Pentagon watchdogs scrutinize states’ push toward online voting
WASHINGTON — Nevada’s election chief says the state’s much-ballyhooed new system for electronically delivering absentee ballots to troops and other citizens overseas isn’t an “online” voting system, even if it offers those abroad the option of emailing marked ballots to county clerks.
But his boss, Nevada Secretary of State Ross Miller, described the system differently in testimony to Congress last year, boasting that it would allow voters abroad “to request, mark and deliver a ballot to their county without the need of a printer or a scanner.”
The office of Pentagon Inspector General John Rymer is taking a hard look at systems such as Nevada’s to see whether they’re violating a prohibition on the use of Defense Department grant money to create online voting systems, a spokeswoman for Rymer said. The prohibition was spurred by concerns that those systems are vulnerable to hackers.
Republican Rep. Joe Wilson of South Carolina, chairman of a House Armed Services subcommittee on military personnel, and the panel’s ranking Democrat, California Rep. Susan Davis, wrote to Rymer last June requesting “a full and thorough investigation” to determine whether they’re designed to return votes electronically.
So far, the inspector general’s office said, Rymer has ordered only an “assessment” of whether grant recipients are skirting the rules — a review not previously disclosed.
At Wilson’s and Davis’ request, the inspector general’s office also is examining how an obscure Pentagon unit, whose task is to facilitate absentee voting overseas, spent $85 million in research funding from 2009 to 2013, Rymer’s office said.
The Pentagon’s Federal Voting Assistance Program gave much of that money in grants to states and counties for voting system upgrades in what has become a race to capitalize on technology that makes it easier for troops stationed overseas to cast their ballots. About 30 states, most of which received grants from the program, have developed some form of online voting.
The problem is that numerous cybersecurity experts warn that votes cast over the Internet, including through email, are vulnerable to vote tampering or even large-scale schemes to rig elections. Another drawback is that they do not create a verifiable paper trail in the event of a recount, as do many state electronic voting systems.
When Hurricane Sandy battered New Jersey eight days before the 2012 election, an emergency order by New Jersey’s secretary of state allowing voters to email or fax their ballots broke a state law barring Internet voting and “made voting severely vulnerable,” a new report by the Constitutional Rights Group at Rutgers University’s law school concluded.
In 2004, Congress stopped Pentagon funding for online voting until the National Institute of Standards and Technology concluded it was secure. The agency has yet to issue an all-clear signal, stating in 2012 that secure Internet voting is not yet feasible.
Some states have seemed to ignore the red light, and the Voting Assistance Program under its former director, Bob Carey, was accused of encouraging them — allegations Carey has denied.
The program said Friday that “there is no directive from Congress that expressly prohibits online voting” until the National Institute of Standards and Technology “signs off,” but that it has “expressly” barred use of grant money for that purpose because of the lack of federal security standards.
Voting system vendors and a number of states easily circumvented its initial prohibition, imposed in 2012, on use of grant money to electronically return marked ballots. It cost nothing to email the ballots or little for states to buy an added feature providing for their electronic return.
After voting integrity groups protested and members of Congress took interest, new leaders of the Voting Assistance Program incorporated tougher language in grants awarded since last year. Applicants now are required to certify that they not use grant money “to develop a system for the electronic return of a marked ballot” nor “use the system components developed with grant funds after the award ends” for casting ballots electronically.
Even so, Miller, a Democrat who is now running for Nevada attorney general, told Congress in November 2013 that his state’s system copies one in Montana and is designed to “facilitate” the online return of a ballot.
Developed in-house with a $386,500 Pentagon grant, it uses troops’ encrypted Common Access Cards for security and allows them to use an electronic digital signature to register, obtain and sign absentee ballots, which they can either send via their own email accounts or print and mail to county clerks.
John Sebes, chief technology officer for the California-based Open Source Election Technology Foundation, said that email is “the most convenient and least secure transport mechanism,” and that there are multiple ways for hackers to tamper with the process.
However, Scott Gilles, who runs the Election Division in Miller’s office, said officials of the Voting Assistance Program approved the system and that it is “well within the boundaries of the law as well as the boundaries of the grant.” Program officials said that Nevada’s system is in compliance.
Gilles said the state also allowed emailed ballots under its previous system, and that at least 2,000 absentee voters transmitted their votes via email during the 2012 elections.
He said his office was merely carrying out the wishes of the Nevada legislature, which in 2011 authorized email voting for absentees and in 2013 allowed electronic signatures of affidavits — a necessity for online absentee voting.
However, it was Miller’s office that requested the legislative action. In 2011, Gilles told the legislature: “We foresee expanding the current process and creating a type of portal” for online voting.
“The key step is our office creating this portal where they can receive and send ballots electronically,” he said at the time.
Gilles said no expert has certified that Nevada’s system is secure, but “we haven’t had any problems with it.”
However, it’s unclear whether election officials would know if a hacker had tampered with the results.
Sebes said the biggest vulnerability occurs at the point where electronic documents arrive at an election data center.
Even if there is no mischief, he said, election officials advocating email voting are asking for “a whole new different type of trust.”
“We’re now trusting computer people with the election outcome, and that’s kind of a weird thing to do, at least for most Americans.”