Recounts, Russian Hackers, and Misunderstood Claims

There’s a lot of news media about the Green Party’s push for recounts. Some is accurate, some is wildly alarmist, but most of what I’ve read misses a really key point that you need to understand, in order to make up your own mind about these issues, especially claims of Russian hacking.

For example, University of Michigan’s Dr. Alex Halderman is advising the Green Party, and is considerably quoted recently about the possible attacks that could be made on election technology, especially on the “brains” of a voting system, the Election Management System (EMS) that “programs” all the voting machines, and collates their tallies, yet is really just some fairly basic desktop application software running on ancient MS Windows. Though sometimes complex to explain, Halderman and others are doing a good job explaining what is possible in terms of election-result-altering attacks.

In response to these explanations, several news articles note that DHS, DNI, and other government bodies take the view that it would be “extremely difficult” for nation state actors to carry out exploits of these vulnerabilities. I don’t doubt that DHS cyber-security experts would rank exploits of this kind (both effective and also successful in hiding themselves), as on the high end of the technical difficulty chart, out there with hacking Iranian uranium enrichment centrifuges.

Here’s the Problem: “extremely difficult” has nothing to do with how likely it is that critical election systems might or might not have been penetrated.

It is a completely different issue to compare the intrinsic difficulty level with the capabilities of specific attackers. We know full well that attacks of this kind, while high on technical difficulty, are totally feasible for a few nation state adversaries. It’s like noting that a particular class of technical Platform Diving has a high intrinsic difficulty level beyond the reach of most world class divers, but also noting that the Chinese team has multiple divers who are capable of performing those dives.

You can’t just say “extremely difficult” and completely fail to check whether one of those well known capable divers actually succeeded in an attempt — especially during a high stakes competition. And I think that all parties would agree that a U.S. Presidential election is pretty high stakes. So …

  • 10 out of 10 points for security experts explaining what’s possible.
  • 10 out of 10 points for DHS and others for assessing the possibilities as being extremely difficult to do.
  • 10 out of 10 points for several news organizations reporting on these complex and scary issues; and
  • 0 out of 10 points for news and media organizations concluding that because some attacks are difficult, they probably didn’t happen.

Personally, I don’t have any reason to believe such attacks occurred, but I’d hate to deter anybody from looking into it, as a result of confusing level of difficulty with level of probability.

— John Sebes

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

SITEWIDE SEARCH