When Richard DeMillo first began his career in computer science in the 1970s, the concept of cybersecurity did not exist. Fast forward to today and you will find him, along with other top computer scientists across the U.S., fighting to counteract cyberattacks that threaten the country’s democracy. As demonstrated all too clearly in the last two federal elections, electronic voting systems are vulnerable to hacking and pose a serious threat to the integrity of the U.S. electoral system.
DeMillo specializes in evaluating existing voting technologies for vulnerabilities, as well as evaluating security measures that could help make elections more secure. For example, he recently assessed whether an approach by voters to confirm their electronic votes could be successful (it’s not). For DeMillo, these issues cut close to home. As a cybersecurity researcher and Distinguished Professor of Computing at the Georgia Institute of Technology, he resides in a state that’s widely considered by experts to have the most outdated and vulnerable electronic voting infrastructure. When electronic voting systems first became an option in the early 2000s, Georgia was among the first states to adopt the technology – an action with severe repercussions that persist today.
“The technology was not ready and it had not been evaluated from the point of view of election security. It was different place and time – the Internet was not as ubiquitous as it is today, so the idea that someone from Russia or somewhere else could infiltrate our election system wasn’t well understood,” explains DeMillo. “So since the first voting machines first came live 2003, there has been a consistent push on the part of – at first a small group and then a growing group – of scientists and activists to at least confront the weaknesses of the election system.”
In 2002, he left his position as Chief Technology Officer for Hewlett-Packard and became the Dean of Computing at Georgia Tech. While holding this position, he was asked to help conduct a confidential assessment of the vulnerabilities of Georgia’s voting infrastructure; that assessment revealed many human-associated weaknesses related to poor training and management practices. DeMillo says that when he and his colleagues sought to assess the voting machines, they were directed by the Secretary of State to stop, as well as redact any references to the machines in the original report.
After that, DeMillo continued his research on cybersecurity and in 2004 was honored as an AAAS Fellow. His focus on election infrastructure fell dormant – until the 2016 federal election. As it happens, one of the voting tech centers he was asked to stop investigating back in the early 2000s, at Kennesaw State University, was hacked during the 2016 election.
Unfortunately, the hacking at this tech center was just one example. Numerous reports show that Russians hackers succeeded in infiltrating voting infrastructure across the United States during that election, as well as the 2018 mid-term election. Although reports suggest that no votes were directly changed, the hackers very well could have altered voting records if they chose to, a concern that remains widely unaddressed as the 2020 election approaches.
DeMillo says the solution is to forgo the use of all machines for voting, with the exception of votes from people with disabilities who require the technology. “The root of the problem is inserting computers where they are not needed into a process that’s extraordinarily difficult to manage. So the solution is to get as many computers out of the election process as you can,” he emphasizes. “In the U.S.’s case, that means moving from ballot machines to hand marked paper ballots.”
Along with a handful of other cybersecurity experts, DeMillo has been working hard to convey these vulnerabilities to the public and government in the hopes of spurring a shift away from electronic voting systems. This involves undertakings such as providing testimonies in court and posting on social media.
He says that often these efforts are analogous to the challenges that climate change scientists face, where the science is complex and must be communicated to the public, while scientists must keep pushing the frontiers of knowledge forward. Similarly, researchers in this field often encounter resistance from decision-makers. For these reasons, DeMillo says the cybersecurity community often looks to climate scientists for inspiration on how to implement policies.
Despite efforts by researchers and activists to reembrace paper ballots, the Georgia government just recently authorized $150 million towards new voting electronic voting machines, which critics say will still harbor vulnerabilities to hacking.
However, DeMillo says that scientists are having an impact on the situation in Georgia, by supporting fact-based policy-making and legislating. A more recent court ruling by a federal judge mandates that, if the newer voting machines are not ready by the 2020 federal election, Georgia must adopt a paper-based voting system. DeMillo acknowledges that cybersecurity is a difficult career to pursue, both technically and politically, but it can be rewarding.
In the cyber world, he notes, there is always someone looking to exploit tools. “As a cyber security researcher, you get to not only confront those people actually and virtually – you get to invent technologies and do the math that prevents them from succeeding in what they want to do,” he says. “In most of science, your adversary is a natural process and you’re trying to figure out what’s going on. In cybersecurity, it’s an adversary who thinks and is there to outsmart you. And that intellectual challenge makes it a really rewarding area to work in.”