[OPINION: The views expressed by Investopedia columnists are those of the author and do not necessarily reflect the views of the website.]
Following the release by Wikileaks of confidential internal communications of the Democratic National Committee, the U.S. Department of Homeland Security is weighing measures to enhance the security of the U.S. voting process against possible cyber intrusions ahead of the November 2016 Presidential election.
They are considering whether the electronic ballot-casting system can be designated "critical infrastructure" on par with utility and transportation systems. In September 2015, the Brennan Center estimated the national cost to replace obsolete equipment would exceed $1bn, but a "critical infrastructure" designation would likely produce substantial federal funds to cover costs of accelerated replacement. At the same time, shifting the technology platform used to support election systems from a PC architecture to a more "cloud & mobile" computing approach may lead to higher transition costs, but lower long-term operating expenses.
If the system is designated “critical infrastructure,” the task of upgrading the existing hodge podge of heterogenous standards and outdated non-secure equipment will fall to state and local election boards with significant federal agency oversight. Given that there are less than 100 days to the election, the likelihood of accomplishing that is slim.
Back in 2002, following the debacle of Florida's paper ballot system in the 2000 election, Congress passed the Help America Vote Act (HAVA) which allocated $4bn in federal funds to allow states to acquire new voting equipment and established the Election Assistance Commission (EAC) to develop voting standards and oversee federal testing and certification of new voting equipment. However, as the NYU Law School Brennan Center for Justice highlighted in its September 2015 report, the electronic voting machines purchased with HAVA funds are now woefully obsolete. In 2016, 43 states are using electronic voting machines that are at least 10 years old and in 14 of these states (e.g. Florida, Kentucky, Massachusetts, New Hampshire, Texas, Virginia, Washington) the machines are 15 years or older.
Underscoring obsolescence, many electronic voting machines depend on the Windows XP operating system which Microsoft ceased supporting on April 8, 2014. For example, in California almost all the electronic voting machines run Windows XP. These machines are susceptible to malware as well as vulnerable to a well-timed denial of service attack, which means they would either not work or work so slowly as to prevent people from voting. (See also: Microsoft to Start Charging Users for Windows Upgrade)
Even though the technology is obsolete, however, the risks to the system are in part offset by the fact that three-quarters of the country will vote on a paper ballot in November, according to Verified Voting. Also, more than half of the states conduct post-election auditing in which vote totals are checked against paper records to ensure accurate vote counts. However, not every state employs post-election audits with more than a dozen states having no audit procedure whatsoever. Furthermore, some states that require a post-election audit by law (e.g. Pennsylvania, an important swing state, and Kentucky) do not use voter-verifiable paper trails, thus compromising a post-election audit. Meanwhile, other swing states are in reasonably good shape with Florida having an audit requirement in place and Ohio having an automatic recount provision wherein a close race triggers a manual recount. However, states using "direct recording electronic" (DRE) machines exclusively (i.e. Delaware, Georgia, Louisiana, New Jersey, South Carolina) without a paper audit trail are thought to represent a risk of failure.
Opinion is divided as to whether the November 2016 U.S. presidential election is really at significant risk of manipulation from cyberintrusion. Certainly cyberintrusions are occuring on a daily basis in a widening range of areas. Given the nature of cyberintrusion, the identity of the perpetrators is most likely known, if ever, well after the fact, but is increasingly seen to be the activity of foreign state-sponsored organizations. If the integrity of the upcoming U.S. presidential election is at risk, federal protection is warrented. Elections should be decided at home, not from abroad. But perhaps the greater risk, to our economy and trust in the nation, is the belief that our election system is at risk, a notion that Donald Trump is already popularizing. "I'm telling you, Nov. 8, we'd better be careful, because that election is going to be rigged," Trump told Fox News earlier this week. If that belief takes hold, then the security of the election process will already have been breached.
About the author:
David Garrity is Principal of GVA Research, a New York-based consulting firm. He has more than 25 years of experience in the financial services industry. He has served in many senior roles including CFO and Board Director for both publicly-held and private companies, and has extensive experience in several disciplines including advisory, operating and research. David is a thought leader in technology sector developments and their application to the broadening of the financial sector, as well as in the areas of banking and finance, capital markets, and technology innovation. He is a sought-after advisor for technology companies and consults with The World Bank Group on financial inclusion and mobile technology, as well as the development of technology strategy for health initiatives in southern Africa. His paper on mobile money and disaster relief is published in "Technologies for Development: What is Essential?" (Springer Verlag, June 2015). You can find him on LinkedIn here and follow him on Twitter @GVAResearch.