Georgia election officials say the protections are strong enough to safeguard votes from hacking attempts or tampering, with upgraded voting equipment that adds a paper ballot for the first time in 18 years.
But election security experts aren’t convinced. They say the system remains vulnerable because it still relies on electronics and retains a link to the internet. They fear computer-generated paper ballots will prove to be meaningless if most voters fail to check them for accuracy.
Across Georgia, all voters who go to the polls to cast ballots in the June 9 primary will use the $104 million system, which features fresh touchscreens, printers, check-in tablets and tabulation servers. Old equipment has been put in storage, never to be touched by voters again.
Gabriel Sterling, who oversaw the installation of the voting system, said it’s independent from any potential flaws in Georgia’s outdated electronic voting machines. Even if they had been compromised, Sterling said the old computers wouldn’t contaminate the new ones.
“It’s all new machinery across the board. It’s completely independent. We’ve done everything we can to build up security in the system,” said Sterling, the system’s implementation manager in the secretary of state’s office. “Having the paper ballots is the long-term security key that we all need to be looking at that’s going to make us have faith in the outcomes.”
Sterling said the secretary of state’s office instituted rigorous protection measures, including firewalls, network traffic monitors, strong passwords, encryption, training and physical equipment security.
Election computers, however, aren’t free from the threats of the online world.
The voting system includes a wireless connection to the internet, used in counties when voter registration information is loaded onto tablets. The internet access point is only turned on for a couple of minutes, information is encrypted, and information can be exchanged with specifically identified tablets.
Those restrictions might be insufficient, said Duncan Buell, a University of South Carolina computer science professor.
“Two minutes is a very long time if someone wants to hack you,” Buell said. “The notion that counties can protect themselves against nation-state attackers is just wrong. I think it’s an excess of hubris, and I think it’s naive.”
The danger, Buell said, is that a hacker could disrupt an election by making computers show that voters aren’t registered or changing their addresses so they can’t cast a ballot.
Election officials have minimized those risks on the voter check-in tablets, called Poll Pads, said Merritt Beaver, the chief information officer for the secretary of state’s office. Poll Pads are used to program green voter access cards, which voters insert into touchscreens. The cards tell the machine to display the ballot that matches each voter’s district and political party in the primary.
“Systems like Poll Pads have very limited network access and are configured and locked down to only communicate with known sources at specific time windows,” Beaver said. “All communication is encrypted, and all nonessential applications are removed to limit functionality of the devices.”
At least one vestige of Georgia’s previous voting system remains: the state’s voter registration system installed in 2013.
Because voter registration information was transferred into the new voting system, the possibility exists that malware could have spread, University of Michigan electronic voting expert Alex Halderman wrote in court documents in an election security lawsuit.
“If attackers infiltrated any of the components … they likely continue to have access to those components, because it is difficult to expel sophisticated attackers from a computer system once it is breached,” Halderman, a computer science professor, wrote in an affidavit in January.
State election officials say they prevented problems by loading voter registration information from a text file that was scanned for malware. In addition, an elections worker hand-typed voting district information into a new database to avoid exchanging old files.
There’s no indication Georgia voter registration records have been infected, but it’s possible that problems have gone undetected. Precincts must keep paper copies of voter registration records available as a backup.
Though all voting systems have potential vulnerabilities, officials should do everything they can to protect the integrity of the elections process and reassure voters, said Matt Masterson, a senior cybersecurity adviser for the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
“We know our adversaries want to undermine our confidence in our democratic institutions,” Masterson said. “The best response is for Georgians to get involved and participate.”
Voters should check their printed-out paper ballots to ensure they’re correct, but a study this year found few people do so. Just 16 percent of voters reported ballot errors even after they were warned by poll workers in a simulated election that their paper ballot was the official record of their vote, according to the study by Halderman and his peers at the University of Michigan.
Election officials plan to conduct audits of paper ballots to verify the accuracy of election results. Voting rights groups that prefer paper ballots filled out by hand say audits of printed-out ballots won’t ensure accurate results unless voters review them.
©2020 The Atlanta Journal-Constitution (Atlanta, Ga.) Distributed by Tribune Content Agency, LLC.
