Editor’s note: This commentary is by John Odum, who is the elected city clerk of Montpelier and a certified ethical hacker.
On Dec. 3, I was privileged to attend a roundtable discussion with other election professionals at every level, along with representatives from Homeland Security and the intelligence community and an assortment of businesses and nonprofits that engage with elections. The topic was (of course) election cybersecurity – both a reflection on the recent general election as well as a look forward to 2020.
Without going into detail, it was illuminating and encouraging to hear that so many serious strategies to plug some of the biggest vulnerabilities are already underway in states across the country, and that securing our elections long ago left the “serious conversation” phase and has moved well into real action.
One of the themes that did come up repeatedly was communication, specifically, how election officials can communicate with citizens honestly and openly unduly scaring folks. It’s a real concern because cybersecurity, information systems, and computer technology in general are still mysterious or unfathomable things to many – and most people tend to have an instinctive fear (or at least mistrust) of what they don’t understand. That potentially makes the discussion of these issues in many contexts a bit of a minefield.
Let’s just dive right into the big question, then – do we need to be concerned? I’m fortunate to be in a unique position to approach these issues. As a certified municipal clerk, I am an election administrator. As a certified ethical hacker, I understand the threats in a hands-on way. So what’s the answer to this question that I give to my own constituents?
Well, yes and no.
Or perhaps it’s more accurate to respond, yes worry – but no, there’s no need to panic.
Here is the fact; no system is unhackable (although in fairness, systems like Vermont’s are probably about as close as you can expect to get). What this means is that eventually someone, somewhere is going to hack an election and interfere with voter rolls or with election night preliminary results reporting. Sure, that someone could be a person aligned with a foreign government, but it’s just as likely to be someone of the classic teenager-in-the-basement stereotype. That’s the bad news.
VTDigger is underwritten by:
Now for the good news.
The good news is that, in the final analysis, it doesn’t have to matter. The truth is if we’re doing everything right – everything we should be doing – it won’t make a whit of difference when the dust settles.
We all remember those cases where final election results were put on hold because boxes of absentee ballots had been misplaced and the like. It’s not even ancient history. When this kind of issue cropped up, the back-up procedures designed to make the election system fault tolerant kicked in. It could create delays before final election certification of weeks, sometimes even months — but when the process ran its course, we could always feel confident in the final results.
If we similarly have the proper fault tolerance procedures in place, this is exactly how election hacks will go. You could even say that it will be the lost-ballots paradigm of the 21st century, as – again – it’s going to happen eventually.
But again, in the end, it simply doesn’t have to matter if we don’t let it.
Although there is always room for improvement, in Vermont we have those fallback systems in place. A hardened elections website and network, good logon security, good public policy (such as Election Day registration) and – perhaps most importantly – that ballot paper trail. These are the systems that can (and will) enable us to tolerate such mischief and be sure that, at the end of the day, the correct results to any election are known, finalized, and that the infrastructure of our very democracy is proven resilient.