Pitt Cyber Expert Discusses Security, Integrity Concerns Ahead of Upcoming Elections

With midterm elections just over a week away, hundreds of thousands of new and newly invigorated voters are expected to show up at the polls across the nation while many election security issues remain unresolved.

In Pennsylvania, for example, 201,331 new voter applications were approved the week of Oct. 15 alone, according to the Pennsylvania Department of State. And many of those voters — approximately eight out of 10 — will cast ballots on machines that offer no auditable paper record, an absence that could prevent the detection of a successful hack or even a benign error. This issue is emblematic of the potential threat to election security in systems across the U.S.

“The sophistication of nation-state hackers and cyber criminals is only increasing,” said David Hickton, founding director of the University of Pittsburgh Institute for Cyber Law, Security, and Policy. “We must act with the urgency that this threat to our democracy requires and improve the security of our election architecture.”

Hickton, along with Grove City College President Paul McNulty, convened the independent, bipartisan Blue Ribbon Commission on Pennsylvania Election Security this year with support from The Heinz Endowments and the Charles H. Spang Fund of The Pittsburgh Foundation. The commission’s goal is to assess the cybersecurity of Pennsylvania’s election architecture, including voting machines and back-end election management systems, the voter registration system, and resilience and recovery in the event of a cyberattack.

The commission recently released a set of interim recommendations urging immediate actions prior to this year’s midterm elections and is set to release a full report early next year.

Warnings to legislators

In September, Hickton and McNulty offered testimony to the Senate State Government Committee on voting systems. In October, they presented testimony to the Pennsylvania House State Government Committee to outline specific cybersecurity risks associated with voter registration systems.

The testimony noted that Pennsylvania’s Statewide Uniform Registry of Electors (SURE) system is more than a decade old and was not initially designed to withstand today’s cybersecurity threats. SURE uses personal data such as Social Security and drivers’ license numbers to authenticate registered voters. Actors seeking to create fake voter registrations can find that information through illegal websites and use it in conjunction with the publicly available state voter file and SURE’s own polling place location tool.

Another concern noted was the potential for Distributed Denial of Service (DDoS) attacks on voter registration and election reporting sites that could disrupt voting or interfere with how preliminary vote totals are reported.

“Successful attacks to the system could create substantial administrative challenges for election officials and frustrate voters in a way that could depress turnout. And such an attack could undermine faith in the Commonwealth’s elections and erode public trust in democracy — outcomes that must be guarded against,” read the testimony from Hickton and McNulty.

The testimony recommended replacing the SURE system as soon as possible and adding another layer of authentication, such as having voters identify information they provided during the application process, into the voter registration system to prevent fraud. It also suggested stronger encryption of voter data and sending paper notifications to voters to verify changes of address made online.

The call to replace the dated SURE system echoes interim recommendations the commission made in September to replace Direct Recording Electronic voting machines that lack voter-verifiable paper audit trails with machines using voter-marked paper ballots. The commission also suggested that the state and federal governments fund counties’ efforts to replace the machines, and it highlighted the importance of following vendor selection and management best practices to avoid vulnerabilities introduced through the supply chain.

The report and testimony applaud the state’s directive by Acting Secretary of State Robert Torres that all counties must have voter-verifiable paper record voting systems selected by Dec. 31, 2019, and preferably in place earlier, in time for the November 2019 off-year election. The report and testimony also highlight the sense of urgency that comes with replacing the systems, as well as the importance of state and federal funding for the effort.

The state directive was issued in April. Since that time, Susquehanna County, which was already using machines with paper ballots, has been the only county in the state to purchase a voting management system.

“We recognize that the General Assembly and counties have many funding priorities. The County Commission Association of Pennsylvania estimates the cost for replacing voting machines to be $125 million statewide. The majority of Pennsylvania’s current voting machines leave the integrity of our Commonwealth’s vote at risk. This is unacceptable. Compared to the magnitude of this risk, $125 million is a relative bargain,” reads the election security commission’s interim report.