Security experts: Wisconsin

voting systems can be hacked

MADISON, Wis. (AP) — Visiting Wisconsin on June 28, President Donald

Trump tweeted “Russia continues to say they had nothing to do with
Meddling in our Election!” It was not the first time the president cast doubt
on Russian interference in the 2016 election, contradicting conclusions of the
FBI, CIA and National Security Agency, as well as reports by bipartisan
committees in both chambers of Congress.

But Russians have been testing the vulnerability of elections in Wisconsin

and other states for years, and top U.S. intelligence officials have warned the
2018 midterm elections are a potential target of Russian cyberattacks and
disinformation.
A key swing state, Wisconsin was the scene of Russian measures in 2016 that
utilized social media and also probed the websites of government agencies.

Wisconsin and other battleground states were targeted by a sophisticated

social media campaign, according to a recent University of Wisconsin-
Madison study headed by journalism professor Young Mie Kim. This
campaign tapped into divisive issues like race, gun control and gay and
transgender rights.

---

The nonprofit news outlet Wisconsin Center for Investigative Journalism

provided this article to The Associated Press through a collaboration with
Institute for Nonprofit News.

---

Alleged Kremlin-linked operatives also probed the website of the Democratic

Party of Wisconsin. The websites of Ashland, Bayfield and Washburn in
northern Wisconsin were targeted from Internet Protocol addresses listed in
the joint FBI and Department of Homeland Security report on Russian
malicious activity. And in July 2016, Russian government operatives attacked
the Wisconsin Department of Workforce Development website, state officials
reported.

Early in May, the U.S. Senate Intelligence Committee reported that “in 2016,
cyberactors affiliated with the Russian Government conducted an
unprecedented, coordinated nationwide cyber-campaign against state
election infrastructures.”

“Russian actors scanned databases for vulnerabilities, attempted intrusions,

and in a small number of cases successfully penetrated a voter registration
database,” the committee found, adding that it had not uncovered any
alterations in vote tallies or voter information.
Five top elections experts told the Wisconsin Center for Investigative
Journalism that Wisconsin’s voting systems are vulnerable. Some pointed to
the Voting Machine Hacking Village demonstration last July at DEFCON, the
annual cybersecurity conference held in Las Vegas.

“By the end of the (four-day) conference, every piece of equipment in the
Voting Village was effectively breached in some manner,” according to a
report released after the conference. “Participants with little prior knowledge
and only limited tools and resources were quite capable of undermining the
confidentiality, integrity and availability of these systems.”

However, municipal and county clerks interviewed by the Center say they are
not worried about a cyberattack, citing the fact that voting in Wisconsin is not
centrally coordinated but conducted on a local level by 1,854 communities.
They also note that the voting machines are not connected to the internet.

The U.S. Senate Committee on Homeland Security and Governmental Affairs

chaired by Wisconsin Sen. Ron Johnson, has heard testimony from experts
warning of Russia’s continued activities. Yet the Republican is not convinced
it is a big problem.

“The election interference ... is not the greatest threat to our democracy.
We’ve blown it way out of proportion,” he told the Washington Examiner.

Others are not so sure. The left-leaning Center for American Progress
concluded that Wisconsin’s “failure to carry out post-election audits that test
the accuracy of election outcomes leaves the state open to undetected hacking
and other Election Day problems.”

“Diversity can be a strength, but in a statewide contest, I don’t have to hack

all the machines,” added J. Alex Halderman, director of the University of
Michigan’s Center for Computer Security and Society, citing Trump’s narrow
22,748-vote win in Wisconsin. “I just have to hack some machines.”
Wisconsin’s 2016 presidential vote recount, requested by Green Party
presidential candidate Jill Stein, found no evidence of election tampering or
foreign interference, but it did uncover thousands of miscounted votes.

“Our best estimate is that at least one in 117 votes (statewide) was
miscounted, and probably more,” said Barry Burden, political science
professor at the UW-Madison. Burden, who is a director of the UW Elections
Research Center, led a study of the 2016 recount.

“As a voter, to think that there’s one in a hundred chance that my ballot
would be miscounted — that would be alarming,” Burden said.

But many Wisconsin election officials said the concern is overblown. Dane
County Clerk Scott McDonell told the Center that “Even now, with what
happened with Russians intentionally trying to affect the election, I’m still
more worried about a tornado or flood.”

Karen McKim is coordinator for the Madison-based grassroots group

Wisconsin Election Integrity, which focuses on “appropriate” use of
technology to secure Wisconsin’s elections. McKim has many stories of
election errors.

In the 2016 general election, she noticed that hundreds of voters in the
Oneida County community of Hazelhurst cast ballots in the U.S. Senate race
but not for president. It turned out to be a clerical error.

In 2014, hundreds of votes in a Stoughton municipal referendum were not

initially counted, possibly because of “dust bunnies” that covered the optical
scanners’ lenses. In Monroe, election officials lost 110 ballots cast in the state
Senate Democratic primary of 2014.

Such errors, she said, are not uncommon. A former Wisconsin Legislative
Audit Bureau veteran, McKim not only identifies mistakes but seeks to
correct them. Since 2012, she has been advocating post-election audits to
verify the accuracy of election outcomes.

She favors a statistically based protocol known as a “risk-limiting audit”

which involves counting a small sample of ballots. It is recommended by the
Senate Intelligence Committee and has recently become a requirement in
Colorado, Rhode Island and Virginia, according to the National Conference of
State Legislatures.

Wisconsin law already requires election officials to conduct voting equipment

audits after general elections. The procedure, however, does not verify the
accuracy of election outcomes, only whether the machines functioned
properly. But that could change.

Wisconsin Elections Commission Interim Administrator Meagan Wolfe said

her staff recently observed Colorado’s risk-limiting audit process. She said the
agency is looking for ways to implement such audits consistent with existing
law. The measure will be discussed at the next WEC meeting on Sept. 25,
Wolfe said.

Although McDonell agrees risk-limiting post-election audits are probably a

good idea, he does not plan to implement the measure anytime soon. He is
confident in the integrity of Dane County’s system, noting that software that
tallies the votes and programs the machine to read the ballots “are not
connected to the internet.”

Said McDonell: “I’d say we’re safe.”

Like McDonell, the majority of municipal clerks are not particularly worried
about hacking, said Barbara Goeckner, president of the Wisconsin Municipal
Clerks Association.

“I know that the (Wisconsin Elections Commission) is overseeing election

security in the equipment we use, the processes of the conducting of our
elections and how our equipment is tested and certified,” said Goeckner,
adding that the diversity of Wisconsin’s election systems is the best security
check.

One advantage Wisconsin has over some other states: paper ballots. No
matter what kind of machine is used, there is a paper ballot produced for
every vote cast. In interviews with the Center, leading national experts said
keeping the paper trail is not enough.

“That’s the reason why you have paper — it shouldn’t be for show,” said
Lawrence Norden, the deputy director of the Democracy Program at the
Brennan Center for Justice at New York University School of Law. “There’s no
question Wisconsin doesn’t do the kind of audits it should be doing.”

In April, Halderman staged a demonstration on how to hack AccuVote TS and

TSX touch-screen voting machines. The breached machines were in use in
2016 in about half of the states, including Wisconsin. As of Jan. 1 of this year,
municipalities in the following Wisconsin counties were using AccuVote TSX
machines for voters with disabilities: Calumet, Manitowoc, Walworth and
Waushara counties.

In the demonstration, University of Michigan students were asked to pick the

better school in a race with two candidates — Michigan itself and Ohio State
University. From his office computer, Halderman remotely altered the tally,
making Ohio State the winner in a race where the majority of voters picked
Michigan.

During the DEFCON event, more than 25 voting machines and electronic poll
books were breached. Some of them had default usernames and passwords,
such as “admin” and “abcde,” while others had parts manufactured in China,
which could be designed to be vulnerable to manipulation, according to the
DEFCON report.

While the voting systems hacked at DEFCON and by Halderman were touch
screens, experts question whether optical scanners, in wide use in Wisconsin,
also are hackable.

A recent New York Times Magazine report cited a machine in Pennsylvania’s

Venango County that was miscounting votes due to a calibration error. It
contained software that allowed a county contractor to work on the machine
remotely — but also made it vulnerable to hacking.

Some Wisconsin counties outsource pre-election programming to private

companies. The Elections Commission “does not currently track which, or
how many, counties, program their equipment in-house or by using a
vendor,” Wolfe said.

According to a leaked National Security Agency report published by The

Intercept, an unnamed U.S. voting software supplier was the target of a
cyberattack. It was allegedly conducted by the same Russian intelligence
agency whose 12 officers were recently indicted as part of Special Counsel
Robert Mueller’s investigation. The attackers “sent spear-phishing emails to
more than 100 local election officials just days before last November’s
presidential election,” The Intercept reported.

This March, Congress passed a bipartisan measure allocating $380 million to

boost election systems security in all 50 states. Wisconsin received $7 million.

Wisconsin’s grant will pay for six full-time election and cybersecurity
positions at the Wisconsin Elections Commission, to strengthen WisVote, the
statewide voter registration system, and for election security trainings for
local officials.

The next statewide election in Wisconsin is the Aug. 14 primary. Wolfe said
all of the resources, including the six security-related positions, will be in
place by the Nov. 6 general election.

McKim said questions over Wisconsin’s election security could be “easily

fixed.”
“All they have to do is unseal those bags and count votes in public and prove
that the voting machines are working right — but they don’t.”