Computers in election systems have introduced both new features and new risks to the electoral process, said NKU Professor and Director for the Center for Information Security Dr. James Walden at a meeting Wednesday evening.
During the meeting, Walden talked about cybersecurity during the election process starting with voter registration and continuing through the tabulation of votes. He said identifying where the greatest weaknesses lie and explaining how we can improve the cybersecurity of these election systems is key.
“To put it simply, there is no perfect solution,” Walden said.
The meeting was part of an NKU speaker series called [email protected] Community Lecture, intended to connect the campus and community. Because Tuesday was National Voter Registration Day, Wednesday’s lecture was focused on voting.
To avoid vote-tampering, voting machines must be configured with ballots for each election, typically via a memory card or USB drive, Walden said. The United states typically leaves voting machine choices up to the counties in states. This makes, for example, hacking a U.S. election difficult because you would have to know each county in each state’s voting machine and how it works.
Something interesting to note, Walden said, is that states do not have proper funding for state of the art voting machines, but they do for things like aircrafts.
Voting machines are PCs, and most of them are run through Windows, Walden said. Microsoft patched 1,212 vulnerabilities in 2021. These machines do not get regular security updates, as they’re usually powered off in a warehouse and must be recertified when the software changes.
Tabulators are also PCs, but with additional risks, he said. They are often accessible via the network or fax. Attacks have higher impact than attacks on voting machines since many more votes can be altered. Tabulation attacks impact confidentiality, integrity and availability.
That’s where the Cybersecurity and Infrastructure Security Agency, or CISA, comes into play. They are responsible for securing federal networks and systems along with protecting critical infrastructure and coordinating with states.
CISA has a library of documents on how to secure elections and many election risk profile tools. They often do cybersecurity assessments and get alerts when disinformation occurs.
“States are graded like a normal A-F scale,” Walden said when asked how states are ranked in terms of securest voting systems. “Some of the states that received an ‘A’ were California and Massachusetts. Kentucky, however received a ‘D.'”
Walden went on to say that the “D” grade was in past years and that Kentucky earned an “A” in 2022.
“What needs to change to secure voting comes down to two things,” said Walden. “The first is the Principles. Adequate resources need to be provided so everyone can vote in a reasonable amount of time. Humanly readable paper ballots need to be ensured no matter how someone votes. Risk limiting audits also need to be used to detect any problems. Secondly, Congress needs to pass a secure elections bill. This should require the already mentioned principles while also providing security requirements for voting machines, registration systems, e-poll books, and tabulation systems. Funding also needs to be there so states can implement the requirements.”