From DHS Symposium — The Three Basic Requirements for Voting System Security
In a recent posting, I noted that despite current voting systems’ basic flaws, it is still possible to do more to provide the public with details that can provide peace of mind that close contests’ results are not invalid due to technology related problems. Now I should explain what I meant by basic security flaws, especially since that was the topic of a panel I was part of recently, a group of security and/or election professionals on addressing a DHS meeting on security tech transfer.
We agreed on three basic security and integrity requirements that are not met by any existing product:
- Fixed-function: each machine should run only one fixed set of software that passed accredited testing and government certification.
- Replace not modify: that fixed software set should be able to be modified, and can updated only by being replaced with another certified system.
- Validation: all critical components of these systems are required to support election officials’ ability to validate a machine before each election, to ensure that it remains in exactly the same certified configuration as before.
These critical properties are absent today, because of a basic decision made by vendors years ago, to quickly bring new voting technology to market by basing it on ordinary turn of the century PC technology that was, and remains in today’s market, fundamentally unable to support fixed function systems inherently capable of validation. All voting systems today lack these basic properties, and without them, all other security requirements are largely irrelevant — and compliance with current certification requirements is impossible.
Crazy, eh? Then add to that:
- the remarks of panelist and voting system security expert Matt Bishop of UC Davis on the many software-level security functional problems encountered in reviews of voting systems, problems found despite the official federal testing and certification process intended to find them; and
- Virginia’s Election Commissioner Edgardo Cortez’s examples of system-level security issues found in their review of voting system that was subsequently banned for use in VA. A few minds were blown in the audience.
The Consensus and One More Thing
The consensus at this DHS event, for both panel and audience, was that any future voting system that is worth having, should be validated by a future testing and certification process that among other goals, specifically required the architecture-level security requirements that I outlined, and focused on the types issues Cortez and Bishop described – and one more thing that’s important for completely different reasons.
That one more thing: future voting systems need to be designed from scratch for ease of use by election officials, so that they don’t have to take today’s extra-ordinary measures with so much human-level effort and human-error-prone work needed to operate these systems with reasonable security that can be demonstrated in the event of disputes.
So, leaving aside “known unknowns” about recent hacks or lack thereof, we have some really important “known knowns” – there is enormous potential for improvement in a wholesale replacement of voting tech that meets the 3 basic integrity requirements above, can be feasibly examined for the issues that our panelists discussed, and can be easily safely operated by ordinary election officials.
— John Sebes
Recounts, Russian Hackers, and Misunderstood Claims
There’s a lot of news media about the Green Party’s push for recounts. Some is accurate, some is wildly alarmist, but most of what I’ve read misses a really key point that you need to understand, in order to make up your own mind about these issues, especially claims of Russian hacking.
For example, University of Michigan’s Dr. Alex Halderman is advising the Green Party, and is considerably quoted recently about the possible attacks that could be made on election technology, especially on the “brains” of a voting system, the Election Management System (EMS) that “programs” all the voting machines, and collates their tallies, yet is really just some fairly basic desktop application software running on ancient MS Windows. Though sometimes complex to explain, Halderman and others are doing a good job explaining what is possible in terms of election-result-altering attacks.
In response to these explanations, several news articles note that DHS, DNI, and other government bodies take the view that it would be “extremely difficult” for nation state actors to carry out exploits of these vulnerabilities. I don’t doubt that DHS cyber-security experts would rank exploits of this kind (both effective and also successful in hiding themselves), as on the high end of the technical difficulty chart, out there with hacking Iranian uranium enrichment centrifuges.
Here’s the Problem: “extremely difficult” has nothing to do with how likely it is that critical election systems might or might not have been penetrated.
It is a completely different issue to compare the intrinsic difficulty level with the capabilities of specific attackers. We know full well that attacks of this kind, while high on technical difficulty, are totally feasible for a few nation state adversaries. It’s like noting that a particular class of technical Platform Diving has a high intrinsic difficulty level beyond the reach of most world class divers, but also noting that the Chinese team has multiple divers who are capable of performing those dives.
You can’t just say “extremely difficult” and completely fail to check whether one of those well known capable divers actually succeeded in an attempt — especially during a high stakes competition. And I think that all parties would agree that a U.S. Presidential election is pretty high stakes. So …
- 10 out of 10 points for security experts explaining what’s possible.
- 10 out of 10 points for DHS and others for assessing the possibilities as being extremely difficult to do.
- 10 out of 10 points for several news organizations reporting on these complex and scary issues; and
- 0 out of 10 points for news and media organizations concluding that because some attacks are difficult, they probably didn’t happen.
Personally, I don’t have any reason to believe such attacks occurred, but I’d hate to deter anybody from looking into it, as a result of confusing level of difficulty with level of probability.
— John Sebes
Accurate Election Results in Michigan and Wisconsin is Not a Partisan Issue
In the last few days, we’ve been getting several questions that are variations on:
Should there be recounts in Michigan in order to make sure that the election results are accurate?
For the word “accurate” people also use any of:
- “not hacked”
- “not subject to voting machine malfunction”
- “not the result of tampered voting machine”
- “not poorly operated voting machines” or
- “not falling apart unreliable voting machines”
The short answer to the question is:
Maybe a recount, but absolutely there should be an audit because audits can do nearly anything a recount can do.
Before explaining that key point, a nod to University of Michigan computer scientists pointing out why we don’t yet have full confidence in the election results in their State’s close presidential election, and possibly other States as well. A good summary is here and and even better explanation is here.
A Basic Democracy Issue, not Partisan
The not-at-all partisan or even political issue is election assurance – giving the public every assurance that the election results are the correct results, despite the fact that bug-prone computers and human error are part of the process. Today, we don’t know what we don’t know, in part because the current voting technology not only fails to meet the three (3) most basic technical security requirements, but really doesn’t support election assurance very well. And we need to solve that! (More on the solution below.)
A recount, however, is a political process and a legal process that’s hard to see as anything other than partisan. A recount can happen when one candidate or party looks for election assurance and does not find it. So it is really up to the legal process to determine whether to do a recount.
While that process plays out let’s focus instead on what’s needed to get the election assurance that we don’t have yet, whether it comes via a recount or from audits — and indeed, what can be done, right now.
Three Basic Steps
Leaving aside a future in which the basic technical security requirements can be met, right now, today, there is a plain pathway to election assurance of the recent election. This path has three basic steps that election officials can take.
- Standardized Uniform Election Audit Process
- State-Level Review of All Counties’ Audit Records
- State Public Release of All Counties Audit Records Once Finalized
The first step is the essential auditing process that should happen in every election in every county. Whether we are talking about the initial count, or a recount, it is essential that humans do the required cross-check of the computers’ work to detect and correct any malfunction, regardless of origin. That cross-check is a ballot-polling audit, where humans manually count a batch of paper ballots that the computers counted, to see if the human results and machine results match. It has to be a truly random sample, and it needs to be statistically significant, but even in the close election, it is far less work than a recount. And it works regardless of how a machine malfunction was caused, whether hacking, manipulation, software bugs, hardware glitches, or anything.
This first step should already have been taken by each county in Michigan, but at this point it is hard to be certain. Though less work than a recount, a routine ballot polling audit is still real work, and made harder by the current voting technology not aiding the process very well. (Did I mention we need to solve that?)
The second step should be a state-level review of all the records of the counties’ audits. The public needs assurance that every county did its audit correctly, and further, documented the process and its findings. If a county can’t produce detailed documentation and findings that pass muster at the State level, then alas the county will need to re-do the audit. The same would apply if the documentation turned up an error in the audit process, or a significant anomaly in a difference between the human count and the machine count.
That second step is not common everywhere, but the third step would be unusual but very beneficial and a model for the future: when a State is satisfied that all counties’ election results have been properly validated by ballot polling audit, the State elections body could publicly release all the records of all the counties’ audit process. Then anyone could independently come to the same conclusion as the State did, but especially election scientists, data scientists, and election tech experts. I know that Michigan has diligent and hardworking State election officials who are capable of doing all this, and indeed do much of it as part of the process toward the State election certification.
This Needs to Be Solved – and We Are
The fundamental objective for any election is public assurance in the result. And where the election technology is getting in the way of that happening, it needs to be replaced with something better. That’s what we’re working toward at the OSET Institute and through the TrustTheVote Project.
No one wants the next few years to be dogged by uncertainly about whether the right person is in the Oval Office or the Senate. That will be hard for this election because of the failing voting machines that were not designed for high assurance. But America must say never again, so that in two short years and four years from now, we have election infrastructure in place that was designed from ground-up and purpose-built to make it far easier for election officials to deliver election results and election assurance.
There are several matters to address:
- Meeting the three basic security requirements;
- Publicly demonstrating the absence of the vulnerabilities in current voting technology;
- Supporting evidenced-based audits that maximize confidence and minimize election officials’ efforts; and
- Making it easy to publish detailed data in standard formats, that enable anyone to drill down as far as needed to independently assess whether audits really did the job right.
All that and more!
The good news (in a shameless plug for our digital public works project) is that’s what we’re building in ElectOS. It is the first openly public and freely available set of election technology; an “operating system” of sorts for the next generation of voting systems, in the same way and Android is the basis for much of today’s mobile communication and computing.
— John Sebes