How we know voting systems are secure
(CNN) — Former President Donald Trump and one of his most vocal supporters, tech billionaire Elon Musk, have alleged without evidence that the potential for voter fraud is a major threat.
For instance, Trump has claimed, without providing proof, that there is “cheating” in Pennsylvania. Musk has used X to spread unfounded allegations about voting systems, laying groundwork to question the election before it happens.
Voting is ultimately an act of faith in democracy, and undercutting the system, despite all the evidence to the contrary, is clearly a strategy on the part of Trump’s allies.
To better understand the security of US voting systems and why there’s no indication that they’re not secure, I talked to CNN’s Zachary Cohen, who covers national security, and Sean Lyngaas, who covers cybersecurity. They’re both part of a larger team of reporters at CNN who are focused on election security.
Our conversation, edited for clarity, is below:
Let’s start with Dominion Voting Systems
WOLF: The company most people have heard of is Dominion, which won a $787 million settlement with Fox News related to 2020 election lies. How much of the country uses Dominion? And are there alternatives?
LYNGAAS: A big portion of the country, numerous states, use Dominion in some form. There are three large election equipment vendors in the US: Dominion; ES&S, or Election Systems and Software; and Hart InterCivic. They constitute the vast majority of election infrastructure. You cover a big portion of the country with that.
However, there are a lot of other smaller vendors. Dominion is very, very common, but in a given election office, I think you have multiple vendors. They’re not putting all their chips in one basket, so if something catastrophic were to happen, they have a backup plan.
How does the process work?
WOLF: How does the process of voting generally work with these systems?
LYNGAAS: You have different equipment that handles the voter registration database, so when you show up on voting day or whenever you go to vote, they can compare what’s in that voter registration to what’s in front of them in terms of their records.
About 97% of votes are cast with a paper record. Federal officials, election officials are using that as a point of reference to try to convince people that their vote is secure and accurate, which it is.
Voting machines – some are a touch tablet where you have a panel, and you make your choice and print that out. In other systems, a voter fills out the ballot with a pen and then feeds it into a voting machine.
COHEN: There’s a common misconception that the voting machines are the complete process. In reality, they’re one part of a bigger system that goes into casting, then storing and counting votes. In a lot of states, a county will transfer the data they get from the machines themselves via USB and go manually plug that into a computer.
All that data is then gathered and collected online by the secretary of states or by whoever is in charge, ultimately, of preserving that data. Then there is obviously the paper ballot part of it, which is more about reassuring the voter, but also can be used as an audit tool as well.
How are things different this year?
WOLF: What are the consequential changes that we’ve seen since 2020?
COHEN: The biggest thing has been a sort of war over what is fact and what is fiction as it relates to voting machines. Because of the prevalence of Dominion systems specifically, that’s the reason why these purveyors of disinformation have really harped on Dominion and alleged a lot of conspiracies about vote flipping.
We’re seeing a lot of those same narratives resurface now. Because Dominion is used across so many different states, if you highlight an alleged problem with one system in one state, you could then make an argument that it’s impacting the entire vote across the country.
That’s what we’ve seen – these pro-Trump operatives and lawyers trying to argue ahead of 2024 that these systems are unreliable, that there’s already evidence that they’re being manipulated. But there is no evidence that votes have been flipped or that somebody has hacked these systems already or in past elections – so it’s sort of a war about truth rather than a war about the system themselves.
What are the protections?
WOLF: If you’re talking about USB ports and hard drives, that’s pretty low-tech. What are the guarantees these systems are secure? What are the precautions against hacking?
LYNGAAS: One of the main precautions is the chain of custody over the data. With the exception last cycle of the Coffee County (Georgia) break-in, where you had people who were authorized to have access to the facility let someone in.
That’s hopefully a rare exception, because 99.9% of the people running elections don’t do that. It’s closely guarded who has access to the tabulators and the backend data that’s used to make sure all the voters are in the system, and then the paper trail is probably the biggest safeguard.
COHEN: I think it’s really important to note that something that has changed since 2020 is that we’ve learned there are legitimate concerns about vulnerabilities, particularly when it comes to the backend part of the voting system.
Sean was referencing the break-in the Coffee County Elections Office, where an election worker gave people who didn’t have authorization access to those systems – basically unfettered access to copy the entire software platform that that county was using. We saw something similar in Mesa County, Colorado.
We’ve seen in Michigan, these pro-Trump operatives and lawyers spent the last four years trying to get access to these systems that they are not supposed to have access to.
In Georgia, we’ve already seen local Republican officials cite not just the Coffee County data and election software that they were able to copy as part of a lawsuit, raising questions preemptively about the validity of the 2024 count. But we’ve seen them imply and suggest the vulnerabilities themselves are reason enough to file lawsuits and ultimately signal that they intend to use that to challenge the outcome if Trump loses.
LYNGAAS: All software has vulnerabilities, but we still don’t have any evidence that a vulnerability in Dominion software, or any other software, has been exploited in any election to cause any kind of impact.
The other thing I’d say is that not just since 2020, but in years prior too, there’s been what we call penetration testing of a lot of this equipment. An election vendor, whether it be ES&S or Dominion or Hart, they’ll send it out to Idaho National Labs, for one, which is under the Department of Energy, where they have some of the smartest cyber people in the game. And they’ll break apart the system and see what vulnerabilities do exist out there.
Election security advocates have wanted that type of program to step up more, and to be highlighted and to be front and center. It’s still going on.
But in this post-2020 environment, when you talk about any kind of vulnerability in the system, it gets weaponized in terms of how people consume that information. I’m a cybersecurity reporter, and I love covering when there is a vulnerability and it’s fixed and it’s a good news story. But people don’t see the good news for what it is.
The last thing I’d say in terms of a reassurance to folks is that a lot of these software flaws that are found in some voting equipment, to be able to take advantage of them, you often need to be standing right near the machine. People would see something going on. So that helps.
I think unfortunately, the public dialogue has been poisoned by this notion that any kind of flaw is proof of fraud, which is just absolutely false. I can’t say that enough.
What’s behind the misinformation?
WOLF: Somebody like Elon Musk is smart enough to know that there’s no evidence of this stuff, but he continues to push the conspiracy theories. What do we think is to be gained from undercutting people’s faith in the system?
COHEN: All the evidence to this point suggests that effort is almost entirely geared toward preemptively sowing doubt about the process itself, so that if Donald Trump or if Kamala Harris wanted, they could use that as the basis of post-election litigation.
Say they lose a key swing state, or any key swing states, because they all do use Dominion systems – it’s about creating a record that allows them to potentially file lawsuits to call the outcome of the election into question.
One of the vulnerabilities that is real but hasn’t actually been exploited in a previous election: there’s really no way to know. They don’t really need to prove that these vulnerabilities were manipulated or exploited. They just need to create enough doubt in the process to give a judge pause.
WOLF: At the end of the day, casting a ballot is an act of faith in the system.
2020 audits found nothing
COHEN: Think about the Maricopa audit after the 2020 election. That went on for months after January 6 (2021). That was funded by right-wing MAGA dark money groups with the intention of proving this theory that Trump actually won Arizona, and at the end of the day, Doug Logan and the Cyber Ninjas proved the opposite, that (Joe) Biden won.
LYNGAAS: It gets less attention that they found nothing and they validated the outcome.
On Musk, he has turned to this issue with all the platform that he has – hundreds of millions of followers on the platform that he owns, and it’s causing real problems for people who run elections and people who are trying to get the truth out.
Stephen Richer, the county recorder in Maricopa County, Arizona, has tried to tweet at Musk to try to just pierce, to put a little dent in the massive noise of conspiracies that (Musk is) putting out. Richer told CNN he has tried to get intermediaries to pass Musk notes about the integrity of elections, to no avail. No one’s been able to change Musk’s mind.
COHEN: You talk about something that’s changed since 2020. In 2020, we didn’t have the CEO and owner of one of the most used social media platforms pick a side and have a stated political agenda in what view he’s amplifying – not just through his own account, but through the algorithm of his platform. He’s on Team Trump, and so therefore everything that he is amplifying and pushing out there should be viewed within that context.
What needs to change?
WOLF: You said there are natural vulnerabilities for any system. What are the vulnerabilities that are making election officials nervous, or what are the ones that need to be addressed?
LYNGAAS: In an ideal world, there would be a robust pipeline of this, where we would be finding and fixing them. That’s still happening, but people are much more reluctant to talk about it publicly because of the way it gets distorted and weaponized.
The short answer to your question is: I don’t know of any glaring software vulnerability in election infrastructure that hasn’t been addressed.
COHEN: At the same time, though, we can’t ignore the reality that we’ve learned since 2020 that election officials themselves, even if it’s a very, very small percentage of them, are susceptible to the same misinformation / disinformation narratives as you and I are. It’s been proven out that some election officials will take it upon themselves to do things that they’re not supposed to do in the name of that disinformation.
LYNGAAS: Yeah, I think the biggest threat is an insider threat. When you have someone who wants to subvert the process, that’s a huge problem, and so you’re reliant on their colleagues speaking up. Or if it gets to criminal behavior, the FBI being aware of it and investigating it.
Everyone I talk to says the sentencing of Tina Peters to nine years in Colorado could be a huge deterrent. If you listen to the judge, it’s almost like he was talking to someone else when he was sentencing, that it was a message for anyone else who would do that, because that’s where the really serious harm comes in.
COHEN: We know people, these pro-Trump operatives and lawyers, have already gotten access to election software – voting software, voting systems in Georgia, copied the entire election database from several counties.
But at the end of the day, they’ve proven that the access itself can be used, regardless of whether they can prove it’s been exploited, to file this post-election litigation and basically try to cast the entire process into chaos. That’s the thing people need to be aware of.
The-CNN-Wire
™ & © 2024 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.
