With the U.S. presidential election just weeks away, questions about election security continue to dog the nation's voting system.
It's too late for election officials to make major improvements, "and there are no resources," said Joe Kiniry, a long-time election security researcher.
However, officials can take several steps for upcoming elections, security experts say.
"Nobody should ever imagine changing the voting technology used this close to a general election," said Douglas Jones, a computer science professor at the University of Iowa. "The best time to buy new equipment would be in January after a general election, so you've got almost two years to learn how to use it."
Stop using touchscreen electronic voting machines without printers
Fifteen states still use outdated touchscreen e-voting machines without printers attached in some or all of their voting precincts. E-voting machines without paper printouts don't give election officials a way to audit their internal vote counts, voting security critics say.
Many security experts say these e-voting machines, often called direct-recording electronic machines or DREs, still have several points of vulnerability. Jones, who has researched their security, has called on all DREs to be phased out, even the ones with attached printers. But it needs to be an "orderly" transition, he said.
"Don't declare an emergency and require everyone to buy new equipment right now," he said by email. "Doing that just creates a feeding frenzy among the manufacturers and leads to inflated prices, along with all the other problems that occur when people make important decisions under pressure."
DREs rose to prominence after the hanging-chad controversy in Florida in the 2000 presidential election, but the use of paperless DREs has fallen from 23 states in 2008 to 15 in the upcoming election.
The problem for states is the cost of replacing thousands of DREs. Congress allocated money for new election technology following the debacle in Florida in 2000, but money has been tight since then.
Conduct more extensive pre-election voting machine tests
Some states conduct extensive pre-election tests of their voting equipment, but other tests are less comprehensive, said Pamela Smith, president of elections security advocacy group Verified Voting.
Most jurisdictions conduct pre-election voting tests, but many "randomly select some machines" after ballot information, such as candidates' names, is programmed in, Smith said. Testing all voting machines before an election would be more secure, she said.
Iowa's Jones discounted current pre-election testing in many jurisdictions. The testing usually doesn't involve security checks, but only a brief test of "only a few ballots per machine … long before election day," he said.
So, if hackers find a way to load malware onto voting machines, "the malware can easily distinguish between testing and a real election," he added.
Put better election auditing processes in place
Many states have post-election auditing processes in place that "don’t make sense statistically," said Kiniry, now CEO and chief scientist at Free and Fair, an election technology developer. "They don’t really give you any veracity about the election outcome."
The auditing plans were passed by legislators who "don’t actually talk to statisticians," he added. "You hear about audits happening, but they don’t reveal anything about the election."
States should look at two kinds of voting audits, he recommended. Risk-limiting audits, now in place in California and Colorado, are statistically sound audits based on a recount of a small sample of ballots, he noted.
"That’s cheap," he said. "That’s something literally you can learn how to do -- without being a statistician -- in a day, and you can perform the recount in an afternoon."
Secondly, voting officials can run parallel-testing audits, if they have extra voting machines. Officials randomly select machines to pull out of the voting process and run a mock election on those machines, using poll workers. With the parallel test, officials can check for malicious activity on those test machines.
Hire hackers to test your systems
The cheapest and most simple step election officials can take is to hire white-hat hackers, "even if it's an intern from a computer science department in your area," Kiniry said. Those outside security experts "can work with you and think like a bad guy," he added. "Thinking like a bad guy can subtly change the way you operate your business and protect you against accidental or malicious behavior."
The U.S. Department of Homeland Security has also offered to help states check their voting security, including scanning for network security problems, Verified Voting's Smith noted. But as of late September, only 18 states had asked DHS for help.
"In the past, polling systems tended to less technologically complex, and voting officials were never IT experts," she said. "The resources are needed for some of the smaller [county] jurisdictions that may not have the resources."
Ensure that strong physical security is in place
Many voting jurisdictions have improved the physical security of their voting machines in recent years, after reports of machines being left overnight in school or being stored in voting officials' cars or homes, said Verified Voting's Smith.
"There was a lot of fuss about that in the media years ago," she said. "There is an effort to minimize the time where that equipment would be unsecured. You don’t want to be the one jurisdiction that says, 'Hey, look, I saw these voting machines sitting out in the open.'"
Voting officials still have time to add observers before, during, and after the election, Kiniry added. One of the best steps they can take is to "get more volunteers to work polling places and more good-natured citizens of all stripes being election observers, primarily during early vote processing, tabulation, canvassing, and audits," he said.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.