Tagged security

The Real Crisis of US Election Security

With the United States midterm elections coming soon, US election systems are already under attack, via false or misleading stories on social media (disinformation attacks). These systems are also vulnerable to more serious subversion attacks, where digital components are targeted and compromised to alter or manipulate the actual casting of ballots and tabulation of results. How did the US reach this crisis point, where this critical infrastructure is now so vulnerable? Is there any way to remedy this threat to the most fundamental building block of a healthy democracy, a secure and reliable voting system?


Voter registration problems in Maryland signal larger vulnerabilities for upcoming elections

Voter registration data lost in Maryland

This Monday, state officials in Maryland acknowledged that problems with their “motor voter” systems are more significant than originally described:

[A]s many as 80,000 voters — nearly quadruple the original estimate — will have to file provisional ballots Tuesday because the state Motor Vehicle Administration failed to transmit updated voter information to the state Board of Elections.

— Up to 80,000 Maryland voters will have to file provisional ballots, state says (Washington Post, 6/25/18)

This announcement, made only hours before the polls opened for Maryland’s Tuesday primary, will mean more than just a minor inconvenience for the tens of thousands of voters affected. Sen. Joan Carter Conway (D-Baltimore City), chairwoman of the Senate Education, Health and Environment Committee, said that this situation will “confuse voters, suppress turnout, and disenfranchise thousands of Marylanders.”

Yet the significance of this programming error is broader still. Sen. Richard S. Madaleno Jr. (D-Montgomery), who is also running for governor of Maryland, called the incorrect registration of thousands of voters a “catastrophic failure.” In his statement, he continued, “The chaos being created by this failure subjects real harm to our most cherished democratic values.”

Is this election season hyperbole? Not at all, says John Sebes, Chief Technology Officer of the OSET Institute (the organization that runs the Trust The Vote project). In his recent article, Maryland Voter Registration Glitch: A Teachable Snafu, Mr. Sebes identifies the wide-ranging problems that will follow from these kinds of disruptions at a larger scale:

If a foreign adversary can use cyber-operations to maliciously create a similar situation at large scale, then they can be sure of preventing many voters from casting a ballot. With that disruption, the adversary can fuel information operations to discredit the election because of the large number of voters obstructed.

— John Sebes, OSET Institute

It is, in fact, the credibility of the entire election itself that is at stake. These kinds of technical problems don’t need to be the result of nefarious interference in the election process. Mr. Sebes continues,

The alleged system failure (hack, glitch, or whatever) doesn’t even need to be true! If this accidental glitch had occurred a couple of days before the November election, and came on the heels of considerable conversation and media coverage about election hacking, rigging, or tampering then it would be an ideal opportunity for a claimed cyber-attack as the cause, with adversaries owning the disruptive effects and using information operations to the same effect as if it were an actual attack.

— Maryland Voter Registration Glitch: A Teachable Snafu by John Sebes

Maryland is clearly vulnerable to this kind of attack on the credibility of their electoral process. Already, some are sounding the alarm that these voter registration problems weren’t identified quickly — plus, there’s no way to verify the process itself:

Damon Effingham, acting director of the Maryland chapter of Common Cause, said it was “preposterous” that it took MVA officials four days to figure out the extent of the problem and that there is no system to ensure that its system is working properly.

— Up to 80,000 Maryland voters will have to file provisional ballots, state says (Washington Post, 6/25/18)

What’s the solution?

John Sebes and the Trust The Vote project have spent years developing open source election software and systems to address these issues. But that alone isn’t sufficient. Mr. Sebes identifies the steps that election officials can take now to prevent the kind of problems that Maryland is experiencing this week:

  • “It’s partly a technology effort to re-engineer election systems to be less fragile from errors and less vulnerable to attack.”
  • “How to ensure the correctness and integrity of poll books[?] … that depends on emerging open data standards and the question of certification of poll books.”
  • “Given the great importance of public credibility … election officials must also plan for proactive public communication.”

Mr. Sebes concludes:

The Maryland glitch is not so much about failed integration of disparate data systems, but much more about unintentional catalyzing of opportunities to mount “credibility attacks” on elections and the need for a different kind of preparation.

Read the full article, Maryland Voter Registration Glitch: A Teachable Snafu by John Sebes, on the OSET Institute website.

The OSET Institute runs the TrustTheVote Project, a real alternative to nearly obsolete, proprietary voting technology. TrustTheVote is building an open, adaptable, flexible, full-featured and innovative elections operating system called ElectOS. It supports all aspects of elections administration and voting including creating, marking, casting, and counting ballots, as well as managing all back-office functions. Check out this overview of the TrustTheVote Project to learn more. If you’re involved in the election process, as an election official, or an academic or researcher, join the TrustTheVote Project as a stakeholder to help develop and deploy open, secure, reliable, and credible election technologies. If you’re concerned about the health of our election systems, you can donate or volunteer. If you have any questions about the TrustTheVote Project, contact us today.

Kudos to EAC for Exploring Critical Nature of Election Infrastructure

Kudos to EAC for this week’s public Hearing on election infrastructure as critical infrastructure! After the 2016 election cycle, I think that there is very little disagreement that election infrastructure (EI) is critical, in the sense of: vital, super-important, a matter of national security, etc. But this hearing is a bit of a turning point. I’ll explain why in terms of: discussion before the hearing, then the aftermath, and then I will make my one most important point about action going forward. I’ll close with specific recommended steps forward.

Prior Negativity

Prior to this hearing, I heard and read a lot of negativity about the idea that EI is “critical infrastructure” (CI) in the specific sense of homeland security policy. Yes, late last year, DHS did designate EI as CI, specifically as a sub-sector of the existing CI sector for government systems. And that caused alarm and the negativity I referred to, ranging from honest policy disagreement (what are the public policy ramifications of designation) to par-for-the-course political rhetoric (unprecedented Federal takeover of elections as states’ rights, etc.), and just plain “fake news” (DHS hackers breaking Federal laws to infiltrate state-managed election systems).

The fracas has been painful to me especially, as someone with years of experience in the disparate areas of cyber-security technology (since the ‘80s), critical infrastructure policy and practice (since before 9/11), DHS cyber-security research (nearly since its inception), and election technology (merely the last decade or so).

Turning Point in Dialog

That’s why the dialogue, during the EAC hearing, and the reflections in online discussion since, have been so encouraging. I hear fewer competing monologues and more dialogue about what EI=CI means, what official designation actually does, and how it can or can’t help us as a community respond to the threat environment. The response includes a truly essential and fundamental shift to creating, delivering, and operating EI as critical national assets like the power grid, local water and other public utilities, air traffic control, financial transaction networks, and so on. Being so uplifted by the change in tenor, I’ll drop a little concept here to blow up some of this new dialogue:

Official CI designation is irrelevant to the way forward.

The way forward has essential steps that were possible before the official designation, and that remain possible if the designation is rescinded. These steps are urgent. Fussing over official designation is a distraction from the work at hand, and it needs to stop. EAC’s hearing was a good first step. My blog today is my little contribution to dialog about next steps.

Outlining the Way Forward

To those who haven’t been marinating in cyber CI for years, it may be odd to say that this official announcement of criticality is actually a no-op, especially given its news coverage. But thanks to changes in cyber-security law and policy over the years, the essential first steps no longer require official designation. There may be benefits over the longer term, but the immediate tasks can and should be done now, without concern for Federal policy wonkery.

Here is a short and incomplete list of essential tasks, each of which I admit deserves loads more unpacking and explaining to non-CI-dweeb people than I can possibly do in a blog. But regardless of DHS policy, and definitely in light of the 2016 election disruption experience, the EI community can and should:

  • Start the formation of one or more of the information-sharing communities (like ISAOs or similar) that are the bread and butter of other CI sectors.
  • If needed, take voluntary action to get DoJ and DHS assistance in the legal side of such formation.
  • Use the information sharing organizations to privately share and discuss what really happened in 2016 to prepare, detect, and respond to attacks on EI.
  • Likewise use the organizations to jointly consider available assistance, and to assess:
    • the range of types of CI related assistance that are available to election officials – both cyber and otherwise;
    • the costs and benefits of using them; and
    • for those participants who have already used, or choose to voluntarily use, that assistance (from DHS or elsewhere), what they learned, to inform all EI/CI operators who choose to participate.
  • Begin to form sector-specific CI guidelines specifically about changes required to operate EI assets as CI.

And all that is just to get started, to enable several further steps, including: informing the election tech market of what it needs to respond to; helping the thousands of local election offices to begin to learn how their responsibilities evolve during the transformation of EI into truly a part of CI in practice.

— EJS

The Freeze Factor – Dismantling Federal Assistance to U.S. Elections

“Frozen” is my key word for what happens to the voting system certification process after EAC is dismantled. And in this case, frozen can be really harmful. Indeed, as I will explain, we’ve already seen how harmful.

Last time I wrote in this series on the EAC being dismantled (see the first and second posts), I said that EAC’s certification function is more important than ever. To re-cap:

  • Certification is the standards, requirements, testing, and seal-of-approval process by which local election officials gain access to new election tech.
  • The testing is more important than ever, because of the lessons learned in 2016:
    1. The next gen of election technology needs to be not only safe and effective, but also …
    2. … must be robust against whole new categories of national security threats, which the voting public only became broadly aware of in late 2016.

Today it’s time to explain just how ugly it could get if the EAC’s certification function gets derailed. Frozen is that starting point, because frozen is exactly where EAC certification has been for over a decade, and as a result, voting system certification is simply not working. That sounds harsh, so let me first explain the critical distinction between standards and process, and then give credit where credit is due for the hardworking EAC folks doing the certification process.

  • Standards comprise the critical part of the voting system certification program. Standards define what a voting system is required to do. They define a test lab’s job for determining whether a voting system meets these requirements.
  • Process is the other part of the voting system certification program, composed of the set of activities that the players – mainly a voting system vendor, a test lab, and the EAC – must collectively step through to get to the Federal “seal of approval” that is the starting point for state election officials to make their decisions about which voting systems to allow in their state.

Years worth of EAC efforts have improved the process a great deal. But by contrast, the standards and requirements have been frozen for over a decade. During that time, here is what we got in the voting systems that passed the then-current and still-current certification program:

Black-box systems that election officials can’t validate, for voting that voters can’t verify, with software that despite passing testing, later turned out to have major security and reliability problems.

That’s what I mean by a certification program that didn’t work, based solely on today’s outcome – election tech that isn’t up to today’s job, as we now understand the job to be, post-2016. We are still stuck with the standards and requirements of the process that did not and does not work. While today’s voting systems vary a bit in terms of verifiability and insecurity, what’s described above is the least common denominator that the current certification program has allowed to get to market.

Wow! Maybe that actually is a good reason to dismantle the EAC – it was supposed to foster voting technology quality, and it didn’t work. Strange as it may sound, that assessment is actually backwards. The root problem is that as a Federal agency, the EAC had been frozen itself. It got thawed relatively recently, and has been taking steps to modernize the voting systems standards and certification. In other words, just when the EAC has thawed out and is starting to re-vitalize voting system standards and certification, it is getting dismantled – that at a time when we just recently understood how vulnerable our election systems are.

To understand the significance of what I am claiming here, I will have to be much more specific in my next segment, about the characteristics of the certification that didn’t work, how the fix started over a decade ago, got frozen, and has been thawing. When we understand the transformational value of the thaw, we can better understand what we need in terms of a quality program for voting systems, and how we might get to such a quality program if the EAC is dismantled.

— EJS

Dismantling Federal Assistance to US Elections — Good, Bad, or Ugly?

The U.S. Congress is in the process of dismantling the Federal agency that provides assistance to the local election offices that run all U.S. elections, and to the states that oversee them. That is the U.S. Election Assistance Commission (EAC), a small agency that’s not well understood by a great many people — including several who have been asking me, and other election technology experts, whether dismantling it is wise, and what the effects will be.

I aim to answer all those questions, but in multiple short segments, of which this is the first. I want to first lay out some of the issues that people need in order to decide for themselves whether it is a good or bad idea, or whether there are consequences that could be ugly. Then in other segments, I’ll get to some of the functions of the EAC that will be missed when it is gone, and the consequences of the gaps created by EAC’s exit.

Original Mission: Accomplished?

How you might think about dismantling the EAC is of course largely driven by what you think its function and value is. One of its original functions was part of a critical response to the hanging-chad-filled election dysfunction of the 2000 election — a good chunk of Federal funding to help states replace flawed voting systems with ones that didn’t depend on inconsistent human interpretation of ballots (think of those photos of Florida election officials squinting at punch ballots to see exactly how the chad was hanging). A major function for EAC was to manage the disbursement of funds to states for eligible projects including but not limited to voting system replacement.

That’s one reason why it might be good to dismantle EAC with a “mission accomplished” status: those funds are long gone, and the post-2000 voting replacement is finished. But what about EAC’s other election assistance activities? To be sure, states and localities are getting some ongoing support in terms of election management resources, research and data, and a small batch of ongoing grant money to disburse. But is it vital? How much value is really being delivered to EAC beneficiaries in state and local government? Clearly, some in Congress and elsewhere don’t think that the ongoing value is high, and most of the value desired by the original Help America Vote Act (HAVA), that created EAC, has already been delivered.

Mission Evolved

As a result, I think that it’s not a bad idea, and not even ugly, if you consider the value of the EAC in the original context of HAVA and EAC’s original mission. But that was well over a decade ago and a lot has changed. In following segments, I want to highlight some of the functions of the EAC that have evolved over time, and have become very important — indeed visibly very important in the last year. That change over time, the public visibility, means that a couple of odd corners of EAC’s original mission might be quite important indeed. And, as EAC is being dismantled, there are important questions about how states and localities might or might not be able to pick up the slack in these important areas.

Here’s a teaser for those changes. Just in the last year, the public at large has learned what election experts have known for a while: the current voting systems (mostly paid for by HAVA) turned out not to be as wonderful as hoped, are wearing out, needing replacement, and were not and are not designed to be robust against manipulation by state-sponsored adversaries. In short, we now know that U.S. elections are a target, a national security risk, and they run on antique insecure technology.

What’s EAC’s connection with that? More next time.

— EJS

From DHS Symposium — The Three Basic Requirements for Voting System Security

In a recent posting, I noted that despite current voting systems’ basic flaws, it is still possible to do more to provide the public with details that can provide peace of mind that close contests’ results are not invalid due to technology related problems. Now I should explain what I meant by basic security flaws, especially since that was the topic of a panel I was part of recently, a group of security and/or election professionals addressing a DHS meeting on security tech transfer.

We agreed on three basic security and integrity requirements that are not met by any existing product:

  1. Fixed-function: each machine should run only one fixed set of software that passed accredited testing and government certification.
  2. Replace not modify: that fixed software set should not be able to be modified, and can be updated only by being replaced with another certified system.
  3. Validation: all critical components of these systems are required to support election officials’ ability to validate a machine before each election, to ensure that it remains in exactly the same certified configuration as before.

These critical properties are absent today, because of a basic decision made by vendors years ago, to quickly bring new voting technology to market by basing it on ordinary turn of the century PC technology that was, and remains in today’s market, fundamentally unable to support fixed function systems inherently capable of validation. All voting systems today lack these basic properties, and without them, all other security requirements are largely irrelevant — and compliance with current certification requirements is impossible.

Crazy, eh? Then add to that:

  • the remarks of panelist and voting system security expert Matt Bishop of UC Davis on the many software-level security functional problems encountered in reviews of voting systems, problems found despite the official federal testing and certification process intended to find them; and
  • Virginia’s Election Commissioner Edgardo Cortez’s examples of system-level security issues found in their review of a voting system that was subsequently banned for use in VA. A few minds were blown in the audience.

The Consensus and One More Thing

The consensus at this DHS event, for both panel and audience, was that any future voting system that is worth having should be validated by a future testing and certification process that, among other goals, specifically requires the architecture-level security requirements that I outlined, and focuses on the types of issues Cortez and Bishop described – and one more thing that’s important for completely different reasons.

That one more thing: future voting systems need to be designed from scratch for ease of use by election officials, so that they don’t have to take today’s extraordinary measures, with so much human-level effort and human-error-prone work, needed to operate these systems with reasonable security that can be demonstrated in the event of disputes.

So, leaving aside “known unknowns” about recent hacks or lack thereof, we have some really important “known knowns” – there is enormous potential for improvement in a wholesale replacement of voting tech that meets the 3 basic integrity requirements above, can be feasibly examined for the issues that our panelists discussed, and can be easily and safely operated by ordinary election officials.

— John Sebes

Accurate Election Results in Michigan and Wisconsin is Not a Partisan Issue

Courtesy, Alex Halderman Medium Article

In the last few days, we’ve been getting several questions that are variations on:

Should there be recounts in Michigan in order to make sure that the election results are accurate?

For the word “accurate” people also use any of:

  • “not hacked”
  • “not subject to voting machine malfunction”
  • “not the result of tampered voting machine”
  • “not poorly operated voting machines” or
  • “not falling apart unreliable voting machines”

The short answer to the question is:

Maybe a recount, but absolutely there should be an audit because audits can do nearly anything a recount can do.

Before explaining that key point, a nod to University of Michigan computer scientists pointing out why we don’t yet have full confidence in the election results in their State’s close presidential election, and possibly other States as well. A good summary is here and an even better explanation is here.

A Basic Democracy Issue, not Partisan

The not-at-all partisan or even political issue is election assurance – giving the public every assurance that the election results are the correct results, despite the fact that bug-prone computers and human error are part of the process. Today, we don’t know what we don’t know, in part because the current voting technology not only fails to meet the three (3) most basic technical security requirements, but really doesn’t support election assurance very well. And we need to solve that! (More on the solution below.)

A recount, however, is a political process and a legal process that’s hard to see as anything other than partisan. A recount can happen when one candidate or party looks for election assurance and does not find it. So it is really up to the legal process to determine whether to do a recount.

While that process plays out let’s focus instead on what’s needed to get the election assurance that we don’t have yet, whether it comes via a recount or from audits — and indeed, what can be done, right now.

Three Basic Steps

Leaving aside a future in which the basic technical security requirements can be met, right now, today, there is a plain pathway to election assurance of the recent election. This path has three basic steps that election officials can take.

  1. Standardized Uniform Election Audit Process
  2. State-Level Review of All Counties’ Audit Records
  3. State Public Release of All Counties Audit Records Once Finalized

The first step is the essential auditing process that should happen in every election in every county. Whether we are talking about the initial count, or a recount, it is essential that humans do the required cross-check of the computers’ work to detect and correct any malfunction, regardless of origin. That cross-check is a ballot-polling audit, where humans manually count a batch of paper ballots that the computers counted, to see if the human results and machine results match. It has to be a truly random sample, and it needs to be statistically significant, but even in the close election, it is far less work than a recount. And it works regardless of how a machine malfunction was caused, whether hacking, manipulation, software bugs, hardware glitches, or anything.

This first step should already have been taken by each county in Michigan, but at this point it is hard to be certain. Though less work than a recount, a routine ballot polling audit is still real work, and made harder by the current voting technology not aiding the process very well. (Did I mention we need to solve that?)

The second step should be a state-level review of all the records of the counties’ audits. The public needs assurance that every county did its audit correctly, and further, documented the process and its findings. If a county can’t produce detailed documentation and findings that pass muster at the State level, then alas the county will need to re-do the audit. The same would apply if the documentation turned up an error in the audit process, or a significant anomaly in a difference between the human count and the machine count.

That second step is not common everywhere, but the third step would be unusual but very beneficial and a model for the future: when a State is satisfied that all counties’ election results have been properly validated by ballot polling audit, the State elections body could publicly release all the records of all the counties’ audit process. Then anyone could independently come to the same conclusion as the State did, but especially election scientists, data scientists, and election tech experts. I know that Michigan has diligent and hardworking State election officials who are capable of doing all this, and indeed do much of it as part of the process toward the State election certification.
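The ballot-polling audit described in the three steps above, as an added example that is not code from the original post or the TrustTheVote Project: a BRAVO-style sequential test (Lindeman, Stark and Yates, 2012) that reads sampled paper ballots against the machine-reported margin and stops once the risk limit is met, or escalates when the sample runs out. Candidate names, vote totals, the sample seed and the ballots are all constructed for illustration.

```python
"""Ballot-polling audit as a sequential test (BRAVO-style).

Added example for the "Three Basic Steps" section; not code from the OSET
Institute or the TrustTheVote Project.  It implements the standard BRAVO
ballot-polling risk-limiting audit for one contest between a reported winner
and a reported loser; ballots for anyone else (or undervotes) are ignored.
For a multi-candidate contest the same test is run for every winner/loser
pair.  All names, totals and ballots below are constructed.
"""
import random
from dataclasses import dataclass


@dataclass
class AuditResult:
    confirmed: bool        # True: sample supports the reported outcome at the risk limit
    ballots_examined: int  # sampled ballots hand-read before stopping (or the whole sample)
    test_statistic: float  # final value of the sequential likelihood ratio
    decision: str


def draw_sample(num_ballots: int, sample_size: int, seed: int) -> list:
    """Select which ballot numbers (1..num_ballots) to pull and hand-read.

    In a real audit the seed is generated in public (e.g. dice rolls at a
    public meeting) so anyone can reproduce the selection; the constant seed
    used in this example only keeps the run reproducible.
    """
    if sample_size > num_ballots:
        raise ValueError("sample larger than the ballot population")
    rng = random.Random(seed)
    return sorted(rng.sample(range(1, num_ballots + 1), sample_size))


def bravo_audit(reported_winner_votes: int, reported_loser_votes: int,
                winner: str, loser: str, sampled_ballots,
                risk_limit: float = 0.05) -> AuditResult:
    """Compare hand-read ballots, one at a time, against the reported margin.

    s_w is the winner's reported share of winner+loser votes.  A ballot for
    the winner multiplies the statistic by 2*s_w, one for the loser by
    2*(1-s_w); other ballots leave it unchanged.  Reaching 1/risk_limit
    confirms the outcome.  Running out of sample first means the outcome is
    NOT confirmed, whatever the cause (hack, bug, glitch), and the audit must
    escalate to a larger sample or a full hand count.
    """
    if not 0 < risk_limit < 1:
        raise ValueError("risk_limit must be between 0 and 1")
    total = reported_winner_votes + reported_loser_votes
    if total == 0 or reported_winner_votes <= reported_loser_votes:
        raise ValueError("reported winner does not lead the reported loser")
    s_w = reported_winner_votes / total
    threshold = 1.0 / risk_limit
    t = 1.0
    examined = 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == winner:
            t *= 2 * s_w
        elif ballot == loser:
            t *= 2 * (1 - s_w)
        if t >= threshold:
            return AuditResult(True, examined, t,
                               f"outcome confirmed after {examined} ballots "
                               f"at risk limit {risk_limit}")
    return AuditResult(False, examined, t,
                       "sample exhausted without confirmation; escalate to a "
                       "larger sample or a full hand count")


if __name__ == "__main__":
    # Constructed county: machines report Ada 5400, Brendan 3600, 1000 other.
    reported = {"Ada": 5400, "Brendan": 3600}
    honest_paper = ["Ada"] * 5400 + ["Brendan"] * 3600 + ["other"] * 1000
    # Constructed miscount: paper actually has Brendan ahead, machines did not.
    flipped_paper = ["Ada"] * 4200 + ["Brendan"] * 4800 + ["other"] * 1000
    random.Random(1).shuffle(honest_paper)
    random.Random(2).shuffle(flipped_paper)
    indices = draw_sample(len(honest_paper), 400, seed=20161128)
    for label, paper in (("honest count", honest_paper), ("flipped count", flipped_paper)):
        sample = [paper[i - 1] for i in indices]
        result = bravo_audit(reported["Ada"], reported["Brendan"], "Ada", "Brendan", sample)
        print(f"{label}: {result.decision} (T={result.test_statistic:.2f})")
```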

This Needs to Be Solved – and We Are

The fundamental objective for any election is public assurance in the result. And where the election technology is getting in the way of that happening, it needs to be replaced with something better. That’s what we’re working toward at the OSET Institute and through the TrustTheVote Project.

No one wants the next few years to be dogged by uncertainty about whether the right person is in the Oval Office or the Senate. That will be hard for this election because of the failing voting machines that were not designed for high assurance. But America must say never again, so that in two short years and four years from now, we have election infrastructure in place that was designed from the ground up and purpose-built to make it far easier for election officials to deliver election results and election assurance.

There are several matters to address:

  • Meeting the three basic security requirements;
  • Publicly demonstrating the absence of the vulnerabilities in current voting technology;
  • Supporting evidence-based audits that maximize confidence and minimize election officials’ efforts; and
  • Making it easy to publish detailed data in standard formats, that enable anyone to drill down as far as needed to independently assess whether audits really did the job right.

All that and more!

The good news (in a shameless plug for our digital public works project) is that’s what we’re building in ElectOS. It is the first openly public and freely available set of election technology; an “operating system” of sorts for the next generation of voting systems, in the same way that Android is the basis for much of today’s mobile communication and computing.

— John Sebes

Vote-Flipping in Pennsylvania is Not the Problem, But Recounts?

The reports of “vote flipping” on voting machines in PA are certainly alarming to the voters using the machines, but it’s unfortunate that there are calls to treat it as a law enforcement issue. It’s a known issue with the decade-or-older flaky touch screens, and one that local election officials deal with in most elections. In some cases it may be user error; in others, a result of poor screen calibration. Sometimes the appearances are even more problematic, as with a mis-recorded straight-party vote, which affects every contest on the ballot.

Though voters and poll workers may disagree on what actually happened in these cases, what’s not controversial is the small scale — about 24 out of 24,000 machines statewide; only one voter affected per machine; and in at least some of these cases, the voter admitted that after some work, they got their votes recorded properly.

So concerns about “rigging” of individual machines are misplaced. Even leaving aside the technical fact that these are electro-mechanical issues — not riggable software — it’s a poor choice for rigging to choose a method that’s apparent to the voters, and in such small numbers.

But suppose that the resolution of the PA election depends in part on refuting claims of rigging, or claims that these machines have real problems? With no paper trail, there is no way to re-check the voters’ choices. A recount is, in one sense, an exercise in re-doing or rerunning the addition of the vote tallies from each machine. But it’s more complicated than that.

In each county with these paperless touch-screen machines, for each machine, the election officials have to maintain records of custody of the machines and their removable data cartridges, with record-keeping procedures sufficient to withstand substantial challenges. It’s not impossible to refute claims of rigging in these circumstances, but it is grindingly detailed work, and with a lot of grist for the mill of legal challenges.

— John Sebes

More on CyberScoop Coverage of Voting Machine Vulnerabilities

CyberScoop’s Chris Bing wrote a good summary of the response to Cylance’s poorly timed announcement of old news on voting machine vulnerabilities: Security Firm Stokes Election Hacking Fears.

I have a couple of details to add, but first let me re-iterate that the system in question does have vulnerabilities which have been well known for years, and reference exploits are old news. Sure, Cylance techs did write some code to create a new variant on previous exploits, but as Princeton election security expert Andrew Appel noted, the particular exploit was detectable and correctable, unlike some other hacks.

Regardless of whether Cylance violated the unwritten code of reporting on new vulnerabilities only, and regardless of good intentions vs. fear-mongering effects, the basic premise is wrong.

You can’t expect election officials to modify critical voting systems in response to a blog. In fact, election officials should not be modifying software at all, and should modify hardware only for breakage replacement.

Perhaps the folks at Cylance didn’t know that there are very special and very specific rules for modifying voting systems. Here are 5 details about how it really works:

  • The hardware and software of voting systems is highly regulated, and modifications can only be done following regulatory review.
  • Even if this were a new vulnerability, and even if there were what some would claim is an easy fix, it would still require the vendor to act, not the election officials. Vendors would have to make the fix, and re-do their testing, then re-engage for testing by an accredited test lab (at the vendor’s expense), and then go back to government certification of the test lab’s finding.
  • Election officials are barred from “patching” or any kind of unsupervised modification. This makes a lot of sense, if you think about it: someone representing the vendor wants to modify these systems, while each of 10,000+ local election bodies is supposed to ensure only the legitimate changes happen? That’s not feasible, even if it were legal.
  • Local election officials are required to do pre-election testing for machines’ “logic and accuracy,” and they must not use machines that have not passed such testing, which in some localities must also be signed off by an elections board. Making even a legitimate certified change to a system 4 days before an election would invalidate it for use on election day. Consider early voting! It is really many weeks since modifications of any kind were allowed.
  • So there is no way that a disclosure like this, with this timing, could ever be viewed as responsible by anyone who understands how voting tech is regulated and operated. I expect that it didn’t occur to the Cylance folks that there might be special rules about voting systems that would make disclosures 4 days before, or even 4 weeks before, completely impractical for any benefit. But regardless of a possible upside, it ought to have been clear that there is considerable downside to fear-mongering about the integrity of an election a mere days before election day, especially this one.

And that would still be the case if this were a new finding. Which it isn’t.

Making a new variant exploit on a vulnerability well known for some time is just grandstanding, and most responsible security folks steer clear of that to maintain their reputation. I can’t fathom why Cylance in this case behaved so at variance with the unwritten code of ethical vulnerability research. I hope it was just impulsive behavior based on a genuine concern about the integrity of our elections. The alternative would be most unfortunate.

— John Sebes, CTO

Clarifications to PBS Newshour “Here’s How Hackers Could Mess With Electronic Voting”

PBS Newshour reporting on election cyber risks offers a good roundup of a handful of notable cyber-risks, but also contains some basic misunderstandings of how election operations actually work. While appreciating the reporting as a whole, here is my list of some mistakes.

  • Tied for first in misleading points is the claim that “Some experts believe this tactic may have been partially responsible for the voting irregularities witnessed in Florida during the 2000 election.” The tactic in question is actually a demonstration hack developed by Harri Hursti. Lots of people have lots of theories about Florida 2000, but I don’t know any election tech expert who believes that there is any evidence of this hack having actually been used to effect Florida’s deciding vote Bush/Gore.
  • No, the FBI did not issue “an alert stating foreign hackers had infiltrated state election systems,” but there was an FBI advisory on attacks on state-operated voter registration systems. The “Targeting Activity Against State Board of Election Systems” was about data exfiltration, not takeover of the systems themselves. Attack yes, infiltration no; registration systems, yes, “state election systems,” no.
  • Yes, the DDoS attack on Dyn has raised awareness of how vulnerable so many systems are to these types of temporary take downs. But “flooding multiple polling stations” isn’t relevant because most polling places are not connected to the Internet, and a network outage wouldn’t affect voting operations.
  • The same is true of “computer where regional votes are tabulated could delay election reporting” because these computers – “election management systems” or “tabulation managers,” to use two common terms for them – are not connected to the Internet. In fact, in many states that would be illegal.
  • The part about the Dark Web being used to sell pilfered voter records sounds scary, but the reality is more mundane. Every state has methods for public access to an extract of the voter database; these are essential tools for parties and campaigns, and there is an active niche market for information services on top of this base data. If some enterprising Dark Web denizen can sell $300 copies of public data sets that cost $100 or less to obtain, that only tells us that gullible buyers exist on the Dark Web, too.
  • But it is true that voter records can be abused to impede voters. However, calling “voters to change the location of their polling stations” is the least efficient way to abuse this information. Political operations have been doing “caging” attacks for years, for example, and online automation of these attacks is a real concern.
  • Max Kilger is right about “You have to look at attacks at the intermediate stages,“ but not so much “where there are computers tabulating results from around a state or a county.” It’s purely a county or other local level responsibility to aggregate vote tallies from early voting, polling places, and centrally counted ballots. This is supposed to be entirely offline, so attacks need to be physical. Sure, states do collect up results data from counties, and certify election results, but the source data lives in the localities. I’d like to think we’d notice if a state’s vote totals for some reason did not equal the sum of the numbers published by each locality.
  • Not related to elections were a couple of misleading comments about critical infrastructure. Yes, the Energetic Bear/Dragonfly attack successfully targeted energy and power distribution operators’ corporate systems. But “infiltrated power grid” – no. Takeover of the actual grid’s industrial control systems (ICS) is now considered a cyber act of war. Hasn’t happened.
  • Lastly, and also tied for first, is a very unlikely speculation of a Dragonfly-like attack on voting machine vendors. Yes, any vendor’s corporate operations can be infiltrated with the intent to tamper with the vendor’s products in the pre-manufacturing stage. Voting system vendors are not immune to those attacks, but the products in use today are. Those products were manufactured a decade or more ago, when many of today’s attackers were probably in middle school. And the ability to plant a logic bomb that fires only in a specific election years afterwards is certainly a capability that today’s nation-state cyber-operations have – but 10 years ago, I have to doubt it.

So, that’s 9 points that I take exception to, but let me close by acknowledging that overall, the PBS report covered a lot of ground for a wide range of threats.

— John Sebes, CTO
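The point above about noticing when a state’s totals do not equal the sum of what each locality published is a reconciliation check, and it works at more than one level: precincts roll up into a county, counties into the state. The following is an added example, not code from the original post or from any election office: it assumes published tallies are available as per-candidate counts at each level (state, county, precinct), sums each level’s components, and reports at which level and for which candidate the published figure disagrees with the sum, as well as any locality whose detail is missing. County, precinct and candidate names and all counts are constructed sample data.

```python
"""Hierarchical vote-total reconciliation (added example; constructed data)."""
from collections import Counter


def roll_up(reports):
    """Sum per-candidate tallies across a set of component reports.
    reports: {unit_name: Counter(candidate -> votes)}"""
    total = Counter()
    for tallies in reports.values():
        total.update(tallies)
    return total


def reconcile(published, components, level):
    """Compare one published aggregate against the sum of its components.
    Returns a list of findings; an empty list means the aggregate matches."""
    findings = []
    summed = roll_up(components)
    for cand in sorted(set(published) | set(summed)):
        pub, comp = published.get(cand, 0), summed.get(cand, 0)
        if pub != comp:
            findings.append(f"{level}: {cand} published {pub}, components sum to {comp}")
    return findings


def reconcile_state(state_total, county_totals, precinct_totals):
    """Two-level check: each county against its precincts, then the state
    against its counties. A county with no precinct detail is flagged rather
    than silently accepted.
    precinct_totals: {county: {precinct: Counter}}"""
    findings = []
    for county, published in county_totals.items():
        precincts = precinct_totals.get(county)
        if precincts is None:
            findings.append(f"{county}: no precinct-level detail published")
            continue
        findings += reconcile(published, precincts, county)
    findings += reconcile(state_total, county_totals, "STATE")
    return findings


# Constructed sample: two counties, two precincts each, two candidates.
PRECINCTS = {
    "Alder": {"P1": Counter(Smith=120, Jones=80), "P2": Counter(Smith=95, Jones=110)},
    "Birch": {"P1": Counter(Smith=60, Jones=70), "P2": Counter(Smith=40, Jones=30)},
}
COUNTIES = {
    "Alder": Counter(Smith=215, Jones=190),
    "Birch": Counter(Smith=100, Jones=100),
}
STATE = Counter(Smith=315, Jones=290)


def demo_consistent():
    """Every level agrees with the level below it."""
    return reconcile_state(STATE, COUNTIES, PRECINCTS)


def demo_state_mismatch():
    """The state figure for one candidate is 10 high; the counties still agree
    with their precincts, so the finding is pinned to the STATE level."""
    bad_state = Counter(Smith=325, Jones=290)
    return reconcile_state(bad_state, COUNTIES, PRECINCTS)


def demo_county_mismatch():
    """One county's published figure is 10 high: both that county and the
    (otherwise correct) state total now fail, which localises the discrepancy."""
    bad_counties = {"Alder": COUNTIES["Alder"], "Birch": Counter(Smith=110, Jones=100)}
    return reconcile_state(STATE, bad_counties, PRECINCTS)


if __name__ == "__main__":
    for name, fn in [("consistent", demo_consistent),
                     ("state off", demo_state_mismatch),
                     ("county off", demo_county_mismatch)]:
        print(name, fn() or "OK")
```

Because the check runs bottom-up, a discrepancy that appears only at the state level points at the state-level aggregation, while one that appears at a county and at the state points at that county’s figure; either way the source data, which lives in the localities, is what the findings send you back to.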