Updated with correction: The Election Assistance Commission handles voting-machine certification, not the Federal Election Commission.
WASHINGTON, D.C. -- Voting machines are the last thing you have to worry about getting hacked during this year's election cycle. So said a group of voting-security experts during a panel discussion at the ShmooCon hacker conference here this past weekend.
But, they added, you still have plenty of reason to worry.
Voting-machine security, while not great, is better than it used to be. What hasn't been fixed is everything else in the huge, complicated American electoral system: state lists of voters, communications between polling places and vote-tabulation centers, voter-registration systems, the websites, email systems and databases used by political parties and campaigns, and even our social-media platforms.
"You can hack into the feeds from the polling places on Election Night," said Casey Ellis, who founded and serves as the CTO of Bugcrowd, a crowdsourced security platform. "You can alter the rolls of registered voters."
"If I were an attacker, I would DDoS the election systems a week before the election," to take the systems offline by overwhelming them with bogus requests for data, said Tod Beardsley, director of security research with Boston security firm Rapid7. "It would take some time to recover from that."
"In 2016, the Russians were targeting voter infrastructure, targeting political campaigns, targeting parties," said Jack Cable, a Stanford sophomore who's already a renowned white-hat hacker.
"The DNC hack had real impact," Cable added. "They also targeted voters over social media. In 2016, the infrastructure hack didn't have much impact, but that might not be true this year. Overall, it weakened our confidence in the electoral system."
The Russians (and others that might join in) don't even need to guarantee that one candidate wins over another, the experts said. They just need to make Americans think that the vote was hacked, even if it wasn't.
"We run the real risk of making people think their votes won't count," said Kimber Dowsett, director of security engineering at San Francisco security firm TrussWorks.
Not one election system, but hundreds
One of the big problems, the panelists agreed, is that the U.S. electoral system is huge, disorganized and decentralized.
"Each state handles their own voter registration, has their own system," said Dowsett. "It's not consistent across states, or even across counties."
"The only thing that's regulated by the FEC [Federal Election Commission] are the voting machines themselves," pointed out panel moderator Amelie Koran, senior technology advocate at data-search software maker Splunk. (Koran reached out to Tom's Guide after this story was published to clarify that it's actually the Election Assistance Commission, a different federal agency, that does this.)
The EAC does certify voting machines as being safe to use, but otherwise, the old adage still holds: We don't hold national elections, even in a presidential election year. Instead, we hold 51 separate state elections, including in the District of Columbia.
The states run different voting and tabulation equipment and software, have different methods of accountability if something goes wrong, have different standards of judging whether something went wrong, and set their own rules for who can vote in party primaries and in general elections.
"The Feds don't supervise elections," said Ellis. "States do, and they don't like being told what to do by the feds."
As for elections themselves, the storage, maintenance, delivery, installation and removal of the voting machines is often handled by counties or municipalities, as are the running of polling places on primary and election days.
The voting machines have largely been assessed, but we really don't know how many security vulnerabilities exist in all the back-end systems.
Who do you call if something's wrong with an election system?
Since this discussion was at a hacker conference, moderator Amelie Koran asked the experts what kind of action they would recommend to someone who found a security vulnerability in an election-related computer system.
Many state and local election organization might not have contact information listed, or might not know where to pass your report up the chain.
"Lots of election systems don't provide any way of reporting vulnerabilities, especially at the local level," said Dowsett.
Cable related how, a few years ago, he had found a SQL-injection vulnerability -- a fairly basic flaw in a web-facing database -- in a voter-registration website.
"I didn't know who to reach out to," Cable said. Even after he did, he said, "it took about six months to get it fixed."
Fortunately, there's now a way to take your concerns to the very top if you find such a flaw.
"If you happen to find vulnerabilities, don't be frustrated. Reach out to CISA," Beardsley said, referring to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. "They're very researcher-forward and are more than willing to help."
Things are also improving at the state level, the panelists said, even if the improvement is piecemeal.
"Colorado is instituting a vulnerability-disclosure process, and other states are moving toward that," said Cable. Beardsley added that Illinois was making improvements along the same lines.
"Colorado I like because they do mail-in ballots," said Dowsett. "On the flip side, West Virginia is experimenting with blockchain," she added, drawing a big laugh from the crowd.
What can you do to protect the election?
So, asked Koran, what can hackers -- or anyone -- do to combat disinformation and make sure the vote is free, fair and valid?
"The best way is to go out and vote," said Ellis. "I actually kind of favor turning up the stupid [on disinformation] so that the frog will jump out of the pot and people will recognize disinformation for what it is."
"Go vote," said Dowsett, but she had a special message for voting-security experts. "When you talk to reporters, don't just emphasize the bad stuff. You don't want to deter folks from voting."
Dowsett and Beardsley both recommended volunteering as a poll worker on Election Day.
"I am a poll volunteer in my local community," said Beardsley. "It's a 16-hour day, but it's a lot of fun. I love talking to people about voter security while they're standing in line to vote."
Still, despite that positive note, the panelists were still worried about the worst thing that could happen: The perception of a rigged or invalid vote, and candidates who refuse to concede an election loss because of it.
"The purpose of elections is to convince losers that they lost," said Beardsley. "Yet we're announcing winners and losers on Election Night, weeks before the vote is certified. I hope that the losers of the upcoming primaries and elections act gracefully and take the loss."
As Matt Blaze, an election-security expert who wasn't on this panel, said at a different ShmooCon panel this past weekend: "There's an election coming up in this country, and I'm trying to make sure it's not the last one."