For the better part of the past year, I served as the cybersecurity expert to Georgia’s “Secure, Accessible, and Fair Elections (SAFE) Commission” – a group tasked with recommending new, more secure voting equipment and procedures in our state. The result of much discussion is that I (along with 24 other computer scientists at universities, labs, industry and the nonpartisan organization Verified Voting) advocated for a return to paper ballots. Now, as Congress examines the same, more states could move in this direction. I’d like to explain the irony behind why cybersecurity experts recommend voting on paper and new approaches we all must reconsider going forward.
1. Nation-state threats to cybersecurity are real. The public should be concerned about foreign manipulation of our elections despite hard evidence any has occurred.
I work annually with America’s military and Fortune 100 companies to develop new cybersecurity methods and I’ve published nearly 150 research findings. I’ve watched cyberthreats grow in sophistication since the late ’90s. I know that competition and malicious intent by other nations is intense.
The former acting director of the CIA, Michael Morell, told an audience of students and business leaders at Georgia Tech last fall that “failures to imagine” how adversaries would attack us have been our biggest and most devastating failures as a nation. As a result, he also said the CIA now holds the most top-secret information on paper only.
His comment is one of many reasons that I strongly recommended Georgia return to hand-marked paper ballots. The right technology for these times may not be the most cutting-edge. Paper provides the trail of evidence for post-election audits to determine if software caused an error in election outcomes and does so without re-running an entire election. Paper is human readable and manually countable when needed. No system is 100 percent cybersecure, and nearly zero risk should be tolerated when safeguarding something as pivotal as elections.
2. States should lease rather than own election equipment. A well-known cybersecurity defense is to patch our personal devices, operating systems and apps as soon as vendor updates are released. States that purchase costly election equipment have shown that they, and their vendors, do not maintain the same cyber-hygiene – thereby putting every voter and democratic outcomes at grave risk.
A case in point is Georgia. Its voting machinery was purchased in 2002 (largely with federal funds) and has been unsupported by the vendor since 2005. Imagine — no patches, updates or improvements in 14 years as the very sophistication of cyberattacks has evolved from simply defacing a website to today’s ransomware that holds hostage an entire city (Atlanta, 2018) or hospital systems (nationwide, 2016).
The better alternative for all states, regardless of which type of voting equipment they use, is to lease rather than own. This shifts the maintenance responsibility and some liability for cyber-defense back to the vendor. It allows states to regularly re-examine voting equipment against the latest technological landscape. Finally, it could be far less expensive.
3. Cybersecurity is now a primary responsibility of every Secretary of State’s office. Long considered a neutral office largely free from political strife, Secretaries of State are now in the middle of a tempest. The amount of data and processes they manage make Secretaries of State prime targets for cyber manipulation, data theft, and nation-state malfeasance. Cybersecurity here should not be a task assigned to just a few IT employees; it is essential to every function of the Secretary of State’s office. Personnel need widespread training on cybersecurity defense. These offices deserve to be appropriately staffed and funded for such an important mission. State legislators must re-examine – not only which new election systems to adopt – but also how much to appropriate for cybersecurity staffing and training.
The public has a right to be concerned about election security despite any hard evidence of tampering to change votes. Cyberattack is the new, “perfect” weapon, and is being continuously developed and targeted at our valuable assets. Our nation is watching Georgia, and Georgia has waited too long to act. It has famously become the epicenter of debate over voter disenfranchisement and election mismanagement. Yet, regardless of political affiliation or bias, I hope the country realizes that we all have a stake in this debate. For everyone’s sake, I hope the points made here remind us how united we can stand.
Wenke Lee, Ph.D., is a professor of computer science and John P. Imlay Jr. Chair at the Georgia Institute of Technology, where he also serves as co-executive director of the Institute for Information Security & Privacy. He has published nearly 150 research articles about cybersecurity and is a Fellow of the Association of Computer Machinery (ACM).He became an American citizen in 2000.
