“You Can’t Hack a Piece of Paper”: Jake Braun Talks U.S. Election Security

The 2016 hacking of the Democratic National Committee (DNC) provided an urgent and long-overdue wake-up call: U.S. balloting systems are not secure. In the run-up to the 2018 midterm elections and the 2020 presidential race, election security and cyber hygiene have never been more controversial—nor more important. The revelation that the 2016 hacks represent only one instance of Russian cyber warfare against Western democracies mandates prompt action. CPR writer Changwook Ju spoke with cybersecurity policy expert Jake Braun to learn more.

Changwook Ju: Election security in U.S. voting systems has been generating significant chatter since the beginning of the 21st century. Can you offer some historical insight?

Jake Braun: Obviously, the Russian attacks are the key issue. Russia has been doing this all over the world, not just to the U.S. They’ve been attacking building systems in Bulgaria, Ukraine, and their own country. They’ve been attacking information systems, like Facebook and Twitter, even more broadly. The historical perspective here is that Russia has taken its methods for influencing democratic elections and updated them for 21st century cybersecurity operations.

Ju: The recent DEFCON report reveals that hackers can breach election systems with trivial ease. In your view, which vulnerabilities in the technology are creating potential election fraud and hacks?

Braun: Number one, the way the voting machines are regulated. It can take two to three years for the U.S. federal government to approve any changes. So, you end up with ten-year-old technology that has ten-year-old vulnerabilities which everybody knows about.

Number two, there’s just a huge lack of understanding by local election officials about the nature of cybersecurity. You hear people saying things like “air gap” and “un-hackable equipment” that “doesn’t touch the Internet.” Using those words creates a false sense of security, so that’s the second thing: a lack of understanding of basic cybersecurity concepts and using meaningless buzzwords that people extrapolate.

The third thing is, you’re never going to “fix” this problem, meaning that you’re never going to come up with voting machines and software that are totally un-hackable—there’s always going to be some point of failure. Normally, there needs to be a lot of ways to ensure results are correct. In voting, that usually means there’s a human-marked paper ballot and a process by which people can go back and audit election results. Many states don’t have human-marked paper ballots, and many don’t have good auditing procedures. Because of this, there’s really no way to check if the machines have been hacked or not.

Ju: Several states, such as Virginia, have taken steps to remove touchscreen machines. However, some experts have cited accuracy, setbacks in elections schedules, and resource requirements as drawbacks of paper ballots. What do you think are the primary trade-offs between electronic voting machines and paper ballots?

Braun: I think electronic vote tabulation machines are a good option. You get to eliminate a lot of user error by having the machine count the ballots.

What are pretty much bad in any circumstance are the touch-screen voting machines. They create so many points of failure that there’s no good use for them, with the exception of accommodating the disabled, for which they are very relevant. But they can create really long lines, and if they break, people can’t vote for hours on end.

Of course, the voting jurisdictions can almost never buy enough voting machines to avoid long lines. Buying voting machines is not a good use of resources. What I’ve found out from some of the voting machine vendors is that they’re generally fine with doing paper ballots and paper ballot tabulators. They’ll build a system based on whatever is in the procurement requirements.

Ju: As a national security expert who frequently works with state legislators and politicians, can you propose some viable, constitutional tweaks that could mitigate these sorts of hacks and data compromises in the future elections? Or at least renew confidence in U.S. democracy?

Braun: It really goes back to these human-marked paper ballots and audits. Another transparency measure that few places in the U.S. use is to get a PDF of every single ballot and put it online. Then, anybody could download every ballot in the election. The number of people who actually go check and recount all of the ballots, the PDFs, would be incredibly small. But, just the fact that people know the government is required to put them up there would make them feel like “Well, somebody is going to check it,” and the transparency reassures that no one is going to cheat.

Ju: In light of “bad actors’” intentions to hack voting systems, how should we approach addressing election meddling and creating safer cyberspace in the future?

Braun: As it stands right now, the Russians seem to be trying to run a broad-based influence campaign in the U.S. They are pushing the campaign essentially to get us to not have faith in our democracy, elected leaders, or other global institutions that help prioritize American interests. I think what Russia figured out is they don’t necessarily need to hack into machines and flip votes to do that. They can just attack voter registration databases and change addresses so people can’t vote. It can be corrected, but it reduces confidence in the overall validity of the system.

A lot of times, people think, “Oh, is this just about whether the Russians could really hack into a machine and flip votes?” But I think that’s not really the question. The question is: Could Russia attack all the fail points or some of the fail points in our overall voting system in a way that’s going to undermine our confidence in the election? Unfortunately, the answer is yes.

They have already done so to some degree, and they’re not doing this for fun; they’re doing it because they have very specific policy objectives. They want to keep us focused on what’s going on internally so we’re debating the validity of our electoral outcomes as opposed to focusing on, ‘What are the Russians doing in Ukraine right now?’ ‘Are the Russians destabilizing that country?’ ‘Why are the Russians still backing Assad?’ And so on. Taking all that into account is really important when trying to think about how to deal with this issue.

___________________________________________________________

Jake Braun teaches cybersecurity policy at the University of Chicago Harris School of Public Policy and is also the Chief Executive Officer of Cambridge Global Advisors. He has more than 15 years of experience in the development and implementation of complex, high-profile national security initiatives. Prior to joining Cambridge Global, Braun was the Director of White House and Public Liaison for the Department of Homeland Security (DHS). Before that, he served as the National Deputy Field Director for the 2008 Obama for America campaign. In addition to his roles at the Harris School of Public Policy and Cambridge Global, Braun serves as a fellow for the Council on CyberSecurity and a strategic advisor to the DHS and the Pentagon. He holds an MA in International Relations from Troy University, an MA in Education from National Louis University in Chicago, and a BA in Philosophy from Loyola University Chicago.

Acknowledgments: A special thanks to Mary Hanley, Account Executive at Cambridge Global Advisors, who arranged this interview and provided constructive feedback.

Featured photo: cc/(bizoo_n, photo ID: 619772420, from iStock by Getty Images)