This fall you may be voting with obsolete voting machines and ancient software – By Cynthia McFadden and Kevin Monahan (nbcnews.com) / Sept 7 2018
In this fall’s midterms, your local election officials may be using obsolete voting machines and software “held together with spare parts,” say experts.
SPRINGFIELD, Ill. — The state of Illinois has improved its cyber defenses since hackers broke into its voter database in 2016 — but the actual machines that will record votes in this fall’s midterms are another story.
Most of the state’s voting machines need to be replaced, says Steve Sandvoss, executive director of the Illinois State Board of Elections.
How many? “It depends on which counties you ask,” said Sandvoss, “but I would say 80, maybe 90 percent. That’s the figure I’m hearing.”
Illinois is not alone. Despite compromises of election systems in seven states in 2016, NBC News has interviewed a wide variety of experts in the two years since that election who say a majority of both the nation’s voting machines and the PCs that tally the votes are just not reliable. Most of the nation’s voting machines, for example, are close to 15 years old.
Greg Miller, cofounder of Open Source Election Technology (OSET), a nonprofit that conducts election technology research, says the outcome of the midterms will be determined by votes recorded on “obsolete hardware [and] software that relies on a diet of spare parts.”
“You have equipment that was introduced in 2005,” marvels Miller. “In that time frame, how many times have you changed your mobile phone? And how many times have we replaced our laptops?”
Though personal data was stolen from the Illinois voter database, no votes were changed and no outcomes were affected by any of the cyber breaches around the country in 2016. Similarly, there is no evidence that individual voting machines were hacked during that election.
But the other cofounder of OSET, John Sebes, showed NBC News how easy it would be for an unscrupulous person to manipulate the data.
Regardless of the voting machine used, said Sebes, the tallying comes down to a computer in a back office. In many jurisdictions, officials use a CD or a USB flash drive to bring results to a central location that tabulates the total.
Sebes fed data into an aging computer with aging election software. A fictional candidate named Thorfer had received more than 3,000 votes, and an equally imaginary foe named Varda had won just 100.
“This is where a trustworthy election official on election night is basically feeding the machine to get all the votes onto it and have the machine rack and stack the votes,” said Sebes.
He then used a CD to feed some malicious software — “malware” — into the same computer.
“Look,” said Sebes, “now it’s candidate Varda who has 3,000-odd votes, and Thorfer has 100.”
“If you look closely, the numbers are the same. We just had the candidates get swapped.”
Sebes said the switch was “not a difficult job for fairly ordinary adversaries to do.”
Election officials told NBC News that they secure access to the computers to present this kind of scenario, but experts worry that some precincts are better at it than others.
There is also a concern about what happens after the votes are counted. Fourteen states — including battlegrounds like Pennsylvania, Texas, Georgia, and Florida — still have at least some voting districts with no paper backup for their machines, meaning those districts could not do a paper recount if necessary.
Top national security officials went to the White House in August to offering assurances they are doing everything they can to make sure the Russians — or any other would-be hackers — don’t interfere in the mid-term elections.
The states, including Illinois, also say they are doing the best they can before the midterms.
Congress, however, hasn’t helped them very much. It appropriated only $380 million to help the states upgrade their election infrastructure and security. It allocated 10 times as much to upgrade voting machines around the country after the disputed 2000 presidential election.
The Illinois share of the federal money was $13 million. It was enough to help strengthen cybersecurity defenses, said Sandvoss, but not the aging infrastructure that Illinois voters will be using in November.
Would more money help?
Said Sandvoss, “The short answer is, yes it would.”