Security experts: Wisconsin voting systems can be hacked
Security experts: Wisconsin voting systems can be hacked
Security experts: Wisconsin voting systems can be hacked
By GRIGOR ATANESIAN of Wisconsin Center for Investigative Journalism.
Jul. 28, 2018
MADISON, Wis. (AP) — Visiting Wisconsin on June 28, President Donald Trump tweeted "Russia continues to say they had nothing to do with Meddling in our Election!" It was not the first time the president cast doubt on Russian interference in the 2016 election, contradicting conclusions of the FBI, CIA and National Security Agency, as well as reports by bipartisan committees in both chambers of Congress.
But Russians have been testing the vulnerability of elections in Wisconsin and other states for years, and top U.S. intelligence officials have warned the 2018 midterm elections are a potential target of Russian cyberattacks and disinformation.
A key swing state, Wisconsin was the scene of Russian measures in 2016 that utilized social media and also probed the websites of government agencies.
Wisconsin and other battleground states were targeted by a sophisticated social media campaign, according to a recent University of Wisconsin-Madison study headed by journalism professor Young Mie Kim. This campaign tapped into divisive issues like race, gun control and gay and transgender rights.
The nonprofit news outlet Wisconsin Center for Investigative Journalism provided this article to The Associated Press through a collaboration with Institute for Nonprofit News.
Alleged Kremlin-linked operatives also probed the website of the Democratic Party of Wisconsin. The websites of Ashland, Bayfield and Washburn in northern Wisconsin were targeted from Internet Protocol addresses listed in the joint FBI and Department of Homeland Security report on Russian malicious activity. And in July 2016, Russian government operatives attacked the Wisconsin Department of Workforce Development website, state officials reported.
Early in May, the U.S. Senate Intelligence Committee reported that "in 2016, cyberactors affiliated with the Russian Government conducted an unprecedented, coordinated nationwide cyber-campaign against state election infrastructures."
"Russian actors scanned databases for vulnerabilities, attempted intrusions, and in a small number of cases successfully penetrated a voter registration database," the committee found, adding that it had not uncovered any alterations in vote tallies or voter information.
Five top elections experts told the Wisconsin Center for Investigative Journalism that Wisconsin's voting systems are vulnerable. Some pointed to the Voting Machine Hacking Village demonstration last July at DEFCON, the annual cybersecurity conference held in Las Vegas.
"By the end of the (four-day) conference, every piece of equipment in the Voting Village was effectively breached in some manner," according to a report released after the conference. "Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity and availability of these systems."
However, municipal and county clerks interviewed by the Center say they are not worried about a cyberattack, citing the fact that voting in Wisconsin is not centrally coordinated but conducted on a local level by 1,854 communities. They also note that the voting machines are not connected to the internet.
The U.S. Senate Committee on Homeland Security and Governmental Affairs chaired by Wisconsin Sen. Ron Johnson, has heard testimony from experts warning of Russia's continued activities. Yet the Republican is not convinced it is a big problem.
"The election interference ... is not the greatest threat to our democracy. We've blown it way out of proportion," he told the Washington Examiner.
Others are not so sure. The left-leaning Center for American Progress concluded that Wisconsin's "failure to carry out post-election audits that test the accuracy of election outcomes leaves the state open to undetected hacking and other Election Day problems."
"Diversity can be a strength, but in a statewide contest, I don't have to hack all the machines," added J. Alex Halderman, director of the University of Michigan's Center for Computer Security and Society, citing Trump's narrow 22,748-vote win in Wisconsin. "I just have to hack some machines."
Wisconsin's 2016 presidential vote recount, requested by Green Party presidential candidate Jill Stein, found no evidence of election tampering or foreign interference, but it did uncover thousands of miscounted votes.
"Our best estimate is that at least one in 117 votes (statewide) was miscounted, and probably more," said Barry Burden, political science professor at the UW-Madison. Burden, who is a director of the UW Elections Research Center, led a study of the 2016 recount.
"As a voter, to think that there's one in a hundred chance that my ballot would be miscounted — that would be alarming," Burden said.
But many Wisconsin election officials said the concern is overblown. Dane County Clerk Scott McDonell told the Center that "Even now, with what happened with Russians intentionally trying to affect the election, I'm still more worried about a tornado or flood."
Karen McKim is coordinator for the Madison-based grassroots group Wisconsin Election Integrity, which focuses on "appropriate" use of technology to secure Wisconsin's elections. McKim has many stories of election errors.
In the 2016 general election, she noticed that hundreds of voters in the Oneida County community of Hazelhurst cast ballots in the U.S. Senate race but not for president. It turned out to be a clerical error.
In 2014, hundreds of votes in a Stoughton municipal referendum were not initially counted, possibly because of "dust bunnies" that covered the optical scanners' lenses. In Monroe, election officials lost 110 ballots cast in the state Senate Democratic primary of 2014.
Such errors, she said, are not uncommon. A former Wisconsin Legislative Audit Bureau veteran, McKim not only identifies mistakes but seeks to correct them. Since 2012, she has been advocating post-election audits to verify the accuracy of election outcomes.
She favors a statistically based protocol known as a "risk-limiting audit" which involves counting a small sample of ballots. It is recommended by the Senate Intelligence Committee and has recently become a requirement in Colorado, Rhode Island and Virginia, according to the National Conference of State Legislatures.
Wisconsin law already requires election officials to conduct voting equipment audits after general elections. The procedure, however, does not verify the accuracy of election outcomes, only whether the machines functioned properly. But that could change.
Wisconsin Elections Commission Interim Administrator Meagan Wolfe said her staff recently observed Colorado's risk-limiting audit process. She said the agency is looking for ways to implement such audits consistent with existing law. The measure will be discussed at the next WEC meeting on Sept. 25, Wolfe said.
Although McDonell agrees risk-limiting post-election audits are probably a good idea, he does not plan to implement the measure anytime soon. He is confident in the integrity of Dane County's system, noting that software that tallies the votes and programs the machine to read the ballots "are not connected to the internet."
Said McDonell: "I'd say we're safe."
Like McDonell, the majority of municipal clerks are not particularly worried about hacking, said Barbara Goeckner, president of the Wisconsin Municipal Clerks Association.
"I know that the (Wisconsin Elections Commission) is overseeing election security in the equipment we use, the processes of the conducting of our elections and how our equipment is tested and certified," said Goeckner, adding that the diversity of Wisconsin's election systems is the best security check.
One advantage Wisconsin has over some other states: paper ballots. No matter what kind of machine is used, there is a paper ballot produced for every vote cast. In interviews with the Center, leading national experts said keeping the paper trail is not enough.
"That's the reason why you have paper — it shouldn't be for show," said Lawrence Norden, the deputy director of the Democracy Program at the Brennan Center for Justice at New York University School of Law. "There's no question Wisconsin doesn't do the kind of audits it should be doing."
In April, Halderman staged a demonstration on how to hack AccuVote TS and TSX touch-screen voting machines. The breached machines were in use in 2016 in about half of the states, including Wisconsin. As of Jan. 1 of this year, municipalities in the following Wisconsin counties were using AccuVote TSX machines for voters with disabilities: Calumet, Manitowoc, Walworth and Waushara counties.
In the demonstration, University of Michigan students were asked to pick the better school in a race with two candidates — Michigan itself and Ohio State University. From his office computer, Halderman remotely altered the tally, making Ohio State the winner in a race where the majority of voters picked Michigan.
During the DEFCON event, more than 25 voting machines and electronic poll books were breached. Some of them had default usernames and passwords, such as "admin" and "abcde," while others had parts manufactured in China, which could be designed to be vulnerable to manipulation, according to the DEFCON report.
While the voting systems hacked at DEFCON and by Halderman were touch screens, experts question whether optical scanners, in wide use in Wisconsin, also are hackable.
A recent New York Times Magazine report cited a machine in Pennsylvania's Venango County that was miscounting votes due to a calibration error. It contained software that allowed a county contractor to work on the machine remotely — but also made it vulnerable to hacking.
Some Wisconsin counties outsource pre-election programming to private companies. The Elections Commission "does not currently track which, or how many, counties, program their equipment in-house or by using a vendor," Wolfe said.
According to a leaked National Security Agency report published by The Intercept, an unnamed U.S. voting software supplier was the target of a cyberattack. It was allegedly conducted by the same Russian intelligence agency whose 12 officers were recently indicted as part of Special Counsel Robert Mueller's investigation. The attackers "sent spear-phishing emails to more than 100 local election officials just days before last November's presidential election," The Intercept reported.
This March, Congress passed a bipartisan measure allocating $380 million to boost election systems security in all 50 states. Wisconsin received $7 million.
Wisconsin's grant will pay for six full-time election and cybersecurity positions at the Wisconsin Elections Commission, to strengthen WisVote, the statewide voter registration system, and for election security trainings for local officials.
The next statewide election in Wisconsin is the Aug. 14 primary. Wolfe said all of the resources, including the six security-related positions, will be in place by the Nov. 6 general election.
McKim said questions over Wisconsin's election security could be "easily fixed."
"All they have to do is unseal those bags and count votes in public and prove that the voting machines are working right — but they don't."