News Feed

Blockchains for Elections, in Maine: “Don’t Be Hasty”

Many have noted with interest some draft legislation in Maine that mandates the exploration of how to use blockchain technology to further election transparency. My comment is, to quote one well known sage, “Don’t Be Hasty”. First, though, let me say that I am very much in favor of any state resolving to study the use of innovative tech in elections, even tech as widely misunderstood as blockchains. This bill is no exception: study is a great idea.

However, there is already elsewhere a considerable amount of haste in the elections world, with many enthusiasts and over a dozen startups thinking that since blockchains have revolutionized anonymous financial transactions — especially via Bitcoin — elections can benefit too. But actually not a lot, at least in terms of voting. As one of my colleagues who is an expert on both elections and advanced cryptography says, “Blockchain voting is just a bad idea – even for people who like online voting.” It will take some time and serious R&D to wrestle to the ground whether and how blockchains can be one of (by my count) about half a dozen innovative ingredients that might make online voting worth trying.

However, in the meantime, there are plenty of immediate term good uses of blockchain technology for election transparency, including two of my favorites that could be put into place fairly quickly in Maine, if the study finds it worthwhile.

  1. In one case, each transaction is a change to the voter rolls: adding or deleting a voter, or updating a voter’s name or location or eligibility. Publication — with provenance — would provide the transparency needed to find the truth or lack thereof of claims of “voter roll purging” that crop up in every election.
  2. In the other case, each transaction is either that of a voter checking in to vote in person — via a poll book, paper or digital — or having their absentee ballot received, counted, or rejected. I hope the transparency value is evident in the public knowing in detail who did and didn’t vote in a given election.

In each case, there is a public interest in knowing the entirety of a set of transactions that have an impact on every election, and in being able to know that a claimed log of transaction records is the legitimate log. Without that assurance of “data provenance” there are real risks of disinformation and confusion, to the detriment of confidence in elections. Publication of these types of transaction data, with the use of blockchains, can provide the provenance that’s needed for both confidence and transparency. Figuring out the details will require study — Don’t Be Hasty — but it would be a big step in election transparency. Go Maine!
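To make the provenance point concrete, here is an added example (not code from the post, the Maine bill, or any blockchain product) of the one property a blockchain contributes to these two use cases: a hash-chained, append-only log of voter-roll transactions, where each record commits to the digest of the one before it, so anyone holding the published log can detect a record that was altered, inserted, or quietly dropped. The voter IDs, precincts, and transactions are constructed; the consensus machinery of a public chain is left out, because the log still has to be published by one authority.

```python
"""Hash-chained, append-only log of voter-roll transactions.

Added example, not code from the post or from any Maine system. Every entry
commits to the previous entry's digest, so the publisher (or anyone holding
the published log) can detect an altered, inserted or dropped record.
Sample transactions and voter IDs are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # back-link of the first entry


@dataclass
class Entry:
    seq: int            # position in the log
    prev_hash: str      # digest of the previous entry (GENESIS for seq 0)
    tx: Dict[str, str]  # the voter-roll transaction itself
    digest: str         # SHA-256 over (seq, prev_hash, tx)


def _canonical(seq: int, prev_hash: str, tx: Dict[str, str]) -> bytes:
    # Canonical JSON so that re-serialising a published entry yields the same bytes.
    return json.dumps({"seq": seq, "prev": prev_hash, "tx": tx},
                      sort_keys=True, separators=(",", ":")).encode()


def append(log: List[Entry], tx: Dict[str, str]) -> Entry:
    prev = log[-1].digest if log else GENESIS
    seq = len(log)
    entry = Entry(seq, prev, tx, hashlib.sha256(_canonical(seq, prev, tx)).hexdigest())
    log.append(entry)
    return entry


def verify(log: List[Entry]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) for an intact log, else (False, seq of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e.seq != i or e.prev_hash != prev:
            return False, i          # gap, reordering or deletion
        if hashlib.sha256(_canonical(e.seq, e.prev_hash, e.tx)).hexdigest() != e.digest:
            return False, i          # content changed after the fact
        prev = e.digest
    return True, None


def head(log: List[Entry]) -> str:
    """Digest of the latest entry; publishing this value pins the whole history."""
    return log[-1].digest if log else GENESIS


def build_sample_log() -> List[Entry]:
    """Constructed voter-roll history: two adds, an address update, a removal."""
    log: List[Entry] = []
    append(log, {"op": "add", "voter": "V-1001", "precinct": "Portland 3"})
    append(log, {"op": "update", "voter": "V-1001", "precinct": "Portland 5"})
    append(log, {"op": "add", "voter": "V-1002", "precinct": "Bangor 1"})
    append(log, {"op": "delete", "voter": "V-1002", "reason": "moved out of state"})
    return log


def drop_entry(log: List[Entry], seq: int) -> List[Entry]:
    """Simulate a 'quiet purge': republish with one record removed and the
    rest renumbered. Renumbering cannot repair the broken back-link."""
    kept = [e for e in log if e.seq != seq]
    return [Entry(i, e.prev_hash, e.tx, e.digest) for i, e in enumerate(kept)]


def alter_entry(log: List[Entry], seq: int, **changes: str) -> List[Entry]:
    """Simulate rewriting a record in place (for example, changing a precinct)."""
    out = [Entry(e.seq, e.prev_hash, dict(e.tx), e.digest) for e in log]
    out[seq].tx.update(changes)
    return out
```

Two things the chain by itself does not give you: dropping records from the end leaves a log that still verifies, so the latest digest (`head`) must itself be published somewhere the publisher cannot later change, which is the real reason to anchor into a public blockchain; and an intact chain proves only that the published log is the one the publisher committed to, not that every transaction in it was lawful.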

— EJS

Cancellation of Federal Assistance to US Elections — The Good, The Bad, and The Geeky

Recently I wrote about Congress dismantling the only Federal agency that helps states and their local election officials ensure that the elections that they conduct are verifiable, accurate, and secure — and transparently so, to strengthen public trust in election results. Put that way, it may sound like dismantling the U.S. Election Assistance Commission (EAC) is both a bad idea, and also poorly timed after a highly contentious election in which election security, accuracy, and integrity were disparaged or doubted vocally and vigorously.

As I explained previously, there might be a sensible case for shutdown with a hearty “mission accomplished” — but only with a narrow view of the original mission of the EAC. I also explained that since its creation, EAC’s evolving role has come to include duties that are uniquely imperative at this point in U.S. election history. What I want to explain today is that evolved role, and why it is so important now.

Suppose that you are a county election official in the process of buying a new voting system. How do you know that what you’re buying is a legit system that does everything it should do, and reliably? It’s a bit like a county hospital administrator considering adding new medications to their formulary — how do you know that they are safe and effective? In the case of medications, the FDA runs a regulatory testing program and approves medications as safe and effective for particular purposes.

In the case of voting systems, the EAC (with support from NIST) has an analogous role: defining the requirements for voting systems, accrediting test labs, defining requirements for how labs should test products, reviewing test labs’ work, and certifying those products that pass muster. This function is voluntary for states, who can choose whether and how to build their certification program on the basis of federal certification. The process is not exactly voluntary for vendors, but since they understandably want to have products that can work in every state, they build products to meet the requirements and pass Federal certification. The result is that each locality’s election office has a state-managed approved product list that typically includes only products that are Federally certified.

Thus far the story is pretty geeky. Nobody gets passionate about standards, test labs, and the like. It’s clear that the goals are sound and the intentions are good. But does that mean that eliminating the EAC’s role in certification is bad? Not necessarily, because there is a wide range of opinion on EAC’s effectiveness in running the certification process. However, recent changes have shown how the stakes are much higher, and the role of requirements, standards, testing, and certification is more important than ever. The details about those changes will be in the next installment, but here is the gist: we are in the middle of a nationwide replacement of aging voting machines and related election tech, and in an escalating threat environment of global adversaries targeting U.S. elections. More of the same-old-same-old isn’t nearly good enough. But how would election officials gain confidence in new election tech that’s not only safe and effective, but robust against whole new categories of threat?

— EJS

The Myth of Technologist Suppression of Internet Voting

I’ve got to debunk a really troubling rumor. It’s about Internet voting, or more specifically, about those who oppose it. Longtime readers will recall that Internet voting is not one of the favorite topics here, not because it isn’t interesting, but because there are so many more nearer-term low-effort ways to use tech to improve U.S. elections. However, I’ve heard this troubling story enough times that I have to debunk it today, and return to more important topics next time.

Here’s the gist of it: there is a posse of respectable computer scientists, election tech geeks, and allies who are:

  • Unalterably opposed to Internet voting, for ever, and
  • Lying about i-voting’s feasibility in order to prevent its use as a panacea for increased participation and general wonderfulness, because they have a hidden agenda to preserve today’s low-participation elections.

I have to say, simply: no. I’ve been in this pond for long enough to know just about every techie, scientist, academic, or other researcher who understands both U.S. elections and modern technology. We all have varying degrees of misgivings about current i-voting methods, but I am confident that every one of these people stands with me on these 4 points.

  1. We oppose the increased use of i-voting as currently practiced.
  2. We very much favor use of the Internet for election activities of many kinds, potentially nearly everything except returning ballots; many of us have been working on such improvements for years.
  3. We strongly believe and support the power of invention and R&D to overcome the tech gaps in current i-voting, despite believing that some of the remaining issues are really* hard problems.
  4. We strongly believe that i-voting will eventually be broadly used, simply because of demand.

We all share a concern that if there is no R&D on these hard problems, then eventually today’s highly vulnerable forms of i-voting will be used widely, to the detriment of our democracy, and to the advantage of our nation-state adversaries who are already conducting cyber-operations against U.S. elections.

I believe that we need a two-pronged approach: to support the R&D that’s needed, but in the meantime to enable much-needed modernization of our existing clunky, decaying elections infrastructure, to lay the rails for future new Internet voting methods to be adopted.

Returning to the kooky story … but what about all those Luddite nay-sayers who say i-voting is impossible and that the time for i-voting is “never”? There are none, at least among tech professionals and/or election experts. There is some harsh rhetoric that’s often quoted, but it is against the current i-voting methods, which are indeed a serious problem.

But for the future, the main difference among us is about the little asterisk that I inserted in point 3 above — it means any number of “really” before “hard.” I’m grateful to colleague Joe Kiniry of Galois and of Free&Fair, for noting that our differences are really “just the number of ‘really’ we put before the word ‘hard’.”

— EJS

PS: A footnote about i-voting Luddites and election tech Luddites more broadly. There are indeed some vocal folks who are against the use of technology in elections, for example, those who advocate for a return to hand-counted paper ballots, with no computers used for ballot casting or counting. They do indeed say “never” when it comes to using the Internet for voting, and indeed e-voting as well. But that’s because of personal beliefs and policy decisions, not because of a professionally informed judgment that hard problems in computer science can never be solved. In fact, these anti-tech people are the other end of the spectrum from the folks who so strongly favor i-voting at any cost that they caricature nay-sayers of any kind; both groups use out-of-context quotes about current i-voting drawbacks as a way to shift a conversation to the proposition of “Internet voting, no way, not ever” from the more important but nuanced question: Internet voting, not whether, but how?

Dismantling Federal Assistance to US Elections — Good, Bad, or Ugly?

The U.S. Congress is in the process of dismantling the Federal agency that provides assistance to the local election offices that run all U.S. elections, and to the states that oversee them. That is the U.S. Election Assistance Commission (EAC), a small agency that’s not well understood by a great many people — including several who have been asking me, and other election technology experts, whether dismantling it is wise, and what the effects will be.

I aim to answer all those questions, but in multiple short segments, of which this is the first. I want to first lay out some of the issues that people need in order to decide for themselves whether it is a good or bad idea, or whether there are consequences that could be ugly. Then in other segments, I’ll get to some of the functions of the EAC that will be missed when it is gone, and the consequences of the gaps created by EAC’s exit.

Original Mission: Accomplished?

How you might think about dismantling the EAC is of course largely driven by what you think its function and value is. One of its original functions was part of a critical response to the hanging-chad-filled election dysfunction of the 2000 election — a good chunk of Federal funding to help states replace flawed voting systems with ones that didn’t depend on inconsistent human interpretation of ballots (think of those photos of Florida election officials squinting at punch ballots to see exactly how the chad was hanging). A major function for EAC was to manage the disbursement of funds to states for eligible projects including but not limited to voting system replacement.

That’s one reason why it might be good to dismantle EAC with a “mission accomplished” status: those funds are long gone, and the post-2000 voting replacement is finished. But what about EAC’s other election assistance activities? To be sure, states and localities are getting some ongoing support in terms of election management resources, research and data, and a small batch of ongoing grant money to disburse. But is it vital? How much value is really being delivered to EAC beneficiaries in state and local government? Clearly, some in Congress and elsewhere don’t think that the ongoing value is high, and most of the value desired by the original Help America Vote Act (HAVA), that created EAC, has already been delivered.

Mission Evolved

As a result, I think that it’s not a bad idea, and not even ugly, if you consider the value of the EAC in the original context of HAVA and EAC’s original mission. But that was well over a decade ago and a lot has changed. In following segments, I want to highlight some of the functions of the EAC that have evolved over time, and have become very important — indeed visibly very important in the last year. That change over time, and the public visibility, means that a couple of odd corners of EAC’s original mission might be quite important indeed. And, as EAC is being dismantled, there are important questions about how states and localities might or might not be able to pick up the slack in these important areas.

Here’s a teaser for those changes. Just in the last year, the public at large has learned what election experts have known for a while: the current voting systems (mostly paid for by HAVA) turned out not to be as wonderful as hoped, are wearing out and needing replacement, and were not and are not designed to be robust against manipulation by state-sponsored adversaries. In short, we now know that U.S. elections are a target, a national security risk, and they run on antique insecure technology.

What’s EAC’s connection with that? More next time.

— EJS


From DHS Symposium — The Three Basic Requirements for Voting System Security

In a recent posting, I noted that despite current voting systems’ basic flaws, it is still possible to do more to provide the public with details that can provide peace of mind that close contests’ results are not invalid due to technology-related problems. Now I should explain what I meant by basic security flaws, especially since that was the topic of a panel I was part of recently: a group of security and election professionals addressing a DHS meeting on security tech transfer.

We agreed on three basic security and integrity requirements that are not met by any existing product:

  1. Fixed-function: each machine should run only one fixed set of software that passed accredited testing and government certification.
  2. Replace not modify: that fixed software set should not be modifiable in place, and can be updated only by being replaced with another certified system.
  3. Validation: all critical components of these systems are required to support election officials’ ability to validate a machine before each election, to ensure that it remains in exactly the same certified configuration as before.
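The validation requirement is the one an election official can act on directly, so here is an added example (not from the post, the EAC, or any vendor) of that check in its simplest software form: a manifest of SHA-256 digests recorded at certification time, recomputed on the machine before each election, and diffed against the certified manifest, with a single fingerprint over the whole manifest for the certification record. The paths and file contents are constructed, and a Python dict stands in for the machine’s filesystem.

```python
"""Pre-election validation of a voting machine against its certified manifest.

Added example; not code from the post, the EAC, or any vendor. At
certification time the lab records a manifest (path -> SHA-256) of every
file in the system image plus one fingerprint over the whole manifest.
Before each election the official recomputes both and diffs them: any
modified, missing or extra file fails the machine. The "image" is a
constructed in-memory dict standing in for the real filesystem.
"""
import hashlib
from typing import Dict, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(image: Dict[str, bytes]) -> Dict[str, str]:
    """path -> digest for every file in the image."""
    return {path: sha256_hex(blob) for path, blob in image.items()}


def manifest_fingerprint(manifest: Dict[str, str]) -> str:
    """One digest over the sorted manifest; this is the value a certification
    record or a state's approved-product list would quote."""
    h = hashlib.sha256()
    for path in sorted(manifest):
        h.update(f"{path}\0{manifest[path]}\n".encode())
    return h.hexdigest()


def validate(certified: Dict[str, str], image: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Diff the live image against the certified manifest."""
    current = build_manifest(image)
    return {
        "modified": {p for p in certified if p in current and current[p] != certified[p]},
        "missing": set(certified) - set(current),
        "unexpected": set(current) - set(certified),
    }


def passes(report: Dict[str, Set[str]]) -> bool:
    return not any(report.values())


# Constructed certified image (hypothetical paths and contents).
CERTIFIED_IMAGE: Dict[str, bytes] = {
    "/opt/vote/bin/tabulate": b"ELF...tabulator build 4.2.1 (certified)",
    "/opt/vote/etc/contests.cfg": b"contest=President\ncontest=Senate\n",
    "/opt/vote/lib/libballot.so": b"ELF...ballot image decoder",
}
CERTIFIED_MANIFEST = build_manifest(CERTIFIED_IMAGE)
CERTIFIED_FINGERPRINT = manifest_fingerprint(CERTIFIED_MANIFEST)


def field_machine(patched: bool) -> Dict[str, bytes]:
    """Constructed snapshot of a warehoused machine: untouched, or 'helpfully'
    patched in the field with an uncertified build and an extra tool."""
    image = dict(CERTIFIED_IMAGE)
    if patched:
        image["/opt/vote/bin/tabulate"] = b"ELF...tabulator build 4.2.2 (hotfix, uncertified)"
        image["/opt/vote/bin/remote_agent"] = b"ELF...someone's convenience tool"
    return image


def check_machine(image: Dict[str, bytes]) -> Dict[str, object]:
    """The pre-election check: per-file diff plus whole-manifest fingerprint."""
    report = validate(CERTIFIED_MANIFEST, image)
    fp_ok = manifest_fingerprint(build_manifest(image)) == CERTIFIED_FINGERPRINT
    return {"report": report, "fingerprint_matches": fp_ok, "ok": passes(report) and fp_ok}
```

The caveat is the post’s own point about commodity PC platforms: this check trusts the machine to report its own file contents, so an altered operating system or firmware can hand back the certified bytes while running something else. The check proves something only when the digests are taken by something the installed software cannot influence, such as a measured boot with attestation or reading the storage from a separate trusted device.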

These critical properties are absent today, because of a basic decision made by vendors years ago, to quickly bring new voting technology to market by basing it on ordinary turn-of-the-century PC technology that was, and remains in today’s market, fundamentally unable to support fixed-function systems inherently capable of validation. All voting systems today lack these basic properties, and without them, all other security requirements are largely irrelevant — and compliance with current certification requirements is impossible.

Crazy, eh? Then add to that:

  • the remarks of panelist and voting system security expert Matt Bishop of UC Davis on the many software-level security functional problems encountered in reviews of voting systems, problems found despite the official federal testing and certification process intended to find them; and
  • Virginia’s Election Commissioner Edgardo Cortez’s examples of system-level security issues found in their review of a voting system that was subsequently banned for use in VA. A few minds were blown in the audience.

The Consensus and One More Thing

The consensus at this DHS event, for both panel and audience, was that any future voting system that is worth having should be validated by a future testing and certification process that, among other goals, specifically requires the architecture-level security requirements that I outlined, and focuses on the types of issues Cortez and Bishop described – and one more thing that’s important for completely different reasons.

That one more thing: future voting systems need to be designed from scratch for ease of use by election officials, so that they don’t have to take today’s extraordinary measures, with so much human-level effort and error-prone work needed to operate these systems with reasonable security that can be demonstrated in the event of disputes.

So, leaving aside “known unknowns” about recent hacks or lack thereof, we have some really important “known knowns” – there is enormous potential for improvement in a wholesale replacement of voting tech that meets the 3 basic integrity requirements above, can be feasibly examined for the issues that our panelists discussed, and can be easily safely operated by ordinary election officials.

— John Sebes

Recounts, Russian Hackers, and Misunderstood Claims

There’s a lot of news media about the Green Party’s push for recounts. Some is accurate, some is wildly alarmist, but most of what I’ve read misses a really key point that you need to understand, in order to make up your own mind about these issues, especially claims of Russian hacking.

For example, University of Michigan’s Dr. Alex Halderman is advising the Green Party, and has been widely quoted recently about the possible attacks that could be made on election technology, especially on the “brains” of a voting system, the Election Management System (EMS) that “programs” all the voting machines and collates their tallies, yet is really just some fairly basic desktop application software running on ancient MS Windows. Though sometimes complex to explain, Halderman and others are doing a good job explaining what is possible in terms of election-result-altering attacks.

In response to these explanations, several news articles note that DHS, DNI, and other government bodies take the view that it would be “extremely difficult” for nation state actors to carry out exploits of these vulnerabilities. I don’t doubt that DHS cyber-security experts would rank exploits of this kind (both effective and also successful in hiding themselves), as on the high end of the technical difficulty chart, out there with hacking Iranian uranium enrichment centrifuges.

Here’s the Problem: “extremely difficult” has nothing to do with how likely it is that critical election systems might or might not have been penetrated.

It is a completely different issue to compare the intrinsic difficulty level with the capabilities of specific attackers. We know full well that attacks of this kind, while high on technical difficulty, are totally feasible for a few nation state adversaries. It’s like noting that a particular class of technical Platform Diving has a high intrinsic difficulty level beyond the reach of most world class divers, but also noting that the Chinese team has multiple divers who are capable of performing those dives.

You can’t just say “extremely difficult” and completely fail to check whether one of those well known capable divers actually succeeded in an attempt — especially during a high stakes competition. And I think that all parties would agree that a U.S. Presidential election is pretty high stakes. So …

  • 10 out of 10 points for security experts explaining what’s possible.
  • 10 out of 10 points for DHS and others for assessing the possibilities as being extremely difficult to do.
  • 10 out of 10 points for several news organizations reporting on these complex and scary issues; and
  • 0 out of 10 points for news and media organizations concluding that because some attacks are difficult, they probably didn’t happen.

Personally, I don’t have any reason to believe such attacks occurred, but I’d hate to deter anybody from looking into it, as a result of confusing level of difficulty with level of probability.

— John Sebes

Accurate Election Results in Michigan and Wisconsin Are Not a Partisan Issue

(Image: county map, courtesy of Alex Halderman’s Medium article)

In the last few days, we’ve been getting several questions that are variations on:

Should there be recounts in Michigan in order to make sure that the election results are accurate?

For the word “accurate” people also use any of:

  • “not hacked”
  • “not subject to voting machine malfunction”
  • “not the result of tampered voting machine”
  • “not poorly operated voting machines” or
  • “not falling apart unreliable voting machines”

The short answer to the question is:

Maybe a recount, but absolutely there should be an audit because audits can do nearly anything a recount can do.

Before explaining that key point, a nod to University of Michigan computer scientists pointing out why we don’t yet have full confidence in the election results in their State’s close presidential election, and possibly other States as well. A good summary is here, and an even better explanation is here.

A Basic Democracy Issue, not Partisan

The not-at-all partisan or even political issue is election assurance – giving the public every assurance that the election results are the correct results, despite the fact that bug-prone computers and human error are part of the process. Today, we don’t know what we don’t know, in part because the current voting technology not only fails to meet the three (3) most basic technical security requirements, but really doesn’t support election assurance very well. And we need to solve that! (More on the solution below.)

A recount, however, is a political process and a legal process that’s hard to see as anything other than partisan. A recount can happen when one candidate or party looks for election assurance and does not find it. So it is really up to the legal process to determine whether to do a recount.

While that process plays out let’s focus instead on what’s needed to get the election assurance that we don’t have yet, whether it comes via a recount or from audits — and indeed, what can be done, right now.

Three Basic Steps

Leaving aside a future in which the basic technical security requirements can be met, right now, today, there is a plain pathway to election assurance of the recent election. This path has three basic steps that election officials can take.

  1. Standardized Uniform Election Audit Process
  2. State-Level Review of All Counties’ Audit Records
  3. State Public Release of All Counties Audit Records Once Finalized

The first step is the essential auditing process that should happen in every election in every county. Whether we are talking about the initial count or a recount, it is essential that humans do the required cross-check of the computers’ work to detect and correct any malfunction, regardless of origin. That cross-check is a ballot-polling audit, where humans manually count a batch of paper ballots that the computers counted, to see if the human results and machine results match. It has to be a truly random sample, and it needs to be statistically significant, but even in a close election it is far less work than a recount. And it works regardless of how a machine malfunction was caused, whether hacking, manipulation, software bugs, hardware glitches, or anything else.

This first step should already have been taken by each county in Michigan, but at this point it is hard to be certain. Though less work than a recount, a routine ballot polling audit is still real work, and made harder by the current voting technology not aiding the process very well. (Did I mention we need to solve that?)

The second step should be a state-level review of all the records of the counties’ audits. The public needs assurance that every county did its audit correctly, and further, documented the process and its findings. If a county can’t produce detailed documentation and findings that pass muster at the State level, then alas the county will need to re-do the audit. The same would apply if the documentation turned up an error in the audit process, or a significant anomaly in a difference between the human count and the machine count.

That second step is not common everywhere, but the third step would be unusual but very beneficial and a model for the future: when a State is satisfied that all counties’ election results have been properly validated by ballot polling audit, the State elections body could publicly release all the records of all the counties’ audit process. Then anyone could independently come to the same conclusion as the State did, but especially election scientists, data scientists, and election tech experts. I know that Michigan has diligent and hardworking State election officials who are capable of doing all this, and indeed do much of it as part of the process toward the State election certification.
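As an added example (not code from the post or the TrustTheVote Project), here is the two-candidate ballot-polling test that the three steps rest on, the BRAVO test of Lindeman, Stark and Yates (2012): paper ballots are drawn uniformly at random and read by hand, and the audit stops once the hand-read sample supports the machine-reported winner strongly enough to hold the risk of confirming a wrong outcome below alpha. The county’s record (published seed, reported share, and the hand-read sample) is what a state reviewer, or anyone at all, replays in steps two and three. The piles of ballots are constructed, including a deliberately flipped pile to show the case where the audit must escalate to a full hand count.

```python
"""Ballot-polling risk-limiting audit (BRAVO), with a replayable record.

Added example, not code from the post or the TrustTheVote Project. Two-
candidate BRAVO (Lindeman, Stark and Yates, 2012): draw paper ballots
uniformly at random, read each by hand, and stop once the evidence that
the machine-reported winner really won reaches 1/alpha. The piles of
paper ballots below are constructed.
"""
import math
import random
from typing import Dict, List


def _increment(mark: str, winner: str, loser: str, share: float) -> float:
    """Log-likelihood-ratio contribution of one hand-read ballot."""
    if mark == winner:
        return math.log(share / 0.5)
    if mark == loser:
        return math.log((1.0 - share) / 0.5)
    return 0.0  # undervote or other candidate: drawn, but no evidence either way


def bravo_audit(ballots: List[str], winner: str, loser: str,
                reported_winner_share: float, alpha: float = 0.05,
                seed: int = 20161128) -> Dict:
    """Run the audit and return the record a county would publish.

    'confirmed' is True when the risk limit was met after 'inspected'
    ballots. If the whole pile is drawn without confirming, the paper does
    not support the reported outcome and a full hand count is required.
    """
    if not 0.5 < reported_winner_share <= 1.0:
        raise ValueError("winner must hold a majority of the two-candidate vote")
    rng = random.Random(seed)           # seed is published so the draw is reproducible
    order = list(range(len(ballots)))
    rng.shuffle(order)
    threshold = math.log(1.0 / alpha)
    log_t = 0.0                         # log of the BRAVO test statistic
    sample: List[str] = []
    confirmed = False
    for idx in order:
        mark = ballots[idx]
        sample.append(mark)
        log_t += _increment(mark, winner, loser, reported_winner_share)
        if log_t >= threshold:
            confirmed = True
            break
    return {"winner": winner, "loser": loser,
            "reported_winner_share": reported_winner_share, "alpha": alpha,
            "seed": seed, "pile_size": len(ballots), "sample": sample,
            "inspected": len(sample), "confirmed": confirmed}


def replay_record(record: Dict) -> bool:
    """State-level (or public) re-check: recompute the statistic from the
    published hand-read sample and confirm the claimed conclusion follows."""
    log_t = 0.0
    for mark in record["sample"]:
        log_t += _increment(mark, record["winner"], record["loser"],
                            record["reported_winner_share"])
    reached = log_t >= math.log(1.0 / record["alpha"])
    return reached == record["confirmed"]


def make_pile(n: int, winner_share: float, seed: int = 7) -> List[str]:
    """Constructed pile of paper ballots with a known true split."""
    rng = random.Random(seed)
    k = round(n * winner_share)
    pile = ["A"] * k + ["B"] * (n - k)
    rng.shuffle(pile)
    return pile
```

The exhausted case is the important one: a machine-reported 60/40 is not supported by a pile that is really 30/70, so the statistic never reaches 1/alpha and the county goes to a full hand count, which is the one situation where the audit has to do everything a recount does. The replay check rejects a record that claims confirmation on too few ballots, the kind of anomaly the state-level review in step two exists to catch.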

This Needs to Be Solved – and We Are

The fundamental objective for any election is public assurance in the result.  And where the election technology is getting in the way of that happening, it needs to be replaced with something better. That’s what we’re working toward at the OSET Institute and through the TrustTheVote Project.

No one wants the next few years to be dogged by uncertainty about whether the right person is in the Oval Office or the Senate. That will be hard for this election because of the failing voting machines that were not designed for high assurance. But America must say never again, so that in two short years and four years from now, we have election infrastructure in place that was designed from the ground up and purpose-built to make it far easier for election officials to deliver election results and election assurance.

There are several matters to address:

  • Meeting the three basic security requirements;
  • Publicly demonstrating the absence of the vulnerabilities in current voting technology;
  • Supporting evidence-based audits that maximize confidence and minimize election officials’ efforts; and
  • Making it easy to publish detailed data in standard formats, that enable anyone to drill down as far as needed to independently assess whether audits really did the job right.

All that and more!

The good news (in a shameless plug for our digital public works project) is that’s what we’re building in ElectOS. It is the first openly public and freely available set of election technology; an “operating system” of sorts for the next generation of voting systems, in the same way that Android is the basis for much of today’s mobile communication and computing.

— John Sebes

Vote-Flipping in Pennsylvania is Not the Problem, But Recounts?

The reports of “vote flipping” on voting machines in PA are certainly alarming to the voters using the machines, but it’s unfortunate that there are calls to treat it as a law enforcement issue. It’s a known issue with the decade-or-older flaky touch screens, and one that local election officials deal with in most elections. In some cases it may be user error; in others, a result of poor screen calibration. Sometimes the appearances are even more problematic, as with a mis-recorded straight-party vote, which affects every contest on the ballot.

Though voters and poll workers may disagree on what actually happened in these cases, what’s not controversial is the small scale — about 24 out of 24,000 machines statewide; only one voter affected per machine; and in at least some of these cases, the voter admitted that after some work, they got their votes recorded properly.

So concerns about “rigging” of individual machines are misplaced. Even leaving aside the technical fact that these are electro-mechanical issues — not riggable software — it’s a poor choice for rigging to choose a method that’s apparent to the voters, and in such small numbers.

But suppose that the resolution of the PA election depends in part on refuting claims of rigging? Then the real problems with these machines matter. With no paper trail, there is no way to re-check the voters’ choices. A recount is, in one sense, an exercise in re-doing or rerunning the addition of the vote tallies from each machine. But it’s more complicated than that.

In each county with these paperless touch-screen machines, for each machine, the election officials have to maintain records of custody of the machines and their removable data cartridges, with record-keeping procedures sufficient to withstand substantial challenges. It’s not impossible to refute claims of rigging in these circumstances, but it is grindingly detailed work, and with a lot of grist for the mill of legal challenges.

— John Sebes

More on CyberScoop Coverage of Voting Machine Vulnerabilities

CyberScoop’s Chris Bing wrote a good summary of the response to Cylance’s poorly timed announcement of old news on voting machine vulnerabilities: Security Firm Stokes Election Hacking Fears.

I have a couple of details to add, but first let me re-iterate that the system in question does have vulnerabilities which have been well known for years, and reference exploits are old news. Sure, Cylance techs did write some code to create a new variant on previous exploits, but as Princeton election security expert Andrew Appel noted, the particular exploit was detectable and correctable, unlike some other hacks.

Regardless of whether Cylance violated the unwritten code of reporting on new vulnerabilities only, and regardless of good intentions vs. fear-mongering effects, the basic premise is wrong.

You can’t expect election officials to modify critical voting systems in response to a blog. In fact, election officials should not be modifying software at all, and should modify hardware only for breakage replacement.

Perhaps the folks at Cylance didn’t know that there are very special and very specific rules for modifying voting systems. Here are 5 details about how it really works:

  • The hardware and software of voting systems is highly regulated, and modifications can only be done following regulatory review.
  • Even if this were a new vulnerability, and even if there were what some would claim is an easy fix, it would still require the vendor to act, not the election officials. Vendors would have to make the fix, and re-do their testing, then re-engage for testing by an accredited test lab (at the vendor’s expense), and then go back to government certification of the test lab’s finding.
  • Election officials are barred from “patching” or any kind of unsupervised modification. This makes a lot of sense, if you think about it: someone representing the vendor wants to modify these systems, while each of 10,000+ local election bodies is supposed to ensure only the legitimate changes happen? That’s not feasible, even if it were legal.
  • Local election officials are required to do pre-election testing for machines’ “logic and accuracy,” and they must not use machines that have not passed such testing, which in some localities must also be signed off by an elections board. Making even a legitimate certified change to a system 4 days before an election would invalidate it for use on election day. Consider early voting: in practice it has already been many weeks since modifications of any kind were allowed.
  • So there is no way that a disclosure like this, with this timing, could ever be viewed as responsible by anyone who understands how voting tech is regulated and operated. I expect that it didn’t occur to the Cylance folks that there might be special rules about voting systems that would make disclosures 4 days before, or even 4 weeks before, completely impractical for any benefit. But regardless of a possible upside, it ought to have been clear that there is considerable downside to fear-mongering about the integrity of an election a mere days before election day, especially this one.

And that would still be the case if this were a new finding. Which it isn’t.

Making a new variant exploit of a vulnerability that has been well known for some time is just grandstanding, and most responsible security folks steer clear of that to maintain their reputation. I can’t fathom why Cylance in this case behaved so at variance with the unwritten code of ethical vulnerability research. I hope it was just impulsive behavior based on a genuine concern about the integrity of our elections. The alternative would be most unfortunate.

— John Sebes, CTO

Clarifications to PBS Newshour “Here’s How Hackers Could Mess With Electronic Voting”

PBS Newshour’s reporting on election cyber risks offers a good roundup of a handful of notable cyber-risks, but it also contains some basic misunderstandings of how election operations actually work. While I appreciate the reporting as a whole, here is my list of some of the mistakes.

  • Tied for first in misleading points is the claim that “Some experts believe this tactic may have been partially responsible for the voting irregularities witnessed in Florida during the 2000 election.” The tactic in question is actually a demonstration hack developed by Harri Hursti. Lots of people have lots of theories about Florida 2000, but I don’t know any election tech expert who believes that there is any evidence of this hack having actually been used to affect Florida’s deciding vote in Bush/Gore.
  • No, the FBI did not issue “an alert stating foreign hackers had infiltrated state election systems,” but there was an FBI advisory on attacks on state-operated voter registration systems. The “Targeting Activity Against State Board of Election Systems” advisory was about data exfiltration, not takeover of the systems themselves. Attack, yes; infiltration, no. Registration systems, yes; “state election systems,” no.
  • Yes, the DDoS attack on Dyn has raised awareness of how vulnerable so many systems are to these types of temporary take-downs. But “flooding multiple polling stations” isn’t relevant, because most polling places are not connected to the Internet, and a network outage wouldn’t affect voting operations.
  • The same is true of “computer where regional votes are tabulated could delay election reporting,” because these computers (“election management systems” or “tabulation managers,” to use 2 common terms for them) are not connected to the Internet. In fact, in many states that would be illegal.
  • The part about the Dark Web being used to sell pilfered voter records sounds scary, but the reality is more mundane. Every state has methods for public access to an extract of the voter database; these are essential tools for parties and campaigns, and there is an active niche market for information services built on top of this base data. If some enterprising Dark Web denizen can sell $300 copies of public data sets that cost $100 or less to obtain, that only tells us that gullible buyers exist on the Dark Web, too.
  • But it is true that voter records can be abused to impede voters. However, calling “voters to change the location of their polling stations” is the least efficient way to abuse this information. Political operations have been doing “caging” attacks for years, for example, and online automation of these attacks is a real concern.
  • Max Kilger is right about “You have to look at attacks at the intermediate stages,” but not so much about “where there are computers tabulating results from around a state or a county.” It’s purely a county or other local level responsibility to aggregate vote tallies from early voting, polling places, and centrally counted ballots. This is supposed to be entirely offline, so attacks need to be physical. Sure, states do collect results data from counties and certify election results, but the source data lives in the localities. I’d like to think we’d notice if a state’s vote totals for some reason did not equal the sum of the numbers published by each locality.
  • Not related to elections were a couple of misleading comments about critical infrastructure. Yes, the Energetic Bear/Dragonfly attack successfully targeted energy and power distribution operators’ corporate systems. But “infiltrated power grid”? No. Takeover of the actual grid’s industrial control systems (ICS) is now considered a cyber act of war. It hasn’t happened.
  • Lastly, and also tied for first, is a very unlikely speculation about a Dragonfly-like attack on voting machine vendors. Yes, any vendor’s corporate operations can be infiltrated with the intent to tamper with the vendor’s products in the pre-manufacturing stage. Voting system vendors are not immune to those attacks, but the products in use today are: they were manufactured a decade or more ago, when many of today’s attackers were probably in middle school. And the ability to plant a logic bomb used only in a specific election years afterwards is certainly a capability that today’s nation-state cyber-operations have, but 10 years ago? I have to doubt it.

So, that’s 9 points that I take exception to, but let me close by acknowledging that overall, the PBS report covered a lot of ground across a wide range of threats.

— John Sebes, CTO