IRA FLATOW: This is Science Friday. I’m Ira Flatow. There is less than a month until the midterm elections on November 6. And there’s a lot of talk about hacking and voter security. The federal government has said, hackers targeted the election systems of 21 states before the 2016 presidential election. But reportedly, no information was changed or manipulated.

Yet for the second year in a row, the Def Con Underground Hacking Conference, well it showed how hackers could break into voting machines. So what are the real risks to our voting infrastructure? And how can we secure these systems? How does all of this affect voting behavior?

And our question for you listeners is, what is your top concern about voting security heading into the midterm elections? We want to hear from you. Give us a call. Our number, 844-724-8255, 844-SCI-TALK. You can also tweet us @scifri. What concerns you most about voting security heading into these midterms?

Let me bring on my guest. Lawrence Norton is a deputy director of the Brennan Center Democracy Program at New York University. Welcome to Science Friday.

LAWRENCE NORTON: Thanks, Ira.

IRA FLATOW: You’re welcome. Charles Stewart III is a professor of political science and the founding director of the Election Data and Science Lab at MIT. Welcome to Science Friday.

CHARLES STEWART III: Hi. Glad to be here.

IRA FLATOW: And it’s nice to have you. Larry, I mentioned the Russians hacking during the last presidential election. What areas were the Russians or were the hackers compromising and what were they trying to do there?

LAWRENCE NORTON: I’m not sure that we know entirely what they were trying to do. First of all, I think it’s really important when we’re talking about– there’s a lot of conversation about Russian interference in the election in 2016. There are a couple of things that we’re talking about when we mention that. One is attacks on the election infrastructure. But there’s also the kind of purges of political ads, social media propaganda, and attack on campaigns and their emails. Those are two separate things.

If we’re focusing on the election infrastructure itself, we saw them targeting voter registration databases. Again, not entirely clear what they were trying to do there. And of course, voter registration databases are the roles that have the names of people and says whether or not they’re eligible to vote, where they live, where they can vote.

And there were phishing attacks against election officials. We know that it looks like at least one election systems vendor which manufactures epoll books was attacked. But I think we don’t know exactly what was going on, unclear. Just that there was certainly a lot of looking around on their part.

IRA FLATOW: What was that– is that the vendor company that was putting PC anywhere on the machines as maintenance but the software wasn’t taken off? Is that what you’re talking about in that case? Or is it something different?

LAWRENCE NORTON: No. No. What I’m talking about is there is a company VR Systems– actually I think they may still not have confirmed whether or not they are– there certainly was an attempt to hack them. And again, they manufacture epoll books and deal with registration databases. Electronic poll books are what are used. They’re often tablets or computers that are used to check people in.

And as I said, last I checked, I think they may have denied that they were actually successfully breached. But at least in one of the Mueller indictments, there was an indication that there was some vendor, and it sounded like them, that was actually breached.

IRA FLATOW: Charles Stewart, we were talking about these kind of hacks. But how else could a voting machine be compromised?

CHARLES STEWART III: Well, that’s actually quite a controversial question. You mentioned– well, so let’s start off by making distinctions. And Larry really helped in making the distinctions among the Russians, what they were doing in various ways perhaps to influence the elections ranging from affecting the campaigns to maybe affecting the infrastructures.

I think if we’re asking about what can be done to hack into machines and systems, and the first distinction we would make is between the voter registration systems which Larry was just talking a bit about, you alluded to, with the 21 states that got attacked, the voter registration systems. And then there are the voting machines themselves which can either be electronic voting machines that are used in several states or potentially the scanners that are used to scan paper ballots.

And if we’re thinking about the voting machines themselves, either the electronic ones or the scanners, that’s actually the answer to that question is actually quite controversial. You made a reference to the Def Con activities. And so what we do know is that if you have access to a voting machine and especially if you have access for a long, long time and the vulnerabilities are well known, that a decently competent computer science student can open up the machine and do things to it.

What election officials will say is that first of all, in general, the machines that have been broken into in Def Con either have been retired or are in the process of being retired. And then secondly, that the types of attacks that have been demonstrated to be successful against these machines require such a degree of direct access that in order to have actually an effective attack on them, you would need some sort of inside job that would require a lot of attention to particular machines and would be easily detected.

But I mean, I think that’s where the controversy is. It’s my sense that the computer science community thinks it’s easier to actually affect this type of brute force attack against the guts of the voting machines than the election officials do.

IRA FLATOW: Are they right?

CHARLES STEWART III: Well, I mean, I tend to kind of, if I have to go with one side or the other, I tend to– my take on it is I’ve learned a lot from Def Con about what the vulnerabilities are. I think that the election officials are aware of those vulnerabilities and are taking steps to try to deal with them. I think the important thing, nonetheless, is that the election officials that are using electronic machines, especially the ones that don’t have any sort of paper record of the election,

I mean, they’re in a position where they have to say, well, you know, given everything we do to try to protect the machines physically we’re confident that they’re not being attacked. And we’re confident because of the logic and accuracy testing we’re doing that there weren’t mistakes made. But a skeptic can, I think rightfully– so even if you think the election officials have done everything they could, I think there is still room for a skeptic to say, yeah, but wouldn’t it be great if one could independently verify that the machines weren’t monkeyed with and there weren’t mistakes in the programming.

So I tend to fall on the side of thinking that the machines, right now for 2018, are well taken care of and are highly unlikely to be subject to the sorts of attacks that we see at Def Con. But it would be good for the states to move in directions to make it easier to demonstrate to skeptics that that was true.

LAWRENCE NORTON: Ira, if I could just jump in real quick on that point.

IRA FLATOW: Sure, please.

LAWRENCE NORTON: I think to build on what Charles just said, I do have a concern. I’m not sure that I really buy the argument because these machines are generally not connected to the internet that we don’t have to worry about problems with them and potentially somebody reaching them in various ways. But more importantly, there’s a lot of the election infrastructure, of course, that is connected to the internet.

And an example of that– an obvious example is election night reporting which comes out and that’s how we get the unofficial results, although we don’t call them that, on election night very quickly. That comes up on websites and gets reported out. And we have seen, in fact, not in the United States that I know of but in other countries election night reporting attacked.

And if you get incorrect numbers there, in the environment that we have today, the hyperpartisan environment where there is a lot of false information put out on social media. I was talking earlier about that level of interference from the Russians in the 2016 election casting doubts on election outcomes. If you don’t have, as we don’t in 13 states, at least in some polling places in 13 states, a paper backup that you can go back to afterwards and say, yeah, maybe there’s been doubt cast on these elections but we can go back and we have something that’s independent of the software to tell us the results, I think that’s very dangerous. And I am hopeful that in the 13 states where we still have these paperless systems that we’ll be replacing them before the 2020 election.

IRA FLATOW: Yeah. You know, because in the last few weeks ago, when I voted in my primary, half the machines were down. The voting machines were down. But I was voting on an electronic paper ballot and they just collected all the ballots and said, we’ll run them through the machines when we get them fixed. So they had that very important paper trail to fall back on.

LAWRENCE NORTON: That’s a huge important point to make. Obviously there are only about 25 days until the election so we’re not going to be doing any massive revamping of our election infrastructure. In fact, people are, as you point out, people are already voting. But making sure that we have redundancies in place so that people can still vote and that if there are problems we figure out a way to count those ballots is really important.

And in some states, there are no paper ballots. In parts of 23 states I believe, there are no paper ballots. People are voting directly onto electronic machines. And it’s really important in those states for them to have emergency paper ballots that they can break out if machines go down. And I would say they should have two to three hours worth on election day.

CHARLES STEWART III: And if I could just pipe in here, I think that there’s a big general point to what Larry is saying. And it’s a point that’s being made a lot these days in the election space is that there’s been a lot of focus on how do we secure the various election systems, whether it be the machines or the voting registration systems.

There’s also the matter of building resilience into the system. Because we know that at some time amd some place, things will either break down like you experienced or there’ll be mistakes or there will in fact be attacks. And so then the question is, what is the backup and what is the backup plan. In the case of if you have paper ballots, although you might have electronic ballot marking devices, that’s a backup. If the voter registration system is down, if you’re prepared with enough provisional ballots, or even a paper backup of an electronic voting system then you can move ahead.

And those are the sorts of things where when I look at state and local officials, you know, that’s what I want to know about is what sort of resilience and emergency planning is going into the operation just as much as I’m interested in, well, you know, do you have this sensor on your servers. Do you have this sort of two factor authentication on your email, et cetera.

IRA FLATOW: Lawrence, is the Brennan Center more concerned about the voting system or the possible suppression of the voting registration of candidates?

LAWRENCE NORTON: Yeah. I mean, we’re concerned about both for sure. And I think both of them contribute to cynicism about the process, to concern about the process. I do think, you know, we’ve seen an unusual number of voter purges in the last couple of years since the Shelby decision that struck down an important part of the Voting Rights Act in states that were covered before and that had to get pre-clearance for doing things like purging voters. We’ve seen a massive increase in states like Georgia and Texas and Florida and North Carolina.

And, you know, I think when people see that, people that legitimately should be entitled to vote and show up at the polls and told they’re not on the roles for whatever reason– and it could be because there were mistakes, programming errors, or it could be because they were improperly purged– that creates a lot of doubt in the integrity of the system.

One thing that I would say to everybody in the run up to the election is they should be checking their voter registration. That’s an easy thing to do online.

IRA FLATOW: Even if they think they are registered, they may not be.

LAWRENCE NORTON: Yes. Absolutely. And in fact, that can be an early warning sign for election officials that, hey, maybe I need to figure out what’s going on here. Maybe there’s a problem. So I think that’s really important to do for the voter because it’ll also remind them of where they should be going to vote. And they can feel confident about when they show up on election day. But I think it’s also important for the system generally.

IRA FLATOW: I’m Ira Flatow. This is Science Friday from WNYC Studios. Charles, you looked at how the public sentiment towards election security, what it feels, if they think our voting systems are secure. Do they?

CHARLES STEWART III: Well, actually, they do for the most part. I did a survey just over the weekend on last weekend which replicated something I did in May. And I asked a representative sample of voters, potential voters, whether they’re confident at least that their own county or locality is prepared for this November in terms of computer hacking. And about 60% or so of the respondents said that they were at least somewhat confident in what was likely to happen in November with, not surprisingly maybe, Republicans being a bit more confident than Democrats.

And that partisan divide, by the way, is one of the reasons why I always kind of put an asterisk on any public opinion research being done on public attitudes about confidence in voting, whether it be in cybersecurity or just the vote count in general and that these days, everything is partisan. And you know, voters’ expectations about what’s going to happen in November and whether we’re prepared on the cyber security side is as likely to be determined by their partisanship as attitudes about almost any other issue.

IRA FLATOW: Is voting security a politically partisan issue?

CHARLES STEWART III: A little bit. I mean, it’s surprisingly nonpartisan in the sense that, I mean, there are Democrat and Republican differences on the cybersecurity front. But they are the sort that a political scientist would write home about. But maybe everybody else would yawn at when you compare it to attitudes about abortion or health care, for instance.

But when you look at other survey research that I’ve done, Democrats, for instance, are more likely to be concerned about foreign attacks, foreign influence on elections. Republicans are more likely to be concerned about internal cybersecurity problems, which is I think consistent with Republican concerns in general about fraud and other things that happen domestically.

So there are those kind of differences that are reflective of the 2016 election. But nonetheless, Republicans and Democrats alike are both concerned about cybersecurity in elections. And both of them on the whole are confident that their local officials are doing the right thing.

IRA FLATOW: All right. Very interesting topic. We’ll have to take it up more and maybe even before the weeks before the elections and get an analysis when the elections are over. I want to thank both my guests Lawrence Norton, deputy director of the Brennan Center Democracy Program at New York University. Charles Stewart III, professor of political science, founding director of the Election Data and Science Lab at MIT. Thank you both for taking time to be with us.

We’re going to take a break and come back and have a progress report on how the world is doing with curbing carbon emissions, a new IPCC report. Stay with us. We’ll be right back after this break.

Copyright © 2018 Science Friday Initiative. All rights reserved. Science Friday transcripts are produced on a tight deadline by 3Play Media. Fidelity to the original aired/published audio or video file might vary, and text might be updated or amended in the future. For the authoritative record of Science Friday’s programming, please visit the original aired/published recording. For terms of use and more information, visit our policies pages at http://www.sciencefriday.com/about/policies/