The 2020 presidential election is raising the question of why voting for U.S. elections isn’t held online…yet. “I can shop online. Why can’t I vote online?” “Why isn’t there an app that allows me to vote in my local congressional elections or even vote for president?” Voters will express their frustration with the time it takes to take off work or leave their family to drive, wait in line, and use seemingly, antiquated machines to cast their votes.

Even though 32 states permit various kinds of online voting for small subsets of voters, most are having shaky results. In 2018, Alaska shut down a Web portal it had been using to accept absentee ballots from overseas voters. The Democratic National Committee made a similar judgment call in 2019 to stop efforts towards remote caucusing in Iowa and Nevada due to election security concerns.

Other states, like West Virginia and counties in Utah, Oregon, and Colorado, are attempting to implement a new Internet voting app to allow overseas and military voters to cast votes using their smartphones. These systems are professed to be more secure because of blockchain technology, they have not been tested rigorously by any federal certification program, and many cybersecurity experts are, formally, expressing urgent concerns due to the election security risks that come with platforms like these.

While the main perceived benefit to online voting is increasing voter participation (among other benefits), cybersecurity risks, still, far outweigh those benefits. And, the risks to the security of our elections are significant enough that they make online voting unfeasible.

Here are eight cybersecurity reasons why the election security may be too significant to make online voting a reality:

Reason 1: Election security cannot be guaranteed

This reason, essentially, summarizes the next seven points. It’s safe to bet that quite a few the readers of this article have had their credit card hacked while shopping online or know someone who has.

According to Aviel Rubin, technical director of Johns Hopkins University’s Information Security Institute, online voting isn’t possible yet. There would be far too many vulnerable points in the voting chain – the application itself, the operating system on your phone, and the servers your data will travel along to their final destination for tabulation.

Reason 2: Internet voting increases cybersecurity risk

National voting via the Internet expands the opportunity for an attacker to engage in damaging disruption and denial-of-service attacks. These would aim at disabling the system, prohibiting voters from casting ballots, and undermining voter trust in the election – all major election security risks.

Reason 3: No computer or system is 100% “unhackable”

The complexity of the systems, computers, and applications that would be required for online voting contain bugs and errors that can be leveraged. This complexity and need for corresponding cybersecurity protection are growing faster than the methods to keep up with them.

Reason 4: Election hacking may go undetected

Cybersecurity experts can, eventually, detect e–commerce errors and fraud. Practices like transaction receipts, double–entry bookkeeping, and financial audit records are maintained for every transaction. The ability to track and audit online elections would be exceeding difficult without an auditable information trail that couldn’t be falsely manipulated.

Therefore, we may never be able to detect online election fraud or its source accurately.

Reason 5: Identity verification may be impossible

Reason number five and six go hand-in-hand. To have proper election security, we would require an impenetrable identity verification system.

The U.S. does not have a federalized election infrastructure. That means states and localities have the freedom to oversee voting how they see fit, with little oversight from the federal government. Plus, unlike countries who have embarked on online voting like Estonia, the U.S. does not issue national identity cards with embedded private keys. Additionally, U.S. computers and mobile devices are not equipped with devices to read these cards securely.

Reason 6: U.S. elections prioritize anonymity

National elections are still anonymous, and many state elections are as well. Many U.S. citizens believe that voting should remain a private process. Online voting could enable voter surveillance, and votes would require archival, also, making them more vulnerable to hacking.

Reason 7: Online voting is potentially easier to attack than online shopping

Online shopping and banking aren’t secure, either. Cyberattacks are reported to occur, globally, every 39 seconds. Companies bear the burden of millions of dollars in losses as a cost of doing online business. One report found that almost 90 percent of login attempts made on online retailers’ websites were hackers using stolen data.

DDoS attacks can prevent users from accessing the online voting platform. These attacks on US elections could easily target a state or political party, including device malware attacks and server penetration attacks.

Reason 8: The cost of setting up, maintaining, and securing online elections may outweigh benefits

Estimated cost reduction, many times, don’t adequately assess the cost to try and mitigate the election security risks with an online voting system. The benefits of such a system would need to be higher than these risks and costs.

At this point in our cybersecurity and technology evolution, the U.S. cannot adequately ensure the accuracy, anonymity, security, and validity of an election held online. Issues abound like server penetration attacks, client-device malware, denial-of-service attacks that would threaten election results, as well as voter systems, devices, and identities.

What do you think about online voting and cybersecurity risks? Tweet to us @CyLumena.

While some organizations will see this cybersecurity checklist as basic, these are the fundamentals where many executives don’t have adequate knowledge or oversight. Addressing them can eliminate cybersecurity blind spots and highlight your systemic risk sources.

An executive’s first duty is to the health and growth of the organization. Today, we would posit that protecting the organization from threats should be obligation number one.

Contact Us

Insight Contributor:

Luke Wawrzeniak, Manager

Luke Wawrzeniak is a cybersecurity consulting professional with extensive experience in the development and implementation of governance, risk, and compliance management strategies and project execution.

He has helped several clients mitigate regulatory and audit findings by achieving compliance with the following frameworks: NIST, ISO 27001, HIPAA, PCI, SOC2, and HITRUST CSF. Luke is also well-versed in Lean Six Sigma best practices and their application to drive process improvement through the use of data analytics.