How Safe Are Voting Machines? DOD-Funded Lab IDs Vulnerabilities

Could a voting machine be lost or stolen? Would a loose wire in the machine skew the tally? Could a sophisticated cyberattack go undetected?

A team of students and researchers from Towson University and the University of Maryland is trying to chart every conceivable way of breaching the voting machines used by most Americans to ensure no flaws are overlooked and that election officials can address vulnerabilities.

By also evaluating the relative likelihood of each scenario, the team hopes its preliminary analysis will reassure voters battered by conflicting and false claims about the integrity of the 2020 presidential vote and continuing worries about how the 2024 election will be conducted.

“States and localities put a lot of effort into security and have many failsafes, mitigations and paper trails already in place,” said Natalie M. Scala, co-director of the Empowering Secure Elections Lab. “You need a free and fair election by default in a healthy democracy, but you also need your citizens to believe that it is fair. We hope this adds to education and to public discourse and helps those who may have some concerns.”

The lab is in just the first year of the three-year grant from the U.S. Department of Defense aimed at risk assessment of critical infrastructure, but Scala said the latest results are promising. Unlike other approaches, this project considers cyber, physical and insider threats, making it valuable for assessing other critical infrastructure such as the power grid.

The project focuses on possible vulnerabilities in precinct count optical scanners, which make up about 70% of the voting machines that will be used this year. The lab is also looking at how hard it would be for election officials to discover security breaches.

“It's extremely important because states and localities have limited budgets. So when you're talking about hundreds or thousands of risks and you have a limited budget, where do you start? Understanding where that relative risk is can help you focus and make mitigations that actually have impact,” said Scala, an associate professor and fellow at Towson’s Center for Interdisciplinary and Innovative Cybersecurity and faculty affiliate at UMD’s Applied Research Lab for Intelligence and Security (ARLIS).

UMD students Noah Hibbler ’25 and Aaryan Patel ’26 have adapted publicly available JavaScript code to help discover the election security “what-ifs.” Their results look a little like the org chart of a very large company. Known as an “attack tree,” the graphic shows cascading rows of small blocks linked by lines, depicting possible issues such as stolen equipment or a cyberattack.

Without the code contributed by Patel and Hibbler, students would’ve had to manually trace the paths and do the calculations and analysis by hand, Scala said.

The analysis considers “how expensive it is for an attacker to do, how technically difficult it is for an attacker and then how hard is it for the defender to find that something went wrong,” said Hibbler, who is working on an Advanced Cybersecurity Experience for Students (ACES) minor and plans to finetune the tool in the fall semester.

The work adds to the intelligence about vulnerabilities previously compiled by the U.S. Election Assistance Commission. But since technology continues to change, the analysis must also keep pace, said Scala.

“Hearing how the project will be used to actually improve critical infrastructure, it’s really mind-blowing,” said Patel, a sophomore in the Honors ACES program. “You often struggle to see how the work you do in class can really be applied to what you’re going to do in the future.”

The lab has previously provided training for poll workers in Anne Arundel County—a project that won an award from the commission— and surveyed voters about issues that could prevent or discourage them from going to the polls. Results from the survey will be included in the attack tree that UMD students worked on, Scala said.

“One of the really nice things about having a partnership with folks that are in academia … is that you can get more plugged into what's out there technologically,” said David Garreis, director of the Anne Arundel County Board of Elections. “I think an extremely valuable part of the process for cybersecurity is when you plan exercises (to) attack the system to try and see what would happen … and that's how you kind of identify where your holes are and where your vulnerabilities are.”