacked just days before the election. Texas voting machines were changing Democratic votes to Republican. Every election it seems voter data and machines have problems, yet states never seem to fix it.
More often than not, votes are counted as they’re cast, yet, Ars Technica noted, problems surface and from election to election it seems they’re not necessarily fixed. One Texas problem was an interface issue on the Hart eSlate voting system when voters hit the “enter” button while also turning an election dial. The problem began in 2016, but it never got fixed and continues in the state today.
Only 13 states require a federal certification for voting systems, but those only cover the machines themselves, not necessarily the software. Despite so-called “federal certification requirements,” “there has never been a full independent code audit and penetration test covering the entire scope of voting systems.”
Veracode Chief Technology Officer Chris Wysopal wondered why he couldn’t get a white paper about the handling of sensitive data for electronic voting machines from reputable security firms.
“Software security audits, including penetration testing, are done for ‘thousands of small software companies every year, on software for banks, media, and manufacturing,'” he said. “Their customers demand that they get a third-party audit of their software. Financial and manufacturing firms are vetting their software. That kind of thinking hasn’t made it to state and county government.”
The Department of Homeland Security helps states with some voting security issues, but realistically, most counties don’t have the time or money to handle major security.
Wysopal wants to see counties do a “mock election day” where they can test penetration and see if vote tallies can be manipulated. It could help find issues before the big day, and for states that don’t allow early voting, it might help cut time opening up polling places in the morning.
States have become “reluctant—and in some cases even hostile” to anyone trying to help secure their election systems. In Georgia, a judge even called the security “inadequate” after vulnerabilities were discovered for ballot systems.
The tech and security conference DEF CON had security researchers Josh Franklin and his father Kevin outlining the many states that lack the proper security to protect their voter registration websites. Georgia was one of the states that earned an “F” grade. Twice Kemp has inadvertently released social security numbers of Georgia voters. That state has upgraded and fixed other bugs, but other states still lack the proper security.
All of these fixes require time and money. For 2018 the time is up and in states that are suffering from serious budget cuts, money isn’t there.
“This is a problem that can’t be solved in a few months,” Wysopal told Ars Technica. “It’s really going to take years of change, of how you think about vetting the software, and how the manufacturers that are making the software think about security.”
There’s no mandatory standard for voting equipment or processes and states and counties coordinate to make it work. So, getting state lawmakers and county-level officials on the same page about election security is nearly impossible.