The ballot box is the foundation of any democracy. It’s not too grand to say that if there’s a failure in the ballot box, then democracy fails.
With the United States midterm elections less than a month away, it’s now abundantly clear that the US election systems are vulnerable to attack, despite previous, laudable cybersecurity efforts. In fact, the US midterm elections are already under attack, via false or misleading stories posted and shared on social media, known as disinformation attacks. As the election date approaches and these systems are subjected to further scrutiny, it’s obvious that the US election infrastructure is also vulnerable to more serious subversion attacks, where digital components of the election systems (such as voting machines, voter registration databases, vote tabulation and reporting servers) are targeted and compromised to alter or manipulate the actual casting of ballots and tabulation of results.
How did the US reach this crisis point, where this critical infrastructure is now so vulnerable that every election now seems like a gamble on the very integrity of democracy? Why does the security of these critical systems seem so poor and unreliable? Is there any way to remedy this threat to the most fundamental building block of a healthy democracy, a secure and reliable voting system?
A brief history of digital voting vulnerabilities
In the recent feature article in the New York Times, The Crisis of Election Security, author Kim Zetter traces the history of electronic voting in the US, from the controversial 2000 presidential election between Bush and Gore to today, and illuminates how the problems developed over the last two decades to reach the current crisis:
“The real problems were the machines used to cast and tally votes and the voter-registration databases the Russians had already shown interest in hacking. The entire system — a Rube Goldberg mix of poorly designed machinery, from websites and databases that registered and tracked voters, to electronic poll books that verified their eligibility, to the various black-box systems that recorded, tallied and reported results — was vulnerable.”
The US Federal government has not been idle in the face of these threats, but the response to date has been inadequate, “largely Band-Aid measures [that] don’t address core vulnerabilities in voting machines or the systems used to program them,” says Zetter.
Fixes inhibited by proprietary election software
These problems aren’t new in US election systems, nor are they limited to the US. Why haven’t election officials been able to fix them? Even if they could, is it their responsibility to do so? The primary reason, says Zetter, is proprietary election software:
The voting machines are made by well-connected private companies that wield immense control over their proprietary software, often fighting vigorously in court to prevent anyone from examining it when things go awry.
Presidential candidate John Kerry ran headlong into this after he lost the 2004 presidential race, “following numerous election irregularities,” notes Zetter, notably in Ohio. Determined to find out what exactly had happened, Kerry’s team asked to audit Ohio’s voting-machine software, but were denied access. Kerry explained in a recent interview on WNYC’s “Brian Lehrer Show”:
We were told by the court that you were not able to get that algorithm to check it, because it was proprietary information … the purview of privately owned machines, where the public doesn’t have the right to know whether the algorithm has been checked or whether they’re hackable or not. And we now know they are hackable.
Problems with current voting machines
Today, three privately held commercial companies — Dominion, ES&S and Hart InterCivic — control 80% of the approximately 350,000 voting machines in use in the US.
The voting machine industry is profitable, with around $300 million in annual revenue, but the industry “has long been as troubling as the machines it makes, known for its secrecy,” explains Zetter.
Not only do these companies fight every effort to audit the software that runs their machines, but they continue to sell the same flawed machines with the same security holes. These voting machines fall into one of two categories: optical-scan machines or direct-recording electronic machines. Each of them suffers from significant security problems.
Zetter identifies the problems with the current optical-scan machines, where voters fill out paper ballots, which are fed into optical scanners that create a digital image of the ballot and record the votes on a removable memory card. This approach seems pretty secure, since “the paper ballot, in theory, provides an audit trail that can be used to verify digital tallies,” says Zetter.
But there are serious problems with optical scan machines. Zetter explains:
- “Not all states perform audits, and many that do simply run the paper ballots through a scanner a second time”
- “Fewer than half the states do manual audits, and they typically examine ballots from randomly chosen precincts in a county, instead of a percentage of ballots from all precincts”
At least optical scanners require a paper ballot to function. Direct-recording electronic machines (DREs) use touch screens so voters select from digital-only ballots. DREs store votes electronically; many will also print a “voter-verifiable paper audit trail — a scroll of paper, behind a window, that voters can review before casting their ballots,” says Zetter. Sounds secure, but she points out the many security holes:
- “a hacker could conceivably rig the machine to print a voter’s selections correctly on the paper while recording something else on the memory card.”
- “Five states still use paperless DREs exclusively, and an additional [thirteen] states use paperless DREs in some jurisdictions.” (see the Notes, below, for a list of the 18 states that use some kind of paperless DRE machines.)
In fact, even with an extensive paper trail of printed ballots,
states don’t conduct robust post election audits — a manual comparison of paper ballots to digital tallies is the best method we have to detect when something has gone wrong in an election — and there’s a good chance we simply won’t know if someone has altered the digital votes in the next election.
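The sampling problem quoted above can be made concrete. The following is an added example, not code from the article or from the TrustTheVote Project: it runs a manual paper-to-digital comparison under two audit designs, all ballots from a few randomly chosen precincts versus some ballots from every precinct. The county, its 20 precincts, the two affected precincts and all function names are constructed assumptions, and the probabilities hold only for this scenario.

```python
import math
import random

# Constructed county: 20 precincts x 200 ballots. All values here are sample data.
PRECINCTS = [f"P{i:02d}" for i in range(20)]
PER_PRECINCT = 200
AFFECTED = {"P03", "P11"}  # precincts whose digital records disagree with the paper

def build_records():
    """Return (paper, digital) maps of ballot id -> choice; paper is the record."""
    paper, digital = {}, {}
    for p in PRECINCTS:
        for b in range(PER_PRECINCT):
            choice = "A" if b % 20 < 11 else "B"
            paper[(p, b)] = choice
            if p in AFFECTED and b % 8 == 0:  # every 8th digital record differs
                choice = "B" if choice == "A" else "A"
            digital[(p, b)] = choice
    return paper, digital

def manual_comparison(ballot_ids, paper, digital):
    """Hand-read each selected paper ballot and compare it to its digital record."""
    return [bid for bid in ballot_ids if paper[bid] != digital[bid]]

def sample_whole_precincts(k, rng):
    """Design quoted above: every ballot from k randomly chosen precincts."""
    return [(p, b) for p in rng.sample(PRECINCTS, k) for b in range(PER_PRECINCT)]

def sample_every_precinct(n, rng):
    """Alternative: n randomly chosen ballots from each precinct."""
    return [(p, b) for p in PRECINCTS for b in rng.sample(range(PER_PRECINCT), n)]

def p_detect_whole_precincts(k):
    """Exact chance that k random precincts include at least one affected one."""
    clean = len(PRECINCTS) - len(AFFECTED)
    return 1 - math.comb(clean, k) / math.comb(len(PRECINCTS), k)

def p_detect_every_precinct(n, paper, digital):
    """Exact chance that n ballots per precinct include a discrepant ballot."""
    miss = 1.0
    for p in PRECINCTS:
        ids = [(p, b) for b in range(PER_PRECINCT)]
        bad = len(manual_comparison(ids, paper, digital))
        miss *= math.comb(PER_PRECINCT - bad, n) / math.comb(PER_PRECINCT, n)
    return 1 - miss

if __name__ == "__main__":
    paper, digital = build_records()
    rng = random.Random(2018)  # fixed seed so the run is repeatable
    designs = {"2 whole precincts": sample_whole_precincts(2, rng),
               "20 ballots from every precinct": sample_every_precinct(20, rng)}
    for name, ids in designs.items():
        found = manual_comparison(ids, paper, digital)
        print(f"{name}: {len(ids)} ballots examined, {len(found)} discrepancies")
    print(f"P(detect) whole precincts: {p_detect_whole_precincts(2):.3f}")
    print(f"P(detect) every precinct:  {p_detect_every_precinct(20, paper, digital):.3f}")
```

Both designs hand-examine 400 ballots. In this constructed county the first finds a discrepancy about one time in five, the second more than 99 times in 100.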
Problems with the US voting infrastructure
Not only does each type of voting machine come with its own set of security flaws (made much worse because the companies block security audits of their code) but there are other vulnerabilities that all of the commercial voting machines share. Zetter notes that hackers can:
- “access voting machines via the cellular modems used to transmit unofficial results”
- “subvert back-end election-management systems … and spread malicious code to voting machines through them”
- “design their code to bypass pre-election testing and kick in only at the end of an election … and erase itself afterward to avoid detection”
- “produce election results with wide margins to avoid triggering automatic manual recounts”
many voting machines that elections officials insist are disconnected from the internet — and therefore beyond the reach of hackers — are in fact accessible by way of the modems they use to transmit vote totals on election night.
If an attacker wanted to alter election results, they would most likely focus on these critical points in the election process: the computers that tally votes.
Once again, the voting machine vendors’ insistence on protecting their proprietary code from scrutiny, security audits, and testing means the chances of these types of hacks increase, and there’s no way to even tell if their voting machines have been compromised.
Voting machine companies already potentially compromised
We already know that these commercial voting machine companies have made many security mistakes. For instance,
Last year a security researcher stumbled across an unsecured ES&S server that left passwords exposed for its employee accounts … a malicious actor able to get into ES&S’s network could conceivably corrupt these files.
But even when these security problems come to light, Zetter continues, “researchers face hostility and sometimes even legal threats from vendors, who want to prevent them from finding and exposing problems with the machines.”
What’s the solution?
Some people have advocated the idea of banning digital voting machines altogether. But Zetter notes,
computers had been used in elections ever since the 1960s, when punch cards and computerized card readers and tabulators were introduced. And experts had been warning for just as long about the danger of placing too much trust in them.
Since then, the use of machine readable paper ballots has proven again and again to be an essential part of a secure backup and paper trail that facilitates audits of election results.
Despite all the difficulties and security holes that digital voting machines have introduced, these machines have also demonstrated clear benefits. “Even the problematic DRE machines offered many advantages,” says Zetter:
With direct recording, counties no longer had to print hundreds of thousands of paper ballots or store them for 22 months after a federal election, as federal law required. And the machines could be adapted to voter needs, by displaying digital ballots in multiple languages and font sizes. They also satisfied the accessibility requirement … offering Braille keyboards, audio instruction and other aids for physically impaired voters.
Is there any way to realize the benefits of electronic voting systems without undermining the reliability and integrity of a country’s election system?
Public software: open source; open for audits
The biggest problems with proprietary voting machines are related to the fact that they are proprietary:
- Commercial voting machine companies don’t want outsiders, like security researchers, viewing or auditing their proprietary code.
- Because their voting machines run on proprietary software, the machines are expensive, difficult to service, and again, the commercial vendors are reluctant to allow audits or reviews of their hardware.
There is a simple solution, and it’s the idea behind the TrustTheVote™ Project: build voting systems on a foundation of public (open-source) software. Public software is simply a computer program that opens its source code for review and audits, often available to use, modify or extend free of charge.
Most public software is licensed in a way that ensures that any enhancements or repairs added to the original code are available to use under the same “open source” license. This means that anyone, at any time, can analyze, review, or scrutinize the quality, reliability, and security of the open source (public) software.
By using public software to run election administration and voting machinery, election officials ensure that security researchers and computer experts can audit every aspect of public voting system software — and in most cases, the associated hardware.
The OSET Institute argues that, given election technology is now designated as critical infrastructure by the Department of Homeland Security, there is no logical business advantage to hiding the software from auditors, or to using expensive and proprietary hardware to build the voting systems.
Furthermore, using proprietary (instead of public) software for critical election infrastructure effectively makes it impossible for the public, who depend on the integrity of these systems, to verify that the proprietary software works correctly and has not been compromised.
Advantages of public software for voting systems
What are the advantages of the public (open source) software approach of the TrustTheVote Project?
- Security researchers, election officials, and concerned citizens can audit and verify the integrity of public (open source) software used in election systems and voting machines.
- Other public (open source) software projects, like Linux™, already run a significant portion of enterprise computing networks today and the vast majority of the global Internet’s critical infrastructure. This means that the open source software (OSS) model is proven and continually tested. There are many examples of OSS projects that are commercially viable, well supported, and offer demonstrated security advantages. Some examples include the Apache™ web server deployed for a majority of web sites worldwide; the Android mobile operating system powering a significant portion of smartphones; and thousands of other OSS projects.
- Governments all over the world use OSS for information systems, including mission-critical applications within aerospace, finance, and national defense systems.
- When security flaws are detected in open source software, fixes or patches can be published as soon as possible. With proprietary software, on the other hand, there can be business reasons and risks for the companies that produce and sell the software to obscure — and in some cases even deny — the existence of any such problems.
- There are many examples of companies that have published flawed proprietary software, and then attempted to make internal fixes to protect sales, before their customers learned about these software flaws. In some cases, this reluctance to publicize problems with proprietary software creates a significant security risk for the customers who paid to license the software. OSS presents no such incentive to hide its flaws, since the source code is already open for scrutiny (of course, this assumes, as is often the case, that many eyes are scrutinizing).
There’s nothing more critical to defending democracy than ensuring the security and integrity of its election administration and voting systems. Public election software is the best way to ensure that critical election technology infrastructure can be robust and reliable. This is precisely because public software is open to the scrutiny required to ensure the integrity of the voting machines and election systems that are the foundation of a trustworthy election.
As Kim Zetter observes, however, the commercial voting system manufacturers have lobbied for their proprietary election solutions, replete with their hidden vulnerabilities, to become the standard for US elections. And of course, it is in their best business interest to do so. However, there’s no reason this should be the case, and there’s a better option: projects like the TrustTheVote™ Project, based on public, open source election software, subjected to peer review, the scrutiny of security and software experts, and the very public this software serves.
Five (5) states use DRE machines with no paper trail whatsoever: Delaware, Georgia, Louisiana, New Jersey and South Carolina; 13 states use DREs with no paper trail in some jurisdictions: Arkansas, Delaware, Georgia, Indiana, Kansas, Kentucky, Louisiana, Mississippi, New Jersey, Pennsylvania, South Carolina, Tennessee and Texas.
To cast your ballot in the upcoming 2018 U.S. midterm election, you must be registered to vote. The TrustTheVote Project builds and maintains Rock The Vote’s online voter registration system. Register today, or learn more about your state’s registration requirements.
The U.S. midterm elections are less than 50 days away. There are many reasons to be concerned that some adversaries of the United States will attempt, again, to sow chaos in the upcoming U.S. election, and undermine the legitimacy of these contests.
Christine Santoro, Esq., (Chief Legal Officer, OSET Institute) in her Sep. 20th, 2018 article, Will Foreign Adversaries Attack U.S. Midterm Elections or Elsewhere?, analyzes the threat:
Most experts believe that Russia … will continue to interfere in U.S. elections on some level(s). Others are raising concerns about China and even Iran.
Three Types of Attacks
This interference will be in the form of three different types of attacks, first identified in OSET’s Critical Democracy Infrastructure Briefing. The three types of attacks are:
- Defamation: de-legitimizing elections by “using weaponized content or generating false content to undermine voters’ confidence in the election”
- Disruption: disrupting the election process, before or during voting, or afterwards to disrupt reporting of the election result. This type of attack is especially dangerous when accompanied by a defamation attack, as both combine to throw the legitimacy of the election into doubt even without altering the votes cast or tallied.
- Subversion is the “direct manipulation of [election] devices, machinery or systems … the most dangerous and insidious type of attack.” This direct digital attack of voting machinery “will unlikely occur effectively at the ballot casting device but rather target tabulation and tally equipment.”
Attacks are happening now, and will increase
Already, Dan Coats, the Director of National Intelligence, has sounded the alarm regarding imminent and ongoing defamation attacks from Russia against the U.S.:
Russia is trying to spread propaganda on hot-button issues using social media … Moscow’s strategy is to exacerbate sociopolitical divisions … We continue to see a pervasive messaging campaign by Russia to try to weaken and divide the United States.
FBI Director Christopher Wray stated in August that Russian intelligence is focused on “malign influence operations,” which he called “information warfare.” Later that month, Facebook shut down over 30 pages and accounts with suspected ties to Russia.
The U.S. is not the only country whose elections are being targeted by Russian attacks:
- Anders Fogh Rasmussen, Co-chair of Transatlantic Commission on Election Integrity (TCEI), says, “I have no doubt Moscow will deploy the full playbook of measures to spread confusion and fear: cyber-attacks, assassinations, disinformation, conventional attacks in Eastern Ukraine. We cannot allow this to happen.”
- Victor Pinchuk, based on his work with the Ukraine Elections Task Force, warns: “if we do not prevent it, what might happen in Ukraine in 2019 may also be repeated across the West in 2020.”
What will happen in the 2018 U.S. midterms?
Counselor Santoro identifies the most likely attacks that will occur in the next two months:
- Defamation attacks are happening now: “Russia continues to taunt the U.S. with Type-I attacks using disinformation, fake news, and instigation of social warfare on Facebook and other media sites.”
- Disruption attacks are less likely: “the window for [voter registration attacks] may have passed … there [remains] possibility of attempts to hack election results sites.” Fortunately, “the official tabulation records and tabulators are not on-line,” so remain safe from Russian attacks, at least for now.
- Subversion attacks are very unlikely, in part because this year is not a Presidential election year: “the stakes are not as lofty in the midterm elections, so foreign adversaries can afford to save their dry powder for this one.”
Although this sounds like relatively good news, the danger is, if anything, increasing:
Our foreign adversaries (again, in particular the Kremlin), are in for the very long game … they’re monitoring and preparing in the misguided belief they can successfully subvert our election and manipulate our government when the stakes are high enough in 2020.
What can we do to protect our election systems?
We aren’t helpless in the face of this gathering storm. But we must take action to protect U.S. electoral systems. Ms. Santoro identifies the most important steps we must take. Our voting systems must be:
- “completely rid of remote access capability”
- “fortified with paper ballots of record” and
- “tabulation and tally devices must somehow become truly hardened”
Beyond simply securing voting machines,
- digital election infrastructure must be rebuilt “for higher integrity … driven by a new critical infrastructure mindset in terms of security-centric engineering.”
Although we know that Russia is currently pursuing defamation attacks against the U.S. election system, and will continue to do so until the 2018 midterms are concluded, we may be able to prevent the much more dangerous disruption and subversion attacks in 2020, but only if we start working now to secure the U.S. election infrastructure.
The OSET Institute’s TrustTheVote Project addresses these issues with our modular ElectOS public software framework/platform, designed from the ground up to deliver verifiable, accurate, secure, and transparent (in process) elections.
More information and how you can help
- Read Christine Santoro’s original article, Will Foreign Adversaries Attack U.S. Midterm Elections or Elsewhere?, on the OSET Institute website.
- Read Counselor Santoro’s related and provocative article last year examining the question of whether foreign state hacking of an election is tantamount to an act of war.
- Read the Critical Democracy Infrastructure Briefing to learn more about the vulnerabilities of current digital election systems.
- Learn more about the TrustTheVote Election Technology Framework and how the TrustTheVote Project counters the three types of attacks.
- If you are an election official, get involved with the TrustTheVote Project to help guide the development of public technology to increase integrity, lower costs, and improve future elections.