The U.S. Congress is in the process of dismantling the Federal agency that provides assistance to the local election offices that run all U.S. elections, and to the states that oversee them. That is the U.S. Election Assistance Commission (EAC), a small agency that’s not well understood by a great many people — including several who have been asking me, and other election technology experts, whether dismantling it is wise, and what the effects will be.
I aim to answer all those questions, but in multiple short segments, of which this is the first. First I want to lay out some of the issues people need to consider in deciding for themselves whether dismantling the EAC is a good idea, a bad idea, or one with consequences that could be ugly. Then in later segments I’ll get to some of the functions of the EAC that will be missed when it is gone, and the consequences of the gaps created by EAC’s exit.
Original Mission: Accomplished?
How you might think about dismantling the EAC is of course largely driven by what you think its function and value is. One of its original functions was part of a critical response to the hanging-chad-filled election dysfunction of the 2000 election — a good chunk of Federal funding to help states replace flawed voting systems with ones that didn’t depend on inconsistent human interpretation of ballots (think of those photos of Florida election officials squinting at punch ballots to see exactly how the chad was hanging). A major function for EAC was to manage the disbursement of funds to states for eligible projects, including but not limited to voting system replacement.
That’s one reason why it might be good to dismantle EAC with a “mission accomplished” status: those funds are long gone, and the post-2000 voting system replacement is finished. But what about EAC’s other election assistance activities? To be sure, states and localities are getting some ongoing support in terms of election management resources, research and data, and a small batch of ongoing grant money to disburse. But is it vital? How much value is really being delivered to EAC beneficiaries in state and local government? Clearly, some in Congress and elsewhere don’t think that the ongoing value is high, and most of the value intended by the original Help America Vote Act (HAVA), the law that created EAC, has already been delivered.
As a result, I think that it’s not a bad idea, and not even ugly, if you consider the value of the EAC in the original context of HAVA and EAC’s original mission. But that was well over a decade ago and a lot has changed. In the following segments, I want to highlight some of the functions of the EAC that have evolved over time and have become very important — indeed visibly very important in the last year. That change over time, and the public visibility, means that a couple of odd corners of EAC’s original mission might be quite important indeed. And, as EAC is being dismantled, there are important questions about how states and localities might or might not be able to pick up the slack in these important areas.
Here’s a teaser for those changes. Just in the last year, the public at large has learned what election experts have known for a while: the current voting systems (mostly paid for by HAVA) turned out not to be as wonderful as hoped, are wearing out and need replacement, and were not and are not designed to be robust against manipulation by state-sponsored adversaries. In short, we now know that U.S. elections are a target, a national security risk, and they run on antique, insecure technology.
What’s EAC’s connection with that? More next time.
In a recent posting, I noted that despite current voting systems’ basic flaws, it is still possible to do more to give the public details that offer peace of mind that close contests’ results are not invalid due to technology-related problems. Now I should explain what I meant by basic security flaws, especially since that was the topic of a panel I was part of recently, in which a group of security and election professionals addressed a DHS meeting on security tech transfer.
We agreed on three basic security and integrity requirements that are not met by any existing product:
- Fixed-function: each machine should run only one fixed set of software that passed accredited testing and government certification.
- Replace not modify: that fixed software set should not be modifiable, and can be updated only by being replaced with another certified system.
- Validation: all critical components of these systems are required to support election officials’ ability to validate a machine before each election, to ensure that it remains in exactly the same certified configuration as before.
These critical properties are absent today because of a basic decision made by vendors years ago: to quickly bring new voting technology to market by basing it on ordinary turn-of-the-century PC technology that was, and remains in today’s market, fundamentally unable to support fixed-function systems inherently capable of validation. All voting systems today lack these basic properties, and without them, all other security requirements are largely irrelevant — and compliance with current certification requirements is impossible.
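As an added illustration of the validation requirement in the list above (this is example code written for this page, not code from the original post or from any voting-system vendor), here is a hash-manifest check in Python that compares a machine’s installed files against the manifest captured at certification time; the directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large images are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def validate(root: Path, certified: dict) -> dict:
    """Compare the machine's current file set against the certified manifest.
    Any modified, missing or unexpected file means the machine is no longer
    in its certified configuration and must not be used until re-imaged."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in certified if k in current and current[k] != certified[k]),
        "missing": sorted(k for k in certified if k not in current),
        "unexpected": sorted(k for k in current if k not in certified),
    }

def is_certified_state(report: dict) -> bool:
    return not any(report.values())

def demo() -> tuple:
    """Constructed scenario (not a real voting system image): a toy certified
    install, then one patched binary and one extra file. Returns the
    validation reports before and after that drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "config").mkdir()
        (root / "bin" / "tabulator").write_bytes(b"certified tabulator build 1.0")
        (root / "config" / "ballot.xml").write_bytes(b"<ballot/>")
        certified = build_manifest(root)  # captured at certification time
        clean = validate(root, certified)
        (root / "bin" / "tabulator").write_bytes(b"tabulator build 1.0 + unreviewed patch")
        (root / "bin" / "helper.dll").write_bytes(b"not in the certified set")
        return clean, validate(root, certified)

if __name__ == "__main__":
    print(demo()[1])
```

Because this check is executed by the machine’s own operating system, it is only as trustworthy as that OS, which is exactly the point made above about commodity PC platforms: without a fixed-function design that anchors the check outside modifiable software, a compromised system can simply report a clean manifest.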
Crazy, eh? Then add to that:
- the remarks of panelist and voting system security expert Matt Bishop of UC Davis on the many software-level security functional problems encountered in reviews of voting systems, problems found despite the official federal testing and certification process intended to find them; and
- Virginia’s Election Commissioner Edgardo Cortez’s examples of system-level security issues found in their review of a voting system that was subsequently banned for use in VA. A few minds were blown in the audience.
The Consensus and One More Thing
The consensus at this DHS event, for both panel and audience, was that any future voting system that is worth having should be validated by a future testing and certification process that, among other goals, specifically requires the architecture-level security requirements that I outlined, and focuses on the types of issues Cortez and Bishop described – and one more thing that’s important for completely different reasons.
That one more thing: future voting systems need to be designed from scratch for ease of use by election officials, so that they don’t have to take today’s extraordinary measures, with so much human effort and error-prone manual work, to operate these systems with reasonable security that can be demonstrated in the event of disputes.
So, leaving aside “known unknowns” about recent hacks or lack thereof, we have some really important “known knowns” – there is enormous potential for improvement in a wholesale replacement of voting tech that meets the 3 basic integrity requirements above, can be feasibly examined for the issues that our panelists discussed, and can be easily and safely operated by ordinary election officials.
— John Sebes
There’s a lot of news media about the Green Party’s push for recounts. Some is accurate, some is wildly alarmist, but most of what I’ve read misses a really key point that you need to understand, in order to make up your own mind about these issues, especially claims of Russian hacking.
For example, University of Michigan’s Dr. Alex Halderman is advising the Green Party, and has been widely quoted recently about the possible attacks that could be made on election technology, especially on the “brains” of a voting system, the Election Management System (EMS) that “programs” all the voting machines and collates their tallies, yet is really just some fairly basic desktop application software running on ancient MS Windows. Though sometimes complex to explain, Halderman and others are doing a good job explaining what is possible in terms of election-result-altering attacks.
In response to these explanations, several news articles note that DHS, DNI, and other government bodies take the view that it would be “extremely difficult” for nation-state actors to carry out exploits of these vulnerabilities. I don’t doubt that DHS cyber-security experts would rank exploits of this kind (both effective and also successful in hiding themselves) at the high end of the technical difficulty chart, out there with hacking Iranian uranium enrichment centrifuges.
Here’s the Problem: “extremely difficult” has nothing to do with how likely it is that critical election systems might or might not have been penetrated.
Comparing the intrinsic difficulty level with the capabilities of specific attackers is a completely different issue. We know full well that attacks of this kind, while high on technical difficulty, are totally feasible for a few nation-state adversaries. It’s like noting that a particular class of technical platform diving has a high intrinsic difficulty level beyond the reach of most world-class divers, but also noting that the Chinese team has multiple divers who are capable of performing those dives.
You can’t just say “extremely difficult” and completely fail to check whether one of those well known capable divers actually succeeded in an attempt — especially during a high stakes competition. And I think that all parties would agree that a U.S. Presidential election is pretty high stakes. So …
- 10 out of 10 points for security experts explaining what’s possible.
- 10 out of 10 points for DHS and others for assessing the possibilities as being extremely difficult to do.
- 10 out of 10 points for several news organizations reporting on these complex and scary issues; and
- 0 out of 10 points for news and media organizations concluding that because some attacks are difficult, they probably didn’t happen.
Personally, I don’t have any reason to believe such attacks occurred, but I’d hate to deter anybody from looking into it as a result of confusing level of difficulty with level of probability.
— John Sebes