There’s a room on the second floor of King County Elections headquarters that the priests of ancient Jerusalem might recognize.
Like the biblical Holy of Holies, this is a room that only a select few may enter; a room that symbolizes something important about the society that created it.
In our case, a casino-security company helped build it to house the computers that count our election results. (You can watch livestreams of the counting in action at King County Elections HQ here.)
We’ve heard a lot this election year about hacking. The federal government has formally accused Russia of cyber espionage aimed at influencing our votes. In September, KUOW reported that suspected Russian hackers had probed Washington State’s voter registration system in August, making us one of a large number of states to be targeted. And on Friday, NBC News reported on U.S. military warnings to the Kremlin that American hackers have penetrated critical Russian systems and will retaliate against any cyber attacks.
So how worried should we be that someone might hack the election?
Kim Wyman, Washington’s secretary of state and the official in charge of our voting systems, told KUOW that “we have a number of layers of security, both electronic and then some of them are physical. For example, all of the tabulation systems in each of the 39 counties are not connected to the Internet by design, they call it air-gapping.”
Air gapping is one of the most fundamental protections American election systems have in place. Keeping computers disconnected from the Internet makes them far harder to break into remotely, and most (if not all) election systems in the country follow this practice.
Prompted by KUOW’s reporting, Pierce County Auditor Julie Anderson says her office audited their system’s air gap, and implemented an undisclosed technical solution in order to “completely ensure no Internet access to the tabulation system could be made. The technical solution was implemented and is monitored.”
Air gapping is so important and so powerful a technique that many of the officials we spoke to for this story seemed perplexed as we kept asking them questions about security. If the computers aren’t connected to the Internet, how can they be hacked?
Although they’re extremely effective, air gaps aren’t perfect. In 2009, Iran’s highly guarded uranium enrichment facility at Natanz was the site of an attack by a computer worm called Stuxnet. The worm successfully jumped the air gap by hitching a ride on an ordinary thumb drive; once inside the plant, it wreaked havoc on hundreds of centrifuges.
Other documented instances of attacks jumping air gaps are rare, but real. And American election jurisdictions - several thousand across the country - almost all rely heavily on air gaps as a critical feature of their security against cyberattack.
One consequence is that some of the most basic security measures, like regularly installing patches and updates, don’t happen to the most important computers in American democracy.
It makes sense once you think about it. If you want to protect a computer, keep it off the Internet. But that means you can’t use the Internet for updates. And anything you plug into that computer might carry a virus.
The federal Election Assistance Commission is responsible for reviewing and certifying the software that our election tabulation machines use. But since it would take too long and be too difficult to certify every single update, tabulation machines can go years without installing any. In King County, the computers haven’t been updated since they were installed in 2009, and that’s common across the country.
The experts we talked to said that, since no system is perfect, the next-best thing is to be able to audit results after they’ve been counted. And this is an area where Washington’s system, which involves a physical paper ballot for nearly every voter, offers some reassurance to those concerned about hacking.
Kendall Hodson, King County Elections chief of staff, told KUOW that voting by mail gives Washington an important safeguard.
"If there was something wrong with [a] particular computer ... it's something where we would still have those original results and we'd be like this is not right. We need to fix that," he said. "So there is that kind of failsafe … of what the results are."
The experts we spoke to agreed that being able to fall back to hand-counting paper ballots provides a nearly ironclad guarantee of ultimate reliability. If something doesn’t look right in the eyes of the county official in charge, almost every vote exists on paper and can be recounted.
But there’s a catch: Washington’s laws may not go far enough.
While county officials have the ability to examine results that don’t look right to them, there’s no requirement that mail-in ballots in any particular race be audited. Other states, including Oregon and New Mexico, specify which races get spot-checked and generally require more extensive checks than Washington does.
Washington’s law calls for party observers in each county to collectively agree on at most one race to be audited, rather than automatically taking a look at every race. Stanford computer science professor David Dill, founder of the non-partisan VerifiedVoting.org, says that checking more races is important, for reasons that go beyond worries about cyber attacks.
Aside from hacking concerns, “[t]here can be other things that are off for various reasons, either software errors or configuration problems or human errors of various kinds that can and have been detected by these audits. So it’s like a quality-control measure, the same kind of thing that a good manufacturer would do, just to make sure the election results are accurate.”
The experts we spoke to emphasized that much of the debate about cyber security doesn’t reflect reality. Talk of “rigged elections” isn’t supported by the evidence they’ve reviewed over the years.
And yet, despite all the turmoil and politicized hysteria over whether the Russians will hack the election, Dill sees a silver lining.
“My hope is that some of the worries that have been raised in this election - both the legitimate ones and the ones that are less well-founded - will focus our attention on constructive measures to improve security.”