July 21, 2018 — The job description for the Wisconsin Election Commission’s public information officer does not say “Secure Wisconsin’s elections.” So Reid Magney’s annual performance review won’t suffer if, next November, hackers compromise ES&S headquarters in Nebraska, manipulate Milwaukee County’s voting system, and pick Wisconsin’s US Senator.
Magney’s job description probably says something like “Build voter confidence.” So don’t expect him to draw attention to this or that national report, or whichever new report has once again given Wisconsin poor marks for election security.
Last Wednesday, Carrie Kaufman of WPR’s Morning Show told Magney, “Assure me that our voting system is secure.”
Magney obliged, and recited all the great things about security for the voter-registration system (my emphasis, not his). He talked about firewalls, multifactor authentication, and installing software that will monitor for suspicious activity.
Magney avoided saying much about Wisconsin’s vote-tabulation system, for which he would need to tell a very different story.
WEC has very little responsibility for the vote-tabulation system. It was developed by private out-of-state companies, and is owned, operated, updated, and maintained by those companies and by Wisconsin’s local election officials. Not by WEC.
I know enough to notice Magney’s feints and finesses. As I listened, I found myself imagining a different interview. I imagined Kaufman had asked specifically about the tabulation system, and that she was able to keep the interview on topic.
I imagined her speaking with a WEC representative whose job description said “Make sure voters understand the real risks and necessary safeguards.”
Here’s that interview:
Interviewer: Welcome to our show. Every day seems to bring more alarming news about Russia’s intent to tamper with American elections. Is Wisconsin’s computerized vote-tabulation system secure? I will discuss that today with my guest, Earnest Veracity of the Wisconsin Elections Commission. Welcome, Earnest.
Veracity: Thank you for having me.
Interviewer: I’m assuming you’re familiar with the five basic functions of a cybersecurity program, spelled out by the National Institute of Standards and Technology—identify the risks; protect the system; detect any problems; respond to any problems; and recover. Would that be a good framework for discussing Wisconsin’s election security?
Veracity: Yes, that framework is useful. But I must make one thing clear before we start. I’ll answer your questions as best I can, but tabulation-system security isn’t something that WEC has much say about. That’s the job of the voting-machine companies and the local election officials. Wisconsin has decentralized elections administration, and voting-machine security is no exception.
Interviewer: I understand that. Let’s start with simply describing the system. Are the computers that count our votes inside those machines at our polling place, or somewhere else? Whose system is it? Who manages it?
Veracity: The vote-tabulating system consists of three parts: 1) the voting-machine companies’ own computers that they use to develop and update the software; 2) an ‘elections management’ computer in each county clerk’s office; and 3) the voting machines in each polling place.
Each new election has its own set of races and candidates, so the county computers and the voting machines have to be reprogrammed for every new election. Typically, the software is developed at one of the voting-machine companies’ offices, and then transferred to the county either over the Internet or with portable digital media. The county clerk then prepares the software for each voting machine, and the municipal clerks install it in the voting machines. That software really travels.
Ownership and management get a little tangled. The companies own the software and some of the equipment. Counties typically own and manage the county computers, while the voting machines are owned or leased by the cities, villages, and towns.
Interviewer: So where are our votes counted?
Veracity: The software that counts your votes is typically inside the machine in your polling place. But it got there through the county’s computer and the vendor’s computers.
Interviewer: Got it. Let’s move to security, and start with the first function, risk identification. Have the voting machine companies and the local election officials identified the risks?
Veracity: We don’t know. It’s possible they haven’t, because to the best of our knowledge, none employ any IT security professionals. Your network carries a great show, Science Friday, which aired a very good segment on this topic right before the 2016 elections. Aviel Rubin, director of the Johns Hopkins University Information Security Institute, described what he learned when he visited all the major voting-machine companies.
As for the local election officials, few understand the risks. Most, for example, will tell you the voting machine cannot be hacked if it isn’t connected to the Internet, forgetting the other computers involved in the process that might be. They also believe pre-election tests can detect hacked software. No one should expect local election officials to be IT security professionals. They just are not.
Interviewer: I suppose that’s fair. How about the second function of a good cybersecurity program. Do the managers of the vote-tabulation system protect it from the risks?
Veracity: Again, we know almost nothing about the voting-machine companies’ security practices. A few incidents indicate they might be lax. For example, in 2016, recount observers noticed manufacturers’ seals missing from voting machines in St. Croix County. When we investigated those citizens’ reports, we discovered a vendor’s service technician had left machines unsealed through several elections, and local officials had not noticed. We checked only St. Croix County’s machines. There may have been others that the technician left unsealed.
The local election officials, well, they usually do the best they can. They keep the voting machines and county election computers in locked rooms, and only occasionally find someone got unauthorized access. They are very reliable about keeping track of the software as it passes back and forth between the county and the municipalities. But keep in mind the nature of the workforce. Elections are run mostly by people who work on those tasks only a few days each year. We cannot expect security protocols to be reliably followed.
Interviewer: Well, that’s sobering. Who oversees the local governments’ election-security efforts? Do you?
Veracity: No, they’re pretty much on their own. County clerks are independently elected. Making sure they do their job right is up to the voters. Municipal clerks generally answer to the city council, village board, or town board, not to any professional election overseers. WEC does not, cannot, monitor their security practices.
Interviewer: Yikes. So as far as we know, no one is making sure we have much risk-identification or strong protection going on. What about detection? Do the local officials at least have ways to detect Election-Day computer miscounts? I understand that hacking isn’t the only threat—that they also need to be on the lookout for human error and random malfunction.
Veracity: Yes, those are the three main categories of electronic threats to our election results. But again, I’m sorry I cannot answer that question with regard to the voting-machine companies’ security practices. We have no idea what they do, if anything, that would, for example, detect malicious code if one of their programmers goes rogue and starts working for Russia.
And local election officials have no way to notice any malicious code if it’s already there when they receive software or updates from the vendor and install them in the voting machines. They are good about doing pre-election voting-machine tests, which can catch human programming errors. But those tests wouldn’t detect hacking. Remember the Volkswagen scandal? That should have taught everyone that hacks are designed to operate only during actual use, not during testing. A hacker would make the malicious code operate only on Election Day.
After each election, local election officials check that the machines counted ballots correctly, but not whether the machines counted votes correctly. That doesn’t protect our election results, because hackers would tamper only with vote totals and leave the ballot totals alone.
When miscounts are really obvious, local election officials sometimes notice, like they did in Stoughton in 2014. But sometimes they don’t. In Racine and Marinette Counties in 2016, and in Medford in 2004, the local officials just blew past obvious computer miscounts and certified the wrong vote totals. Hackers could make thousands of votes just disappear, and it probably wouldn’t be noticed or corrected in the canvass.
A citizens’ group, Wisconsin Election Integrity, has been pressuring us since 2012 to promote routine post-election audits during the canvass. National authorities recommend, and other states use, those audits because they deter hacking and protect certified election results from all types of miscounts. But we cannot make a decision in only six years. Maybe we’ll give it some thought for 2020. Maybe not.
Interviewer: Do the managers have procedures to respond to an event, so that they can prevent or minimize damage to the final election results?
Veracity: Finally, I can answer “Yes!” If local election officials detect incorrect preliminary vote totals during the canvass, Wisconsin statutes give them everything they need to protect the final, certified election results. They have the paper ballots, the freedom to decide to hand count, enough time for the canvass. The Stoughton voting-machine miscount of 2014 is an excellent illustration. Once they noticed the miscount, the municipal clerk quickly opened the ballot bags, hand-counted, and didn’t even miss the municipal canvass deadline. So if they do routine audits during the canvass, they will always be able to secure the final election results.
If they wait to detect problems until after they certify, though, that would be royal mess—expensive lawsuits and scandal, massive damage to voter confidence. I don’t even want to think about it.
Interviewer: Do the managers have procedures to recover and restore the system to normal functioning after an event?
Veracity: Well, neither we nor the local election officials have the skills or resources for serious forensic investigation. So it’s hard to say what we’d do to determine the causes and fix the flaw if we ever noticed a hack. When in 2017 we could no longer ignore the Optech Eagle’s inability to count votes from many absentee ballots, we decertified that system. But we probably wouldn’t do that if we found problems with a newer system. I cannot imagine, for example, expelling ES&S from the state if we found they’d installed remote-access software here like they admit they’ve done elsewhere. They count more than 70% of Wisconsin’s votes. Banishing them would be terribly disruptive and expensive.
* * *