For years, the security researchers behind Defcon’s Voting Machine Hacking Village have been trying to get lawmakers’ attention on vulnerabilities with outdated election infrastructure. Hackers regularly showed how easy it was to change ballots with full access to voting machines, with warnings that these security vulnerabilities could shake the confidence of elections if there are no paper backups.
Three years after it kicked off at the hacking conference in Las Vegas, the group finally got the attention of the highest office in the US. It only took losing the 2020 election by an estimated 5 million votes for President Donald Trump to get there.
For more like this
Subscribe to the Bioreports Now newsletter for our editors’ picks of the most important stories of the day.
On Nov. 14, Trump tweeted an NBC News segment from the hacking village in 2019 without any context — only showing the parts where hackers were able to break into voting machines from Dominion Voting Systems.
On Monday, he followed up and wrote, “Dominion is running our Election. Rigged!”
Trump’s claims come from a series of false conspiracy theories about the voting machines switching votes for President-elect Joe Biden, part of a broader push by the president to undermine confidence in the election system and its results. They come after the Cybersecurity and Infrastructure Security Agency, the National Association of Secretaries of State, the National Association of State Election Directors and members of the Election Infrastructure Sector Coordinating Council filed a joint statement, calling 2020’s election the “most secure in American history.”
“When states have close elections, many will recount ballots. All of the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary,” the joint statement said. “There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
Several election officials have debunked the Dominion claims, including Michigan’s secretary of state, Joceyln Benson, who released a statement noting that while one county’s machines had flaws because of human mistakes, the problem was quickly fixed and would not have affected the election’s outcome.
Dominion Voting Systems has also rebuked the president’s claims, with a “Setting the Record Straight” page pointing out that the votes its machines tallied are completely auditable.
“No credible reports or evidence of any software issues exist,” Dominion Voting Systems said in its statement. “Human errors related to reporting tabulated results have arisen in a few counties, including some using Dominion equipment, but appropriate procedural actions were made by the county to address these errors prior to the canvass process.”
The election officials are confident in the security and results of the election because of paper audits of the votes. While votes could be digitally altered if a hacker had full access to the machines, the paper ballots themselves would be much more difficult to change.
The Voting Machine Hacking Village at Defcon has helped point out the many flaws with trusting technology completely, and its organizers have called on Congress for years to pass legislation that would improve this paper trail.
Trump had never tweeted about Dominion’s voting machines or the flaws with voting technology until after he lost the election. Lawmakers gave Trump plenty of opportunities to improve election security during his presidency.
In 2018, Sen. Ron Wyden, a Democrat from Oregon on the Senate Intelligence Committee, proposed an election security bill that would require paper ballots. It had been blocked by Senate Majority Leader Mitch McConnell, who later supported a $250 million election security funding bill that didn’t mandate paper ballots.
“Donald Trump is grasping for any possible excuse to avoid admitting he lost the election,” Wyden said. “If Trump really cared about securing our elections, he would have embraced paper ballots and voting by mail, instead of spending months lying to the American people about them. I wrote, and the House passed, the toughest election security bill ever produced, which Mitch McConnell killed when it reached the Senate, and Trump didn’t lift a finger to save it.”
When Defcon first started looking at election infrastructure in 2017, election officials and voting machine makers weren’t quick to embrace the approach. Voting machine manufacturers historically closed off access to their hardware, preventing security researchers from being able to test them for flaws.
The National Association of Secretaries of State also criticized how the village operated, noting that the researchers have unlimited access to voting machines, unlike during an actual election where poll workers would be watching for tampering and paper audits would detect abnormalities.
But the village gave important insight for states to switch to paper ballots. Virginia’s election officials changed its systems to paper ballots in 2017 after hackers from Defcon demonstrated flaws with machines used in the state.
It’s also led the voting machine manufacturers to change their attitudes toward security researchers. Dominion Voting Systems established its own vulnerability disclosure policy in 2019, allowing security researchers to tamper with their machines and report flaws for the first time.
At the Black Hat hacker conference in August, Election Systems & Software, the largest voting machine maker in the US, also announced its own vulnerability disclosure policy.
In October, Iowa’s election officials launched its own vulnerability disclosure policy through Bugcrowd, a bug bounty platform that lets hackers get paid for finding security flaws. Casey Ellis, Bugcrowd’s founder, said these programs served as “neighborhood watch for voting technology” and created transparency with election technology issues.
The same way that an unlocked door doesn’t mean that you’ve been robbed, vulnerabilities in software don’t mean that votes have been hacked. The point of the vulnerability disclosure programs is so that companies can fix these issues, and use secure measures, like paper audits.
“Election security experts are in an excellent position to explain that there is a very big difference between a vulnerability in an individual system, and vulnerabilities being covertly exploited at scale in order to rig an election,” Ellis said. “It’s easy for the public to see footage of voting machines being torn apart and draw equivalency with the integrity of the election itself. This isn’t the case, and we’re the ones who are in the most objective position to explain this.”