Popularized at the village over the past couple of years, the perception that voting machines can be hacked and votes flipped is now common. Republican officials have pushed or are pushing for audits not just in Arizona but also in Pennsylvania, Michigan, Wisconsin, Georgia, Florida, Virginia, Texas, and even Utah, which broke for Trump by 21 points in 2020. Perhaps more troubling, the paranoia around voting machines is interfering with the administration of elections. In May, the Ohio Supreme Court had to order the Stark County commissioners to appropriate funds for a new set of voting machines after the all-Republican group refused. That same month, an elections supervisor in Colorado allegedly granted unauthorized access to her county’s voting machines, whose passwords ended up on a far-right conspiracy theory website. And in Michigan in October, a Republican township clerk who was later stripped of her duties had QAnon memes on her social media and refused to allow routine maintenance on a voting machine, which then went missing.
With its sensationalist rhetoric, flashy theatrics, unstructured hacking, and lack of context about how elections operate, DEFCON also emphasizes the vulnerabilities that are possible, even when they’re not necessarily probable.
If you use a hand-marked paper ballot, whether at the poll site or via the mail, it’s almost certainly counted using an optical scanner, and even if you’re simply registered to vote but have never actually done so, your personal data—potentially your birthday, home address, party affiliation, Social Security number, and a photo of your signature—are stored in a database connected to the internet. However, no one—not the EAC, the voting machine manufacturers, or election officials—seriously argues that these machines are 100 percent secure.
The people at the village came because they love hacking, not voting.
Some see this line of argument, and the activists behind it, as not just misguided but also downright dangerous. “Trump used their arguments after they've claimed without evidence for years that the machines were hacked,” said David Becker, executive director and founder of the Center for Election Innovation and Research, a nonprofit that helps election officials secure their election technology. “They're wrong, they're hurting democracy, and they're still doing it, aiding Trump in the process.”Over the last few years, questioning election security has slowly moved to the mainstream. “There have always been rumors in the election space,” said Michelle Shafer, a former senior executive in the election technology industry and now an elections consultant. She points to the 2006 conspiracy theory, now living a second life, that Venezuela secretly controls our elections. “But [the conspiracies] were more things that people laughed about. Like, it didn't reach the level of consciousness where everyday people on the street would have heard of any of these [voting machine] companies.”
“They're wrong, they're hurting democracy, and they're still doing it, aiding Trump in the process.”
Some argue that being asked to provide evidence before they’ve been given permission to examine the machines is an impossible dilemma. However, claims that were unsuccessful in court have found a receptive audience at DEFCON. During a presentation in 2018, Halderman inserted his own code into a DRE during the same step of the pre-election process when election officials would upload the layout of the ballot. In Halderman’s mock election, George Washington earned the most votes, but the winner was Benedict Arnold (hackers are nothing if not cheeky). “Every U.S. voting machine subjected to rigorous independent security review suffered vulnerabilities that would enable vote-stealing attacks,” Halderman told the audience.
Claims that were unsuccessful in court have found a receptive audience at DEFCON.
Under these real-world conditions, are the feats at DEFCON realistic? Hursti is evasive on this point. “When you do vulnerability research, you do whatever is needed to find a vulnerability,” he said. “How it’s weaponized is not part of ethical hacking.” Instead, Hursti tends to focus on how those security protocols aren’t properly followed, and in a country where elections are administered locally, with over 10,000 jurisdictions total, there’s always someone messing up.
“If someone demonstrates to you that there's a bullet in the revolver chamber and you choose to play Russian roulette with that gun, who’s at fault?”
However, very few states require that all ballots be potentially subjected to an audit, though the situation is improving. Last year, during the height of the pandemic, Michigan remotely trained election administrators in 277 jurisdictions how to conduct a risk-limiting audit. To do that for every federal race in the country, Halderman estimates it would cost just $25 million—though even that small amount of funding (and time and organization) is in limited supply. At the end of the day, most experts are actually arguing over a seemingly small point. After someone votes on the BMD, it prints out a summary of their choices, but is anyone actually confirming that what the paper says matches who they voted for? If they trust what the machine printed and don’t verify the ballot, then it doesn’t matter how much paper we audit. The record is meaningless.Fundamentally, though, no system can be fully secure. But that doesn’t necessarily mean it’s been compromised either. “If we wanted the most secure system ever, we could require every single voter to go into a single location at a single point in time, give a DNA blood sample, and record their vote on an engraved stone table that would last for 100 years,” said Becker. After the convention, Hursti flew to South Dakota to serve as CNN’s media expert for Mike Lindell’s Cyber Symposium. “This is a big fat nothing and a distraction,” he told the Washington Post after Lindell failed to produce the bombshell evidence he had promised for the symposium. Hursti also said that he didn’t consent to having his work included in the “Kraken” briefs, which several lawyers working to overturn the 2020 results confirmed. In person, he also emphasizes the difference between what’s possible and what’s probable. “Being vulnerable isn’t evidence of being actually hacked,” he said. “If you have a bad lock in your house, it doesn’t mean that burglars have entered. It means get a better lock.”
Fundamentally, though, no system can be fully secure. But that doesn’t necessarily mean it’s been compromised either.
However, many security researchers have a borderline religious belief in the power of transparency. “Only really irresponsible people take vulnerabilities as proof that something's actually happened,” said election security advocate Jennifer Cohn.
DEFCON is perfectly suited to encouraging the kind of paranoia that now threatens even routine election administration.