The Battle for Pennasota: Even (Some) Republicans Are Concerned

To determine what it would take to hack a U.S. election, a team of cybersecurity experts turned to a fictional battleground state called Pennasota and a fictional gubernatorial race between Tom Jefferson and Johnny Adams. It's the year 2007, and the state uses electronic voting machines.

Jefferson was forecast to win the race by about 80,000 votes, or 2.3 percent of the vote. Adams's conspirators thought, "How easily can we manipulate the election results?"

The experts thought about all the ways to do it. And they concluded in a report issued yesterday that it would take only one person, with a sophisticated technical knowledge and timely access to the software that runs the voting machines, to change the outcome.

The report, which was unveiled at a Capitol Hill news conference by New York University's Brennan Center for Justice and billed as the most authoritative to date, tackles some of the most contentious questions about the security of electronic voting.

The report concluded that the three major electronic voting systems in use have significant security and reliability vulnerabilities. But it added that most of these vulnerabilities can be overcome by auditing printed voting records to spot irregularities. And while 26 states require paper records of votes, fewer than half of those require regular audits.

"With electronic voting systems, there are certain attacks that can reach enough voting machines . . . that you could affect the outcome of the statewide election," said Lawrence D. Norden, associate counsel of the Brennan Center.

Entire article here, including the news that a couple of Republicans can sense a problem:

Republican Reps. Tom Cole (Okla.) and Thomas M. Davis III (Va.), chairman of the House Government Reform Committee, joined Rep. Rush D. Holt (D-N.J.) in calling for a law that would set strict requirements for electronic voting machines. Howard Schmidt, former chief of security at Microsoft and President Bush's former cybersecurity adviser, also endorsed the Brennan report.

"It's not a question of 'if,' it's a question of 'when,' " Davis said of an attempt to manipulate election results.

And even the easiest possible fixes aren't being done:

The most widely used electronic-voting systems all have flaws that can be addressed relatively easily, but few states and counties have actually implemented recommended security measures, researchers concluded Tuesday.

Even the printing of paper records — widely seen as a countermeasure to hacking and other attacks on ATM-like touchscreen machines — does little good if audits aren't routinely and automatically performed, researchers said. Their report said that fewer than half of the 26 states requiring paper records also require regular audits.