Gehrke: Utah needs to think about security above all as it buys new voting machines

Francisco Kjolseth | The Salt Lake Tribune The Salt Lake Tribune staff portraits. Robert Gehrke.

State elections officials held an open house earlier this month to demonstrate five election systems vying to replace the voting machines that have been chugging away for the past 13 years.

Just a few days earlier, a group of hackers in Las Vegas took part in a demonstration of their own, designed to show how easily they could exploit the machines used around the country and potentially compromise our elections process.

The results were alarming.

The first voting machine was hacked within 90 minutes. By the end of the afternoon, all five had been compromised. One was reprogrammed to play Rick Astley’s 1987 hit “Never Gonna Give You Up.” The whole thing had been Rick Rolled.

To be fair, these hackers had an unfair advantage. Given a whole afternoon with unfettered physical access, the machines never had a chance. It was, largely an abstract exercise.

What is not abstract is that there are people who very much would like to compromise our elections.

A national assessment declassified earlier this year showed that the intelligence community, unanimously, believes that hackers tied to Russia tried to penetrate voting machine software vendors and numerous county clerk offices around the country, presumably in an attempt to influence the election.

In his testimony in June, fired FBI Director James Comey told a congressional committee the Russians targeted “hundreds” and possibly more than 1,000 election-related entities.

Nobody, including Utah elections officials, know if our state was among those attacked by the Russian hackers, but it should give us pause, not just because it happened but because, as Comey warned, “they will be back.”

(Francisco Kjolseth | The Salt Lake Tribune) Companies demonstrate new voting machines that can also be navigated by the visually impaired during a hands on presentation at the Capitol on Wednesday, Aug. 2, 2017. The state is considering buying new voting machines.

Barbara Simons, president of Verified Voting, has been sounding the alarm about voting machine security — or lack thereof — for years.

But even she was skeptical before the DefCon hacker exercise that the hackers would be able to compromise the machines. She was wrong. And the Russian interest in hacking election equipment makes her doubly concerned.

“What 2016 showed me is we are vulnerable and if we don’t fix our voting systems, who knows what might happen? North Korea, ISIS, the Mafia — I’m sure you don’t have the Mafia in Utah, but still,” she said.

The good news is that Utah has an opportunity, as it overhauls its voting machines, to get it right — or at least as right as it can.

The best option, Simons says, is to go old-school: paper ballots and optical scanners. Then, there needs to be a robust manual audit to verify that the results match the actual ballots that are cast.

Mark Thomas, the director of state elections, says he is confident that Utah has done everything it can do to safeguard elections, but nothing is perfect.

“I think it’s foolish of anyone to say that ’Our equipment is bulletproof. It can’t be hacked. I think if you have that type of mentality you’re asking for trouble,” he said. “We have to be very vigilant in understanding what the threats are, understanding where there might be weaknesses and doing the best we can to ensure we have a secure election.”

In Utah, the aging voting machines are kept under lock and key and closely tracked. They have tamper-proof seals — not foolproof, but a start — to prevent them from being tinkered with. They are not connected to the internet, but that doesn’t mean that data loaded onto them doesn’t come from machines that are.

There are multiple layers of password protection meant to keep malicious code from being loaded onto them, assuming someone can access the machine. In the last election, a password error in Washington County knocked several machines offline, creating long lines.

And, while it’s not the kind of paper ballot Simons would like to see, Utah’s old machines do print a sort of receipt and a selection of those receipts — 1,000 ballots per state House district — are compared against the reported results to check the counts.

“It’s not one thing that protects us. It’s everything,” Thomas said.

Voting by mail, which is in place in 22 counties, has reduced dependence on voting machines. Last time the state was taking bids for machines in 2003, it spent $29 million. This time it expects to spend just $10 million, because fewer people vote on Election Day.

But Utah still needs top quality voting machines. The state will award the contract within the next few weeks and as it vets its proposals, the security of the system is of paramount importance. Because, as we’ve seen, no machine is invincible, there absolutely are people with malicious motives, and the integrity of our democracy is only as sound as the impenetrability of our machines.