As States Consider Online Voting in Response to the COVID-19 Pandemic, Federal Agencies Issue Guidelines that Warn of Online Attacks

The Department of Homeland Security (DHS), the Federal Bureau of Investigation, the National Institute of Standards and Technology and the U.S. Election Assistance Commission (EAC) have drafted new guidelines outlining the severe dangers of returning ballots electronically – through fax, email or web portal – stating that the practice is a “significant security risk” and can potentially interfere with the integrity and tabulation of our elections at scale. 

The guidance was sent to election officials as some states have signaled interest to expand online voting for disabled voters due to the COVID-19 pandemic. Currently 32 states allow the military and citizens living abroad to submit ballots digitally with well over 140,000 ballots cast online in the 2018 midterm elections. 

“Clear, explicit guidance from DHS that internet voting is not secure or trustworthy is long, long overdue,” said Susan  Greenhalgh, Senior Advisor on Election Security for Free Speech For People. “It has failed for four years to codify and publish that guidance in an effort to avoid antagonizing some state officials.”

Following the 2016 revelations that Russian government agents were trying to tamper with elections in western democracies, the only two western European nations with online voting (France and Norway)  both suspended all online voting for their overseas citizens. Since 2016, the United States has purported to shore up its election security, however, the federal agencies overseeing election security have not addressed online voting until now. 

The document advises that securing the integrity of ballots cast online will be difficult if not impossible to achieve and could impact vote totals. The agencies also specifically warn that the use of web-based portals, file servers and applications may provide attackers opportunities to exploit vulnerabilities and gain access to other systems in the election infrastructure. In other words, using online ballot transmission systems can serve as an attack vector and put the entire state or county election system at risk for hackers. 

The Guardian obtained a version of the document put out by DHS alone that specifically recommended against the adoption of online voting, stating DHS ““discourages electronic ballot return technologies, which have not been demonstrated as capable of being secured from interference at this time.”

The document drafted by the four agencies omitted that sentence. According to the Wall Street Journal, a person familiar with the drafting claimed it was omitted for fear of litigation from the online voting system vendors against the government. 

The agencies also recommend developing a vulnerability management program so that well-meaning cyber security researchers may be able to responsibly disclose vulnerabilities to election officials so they may be mitigated or patched. No such program is currently in place. 

These guidelines are currently “for official use only” and it is unclear whether they will be made public in its present form. This, however, is an important step to ensuring that online voting not be expanded in the United States.

You can read the full article in The Guardian here.

Comments are closed.