This story is part of Elections 2020, CNET’s coverage of the voting in November and its aftermath.
For years, the security researchers behind Defcon’s Voting Machine Hacking Village have been trying to draw lawmakers’ attention to vulnerabilities in outdated election infrastructure. Hackers regularly showed how easy it was to change ballots with full access to voting machines, warning that these security vulnerabilities could shake confidence in elections if there are no paper backups.
Three years after it kicked off at the hacking conference in Las Vegas, the group finally got the attention of the highest office in the US. It only took losing the 2020 election by an estimated 5 million votes for President Donald Trump to get there.
On Nov. 14, Trump tweeted an NBC News segment from the hacking village in 2019 without any context — only showing the parts where hackers were able to break into voting machines from Dominion Voting Systems.
On Monday, he followed up and wrote, “Dominion is running our Election. Rigged!”
Trump’s claims come from a series of false conspiracy theories about the voting machines switching votes to advantage President-elect Joe Biden, part of a broader push by Trump to undermine confidence in the election system and its results. They come after the Cybersecurity and Infrastructure Security Agency, the National Association of Secretaries of State, the National Association of State Election Directors and members of the Election Infrastructure Sector Coordinating Council filed a joint statement calling 2020’s election the “most secure in American history.”
“When states have close elections, many will recount ballots. All of the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary,” the joint statement said. “There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
Several election officials have debunked the Dominion claims, including Michigan’s secretary of state, Jocelyn Benson, who released a statement noting that though one county’s machines had flaws because of human mistakes, the problem was quickly fixed and wouldn’t have affected the election’s outcome.
Dominion Voting Systems has also rebuked Trump’s claims, with a Setting the Record Straight page pointing out that the votes its machines tallied are completely auditable.
“No credible reports or evidence of any software issues exist,” Dominion Voting Systems said in its statement. “Human errors related to reporting tabulated results have arisen in a few counties, including some using Dominion equipment, but appropriate procedural actions were made by the county to address these errors prior to the canvass process.”
On Monday, a group of 59 election security experts signed a letter saying they’ve found no credible evidence of computer fraud with the 2020 election’s outcome, calling claims of a “rigged” election “simply speculation.”
The researchers, including Defcon Voting Machine Hacking Village co-founders Harri Hursti, Matt Blaze and Maggie MacAlpine, point out that the existence of vulnerabilities doesn’t mean an attack happened or altered the election’s outcome.
“In every case of which we are aware, these claims either have been unsubstantiated or are technically incoherent,” the letter said. “To our collective knowledge, no credible evidence has been put forth that supports a conclusion that the 2020 election outcome in any state has been altered through technical compromise.”
The election officials are confident in the security and results of the election because of paper audits of the votes. Though votes could be digitally altered if a hacker had full access to the machines, the paper ballots themselves would be much more difficult to change.
The Voting Machine Hacking Village at Defcon has helped point out the many flaws with trusting technology completely, and its organizers have called on Congress for years to pass legislation that would improve this paper trail.
Trump had never tweeted about Dominion’s voting machines or the flaws with voting technology until after he lost the election. Lawmakers gave Trump plenty of opportunities to improve election security during his presidency.
In 2018, Sen. Ron Wyden, a Democrat from Oregon who’s also on the Senate intelligence committee, proposed an election security bill that would require paper ballots. It was blocked by Senate Majority Leader Mitch McConnell, who later supported a $250 million election security funding bill that didn’t mandate paper ballots.
“Donald Trump is grasping for any possible excuse to avoid admitting he lost the election,” Wyden said. “If Trump really cared about securing our elections, he would have embraced paper ballots and voting by mail, instead of spending months lying to the American people about them. I wrote, and the House passed, the toughest election security bill ever produced, which Mitch McConnell killed when it reached the Senate, and Trump didn’t lift a finger to save it.”
When Defcon first started looking at election infrastructure, in 2017, election officials and voting machine makers weren’t quick to embrace the approach. Voting machine manufacturers historically closed off access to their hardware, preventing security researchers from being able to test it for flaws.
The National Association of Secretaries of State also criticized how the village operated, noting that the researchers have unlimited access to voting machines, unlike during an actual election where poll workers would be watching for tampering and paper audits would detect abnormalities.
But the village offered important insight on switching to paper ballots. Virginia’s election officials changed the state’s systems to paper ballots in 2017 after hackers from Defcon demonstrated flaws with machines used in the state.
The village has also led the voting machine manufacturers to change their attitudes toward security researchers. Dominion Voting Systems established its own vulnerability disclosure policy in 2019, allowing, for the first time, security researchers to tamper with its machines and report flaws.
At the Black Hat hacker conference in August, Election Systems & Software, the largest maker of voting machines in the US, also announced its own vulnerability disclosure policy.
In October, Iowa’s election officials launched the state’s own vulnerability disclosure policy through Bugcrowd, a bug bounty platform that lets hackers get paid for finding security flaws. Casey Ellis, Bugcrowd’s founder, said these programs served as “neighborhood watch for voting technology” and created transparency with election technology issues.
The same way that an unlocked door doesn’t mean you’ve been robbed, vulnerabilities in software don’t mean votes have been hacked. The point of vulnerability disclosure programs is to let companies fix these issues and use secure measures such as paper audits.
“Election security experts are in an excellent position to explain that there is a very big difference between a vulnerability in an individual system, and vulnerabilities being covertly exploited at scale in order to rig an election,” Ellis said. “It’s easy for the public to see footage of voting machines being torn apart and draw equivalency with the integrity of the election itself. This isn’t the case, and we’re the ones who are in the most objective position to explain this.”