By Gregory Miller

Yet Another Report About Voter Fears & Voting System Integrity

Today, we learned of yet another blog post and a White Paper about voter “concerns” and sentiments regarding the trustworthiness of our existing election infrastructure.  This was led by a bit of a sensational headline:

“Democracy at Risk: More Than 15 Million Voters May Stay Home on Election Day Over Cyber-Security Doubts”

The sum and substance of their article is that the State of PA is the most vulnerable for an election hack.  Or as one respected Media outlet asked of us today, “Would you agree that Pennsylvania — given any number of aspects, including non-paper ballots —  is among the most vulnerable states to cyber-focused attacks?”
No.  Not so much.  Not even close, actually.
FACT: “PA is no more vulnerable to cyber-focused attacks than any other state relying heavily if not completely on digital voting machinery, namely DREs,” says John Sebes, CTO at the OSET Institute.  “Notwithstanding reports such as the CarbonBlack white paper, PA’s voting machines share the same technical security vulnerabilities as in other states, no more and no less.”
Let’s put a fine point on this:  If one believes there are State actors seeking to alter an election result by exploiting voting machine vulnerabilities — despite the fact there are lower-cost higher-impact attack opportunities on U.S. elections in general, including some already underway — then PA might be a more attractive target.  In other words, PA is not more vulnerable but potentially more attractive insofar as attempts on voting machines.  While we’re at it, a few more points worth making:
  • It’s really not just about PA.  Actually, FL, and VA, are also among potential swing states that have paperless voting machine vulnerabilities, and have potential Federal election margins that might be narrow enough for an undetected exploit to have a chance of being effective.
  • Although elections are at some risk from State sponsored adversaries, concern over possible “voting machine hacks” should not be the major concern of voters, and certainly not a reason to not vote.
  • The best way to make sure your ballot isn’t counted correctly, is to not cast one in the first place.
  • Voters with concerns over paperless DREs should consider their alternatives for voting on paper ballots in absentee, by-mail, early, and election-day voting.
Honestly, we’re not impressed with the nearly sensational approach Ben Johnson’s  blog post presents.  And while the paper makes some interesting observations (and is a slick presentation to be sure), we don’t believe CarbonBlack is a subject matter expert in elections technology and infrastructure.  But if they are, then they’re not being particularly intellectually honest in their assessment by singling out PA for convenience of making their point.
We take Ben’s point about the potential for people to stay at home; we’ve seen some similar numbers from equally unscientific polls regarding voter sentiment we’ve been involved with, but chose not to publish.  We’re working with some folks deeply experienced at polling, who believe more thorough polling would be required to vet this potential.  However, we agree that there does seem to be a rising sentiment.
This is one of the reasons election integrity professionals are walking a fine line publicly discussing it.
All that observed, the most important value in CarbonBlack’s blog post or any discussion about voter fears should be a wake-up call that more messaging is required to inform voters of the importance to get out and vote (and disregard the hype about rigging, legitimacy, or hacking concerns.)  That is, lest we experience a BREXIT of our own.
We note Mr. Johnson obtained his Masters in CS from Johns Hopkins in 2006, and he has some impressive credentials with some good experience (e.g., computer scientist for certain 3-letter Agencies).  We’d welcome a professional like Ben into the election integrity community.  For starters, our CTO has a professional colleague who is a Professor at Johns Hopkins, and truly one of the top election technology integrity experts in the nation if not globally.  Actually, we’d be surprised if Ben doesn’t know this Professor already.  Maybe we should (re)connect them.  Then perhaps, once embedded in the election integrity community, Ben’s writing will be a bit more conditioned on some internal realities.  For sure, we’d welcome CarbonBlack acquiring the domain expertise to contribute to the integrity and security mandates of this critical democracy infrastructure.  We’re just not sure this blog post or the accompanying White Paper serves the best interest of election integrity goals, where intellectual honesty, a lack of hyperbole, and straight talk are essential.
But then, if media coverage is the goal and publishing bait too delicious for the Media to pass on, then there is one more note of clarity deserving here.  CarbonBlack has just quietly filed for an IPO (Initial Public Offering), so brand awareness raising activity like this White Paper is normal.
Think about it from their PoV: “Let’s leverage all the “FUD” about this year’s election integrity and tie it together with our need for lots of media coverage to support our impending IPO road show.”  Sorry, a bit self-serving IOHO.  Apologies if this reads strongly, but add grains of salt accordingly.
BTW: we offered to chat with CarbonBlack about their paper.  Had that happened, we might have been able to help boost their credibility without this work looking so self-serving.  Their response to us on Twitter?  “Sure, send eMail to [email protected].”  Really? Directing us to your Media Relations team?  That flagged us to look into CarbonBlack a bit more, and that’s when we discovered the IPO filing news breaking today.
Look, even we are feeling trepidation about recent interviews and demos we’ve put together with NBC Nightly News, due to air soon.  It’s such a fine line between scaring off the vote, and yet having a vital conversation about how election integrity can be increased, while costs are decreased, and usability is improved.  To wit, we recently launched this video to start that delicate conversation, striking the right chord.
And no, we don’t single out any jurisdiction, let alone PA, a State doing the best it can (and a good job at that) to be as ready as possible.
Back to work here.

Announcing: Our Story in a New 2-Minute Video

It’s amazing what can happen when you bring in real talent.  Last year we brought in a new team member in social media, who proved her capabilities so fast that we promoted her to Director of Citizen Outreach.  We’ve known for over a year that the time was drawing near to figure out how to tell the TrustTheVote Project story to the public.  Specifically, sharing our mission with those other than elections professionals and government.  Meegan Gregg did it.  And it appears (to use a baseball term) to be a “Walk-off Home Run” or maybe a “drop the mic” result.

Today we’re launching our story, in a 2-minute video developed by a team led by Meegan.  It involved an enormously generous grant from XPLANE, the visual story-telling firm, and implemented by the talented production work of several supporting firms including, PingPongPop and Marmoset for voice-over and music; TalkBack for sound & video integration, and RoboToro for web engineering.

So, what’s the point; why the video, and why now?

Candidly, we need to engage the public’s interest and support for our Project.  Our operation needs the support of the people, because the TrustTheVote Project is by the people and for the people.  We’re building a 21st century “democracy operating system,” ElectOS to increase integrity, lower cost, improve voter experience, and maybe help turn-out.

The video is the best way to tell a story of a complex Silicon Valley project underway by some of the same folks who helped bring you products from Apple and the web browser from Netscape.  It connects citizens to a real and pressing problem that is consuming lots of media attention right now in this election cycle: our crumbling voting systems infrastructure.

Now, there is no need to panic: what’s in production now will make it through this election—despite one candidate suggesting there will be “rigging.”  But 43 States have to replace their machinery by 2020, which will be here before we know it.  And their choice is to replace their existing stuff with more of the same.  And that stuff is mostly built on 90’s personal computers.

But the time to address this problem and engage the public is now because this election cycle is upon us, and while we’ll make it through (although we fear there will be challenges and recounts), we the people can improve our own voting experience, increase confidence in elections and their outcomes, and trust the vote. Our civic duty and civil right to free and fair elections is the single most important liberty we have as American citizens.  This video explains how we, the people can with your support ensure that liberty is preserved in a time where election technology has become an under-funded disregarded backwater of government I.T.

So please have a look at our new story and tell us what you think!

A Response to POLITICO: Election Infrastructure as Critical Infrastructure

Below is a letter prepared by co-founders Gregory Miller and John Sebes sent to Tim Starks and Cory Bennett of POLITICO, who cover cyber-security issues.  A formatted version is here.  The signal-to-noise ratio on this subject is rapidly decreasing.  There seem to be some fundamental misunderstandings of the challenges local election officials (LEOs) face; the process by which the equipment is qualified for deployment (albeit decrepit archaic technology by today’s standards); what the vulnerabilities are (and are not); and why a designation of “critical infrastructure” is an important consideration.  We attempt to address some of those points in this response to Tim’s otherwise really good coverage.

Tim Starks
[email protected]
Morning Cybersecurity Column
1000 Wilson Blvd, 8th Floor,
Arlington, VA, 22209

RE:      11.August Article on Whether to Designate Election Infrastructure as Critical Infrastructure

Greetings Tim

I am a co-founder of the OSET Foundation, a 501.c.3 nonprofit election technology research institute in the Silicon Valley.  I’m writing in response to your article this week in Morning Cybersecurity:

Maybe classifying the election system as part of the nation’s “critical infrastructure” isn’t so wise.

We’ve been on a public benefit mission to innovate electoral technology since 2006.  We’re a group of tech-sector social entrepreneurs bringing years of experience from our former employers like Apple, Facebook, Mozilla, Netscape, and elsewhere to bear on innovating America’s “critical democracy infrastructure” —a term we coined nearly a decade ago.

We’re working with elections officials across the country to develop a publicly owned democracy operating system called ElectOS™ in order to update and upgrade America’s voting systems with innovations that will increase integrity and improve participation for 1/3rd the cost of today’s aging systems.  ElectOS will innovate voting machinery the way Android® has innovated smart phones and mobile devices.  Both are freely available (or “open source”), and like Android, we believe ElectOS will one day enjoy a flourishing commercial market to sustain its continued innovation, deployment, and support.

We’ve been studying the challenges of election administration infrastructure for a decade.  So, we read with great interest your article regarding another viewpoint about making a critical infrastructure designation for our nation’s deteriorating, obsolete, and vulnerable voting infrastructure.  There are elements of your article we agree with (and more specifically comments of Cris Thomas), and there are points that we disagree with because they reveal some misunderstanding of the realities of election administration and the processes of managing the machinery today.  Thus, we were compelled to write you and share these clarifications.

We hope our comments are helpful going forward as you continue to cover this important topic, especially in light of the current election season and the delicate issues being raised by at least one candidate and other media.  Good on you for covering this. Below please find our (hopefully helpful) contributions to your effort.  Relevant portions of your article appear indented in blue.

In recent days, a growing chorus of experts and policy makers have backed a proposal to give elections the same level of federal security protections that the government already grants other so-called critical infrastructure, such as the power grid or financial industry.

First, we believe it’s important to be very clear on what elections infrastructure are we talking about?  We should be discussing voting technology operated by Local Election Officials (“LEOs”), and not web sites and eMail servers run by political NGOs.

Sure, the recent attacks on NGOs are a wake-up call for a variety of potential attacks on real Election Infrastructure (“EI”) and peripheral targets.  But the Critical Infrastructure (“CI”) designation should be for core EI; that is, voting machines and the election administration software and systems that manage voting machinery.

But an old school hacker who was part of the L0pht collective says such a change might do more harm than good.  “Classifying voting computers as critical infrastructure is going to cause a lot of headaches at the local level,” Cris Thomas, aka “Space Rogue,” tells MC [MC = “POLITICO Morning Cybersecurity”].

Critical Election Infrastructure (“CEI”) is not very different than other locally managed CI.  Not all CI is big corporate IT like financial transaction processing systems, or government-operated systems like the ATC, or quasi-public technology like the power grid operated by a variety of organizations, but subject to many government regulations.  By contrast, we already have CI that is local, including local government operated.  For example, there are small local water utilities and municipal water treatment organizations.  Local first responders’ infrastructure is CI as well.  So, there is plenty of precedent for giving a CI designation to locally managed assets.

Because elections, even national elections, have been historically treated as a local event; having a federal designation as critical infrastructure will fundamentally change how we have handled our elections for the last 240 years.

CEI designation will not cause a fundamental change in the current situation where U.S. elections are a local matter.  Mr. Thomas is mistaken on this one point.  Local election organizations will have the same responsibilities, plus some new ones for managing CI.  But a county election administrator will still manage elections the day after or even the year after a critical infrastructure designation.  That cannot, should not, and will not change.

Thomas, now a strategist at Tenable Network Security, says the idea misses the point: We need to remain focused on the security concerns of the current system, which fall into two areas. First, many manufacturers are not testing the systems well enough before selling them to municipalities, often using off-the-shelf hardware and software with minimal security and using things like default, hard-coded passwords.

Of course, the existing voting machines have technical security issues—and at the risk of reading like we’re overly defending vendors, what computing system has none?  And of course, it’s also true that a CI designation won’t change these products’ default security posture.

at the same time, the local government certification agencies seldom have the time, resources and knowledge to properly test these computers for vulnerabilities, …

The same is true regarding certification process, although Mr. Thomas is mistaken about that process itself.  There are not “local certification agencies,” but rather Federal and State organizations that certify the systems local (county) election jurisdictions are authorized to use. Nevertheless a CI designation will not increase the rigor of the certification process, and it won’t increase the capability of LEOs to do technical scrutiny of their own.

and often just accept a manufacturer’s claims of security.

We must also take exception on Mr. Thomas’s last comment.  The idea that certification sometimes amounts to “just accepting vendor security claims” cannot be, and is not, the case.  Although the current certification process isn’t as strong as we’d like, and though nearly all stakeholders want improvement, there are already clear requirements for vendors to demonstrate compliance with security related requirements.  On the other hand, misleading vendor claims about security can sway LEOs when selecting a certified system (and the choices are down to three vendors).

[T]he result is a system that our entire democracy depends on, which is run with minimal, easily bypassed security.

Sure, but it’s a mistake to focus solely on technical security problems of voting machines, particularly since these systems are not going to be replaced with better technology immediately upon a CI designation.  In the near term, the impact of CEI will be more on people and process, and less on technology itself.  LEOs will need help to build organizational capacity and expertise to manage physical assets as critical infrastructure, with physical security, personnel security, increased operational security processes, and the ability to demonstrate that a variety of kinds of people and process controls are actually being followed rather than merely mandated.

So, improvements in the human aspects and processes are the immediate value of a Critical Election Infrastructure designation.  Such a designation would need to clearly state that our local election officials (LEOs) are custodians of not just critical infrastructure, but infrastructure that is critical to our national security.

That’s never been a responsibility for LEOs, and many LEOs will be dismayed that they will be called upon to operate in ways that they never imagined would be important.  It will require long-term capacity building.  In the short term, there are many improvements in people and process that are possible, although unlikely unless there is a high sense of urgency and importance.  The designation of election infrastructure as critical infrastructure, however, can help create and maintain that urgency.

A better approach, Thomas says, is to increase funding for the National Voluntary Laboratory Accreditation Program run by NIST and the U.S. Election Assistance Commission.

We agree in principle, but this is not mutually exclusive with Critical Infrastructure.  Clearly, there is room for improvement, and NIST and EAC have important roles.  With Critical Election Infrastructure, their roles would need to enlarge, but reasonably so.

We also agree that more funding for these organizations’ election integrity efforts is necessary, but doing so is not an either / or decision in consideration of other aspects of CEI.  If Election Infrastructure is truly “critical” then several things must occur, including, but not limited to the additional support for NIST and EAC that Mr. Thomas is encouraging.

Here are three examples of improvement that a Critical Election Infrastructure designation would enable —though additional funding and expertise would be required.

  1. Do not connect anything relating to ballots, counting, voter check-in, etc. to the Internet, ever—and in many cases no local wireless networking should be allowed.  With CEI, using an Internet connection is no longer a convenience or shortcut in the grey area of safety—it’s a possible vulnerability with national security implications.
  2. Physically secure the election back-office systems.  The typical election management system (EMS) is a nearly decade old Microsoft Windows based application running on Personal Computers no longer manufactured, that are as easy to break into (“black hack”) as any ordinary PC.  Yet, they are the brains of the voting system, and “program” the voting machines for each election.  So put them in locked rooms, with physical access controls to ensure that only authorized people ever touch them, and never one person alone.
  3. Perform physical chain of custody really well (i.e., for machines, paper ballots, poll books, precinct operations logs, —everything), with measurable compliance, and transparency on those measurements.  It’s just not reasonable to expect LEO Operations to do excellent physical chain of custody routinely everywhere, if these physical assets are not classed as CI.  They’re not funded or trained to operate physical security at a CI level.  So, there is plenty of room for improvement here, including new responsibility, resources, training, and accountability.  All of this may be low hanging fruit for improvement (not perfection) in the near term, but only if the mandate of CEI is made.

We hope this is helpful.  We’re glad to discuss issues of election integrity, security, and innovation whenever you want.  The co-founders have been in the technology sector for three decades.  Both have worked on critical infrastructure initiatives for the government.  The OSET CTO, John Sebes has been in digital security for over 30-years and is deeply experienced with the policy, protocols, and tools of systems and facilities security.  Our Advisory Board includes former US CTO Aneesh Chopra, digital security expert and CSO of, Dr. Taher Elgamal, global expert on elections systems integrity, Dr. Joe Kiniry, DHS Cyber-Security Directorate Dr. Douglas Maughan, and several former state election officials.


Gregory A. Miller
Co-Founder & Chief Development Officer

Showtime: OSET/TrustTheVote Project Appearing at DNC Convention Strategic Forum Event

(This is a x-post from Ms. Voting Matters’ announcement on the OSET Institute’s corporate site.)

We are totally excited about an amazing opportunity tomorrow, Tuesday July 26th, to appear at an event as part of the Democrat National Convention.

The only thing that would make this truly complete is if the Republican National Convention had also invited us (we asked, and although we’re pleased to be working with several in the RNC infrastructure, making something happen was not possible.)

But the New Democrat Network (NDN) and the New Policy Institute did reach out to us and invited us to their premier Strategy Forum now being held at its 4th Democrat National Convention.  So, we’re focused on presenting to an audience estimated to exceed 1,000 per latest projections based on RSVPs as of yesterday (over 900).  This is truly an amazing opportunity for us to spread the story of our work and we’re deeply appreciative of the NDN’s invitation.

The event, “Looking Ahead: Talks on the Future of America and American Politics” is bringing together a collection of amazing thought-leaders on the future and innovation of democracy including experts such as Ari Berman, Alec Ross, Joel Gamble, Jose Antonio Vargas, and others.

The title of our presentation is: “Modernizing Our Election Technology Can Make Our Democracy Better.”

This will not be telecast, although we’re still waiting word about a webcast, video stream, or recording of the sessions.  We’ll update this as soon as we know.

However, part of our presentation will be the launch of a new 2 minute video vignette about the looming problem of obsolete voting machinery and our approach to help bring about innovation which will increase integrity, lower costs, improve participation, and rejuvenate a flagging industry with new technology to innovate the business of delivering finished voting systems. That video will be available on YouTube tomorrow afternoon, and we will add a comment to this post and update it accordingly.

OSET’s Director Citizen Outreach, Meegan Gregg, and the Foundation’s Co-Founder, Gregory Miller will deliver this “Ted-Talk” -like presentation at 12:20pm EDT at the Convention Center in Philadelphia.  It should be a great time and a huge (oops) opportunity.

Another Laudable Online Voting Architecture Concept But…

Recently, we were asked about a concept authored by a former technology executive at Citrix (yes, those folks) back in 2012 regarding a potential end to end secure voting system.  But that was actually part of a larger question: whether and to what extent digital security must now live beneath the operating system software layer rather than on top of it.  The author’s ideas for an online voting system are laudable and his credentials are credible. His follow-on article last year (2015) is interesting, and more to the point of hardware-level security alluded to in the first article.  I offer a couple of comments below including some points by our CTO on this approach because it is something baked into ElectOS.

First, we agree that a hardware root of trust is an essential ingredient for any trustworthy computing device running mission critical software.  The author, Ahmed Sallam (now CEO at DeepSAFE Technology) rightly points that out, but we doubt that Citrix has an existing product that can safely run an Internet Voting client.  We’d love to be proven wrong on that, but it does not change the fact that the core problem is one of successfully combining many ingredients.  This is one of the well known ingredients.

There is, from my perspective a well-developed and detailed technical white paper providing a worked example of a hardware root of trust from Apple for its iOS mobile operating system.  This hardware rooted security layer has allowed Apple to develop Apple Pay and their biometric authentication management system (you can see a very good overview video here (may require Safari Browser to watch) of how it works).  For those wishing to dive deeper, here is the NIST Draft Guidelines for Hardware Rooted Security in Mobile Devices.

At a deeper level of detail, our CTO (John Sebes) agrees with the technical architecture for the server side, but he believes that for the client side, Ahmed’s approach is a bit of overkill.  As John observes, “If I understand it right, the Sallam model seeks to allow trusted and un-trusted code to run on a device, with a full operating system and all.”

So, the client architecture that John and the TrustTheVote Project have been advocating from the beginning, starts with a consumer device that has a hardware root of trust and a hypervisor that can validate a boot image as coming from a trustworthy source. John reports that we nearly have that today.  And it has to have the ability to do both:

  • a normal local boot into a full service mobile device OS to work as a phone browser, etc.; and
  • a boot from an external physical device with the boot image for something else.

One such “something else” will probably be a banking App, but the one we’re interested in is a Voting (ballot casting) App — with a single purpose: it runs only that one App and the SW stack under it, immune to malware, etc.  That’s not even that hard, but there are interesting PKI (Public Key Infrastructure) issues for ensuring that a given voting App is the real {authentic | authorized} voting App, and performing strong authentication of the user-voter, etc.
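The {authentic | authorized} distinction above can be made concrete with a small validator. This is an added example, not TrustTheVote or ElectOS code: the types, function names, purpose strings and the choice of Ed25519 are assumptions made here, and a two-level key delegation stands in for a real certificate chain. Strong authentication of the voter is out of scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

var ErrNotAuthentic = errors.New("not authentic: signatures do not chain to the root key")
var ErrNotAuthorized = errors.New("not authorized: signer not delegated for this purpose now")

// Delegation stands in for a certificate: root vouches for SignerKey, for one Purpose, until NotAfter.
type Delegation struct {
	SignerKey ed25519.PublicKey
	Purpose   string
	NotAfter  time.Time
	RootSig   []byte
}

// BootImage is what the external boot device presents to the validator.
type BootImage struct {
	Payload  []byte
	Purpose  string
	ImageSig []byte
	Deleg    Delegation
}

func delegMsg(d Delegation) []byte {
	head := "deleg-v1|" + d.Purpose + "|" + d.NotAfter.UTC().Format(time.RFC3339) + "|"
	return append([]byte(head), d.SignerKey...)
}
func imageMsg(purpose string, payload []byte) []byte {
	sum := sha256.Sum256(payload) // sign the digest, bound to the purpose
	return append([]byte("image-v1|"+purpose+"|"), sum[:]...)
}

// KeyFromLabel derives a fixed key pair from a label (constructed keys, for a repeatable demo only).
func KeyFromLabel(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func Issue(root ed25519.PrivateKey, signer ed25519.PublicKey, purpose string, notAfter time.Time) Delegation {
	d := Delegation{SignerKey: signer, Purpose: purpose, NotAfter: notAfter}
	d.RootSig = ed25519.Sign(root, delegMsg(d))
	return d
}
func SignImage(signer ed25519.PrivateKey, d Delegation, purpose string, payload []byte) BootImage {
	sig := ed25519.Sign(signer, imageMsg(purpose, payload))
	return BootImage{Payload: payload, Purpose: purpose, ImageSig: sig, Deleg: d}
}

// ValidateBoot runs before control passes to an external image; root is the key anchored in hardware.
func ValidateBoot(root ed25519.PublicKey, img BootImage, want string, now time.Time) error {
	d := img.Deleg
	// Authentic: root signed the delegation and the delegated key signed this image.
	if len(d.SignerKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(root, delegMsg(d), d.RootSig) ||
		!ed25519.Verify(d.SignerKey, imageMsg(img.Purpose, img.Payload), img.ImageSig) {
		return ErrNotAuthentic
	}
	// Authorized: the delegation covers the purpose being booted and has not expired.
	if d.Purpose != want || img.Purpose != want || now.After(d.NotAfter) {
		return ErrNotAuthorized
	}
	return nil
}

func main() {
	now := time.Date(2016, 11, 8, 12, 0, 0, 0, time.UTC) // constructed clock value
	rootPub, rootPriv := KeyFromLabel("constructed root key")
	votePub, votePriv := KeyFromLabel("constructed voting signer")
	bankPub, bankPriv := KeyFromLabel("constructed banking signer")
	voteD := Issue(rootPriv, votePub, "voting", now.Add(24*time.Hour))
	bankD := Issue(rootPriv, bankPub, "banking", now.Add(24*time.Hour))
	good := SignImage(votePriv, voteD, "voting", []byte("ballot-casting image"))
	wrong := SignImage(bankPriv, bankD, "voting", []byte("ballot-casting image"))
	fmt.Println("voting signer: ", ValidateBoot(rootPub, good, "voting", now))
	fmt.Println("banking signer:", ValidateBoot(rootPub, wrong, "voting", now))
}
```

The second case is the one the paragraph is pointing at: every signature on the image verifies back to the root, yet the signer was only ever delegated for a different App, so the image is authentic without being authorized.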

Now for the “But…” part of this.  Fundamentally, we agree with Ahmed’s vision and concept; however, Citrix will be a potential player in the iVoting technology arena if and only if it is a major player in the mobile computing technology ecosystem.  From what we can tell, Citrix is moving in that direction.

So to summarize, at the end of the day,

  1. Do we believe Citrix has a solution for iVoting? No.
  2. Do we believe the author of both articles referenced here, Ahmed Sallam (now since departed from Citrix and CEO of DeepSAFE) has a credible vision and concept for online voting? Yes.
  3. Do we believe that concept is complete in terms of what we understand about the totality of the problem? No.
  4. Will the hardware root of trust (hardware layer security below the operating system), such as the elegant model embodied in iOS and articulated by the NIST Guidelines be a key ingredient going forward? Yes.
  5. Are we (anyone) there yet for a voting App/system? No.