January 13, 2017

The Honorable Lindsey Graham

290 Russell Senate Office Building
Washington, DC 20510
(via email: mailto:Senator@lgraham.senate.gov)
Dear Senator Graham:
We enthusiastically support your dedicated leadership efforts to investigate the
cybersecurity vulnerabilities in our countrys 2016 election process. We are a group of
volunteer election systems technical experts and citizen advocates for secure and
transparent elections. The purpose of our letter is to encourage you to expand the
scope of your inquiries to include vulnerable elements of the election system that are
being overlooked in the public discussions.
There is a very common misunderstanding that voting systems are not vulnerable and
that it would be difficult to alter election outcomes. This meme has been repeated in
many public forums.
During the January 5 Armed Services Committee hearing on Russian hacking, we were
troubled to hear Mr. Clapper seem to affirm Senator Cottons statement that it would be
most difficult for anyone including nation states to affect ballot counts, and that there is
no evidence that vote tallies were manipulated or altered in any way. Such
unsupported claims have rapidly come to be much-repeated and exaggerated
assertions almost universally adopted by the media and government officials.
President-elect Trump tweeted Intelligence stated very strongly there was absolutely
no evidence that hacking affected the election results. Voting machines not touched!1
Speaker Ryan also appears to have similarly misinterpreted the findings, given his
statement, We must also be clear that there is no evidence that there was any
interference in the voting or balloting process.2 While we are aware of no evidence of
Russian hacking into the voting and tabulation systems, it is our strong belief that little
or no investigation has been conducted on the vulnerable components of the systems
that would justify such reassuring claims. Indeed, in fifteen states some of the
components of the voting systems lack the necessary evidence of voter intent to carry
out a legitimate audit.
The significant cybersecurity weaknesses in our election system are well known to
many computer security professionals as well as unfriendly nations and domestic
criminals. Yet federal, state, and private monitoring, analysis, and oversight to protect
the very foundation of our democracy is minimal. Even while the Department of
Homeland Security made its services available to election jurisdictions nationwide in the
pre-election period, to our knowledge they were not examining voting and vote tallying
systems for vulnerabilities, but rather scanning voter registration databases and
systems for breaches.

Unfortunately, the full scope of that threat to the election process is not well understood
by many decision-makers and their advisors. Contrary to the claims made during and
following the hearing, as citizen experts in election mechanics, we know that it is not at
all difficult to manipulate election results through cybersecurity intrusions.
We would be happy to brief you with the extensive research that has proven this fact.
Although there may be no evidence currently presented of manipulation of the 2016
election, we are confident in our view that no one has performed the required extensive
testing to provide such assurances. We write to implore you and the Committee to
increase the scope of your investigation to include such essential testing before drawing
conclusions. Both the Committee and the public deserve well-researched
documentation to confirm any conclusion of no manipulation of voter databases or
vote tallies.
The chronic vulnerabilities of the election system mechanics are misunderstood by
many government officials and media, some of whom have recently sought to calm
voters fears by inaccurately claiming that the voting machines and tabulators are
protected from cyberattacks because such machines are purportedly never connected
to the Internet. These claims, even repeated by EAC officials,3 are simply inaccurate.
An Internet connection is not necessary for malware to infect an entire countys
machinery, as was dramatically demonstrated by the Stuxnet virus. Additionally, many
components actually are connected to the Internet, sometimes in violation of state laws.
These and other inaccurate claims should be debunked in a Congressional investigation
of our election system cybersecurity risks, as we hope your Committee will undertake.
Former CIA Director James Woolsey recently commented on CNN about allegations of
Russian hacking: "Well, the degree to which they intervened in the process is something
we really need to get a handle on, but at this point, it doesn't look as if they were
interfering with the voting, and in so far as that's the case, it's a very different thing than
if they were hacking into the voting machines and by the way, they shouldn't be involved
period, but we have to make sure that two years from now and four years from
now we are protecting our voting machines and a lot of people and counties and
so forth have added essentially touch screens and you can't check up on hacking
with that. You gotta have some kind of a paper trail...." 4
We wholeheartedly agree with Mr. Woolseys views concerning the need for voting
system protection. Given the inherent risks, the 2016 election data must be promptly
studied by objective investigators and scientists under Congressional authority. We are
certain that alarming cybersecurity weaknesses will be exposed when the systems are
scrutinized by independent experts. In our view, a broad-based in-depth investigation
would demonstrate the urgent and compelling need for legislation providing both
resources and statutory requirements for enhanced election cybersecurity, whether
future threats emanate from foreign states or domestic criminals. We encourage you to
incorporate election system cybersecurity in the Committees investigation.

On January 6, DHS Secretary Johnson declared that he would designate election

systems as critical infrastructure. We urge the Committee to ensure that harmful
practices are not permitted to be built into that designation that would shield public
election system records from public scrutiny. It is essential that the public be able to
verify the proper operation of voting systems without engaging in FOIA challenges. It is
critical that the working policies in this designation provide clarity and transparency.
That goal is likely to require Congressional support and oversight.
We are eager to be of assistance. Some of us are computer security and voting
systems experts available to lend our expertise to this urgent mission. We can
recommend other nationally recognized scientists and experts to advise the technical
efforts of the Committee on these election system topics. We would be delighted to
meet with you or your staff in Washington or South Carolina to further outline our
perspective on the urgent need for these issues to be addressed as a national security
matter.
We have included an appendix that lists some of the critical components of our voting
systems, together in some cases with some high level recommendations for protecting
those systems from cyber-threats.
Thank you for your leadership and for your consideration of this critically important
matter.
Sincerely,
The Undersigned

Signatories
(Affiliations for informational purposes only)
Duncan Buell
Professor
Computer Science and Engineering
NCR Chair in Computer Science and Engineering
University of South Carolina
buell@acm.org
803.777.7848
JoAnne Day
Julie Hussey
League of Women Voters of South Carolina
POB 8453
Columbia, SC 29202
jvday@yahoo.com
copresident.lwvsc@gmail.com
803-251-2726
J. Alex Halderman
Professor
Electrical Engineering and Computer Science
University of Michigan
Ann Arbor MI
Eleanor Hare
Associate Professor Emerita of Computer Science
Clemson University
864.654.4417
eleanorhare@gmail.com
Frank Heindel
171 Hobcaw Drive
Mount Pleasant SC 29464
Candice Hoke
Co-Director, Center for Cybersecurity & Privacy Protection
Professor of Law
C|M Law, Cleveland State University
216.687.2313 office
216.798.4643 mobile
shoke@me.com
s.hoke@csuohio.edu

Joseph Kiniry
CEO and Chief Scientist, Free & Fair
Principal Investigator, Galois
kiniry@freeandfair.us
kiniry@galois.com
421 SW 6th Ave., Suite 300
Portland OR 97204-1622
Marilyn Marks
Executive Director, Rocky Mountain Foundation
Marilyn@AspenOffice.com
7035 Marching Duck Drive E504
Charlotte, NC 28210
704.552.1618
Neal McBurnett
Elections Integrity Consultant
Boulder CO
http://neal.mcburnett.org/
Stephanie Singer
Former Chair, Philadelphia County Board of Elections
Data Strategist
Portland, OR
sfsinger@campaignscientific.com
Jason Grant Smith
I Voted? Director/Producer
Jason@ivotedmovie.com
Philip B. Stark
Associate Dean, Mathematical and Physical Sciences
Professor, Department of Statistics
University of California
Berkeley, CA 94720-3860 | 510-394-5077
statistics.berkeley.edu/~stark |
@philipbstark

Dr. Daniel M. Zimmerman
Computer Scientist
Galois / Free & Fair
dmz@acm.org
503.808.7224

Appendix 1: Components and architectures at risk

We urge you to include the following components and architecture of the nations voting
systems in the scope of the Armed Services Committee investigation. Please consider
incorporating both domestic and foreign intruder-generated election system risks in the
scope of the committees or appropriate sub-committees investigation. End-to-end
election system framework should be assessed for vulnerabilities and included in riskmitigation efforts in resulting legislation. In addition, the Committee should address both
the threat of corruptionthe purposeful changing of resultsand the threat of
disruption, including the introduction of chaos and uncertainty into the election process,
that would create significant public distrust in the results of the election.
Cybersecurity threats can significantly undermine the election system through attacks
on any of the following components:
--electronic voting machines,
--on-line and electronic ballot marking devices,
--ballot scanning software,
--vote tabulation software,
--Internet voting applications,
--on-line voter registration applications,
--voter registration databases,
--on-line absentee ballot requests and issuance,
--voter information communications,
--electronic poll-book applications,
--confidential voter information files,--automatic signature verification equipment,
--results reporting applications, and
--post-election audit programs.
Our experts are prepared to provide extensive specific, technical information on how
these component weaknesses can be exploited.
Appendix 2: Analyzing vulnerabilities revealed by the 2016 election
Security risks have multiplied as computers have been integrated into all components of
the election system, although few resources have been devoted to system
modernization and security. From on-line voter registration and electronic poll-book
maintenance to computerized vote tabulation and results reporting, the opportunities for
electronic compromises of the system grow every year. The growing number of voters
permitted to vote via Internet poses an increasing cyber-threat.
We believe that significant federal resources and legislation will be required to
adequately mitigate material risks that will be exposed in an investigation by a
Congressional Committee. We would encourage such a committee to include the
following topics in its investigation and assessment of the 2016 election:

--detect attempts to access or compromise the voter registration system or database,

--detect attempts to access or compromise vote recording and tabulating system
components,
--information obtained by DHS after its offer to assist states in protecting voting
systems,5,6
--analysis of selected counties electronic voting system logs to review for unexpected
events,
--electronic audits7 of vote data in selected counties employing touchscreen technology,
--attempts to infiltrate voting system vendors information systems,8
--statically significant anomalies in under-votes, over-votes or results, and their likely
causes, and
--a post-election audit should be performed for the presidential contest in selected
counties. 9
Appendix 3: Suggestions for mitigating some of the cybersecurity threats.
We are confident that thoughtful, measured federal legislation can serve to mitigate
many of the cybersecurity risks to elections. Badly needed new equipment funding
could provide the mechanism for imposing security standards in federal elections for
states choosing to obtain grants for funding. Needed provisions include:
--providing funding for new election systems that meet specified security and voter
privacy requirements,
--requiring paper ballots and prohibiting touchscreen machines for federally-funded
equipment,10
--prohibiting Internet voting,11
--mandating post-election manual audits of results on new equipment,
--requiring anonymous/secret ballots,
--protecting private voter information,
--requiring fundamental transparency that would permit public verification of results
without formal recounts,
--providing funding for federal technical assistance and guidelines for election
cybersecurity reviews and risk assessment, and
--providing funding for cybersecurity safeguards of the voter registration system.
We recognize that any federal legislation must be crafted within Constitutional restraints
respecting the states responsibilities to conduct their elections.
Appendix 4: Additional resource references
Scores of articles have been recently published, highlighting the increasing national
security risks of cyberattacks on our election framework. We have included links to
several of the articles that you may find helpful in the end notes and references A-F
here.

A. Post-recount, experts say electronic voting remains shockingly

vulnerable
https://www.the-parallax.com/2016/12/30/electronic-voting-shockinglyvulnerable/
B. Recount 2016: An Uninvited Security Audit of the U.S. Presidential
(Talk by Dr. Alex Halderman and Matt Berhard on findings in 2016 presidential
recount efforts)
https://www.youtube.com/watch?v=PUUJqUXlEzg
C. Hacking a voting machine http://www.rawstory.com/2016/08/computerexpert-hacks-into-common-voting-machine-in-minutes-to-reveal-shocking-2016election-threat/
D. Politico: States unprepared for Election Day cyber attack
http://www.politico.com/story/2016/10/states-unprepared-for-election-day-cyberattack-230415
E. PBS Newshour: Heres how hackers might mess with electronic voting on
Election Day http://www.pbs.org/newshour/updates/heres-how-hackers-couldmess-with-electronic-voting/
F. Documentary: I Voted? http://www.ivotedmovie.com Executive produced by
Katie Couric, this non-partisan documentary examines the capture and counting
of ballots in American elections.

End notes:
1

https://twitter.com/realDonaldTrump/status/817701436096126977

http://www.speaker.gov/press-release/statement-ic-report-russian-hacking

C-Span-- Cybersecurity and Voting Machine Security (October 4, 2016)

(Dr. Alex Halderman)
https://www.c-span.org/video/?415879-4/washington-journal-j-alex-haldermancybersecurity-voting-machines
Timestamp 4:50-- inaccurate EAC statement re: protection of voting systems

Woolsey to CNN (12/30/16)

http://edition.cnn.com/TRANSCRIPTS/1612/30/cg.01.html [16:16:31]
5

ABC News: Nearly Every State Has Asked for Federal Help to Protect Voting
Systems From Hacks

http://abcnews.go.com/Politics/state-asked-federal-protect-voting-systemshacks/story?id=43197682
Yahoo News: Russian Hackers Targeted Nearly Half of States' Voter Registration
Systems, Successfully Infiltrated 4
https://gma.yahoo.com/russian-hackers-targeted-nearly-half-states-voter-registration113205790--abc-news-topstories.html
6

Auditing a DRE-based election in South Carolina

http://www.lwvsc.org/files/fiveauthor.pdf
8

CNN: Feds believe Russians hacked Florida election-systems vendor

http://www.cnn.com/2016/10/12/politics/florida-election-hack/
9

USAToday Column Rivest/Stark: Still Time for an Election Audit

http://www.usatoday.com/story/opinion/2016/11/18/election-audit-paper-machinescolumn/93803752/
10

James Woolsey to CNN on need for paper ballots:

Woolsey, Did they go further and use the computers to do something effective this last time
around? It looks like they may have tried but not succeed. And what we have to worry about is
what our weaknesses are in that dimension. So one of the things we've absolutely got to do is get
away from having a quarter of our voting machines be touch screen only and not have paper
backup. Those changes were made after the craziness of year 2000 and the change of some of
them were made in the wrong direction ...
Without a paper backup, you can't have a voting count that means a damn thing.
http://www.cnn.com/TRANSCRIPTS/1612/16/acd.01.html
10

Heritage Foundation--Hans von Spakovsky: Dangers of Internet Voting

http://www.heritage.org/research/reports/2015/07/the-dangers-of-internet-voting