Top U.S. cybersecurity expert on mail-in voting: "If you've got paper, you've got receipts"

Growing concerns about interference in U.S. elections

The world's top cybersecurity experts worry about how to protect election systems from hackers. But one thing they're not concerned about is mail-in ballots.

Mail-in and absentee voting systems are resilient and secure because they generate paper trails that can be audited, said Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). 

Mail-in and in-person voting both use similar methods to count votes, but not all electronic voting booths generate a paper backup for each vote. Each state is responsible for its own election process, said Krebs, which makes it hard for hackers to meddle with votes on a national level. Manual paper vote-counting can be time-consuming, but even if the tabulation process goes awry in some areas, paper ballots help auditors verify accurate results.

"If you're able to detect any sort of anomaly or something seems out of the ordinary, you want to be able to roll back the tape," Krebs told CNET. "And if you've got paper, you've got receipts. So you can build back up to what the accurate count is."

His office is coordinating with private cybersecurity researchers and state governments to identify and report digital vulnerabilities. CISA recently released guides designed to help states identify election vulnerabilities by partnering with both the federal government and election security experts in the private sector.

Krebs rolled out the election security plan in August at the annual Black Hat cybersecurity conference, which was held virtually.

"Disclosure is the key part in improving the cybersecurity of [election] services and systems," Krebs said. "Our goal is if [election officials] discover any sort of vulnerability or gap in the security posture, [they] have a process that you can work to close out that vulnerability." 

Other high-profile security researchers also affirmed the value of mail-in systems at Black Hat. In his virtual keynote address, Georgetown Law professor Matt Blaze said that while mail-in and absentee voting systems are not foolproof, the systems are reliable, widely available, and lack many of the risks that plague digital voting systems.

"[Absentee voting] is available everywhere and it's a fairly predictable, well-established concept in general," said Blaze. 

Blaze emphasized that every election can be exploited by bad actors, and that while mail-in voting is safe, it is also logistically challenging and would require states to scale up election infrastructure in a short period of time before the general election.

"I don't think I've ever encountered a problem that's harder than the security integrity of civil elections," said Blaze. "In fact, every current voting system that's been examined is terrible in some way and probably exploitable."

Jake Braun, a Black Hat presenter and the executive director of the University of Chicago's Cyber Policy Initiative, also spoke at the conference in support of mail-in voting.

"Beyond the obvious social distancing benefits of absentee voting in a COVID environment, absentee voting extends the amount of time people have to vote from a few hours on Election Day to weeks," Braun told CBS News. "It ensures voters avoid long lines caused by technical problems with touch-screen voting machines and electronic poll booths like we saw in Georgia and Wisconsin" during the primaries.  

Braun also expressed concern that state voting sites could be targeted with a variety of attacks, including ransomware designed to disrupt voting machines and state computers, and hacks that display false information like an incorrect election date on state websites.    

"Ransomware attacks on voter registration databases a week or two before the election would cause chaos tracking and counting absentee ballots," said Braun. "Attacks on official government election websites that alter information about voting procedures or even election results would also cause chaos."
