U.S. voting systems remain vulnerable to cyberattacks three years after documented efforts to penetrate election machines, according to a report released Thursday.

The report is based on the findings of the white-hat hacker DEF CON Voting Village, an annual gathering of hackers that uses election machines to find vulnerabilities that could allow someone to interfere with the voting process.

ADVERTISEMENT

This year’s event allowed hackers to test voting equipment, including e-poll books, optical scan paper voting devices and direct recording electronic voting machines — all certified for use in at least one U.S. voting jurisdiction.

“Voting Village participants were able to find new ways, or replicate previously published methods, of compromising every one of the devices in the room in ways that could alter stored vote tallies, change ballots displayed to voters, or alter the internal software that controls the machines,” the report said.

Despite the “disturbing” findings of the report, the authors wrote that the findings were “not surprising,” particularly in light of the fact that many of the election equipment cyber vulnerabilities found were “reported almost a decade earlier.”

Equipment that was tested included those made by leading voting machines companies Election Systems and Software (ES&S) and Dominion Systems.

A spokesperson for ES&S told The Hill that the company "works with federal officials and state and local jurisdictions to ensure risks are minimized and elections continue to be secure. For example, we encourage all jurisdictions to set the credentials on their pollbook devices to non-default values and change them per election, as well as enable encryption for all devices."

A spokesperson for Dominion told The Hill that "as we have done in past years, we will review and verify any identified critical security issues and take appropriate steps with state and local election authorities to address them in timely and reasonable fashion."

The Dominion spokesperson noted that one of its systems, the ImageCast Precinct demo unit, analyzed by DEF CON hackers was "never certified for use," meaning that it is not in use in any election jurisdiction.

The authors emphasized the need to secure the supply chain involved in building election equipment, noting the vulnerabilities posed by using components originating in foreign countries.

They emphasized there is an “urgent need for paper-ballots and risk-limiting audits.”

The authors also noted that the vulnerabilities found are particularly pressing given the lack of information technology expertise involved in running elections at the state and local level.

“With rapid deployment of new IT technology into the election infrastructure, election offices are especially exposed to remote attack (including by hostile state actors),” the authors wrote. “Unfortunately, very few election offices have the resources to effectively counter this increasingly serious type of threat.”

The report's release follows the findings of a Senate Intelligence Committee investigation into Russian interference efforts from 2016. The committee found that “as of the end of 2018, the Russian cyber actors had successfully penetrated Illinois's voter registration database, viewed multiple database tables, and accessed up to 200,000 voter registration records.”

Mueller testified before Congress in July that he not only expected the Russians to attempt to interfere in the 2020 U.S. elections, but that they were doing so "as we sit here."

The findings of the 2019 Voting Village report build on the vulnerabilities found by hackers at past events. In 2018, an 11-year-old was able to hack into a replica of Florida’s voting website and change the election results in less than 10 minutes.

This year's report was rolled out during an event on Capitol Hill on Thursday, during which Sen. Ron Wyden Ronald (Ron) Lee WydenHillicon Valley: Subpoenas for Facebook, Google and Twitter on the cards | Wray rebuffs mail-in voting conspiracies | Reps. raise mass surveillance concerns On The Money: Anxious Democrats push for vote on COVID-19 aid | Pelosi, Mnuchin ready to restart talks | Weekly jobless claims increase | Senate treads close to shutdown deadline Democratic senators ask inspector general to investigate IRS use of location tracking service MORE (D-Ore.) and Reps Jackie Speier Karen (Jackie) Lorraine Jacqueline SpeierOvernight Defense: House to vote on military justice bill spurred by Vanessa Guillén death | Biden courts veterans after Trump's military controversies House to vote on 'I Am Vanessa Guillén' bill Overnight Defense: Trump's battle with Pentagon poses risks in November | Lawmakers launch Fort Hood probe | Military members can't opt out of tax deferral MORE (D-Calif.) and John Katko John Michael KatkoHillicon Valley: Productivity, fatigue, cybersecurity emerge as top concerns amid pandemic | Facebook critics launch alternative oversight board | Google to temporarily bar election ads after polls close Lawmakers introduce legislation to boost cybersecurity of local governments, small businesses Underwood takes over as chair of House cybersecurity panel MORE (R-N.Y.) sounded the alarm about existing vulnerabilities in voting systems.

Wyden said that he and Speier would aim to get a copy of the 2019 Voting Village report into the hands of every member of Congress.

Speier said she felt the only way to get certain lawmakers to support legislation on the topic was to “scare the living bejesus” out of them that voting systems can be “rigged against them."

Wyden, who has been one of the key leaders in pushing for action on election security, cautioned that the time to take action to secure the 2020 elections may have already passed.

”We’ve got a really short time window folks,” Wyden said. “As of today, I am concerned that a window has closed, and certainly the next few weeks are going to decide if we are actually prepared for 2020.”

-Updated at 7:05 p.m. to reflect input from election equipment companies.