HAMBURG, Germany—As the Obama administration took tough action against Russia for interfering with the 2016 U.S. election this week, two experts in U.S. voting-machine security offered evidence at Europe’s largest annual hacker conference here that they say proves that while the voting machines used in the November presidential election were not hacked, U.S. voting systems remain “shockingly” exposed to hackers.
“We knew on November 8 that hacking was possible,” J. Alex Halderman, a University of Michigan computer science professor who specializes in testing voting-machine security, said Wednesday in front of a crowd of more than 1,000 attendees of the 33rd annual Chaos Communication Congress.
Prior to Election Day, as Donald Trump repeatedly claimed that the election would be “rigged” against him, email servers belonging to the Democratic National Committee and Clinton campaign manager John Podesta, as well as voter registration systems in Illinois and Arizona, were hacked.
And after the election, which resulted in Hillary Clinton winning the popular vote by a substantial margin but Trump winning more votes in the overriding Electoral College, many people, including Green Party candidate Jill Stein, called into question whether votes had been tallied without interference. Trump also alleged on Twitter that if it wasn’t for “the millions of people who voted illegally,” he would have won the popular vote.
“Shockingly—at least shockingly to me and many other people, even under these circumstances—approximately zero U.S. states were going to look at enough paper ballots to know whether the computers had been hacked,” Halderman said. “This is a major gap in our system.”
Flaws in U.S. voting systems are myriad and complicated, argue Halderman and Matt Bernhard, his co-researcher. The biggest flaw, they say, is the reluctance of states to commit to vote recounts after elections apparently decided by small margins.
Within the 70 percent of states that require a paper trail to accompany electronic votes, paper recounts can ensure that voters’ will has been recorded without tampering. Without a literal paper trail, conversely, verifying the existence of a cyberattack on voting machines—not to mention actual voter intent—would be quite challenging.
“The purpose of a recount, of any examination of the paper ballots, is to gather evidence of whether the outcome was correct or not,” Halderman said. “Without looking at them, we don’t have the evidence to begin with. All we can do is say that it would be possible for an attack to change the result without leaving any visible evidence.”
Halderman told the audience that he and other election security researchers were able to start looking into whether hackers had altered the election’s outcome only after Stein quickly raised more than $5 million from more than 160,000 donors to fund recounts in the three most tightly contested states—Wisconsin, Michigan, and Pennsylvania—where Trump apparently garnered a cumulative 78,000 votes more than Clinton.
States and municipalities, whose powers are protected by sections of the Constitution, individually control all aspects of U.S. elections. Each has its own rules and regulations with respect to everything from ballot designs to outcome certifications, including when and how to conduct a recount.
Audits are essential to ensuring that votes haven’t been hacked, Chris Jerdonek, vice president of the San Francisco Elections Commission, told The Parallax in September.
“There’s no surefire way to prevent hacking,” he said, “but if you’ve got good auditing procedures in place, you can catch any tampering.”
The recount process found no evidence of fraud or cyberattack in Michigan and Wisconsin, but a federal court order sought by Trump and the state of Pennsylvania halted the recount there before the researchers could recount more than half of one county, out of 67 in the state.
Wisconsin’s statewide recount saw 51 counties recount ballots by hand, 9 by rescanning, and 12 by a combination of the two. 11,883 votes were corrected, more than half the margin of victory by Trump, but in the end, there was a net change of only 397 votes.
Michigan’s recount was aborted after three days because of opposition by Trump and the state. Ten counties finished their recount, and 12 of 83 other counties started but did not finish their recounts. Forty-three percent of the total votes cast in the state were recounted, leading to a net change of 1,651 votes.
“The recounts support that the election outcome was correct,” Bernhard said. “There is not strong evidence that there wasn’t fraud or a cyberattack, though, because the recounts were incomplete, and they are an imperfect way to verify” that the votes were unadulterated.
To ensure that future votes are properly counted, Halderman and Bernhard want to see a statistical risk-limiting audit, which they defined as hand-counting randomly sampled precincts until it can be established with high statistical confidence that hand-counting all of the paper records would yield the same winner. Doing this would be “significantly” cheaper than conducting a full recount but ensure the same confidence, Bernhard said.
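An added illustration (not code from the researchers or the original article) of the stopping rule behind a risk-limiting audit. It swaps the precinct-level sampling described above for ballot-level sampling with the BRAVO sequential test; the function names, tallies and sample ballots are constructed for the example.

```python
import random

def bravo_audit(sample, winner, loser, reported, risk_limit=0.05):
    """Run the BRAVO ballot-polling test over hand-read paper ballots.

    sample   -- choices read from randomly drawn paper ballots, in draw order
    reported -- machine-reported tallies, e.g. {"A": 6000, "B": 4000}
    Returns (status, ballots_examined).
    """
    if reported[winner] <= reported[loser]:
        raise ValueError("reported winner must have more votes than the loser")
    # Winner's reported share among ballots cast for either candidate.
    share = reported[winner] / (reported[winner] + reported[loser])
    threshold = 1.0 / risk_limit  # stop once the evidence ratio reaches this
    ratio = 1.0
    examined = 0
    for choice in sample:
        examined += 1
        if choice == winner:
            ratio *= share / 0.5          # paper agrees with the reported result
        elif choice == loser:
            ratio *= (1.0 - share) / 0.5  # paper points toward a tie or a loss
        # Ballots for other candidates or blanks leave the ratio unchanged.
        if ratio >= threshold:
            return "outcome confirmed", examined
    # The sample never produced enough evidence: count every paper ballot.
    return "escalate to full hand count", examined

def draw_sample(paper_ballots, n, seed):
    """Draw n ballots with replacement (assumption: the seed is generated
    publicly, for example by dice rolls, after the results are committed)."""
    return random.Random(seed).choices(paper_ballots, k=n)

REPORTED = {"A": 6000, "B": 4000}  # constructed machine tallies

if __name__ == "__main__":
    honest = ["A"] * 6000 + ["B"] * 4000   # paper matches the machines
    altered = ["A"] * 5000 + ["B"] * 5000  # paper shows a tie instead
    for label, paper in (("paper matches", honest), ("paper differs", altered)):
        result = bravo_audit(draw_sample(paper, 1000, seed=2016), "A", "B", REPORTED)
        print(label, result)
```

The risk limit bounds the chance that the audit confirms a reported winner who did not actually win on paper; the closer the reported margin, the more ballots the test needs before it stops.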
They also want to see security-“hardened” voting technology. They recommend that every municipality adopt paper ballots, at least as a supplement to voting machines, before the next presidential election in 2020.
Halderman concluded that while they have more confidence than before the recounts that the election wasn’t hacked, they also have more confidence that U.S. elections are vulnerable to hacking.
“What we need in the United States quite badly, at this point, is some specific reform to the election process,” he said. “We’re facing increasingly powerful and aggressive state-level attackers in every country, including attackers targeting the U.S.”