Arrow’s impossibility theorem states, “Any constitution that respects transitivity, independence of irrelevant alternatives, and unanimity is a dictatorship.” In other words, no democratic voting system can be perfect. With the archaic Electoral College system still in place and the Democratic and Republican parties fully entrenched in certain states, the United States’ electoral system is, quite undoubtedly, imperfect. However, recent reports of voting fraud and the vulnerability of the voting process to cyber attacks have raised concerns over aspects of the U.S.’ democratic system that, though highly threatening to the electoral process overall, are perhaps more easy to improve. Therefore, a pertinent question facing democracy in the U.S. is, could someone actually steal an election today?
To fully answer this question it is necessary to explore not only the voter registration system, the absentee ballot system, and the design and manufacturing of voting machines, but also the training of poll workers, the design of ballots and all of the other intricate details of the modern voting system. Since many of these topics alone could consume an entire dissertation, I decided to focus on providing a high-level synthesis of these topics in order to determine how dangerous potential flaws are in the broader context.
I chose to focus on the presidential election in order to avoid many of the idiosyncrasies that exist in different voting districts across the U.S. and remain focused on the largest issues at play. Likewise, I compressed many different models of voting machines into broader classes of machines. I also operated under the assumption that potential attackers would likely have the goal of covertly stealing the presidential election, as this type of attack has the most serious ramifications. As the recent revelation of the cyber attack on Miami-Dade County’s absentee balloting system demonstrates, the U.S. has only seen the beginning of cyber attacks on its voting systems and therefore should take interest in exploring its vulnerabilities. However, I also make note that some attacks are highly unlikely on a national scale, but could have a decisive impact on smaller, more localized elections.
In order to understand the flaws of the current voting system, I first began with a historical review of the development of voting machines. This exploration revealed that repeated and rapid shifts in priorities of privacy, usability, transparency, and cost have played a serious role in the development of flawed machines. This is primarily because new voting systems were often created solely to fix the main issues of the prior system without regard to other past issues or potential issues in future elections.
I then focused on the specific types of attacks that can be perpetrated against modern voting systems and found that attacks against both the voting machines themselves and the larger system in which they operate have varying degrees of scalability, risk, and potential reward. In particular, system design attacks, such as denial of service attacks, can be very powerful, but do not have strong data to support their effectiveness. I found, instead, that in general the most successful attacks are vote-changing attacks on touch-screen voting machines operating in key districts of swing states. Moreover, such attacks—even if carried out in only a few key districts—can greatly impact the outcome of a national election.
From this analysis it became clear that a few specific changes could be made to improve voting systems. In the short term, paper trails and audits are effective measures to radically increase the difficulty of attack by providing an out-of-band check on ballot integrity. In addition, voter education is a vital part of any security strategy as many key vote-changing attacks rely on voter ignorance of the ballot-casting process. Lastly, safeguards against insider influence on the voting process are needed to limit the scalability of an attack, especially by securing the machines that run the overall election management system. In the long term, systems need to be designed to balance privacy, usability, transparency and cost. Only systems that ensure that voters can easily and privately vote, and election officials can easily tabulate and administer the election at a reasonable cost, will be effective in the long run.
Fortunately, many of these provisions are present in the recent Voter Modernization Act of 2013 (H.R. 12 and its companion bill S. 123). Among other provisions, this legislation mandates the use of paper trails, calls for audits, and expands early voting and no fault absentee balloting. The bill also allocates federal funds to pay for upgrades to voting systems, which in the past had been the responsibility of cash-strapped counties.
However, careful attention should be paid moving forward to the decrease in privacy brought on by more remote (non-precinct) voting systems such as no-fault absentee balloting. Most importantly, the recent experiment by the District of Columbia confirms that the U.S. is not ready for Internet voting, as modern computer security is not yet up to the task of fully securing elections. Ultimately, though the U.S.’ election process remain vulnerable to attack today, small changes are helping to secure elections in the short term, while carefully designed new systems are moving towards realizing permanent solutions for the long term.
