By Hans von Spakovsky and John Fund
WALL STREET JOURNAL Sept. 13, 2016 — Defense Secretary Ash Carter warned Russia last week that Americans “will not ignore attempts to interfere with our democratic processes.” Rumors are rife about hackers, Russian or otherwise, getting into the U.S. election system in November, and Homeland Security Secretary Jeh Johnson has what he considers a solution: He wants to use his authority under a post-9/11 federal law designed to protect the country against terrorist attacks to designate the election system as “critical infrastructure.”
Yet many state election officials have told Mr. Johnson they don’t need federal help. And the secretary conceded in a recent telephone conference call with state officials that there is no credible threat of a successful cyberattack on the voting and ballot-counting process, despite revelations about recent attacks on the voter-registration systems in Arizona and Illinois. If everyone understood how decentralized the election process is and the way the current election system is organized, they’d realize how mistaken it would be to call in the feds.
First, the voter-registration systems maintained by states and county governments are separate and distinct from the voting machines that will be used on Election Day in tens of thousands of polling places across the country. That’s also true for the vote-tabulation equipment used in county election departments to count the ballots.
The hacks in Arizona and Illinois, in which voter-registration data were copied but not altered, illustrate the danger of online voter registration. But they are not an indication of the vulnerability of ballot casting and vote counting.
Registering to vote is extremely easy—you can do it by mailing in a one-page form, or you can register at numerous locations, including state driver’s-license and public-assistance offices. Online registration increases the risk of fraud by giving hackers a way into the system with the ability to alter registration data, and to register bogus or nonexistent voters. That is also why states should avoid all internet-voting proposals. These would make the election process highly vulnerable to cyberattacks such as the hacking of the Democratic National Committee’s computer system or the federal Office of Personnel Management’s personnel files.
But hacking into voting machines used by American voters in precincts would be extremely difficult. Three out of five counties nationwide use optical-scan technology, not electronic voting machines. Only two out of every five counties use electronic equipment, and a very few still use hand-counted paper ballots, according to the Caltech/MIT Voting Technology Project. Opti-scan technology uses computer scanners to tabulate paper ballots completed by voters. The scanners are not connected to the internet, and if there is any question about their software, you have an audit trail—the actual paper ballots completed by voters.
In jurisdictions that use electronic voting machines, the vast majority are also not tied into the internet. They are stand-alone machines with a recording cartridge that is physically transported to the county elections department for tabulation at the end of Election Day.
There is legitimate concern that the election-management software being developed by some companies may include a wireless capability that could potentially be exploited. Election officials need to ensure that such capabilities are either completely shut down or taken out of the software they use.
The security on some of these individual electronic voting machines is poor. But hacking them requires unobserved physical access to the machine. That is difficult to do in secured warehouses where they are kept before Election Day or at polling sites where election officials are monitoring their use. Perhaps if the Russians could recruit thousands of hackers to go into polling places to hack individual machines without being noticed, they could steal a presidential election. Otherwise, they don’t have a chance.
Nothing prevents Secretary Johnson from issuing recommendations on security improvements if he is really worried about this issue. So why is he talking about designating the election system as “critical infrastructure?”
Under a 2013 presidential directive, such a designation gives the Justice Department authority to “investigate, disrupt, prosecute, and otherwise reduce” threats to that infrastructure—while DHS is given the power to “coordinate the overall Federal effort” to ensure the security of the infrastructure. Administration officials could use this designation as a way of giving federal officials access as “observers” or investigators to voting precincts across the country, as well as election and voting systems.
This could be the first step in federalizing election administration. An Obama administration that has already attacked election-integrity reforms across the country by filing lawsuits against common-sense voter ID laws, and has disputed state rules on early voting and same-day registration (or the lack thereof), could use the hacker threat as an excuse to try to dictate what states should and shouldn’t do when they are exercising their constitutional authority to run elections. That is a greater danger than any Russian hackers.
