News Feed

From DHS Symposium — The Three Basic Requirements for Voting System Security

In a recent posting, I noted that despite current voting systems’ basic flaws, it is still possible to do more to provide the public with details that can provide peace of mind that close contests’ results are not invalid due to technology-related problems. Now I should explain what I meant by basic security flaws, especially since that was the topic of a panel I was part of recently: a group of security and/or election professionals addressing a DHS meeting on security tech transfer.

We agreed on three basic security and integrity requirements that are not met by any existing product:

  1. Fixed-function: each machine should run only one fixed set of software that passed accredited testing and government certification.
  2. Replace not modify: that fixed software set should not be modifiable, and can be updated only by being replaced with another certified system.
  3. Validation: all critical components of these systems are required to support election officials’ ability to validate a machine before each election, to ensure that it remains in exactly the same certified configuration as before.
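One concrete form of the validation requirement (added example, not OSET or TrustTheVote code): the certifying authority publishes a manifest of every file the machine may contain with its SHA-256 digest, and before each election the official compares an image of the machine against it. The example assumes the image is read by trusted tooling outside the machine, which is exactly the guarantee the post says ordinary PC hardware cannot provide; the paths, manifest format and sample files are constructed.

```python
"""Pre-election validation of a fixed-function machine against its certified manifest."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def validate(certified: Dict[str, str], observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Report drift between the certified manifest and what is on the machine.

    A machine passes only if all three lists are empty. An *added* file is as
    disqualifying as a modified one: the fixed-function requirement forbids any
    software that is not part of the certified set, not just changed software.
    """
    added = sorted(set(observed) - set(certified))
    removed = sorted(set(certified) - set(observed))
    modified = sorted(
        f for f in set(certified) & set(observed) if certified[f] != observed[f]
    )
    return {"added": added, "removed": removed, "modified": modified}


def passes(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


def demo() -> Tuple[bool, Dict[str, List[str]]]:
    """Certify a constructed image, re-validate it clean, then re-validate after drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # Constructed stand-ins for the certified software set.
        (root / "bin" / "tally").write_bytes(b"certified tally binary v1")
        (root / "etc" / "ballot.def").write_bytes(b"contest=president")
        certified = build_manifest(root)
        clean_report = validate(certified, build_manifest(root))
        # Three kinds of drift: one file changed, one added, one removed.
        (root / "bin" / "tally").write_bytes(b"certified tally binary v1 + patch")
        (root / "bin" / "extra.bin").write_bytes(b"not in the certified set")
        (root / "etc" / "ballot.def").unlink()
        drift_report = validate(certified, build_manifest(root))
    return passes(clean_report), drift_report
```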

These critical properties are absent today because of a basic decision made by vendors years ago: to bring new voting technology to market quickly by basing it on ordinary turn-of-the-century PC technology that was, and remains in today’s market, fundamentally unable to support fixed-function systems inherently capable of validation. All voting systems today lack these basic properties, and without them, all other security requirements are largely irrelevant — and compliance with current certification requirements is impossible.

Crazy, eh? Then add to that:

  • the remarks of panelist and voting system security expert Matt Bishop of UC Davis on the many software-level security functional problems encountered in reviews of voting systems, problems found despite the official federal testing and certification process intended to find them; and
  • Virginia’s Election Commissioner Edgardo Cortez’s examples of system-level security issues found in their review of a voting system that was subsequently banned for use in VA. A few minds were blown in the audience.

The Consensus and One More Thing

The consensus at this DHS event, for both panel and audience, was that any future voting system worth having should be validated by a future testing and certification process that, among other goals, specifically requires the architecture-level security requirements I outlined and focuses on the types of issues Cortez and Bishop described – and one more thing that’s important for completely different reasons.

That one more thing: future voting systems need to be designed from scratch for ease of use by election officials, so that they don’t have to take today’s extraordinary measures, with so much human-level effort and human-error-prone work needed to operate these systems with reasonable security that can be demonstrated in the event of disputes.

So, leaving aside “known unknowns” about recent hacks or lack thereof, we have some really important “known knowns” – there is enormous potential for improvement in a wholesale replacement of voting tech that meets the 3 basic integrity requirements above, can be feasibly examined for the issues that our panelists discussed, and can be easily and safely operated by ordinary election officials.

— John Sebes

Recounts, Russian Hackers, and Misunderstood Claims

There’s a lot of news media about the Green Party’s push for recounts. Some is accurate, some is wildly alarmist, but most of what I’ve read misses a really key point that you need to understand, in order to make up your own mind about these issues, especially claims of Russian hacking.

For example, University of Michigan’s Dr. Alex Halderman is advising the Green Party, and has been quoted extensively recently about the possible attacks that could be made on election technology, especially on the “brains” of a voting system, the Election Management System (EMS) that “programs” all the voting machines and collates their tallies, yet is really just some fairly basic desktop application software running on ancient MS Windows. Though sometimes complex to explain, Halderman and others are doing a good job explaining what is possible in terms of election-result-altering attacks.

In response to these explanations, several news articles note that DHS, DNI, and other government bodies take the view that it would be “extremely difficult” for nation state actors to carry out exploits of these vulnerabilities. I don’t doubt that DHS cyber-security experts would rank exploits of this kind (both effective and also successful in hiding themselves), as on the high end of the technical difficulty chart, out there with hacking Iranian uranium enrichment centrifuges.

Here’s the Problem: “extremely difficult” has nothing to do with how likely it is that critical election systems might or might not have been penetrated.

It is a completely different issue to compare the intrinsic difficulty level with the capabilities of specific attackers. We know full well that attacks of this kind, while high on technical difficulty, are totally feasible for a few nation state adversaries. It’s like noting that a particular class of technical Platform Diving has a high intrinsic difficulty level beyond the reach of most world class divers, but also noting that the Chinese team has multiple divers who are capable of performing those dives.

You can’t just say “extremely difficult” and completely fail to check whether one of those well known capable divers actually succeeded in an attempt — especially during a high stakes competition. And I think that all parties would agree that a U.S. Presidential election is pretty high stakes. So …

  • 10 out of 10 points for security experts explaining what’s possible.
  • 10 out of 10 points for DHS and others for assessing the possibilities as being extremely difficult to do.
  • 10 out of 10 points for several news organizations reporting on these complex and scary issues; and
  • 0 out of 10 points for news and media organizations concluding that because some attacks are difficult, they probably didn’t happen.

Personally, I don’t have any reason to believe such attacks occurred, but I’d hate to deter anybody from looking into it, as a result of confusing level of difficulty with level of probability.

— John Sebes

Accurate Election Results in Michigan and Wisconsin is Not a Partisan Issue

[Image: counties. Courtesy, Alex Halderman Medium article]

In the last few days, we’ve been getting several questions that are variations on:

Should there be recounts in Michigan in order to make sure that the election results are accurate?

For the word “accurate” people also use any of:

  • “not hacked”
  • “not subject to voting machine malfunction”
  • “not the result of tampered voting machine”
  • “not poorly operated voting machines” or
  • “not falling apart unreliable voting machines”

The short answer to the question is:

Maybe a recount, but absolutely there should be an audit because audits can do nearly anything a recount can do.

Before explaining that key point, a nod to University of Michigan computer scientists pointing out why we don’t yet have full confidence in the election results in their State’s close presidential election, and possibly other States as well. A good summary is here and an even better explanation is here.

A Basic Democracy Issue, not Partisan

The not-at-all partisan or even political issue is election assurance – giving the public every assurance that the election results are the correct results, despite the fact that bug-prone computers and human error are part of the process. Today, we don’t know what we don’t know, in part because the current voting technology not only fails to meet the three (3) most basic technical security requirements, but really doesn’t support election assurance very well. And we need to solve that! (More on the solution below.)

A recount, however, is a political process and a legal process that’s hard to see as anything other than partisan. A recount can happen when one candidate or party looks for election assurance and does not find it. So it is really up to the legal process to determine whether to do a recount.

While that process plays out let’s focus instead on what’s needed to get the election assurance that we don’t have yet, whether it comes via a recount or from audits — and indeed, what can be done, right now.

Three Basic Steps

Leaving aside a future in which the basic technical security requirements can be met, right now, today, there is a plain pathway to election assurance of the recent election. This path has three basic steps that election officials can take.

  1. Standardized Uniform Election Audit Process
  2. State-Level Review of All Counties’ Audit Records
  3. State Public Release of All Counties’ Audit Records Once Finalized

The first step is the essential auditing process that should happen in every election in every county. Whether we are talking about the initial count or a recount, it is essential that humans do the required cross-check of the computers’ work to detect and correct any malfunction, regardless of origin. That cross-check is a ballot-polling audit, where humans manually count a batch of paper ballots that the computers counted, to see if the human results and machine results match. It has to be a truly random sample, and it needs to be statistically significant, but even in a close election, it is far less work than a recount. And it works regardless of how a machine malfunction was caused, whether hacking, manipulation, software bugs, hardware glitches, or anything else.

This first step should already have been taken by each county in Michigan, but at this point it is hard to be certain. Though less work than a recount, a routine ballot polling audit is still real work, and made harder by the current voting technology not aiding the process very well. (Did I mention we need to solve that?)

The second step should be a state-level review of all the records of the counties’ audits. The public needs assurance that every county did its audit correctly, and further, documented the process and its findings. If a county can’t produce detailed documentation and findings that pass muster at the State level, then alas the county will need to re-do the audit. The same would apply if the documentation turned up an error in the audit process, or a significant anomaly in a difference between the human count and the machine count.

That second step is not common everywhere, but the third step would be unusual but very beneficial and a model for the future: when a State is satisfied that all counties’ election results have been properly validated by ballot polling audit, the State elections body could publicly release all the records of all the counties’ audit process. Then anyone could independently come to the same conclusion as the State did, but especially election scientists, data scientists, and election tech experts. I know that Michigan has diligent and hardworking State election officials who are capable of doing all this, and indeed do much of it as part of the process toward the State election certification.
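The arithmetic behind the first step above, as an added example that is not from the post or the TrustTheVote Project: a random sample of paper ballots is examined one at a time and the BRAVO sequential test (Lindeman, Stark and Yates, 2012) decides when the sample is statistically sufficient to confirm the machine result, or whether it never is and a full hand count is needed. The two-candidate contest, the ballot populations, the reported shares, the 5% risk limit and the seed are all constructed.

```python
"""Ballot-polling audit of a two-candidate contest with the BRAVO sequential test."""
import math
import random
from typing import List, Optional, Tuple


def bravo_audit(sample: List[str], winner_share: float, risk_limit: float) -> Tuple[str, int]:
    """Run BRAVO over ballots in the order they were drawn.

    sample       -- 'W' for a ballot showing the reported winner, 'L' otherwise
    winner_share -- the winner's share of the *machine* count (must exceed 0.5)
    risk_limit   -- maximum probability of confirming a wrong outcome, e.g. 0.05

    Each winner ballot multiplies the statistic by winner_share / 0.5, each loser
    ballot by (1 - winner_share) / 0.5. Reaching 1 / risk_limit is statistically
    significant evidence that the machines called the contest correctly. If the
    sample is exhausted first, the remedy is a full hand count (in effect, a recount).
    """
    if not 0.5 < winner_share < 1.0:
        raise ValueError("reported winner must have a majority of the machine count")
    t = 1.0
    for examined, ballot in enumerate(sample, start=1):
        t *= (winner_share if ballot == "W" else 1.0 - winner_share) / 0.5
        if t >= 1.0 / risk_limit:
            return "confirmed", examined
    return "full_hand_count", len(sample)


def expected_sample_size(winner_share: float, risk_limit: float) -> Optional[float]:
    """Approximate ballots needed when the machine count is actually right.

    log(1 / risk_limit) divided by the average per-ballot growth of the log
    statistic. Returns None for a reported tie, which no sample can confirm.
    The closer the margin, the smaller the per-ballot growth and the larger the sample.
    """
    p = winner_share
    step = p * math.log(2 * p) + (1 - p) * math.log(2 * (1 - p))
    if step <= 0:
        return None
    return math.log(1.0 / risk_limit) / step


def draw_order(population_size: int, seed: int) -> List[int]:
    """Uniform random order of ballot indices, without replacement.

    In a real audit the seed comes from a public ceremony (e.g. dice rolled in the
    open) so anyone can reproduce which ballots were pulled; here it is a constant.
    """
    return random.Random(seed).sample(range(population_size), population_size)


def audit_population(population: List[str], winner_share: float,
                     risk_limit: float, seed: int) -> Tuple[str, int]:
    """Draw from a constructed ballot population in random order and run BRAVO."""
    drawn = [population[i] for i in draw_order(len(population), seed)]
    return bravo_audit(drawn, winner_share, risk_limit)


def demo(seed: int = 2016) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Honest case: paper agrees with a 60/40 machine count, so a few hundred
    ballots suffice. Tampered case: machines reported 60/40 but the paper is
    50/50, so the statistic drifts downward and the audit falls through to a
    full hand count (except with probability at most the risk limit)."""
    honest = ["W"] * 6000 + ["L"] * 4000
    tampered = ["W"] * 5000 + ["L"] * 5000
    return (audit_population(honest, 0.6, 0.05, seed),
            audit_population(tampered, 0.6, 0.05, seed))
```

For a 1-point margin (winner share 0.505) the approximation gives roughly 60,000 ballots at a 5% risk limit, which is why a close contest costs far more audit effort than a 60/40 one but still far less than recounting millions of ballots.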

This Needs to Be Solved – and We Are

The fundamental objective for any election is public assurance in the result. And where the election technology is getting in the way of that happening, it needs to be replaced with something better. That’s what we’re working toward at the OSET Institute and through the TrustTheVote Project.

No one wants the next few years to be dogged by uncertainty about whether the right person is in the Oval Office or the Senate. That will be hard for this election because of the failing voting machines that were not designed for high assurance. But America must say never again, so that in two short years and four years from now, we have election infrastructure in place that was designed from the ground up and purpose-built to make it far easier for election officials to deliver election results and election assurance.

There are several matters to address:

  • Meeting the three basic security requirements;
  • Publicly demonstrating the absence of the vulnerabilities in current voting technology;
  • Supporting evidence-based audits that maximize confidence and minimize election officials’ efforts; and
  • Making it easy to publish detailed data in standard formats, that enable anyone to drill down as far as needed to independently assess whether audits really did the job right.

All that and more!

The good news (in a shameless plug for our digital public works project) is that’s what we’re building in ElectOS. It is the first openly public and freely available set of election technology; an “operating system” of sorts for the next generation of voting systems, in the same way that Android is the basis for much of today’s mobile communication and computing.

— John Sebes

Vote-Flipping in Pennsylvania is Not the Problem, But Recounts?

The reports of “vote flipping” on voting machines in PA are certainly alarming to the voters using the machines, but it’s unfortunate that there are calls to treat it as a law enforcement issue. It’s a known issue with the decade-or-older, flaky touch screens, and one that local election officials deal with in most elections. In some cases it may be user error; in others, a result of poor screen calibration. Sometimes the appearances are even more problematic, as with a mis-recorded straight-party vote, which affects every contest on the ballot.

Though voters and poll workers may disagree on what actually happened in these cases, what’s not controversial is the small scale — about 24 out of 24,000 machines statewide; only one voter affected per machine; and in at least some of these cases, the voter admitted that after some work, they got their votes recorded properly.

So concerns about “rigging” of individual machines are misplaced. Even leaving aside the technical fact that these are electro-mechanical issues — not riggable software — it’s a poor choice for rigging to choose a method that’s apparent to the voters, and in such small numbers.

But suppose that the resolution of the PA election depends in part on refuting claims of rigging, or claims that these machines have real problems? With no paper trail, there is no way to re-check the voters’ choices. A recount is, in one sense, an exercise in re-doing or rerunning the addition of the vote tallies from each machine. But it’s more complicated than that.

In each county with these paperless touch-screen machines, for each machine, the election officials have to maintain records of custody of the machines and their removable data cartridges, with record-keeping procedures sufficient to withstand substantial challenges. It’s not impossible to refute claims of rigging in these circumstances, but it is grindingly detailed work, and with a lot of grist for the mill of legal challenges.

— John Sebes

More on CyberScoop Coverage of Voting Machine Vulnerabilities

CyberScoop’s Chris Bing wrote a good summary of the response to Cylance’s poorly timed announcement of old news on voting machine vulnerabilities: Security Firm Stokes Election Hacking Fears.

I have a couple of details to add, but first let me re-iterate that the system in question does have vulnerabilities which have been well known for years, and reference exploits are old news. Sure, Cylance techs did write some code to create a new variant on previous exploits, but as Princeton election security expert Andrew Appel noted, the particular exploit was detectable and correctable, unlike some other hacks.

Regardless of whether Cylance violated the unwritten code of reporting on new vulnerabilities only, and regardless of good intentions vs. fear-mongering effects, the basic premise is wrong.

You can’t expect election officials to modify critical voting systems in response to a blog. In fact, election officials should not be modifying software at all, and should modify hardware only for breakage replacement.

Perhaps the folks at Cylance didn’t know that there are very special and very specific rules for modifying voting systems. Here are 5 details about how it really works:

  • The hardware and software of voting systems is highly regulated, and modifications can only be done following regulatory review.
  • Even if this were a new vulnerability, and even if there were what some would claim is an easy fix, it would still require the vendor to act, not the election officials. Vendors would have to make the fix, and re-do their testing, then re-engage for testing by an accredited test lab (at the vendor’s expense), and then go back to government certification of the test lab’s finding.
  • Election officials are barred from “patching” or any kind of unsupervised modification. This makes a lot of sense, if you think about it: someone representing the vendor wants to modify these systems, while each of 10,000+ local election bodies is supposed to ensure only the legitimate changes happen? That’s not feasible, even if it were legal.
  • Local election officials are required to do pre-election testing for machines’ “logic and accuracy,” and they must not use machines that have not passed such testing, which in some localities must also be signed off by an elections board. Making even a legitimate certified change to a system 4 days before an election would invalidate it for use on election day. Consider early voting! It is really many weeks since modifications of any kind were allowed.
  • So there is no way that a disclosure like this, with this timing, could ever be viewed as responsible by anyone who understands how voting tech is regulated and operated. I expect that it didn’t occur to the Cylance folks that there might be special rules about voting systems that would make disclosures 4 days before, or even 4 weeks before, completely impractical for any benefit. But regardless of a possible upside, it ought to have been clear that there is considerable downside to fear-mongering about the integrity of an election a mere days before election day – especially this one.

And that would still be the case if this were a new finding. Which it isn’t.

Making a new variant exploit on a vulnerability well known for some time is just grandstanding, and most responsible security folks steer clear of that to maintain their reputation. I can’t fathom why Cylance in this case behaved so at variance with the unwritten code of ethical vulnerability research. I hope it was just impulsive behavior based on a genuine concern about the integrity of our elections. The alternative would be most unfortunate.

— John Sebes, CTO

Clarifications to PBS Newshour “Here’s How Hackers Could Mess With Electronic Voting”

PBS Newshour reporting on election cyber risks offers a good roundup of a handful of notable cyber-risks, but also contains some basic misunderstanding of how election operations actually work. While appreciating the reporting as a whole, here is my list of some mistakes.

  • Tied for first in misleading points is the claim that “Some experts believe this tactic may have been partially responsible for the voting irregularities witnessed in Florida during the 2000 election.” The tactic in question is actually a demonstration hack developed by Harri Hursti. Lots of people have lots of theories about Florida 2000, but I don’t know any election tech expert who believes that there is any evidence of this hack having actually been used to affect Florida’s deciding Bush/Gore vote.
  • No, the FBI did not issue “an alert stating foreign hackers had infiltrated state election systems,” but there was an FBI advisory on attacks on state-operated voter registration systems. The “Targeting Activity Against State Board of Election Systems” was about data exfiltration, not takeover of the systems themselves. Attack yes, infiltration no; registration systems, yes, “state election systems,” no.
  • Yes, the DDoS attack on Dyn has raised awareness of how vulnerable so many systems are to these types of temporary take downs. But “flooding multiple polling stations” isn’t relevant because most polling places are not connected to the Internet, and a network outage wouldn’t affect voting operations.
  • The same is true of “computer where regional votes are tabulated could delay election reporting” because these computers – “election management systems” or “tabulation managers,” to use two common terms for them – are not connected to the Internet. In fact in many states that would be illegal.
  • The part about the Dark Web being used to sell pilfered voter records sounds scary, but the reality is more mundane. Every state has methods for public access to an extract of the voter database; these are essential tools for parties and campaigns, and there is an active niche market for information services on top of this base data. If some enterprising Dark Web denizen can sell $300 copies of public data sets that cost $100 or less to obtain, that only tells us that gullible buyers exist on the Dark Web, too.
  • But it is true that voter records can be abused to impede voters. However, calling “voters to change the location of their polling stations” is the least efficient way to abuse this information. Political operations have been doing “caging” attacks for years, for example, and online automation of these attacks is a real concern.
  • Max Kilger is right about “You have to look at attacks at the intermediate stages,” but not so much “where there are computers tabulating results from around a state or a county.” It’s purely a county or other local level responsibility to aggregate vote tallies from early voting, polling places, and centrally counted ballots. This is supposed to be entirely offline, so attacks need to be physical. Sure, states do collect up results data from counties, and certify election results, but the source data lives in the localities. I’d like to think we’d notice if a state’s vote totals for some reason did not equal the sum of the numbers published by each locality.
  • Not related to elections were a couple of misleading comments about critical infrastructure. Yes, the EnergeticBear/Dragonfly attack successfully targeted energy and power distribution operators’ corporate systems. But “infiltrated power grid” – no. Takeover of the actual grid’s industrial control systems (ICS) is now considered a cyber act of war. Hasn’t happened.
  • Lastly, and also tied for first, is a very unlikely speculation of a Dragonfly-like attack on voting machine vendors. Yes, any vendor’s corporate operations can be infiltrated with the intent to tamper with the vendor’s products in the pre-manufacturing stage. Voting system vendors are not immune to those attacks, but the products in use today are: they were manufactured a decade or more ago, when many of the attackers were probably in middle school. And the ability to set a logic bomb used only in a specific election years afterwards is certainly a capability that today’s nation state cyber-operations have – but 10 years ago, I have to doubt it.

So, that’s 9 points that I take exception to, but let me close by acknowledging that overall, the PBS report covered a lot of ground for a wide range of threats.

— John Sebes, CTO

The Real “Safeguards” on Voting Machines – and the Real Threat


My goodness, the doom and gloom about paperless voting machines seems palpable recently. Amidst concerns about election “rigging”, I hear worries that the lack of a “paper backup” for some DRE voting machines might create fundamental issues for election verification. Goodness knows I am not a fan of paperless voting of any kind, nor of the current generation of DREs generally. But the current media blitz of fear, uncertainty, and doubt (FUD) is getting disconnected from the facts. If this post of “back to the facts” sounds like venting, well, maybe it is just a bit.

Here’s one bit of flotsam in the news stream that floated by recently, and struck me as odd – dinging paperless DREs as lacking a basic “safeguard” of a paper backup. Well, not exactly. It’s not that paperless DREs lack a safeguard; there are plenty of those, too many. What they lack is a fundamental feature – an actual ballot from each voter. By now, finally, most people realize it was a Really Bad Idea to have voting machines that threw away the ballot that recorded each voter’s intent. We tossed out the ballot baby with the hanging chads bathwater.

It’s kind of like saying that a “brakeless racing bike” is missing the safeguard of a way to stop, when in fact a pair of brakes is a fundamental requirement for a racing bike. You could still ride it, but “safeguards” is what you’d need to compensate for this basic omission: limiting riding to only over flat ground, with riders wearing shoes that work as brake pads, and so on.

Paperless DREs are like that. They need extra safeguards to compensate for the fundamental shortcoming of no ballot. And it is election officials and poll workers that work hard to make that bike level and smooth.

The Real Safeguards

The safeguards are “too many” in that

  • they require a lot of extra work for hardworking election officials and poll-workers to do, and
  • they are all absolutely needed to compensate for the major shortcomings of DREs, especially paperless.

I’ve seen this firsthand, as a poll worker before CA decertified its voting machines, developed safeguards sufficient for the deficiencies found in the “Top to Bottom Review”, and re-certified with the proviso that each county needed to demonstrate adequate staff and poll worker training to operate the systems with all the required safeguards. The re-training was intense, and the additional work was easily an hour or more per precinct on election day and night alone.

We had new tamper-evident seals (TES) on every part of the DREs, check sheets for every step in set-up and tear-down, bags for each of several kinds of evidence, a TES-sealed bag of TESs to apply to the bags at the end of the day, double-sign-off sheets, new rules for ballot reconciliation, and new procedures for physical chain of custody of pretty much everything.

And that was the tip of the iceberg, considering what the election officials and their temp staff had to do to set all this up, plus the back-office safeguards that the public doesn’t see. For the ultra-geeks, I’ll provide a couple of specific examples later, explaining why each bit of extra work is necessary — but I hope you get the idea here.

The Five P’s for an Election Outcome

Another way of putting this is that with today’s DREs the technology platform has deficiencies that require a complex set of safeguards by people and process. Those two “P’s” are always required, but they can get hairy when the 3rd “P”, the platform, wasn’t designed with self-protections that keep the activity demanded of people and process to a reasonable amount.

Sure, there is a risk of the platform being compromised (or malfunctioning unnoticed) if the people don’t do the process adequately. We had that risk for years, with election tech that’s worse than what we have now, and we still had election verification – just with a really vexing amount of work, both for the protection, and the oversight that it was done properly. And that’s part of the 4th “P”, policies, including the policy that the public must be able to verify the first 3 “P”s as part of the election outcome.

The procedures, and documentation of their performance, are both essential. It’s not enough to do the extra work to implement the safeguards required by the platform. Election officials must also prove that they did so, by following policies on documentation and record keeping. The election outcome is an important concept here.

Election outcome is not just the election results, the vote counts, who won, who lost. It is that plus all the evidence that the election was performed well enough to have confidence in the result. That’s the ultimate purpose of elections – a result that’s believable and does not create an impediment to the ordinary transfer of power.

The Federal election of 2000 is the example of what happens when the election outcome is not sufficient, and the transfer of power was in doubt for days. And that was in a calmer time, pre-Ferguson, pre-Occupy-Wall-St., before the computer in your pocket that can spread real or feigned outrage to millions in a moment.

The Real Threat

What we can see in this campaign of 2016 is the greater threat to election integrity – the 5th “P” of politics. This election is politically unique with the campaigns’ messaging on “rigging”, on cyber-risk to elections, on cyber-operations against campaigns and parties, and even foreign government influence.

It’s hard to be sure amidst all the rhetoric, but it sure looks like there is a higher risk of a situation where Federal election results aren’t enough, and the “prove that you ran the election right” demand might be placed on election officials in an unprecedented way that is far more public and adversarial than the usual and relatively gentlemanly activity of election law, litigation, recounts, and so on. The Minnesota Senate fracas between Al Franken and Norm Coleman could look positively quaint by comparison.

As a result, there’s the possibility of far higher stakes for the people and process to generate the evidence that proves that the election results are legitimate. The preparation for, and, heaven forbid, the execution of that proof, will be even more work than usual. Preparation could be huge, both literally in terms of work, and figuratively in terms of importance.

Preparation Is Huge

When you possibly have an election where the second place candidate says, “prove that these are the exactly correct vote totals”, you can never do that regardless of the election technology, including ancient Greek marbles and jars. That’s why “rigging” rhetoric will always be attractive.

But you can prove that all the required protective measures were done, and that there is no reasonable doubt about the result as supported by the technology. In jurisdictions with op-scanned paper ballots and documented chain of custody, the proof is relatively simple: here’s why we know that these are the legitimate paper ballots; we did a manual ballot audit and found no significant discrepancy with the machine counts. Done.

But here’s the bummer for election officials in all the paperless jurisdictions: there is more work to do. They need to prove that there is no reasonable doubt that the DREs accurately recorded each voter’s intent; and recorded the votes properly as tally datasets on removable media; and that the media used in tabulation were those same media; and that the data on the media was not modified en route from polling place to election result. The proof, in other words, is complicated.

Collecting that proof is more work, and yields much more complex records, but it is not mysterious. Election officials have been doing this for years. But the complexity is an inherent vulnerability. The complexity makes it easy to have political rhetoric that points fingers at the many places it could have gone wrong, casts doubt on the proof. And it could be very effective FUD, if the proof is more complex than the public at large is willing or able to digest.

Where’s the Risk?

The risk is essentially equal for all the paperless jurisdictions, not just the ones that the campaigns are currently pointing to, and the media scrutinizing. They all have tech with the same shortcomings and vulnerabilities, and the same extra work to implement safeguards to compensate. With this voting technology, you have to work even harder to prepare to respond to claims of rigging, and even if you do a great job, it could still get ugly because of the complexity.

I don’t worry so much about the jurisdictions currently in the limelight (or hotseat) because the very limelight itself provides a great incentive to properly prepare and execute. In the so-called battleground states, the state election leadership understands the issues, and the local election officials on the ground have the experience.

Where I really worry is around the edges. Perhaps if FL turns out to be the narrowest-margin state, and we see a repeat of a county’s previous breakdown in physical chain of custody. Or perhaps if GA turns out to be closer than anybody would ever have expected a year ago, and election officials did not prepare as carefully to defend against claims of “rigging”.

That’s what we face in this election, and I say “never again”. We can replace all the aging-out voting systems, paperless and otherwise, with a far better platform that requires reasonable efforts from people to implement processes that create comprehensible proof, enabling meaningful policies of public oversight that are much less vulnerable to the politics of fear, uncertainty and doubt.

— John Sebes

NBC News, Voting Machines, and a Grandmother’s PC

I’d like to explain more precisely what I meant by “your grandmother’s PC” in the NBC TV Bay Area’s report on election technology. Several people thought I was referring to voting machines as easily hacked by anyone with physical access, because despite appearances:

Voting machines are like regular old PCs inside, and like any old PC …

  • … it will be happy to run any program you tell it to, where:
  • “You” is anyone that can touch the computer, even briefly, and
  • “Program” is anything at all, including malicious software specially created to compromise the voting machine.

That’s all true, of course, as many of us have seen recently in cute yet fear-mongering little videos about how to “hack an election.” However, I was referring to something different and probably more important: a regular old PC running some pretty basic Windows XP application software, that an election official installed on the PC in the ordinary way, and uses in the same way as anything else.

That’s your “grandmother’s PC,” or in my son’s case, something old and clunky that looks exactly like the PC that his grandfather had a decade-plus ago – minus some hardware upgrades and software patches that were great for my father, but for voting systems are illegal.

But why is that PC “super important”? Because the software in question is the brains behind every one of that fleet of voting machines, a one stop shop to hack all the voting machines, or just fiddle vote totals after all those carefully and securely operated voting machines come home from the polling places. It’s an “election management system” (EMS) that election officials use to create the data that tells the voting machines what to do, and to combine the vote tally data into the actual election results.

That’s super important.

Nothing wrong with the EMS software itself, except for the very poor choice of creating it to run on a PC platform that by law is locked in time as it was a decade or so ago, and has no meaningful self-defenses in today’s threat environment. As I said, it wasn’t a thoughtful choice – nobody said it would be a good idea to run this really important software on something as easily hacked as anyone’s grandparent’s PC. But it was a pragmatic choice at the time, in the rush to the post-hanging-chads Federally funded voting system replacement derby. We are still stuck with the consequences.

It reminds me of that great old radio show, Hitchhiker’s Guide to the Galaxy, where after stealing what seems like the greatest ship in the galaxy, the starship Heart of Gold, our heroes are stuck in space-time with Eddie Your Ship-Board Computer, “ready to get a bundle of kicks from any program you care to run through me.” The problem, of course, is that while designed to do an improbably large number of useful things, it’s not able to do one very important thing: steer the ship after being asked to run a program to learn why tea tastes good.

Election management systems, voting machines, and other parts of a voting system, all have an individual very important job to do, and should not be able to do anything else. It’s not hard to build systems that way, but that’s not what’s available from today’s 3 vendors in the for-profit market for voting systems, and services to operate them to assist elections officials. We can fix that, and we are.

But it’s the election officials, many many of them public servants with a heart of gold, that should really be highlighted. They are making do with what they have, with enormous extra effort to protect these vulnerable systems, and run an election that we all can trust. They deserve better, we all deserve better, election technology that’s built for elections that are Verifiable, Accurate, Secure, and Transparent (VAST as we like to say). The “better” is in the works, here at OSET Institute and elsewhere, but there is one more key point.

Don’t be demoralized by the fear, uncertainty and doubt about hacking elections. Vote. These hardworking public servants are running the election for each of us, doing their best with what they have. Make it worth something. Vote, and believe what is true: that you are an essential part of the process that makes our democracy truly a democracy.

— John Sebes

Old School, New Tech: What’s Really Behind Today’s Elections

Many thanks to coverage by Bloomberg’s Michaela Ross, on election tech and cyber-security.

Given so much at stake for this election with its credibility rocked by claims of rigging, and so much more at stake as we move ahead to replace and improve our election infrastructure, I’m rarely enthused about reading more about how some people think Internet voting is great, and others think it is impossible.  However, Ms. Ross did a great job of following that discussion about how “Old School May Be Better” with supporting remarks from many long time friends and colleagues in election administration and technology worlds.

Where I’d like to respond is to re-frame the “old” part of “old school” and to reject one remark from a source that Ross quoted: “They’re pretending what we do today is secure … There’s not a mission critical process in the world that uses 150-year-old technology.” Three main points here:

  1. There is plenty of new technology in the so-called old school;
  2. No credible election expert pretends that our ballots are 100% secure, not even close; and
  3. That’s why we have several new and old protections on the election process, including some of that new technology.

Let me address that next in three parts: mostly about what’s old and what’s new, then circling back to the truth about security, and lastly a comment on iVoting that I’ll mostly defer to a later re-up on the iVoting scene.

Old and New

Here is what’s old: paper ballots. We use them because we recognize the terrible omission in voting machines from the late 19th century mechanical lever machines (can be hacked with toothpicks, tampered with screwdrivers, and retain no record of any voter’s intent other than numbers on odometer dials) and many of today’s paperless touchscreens: “hack-able” and “tamper-able” even more readily, and likewise with no actual ballot other than bits on a disk. We use paper ballots (or paper-added touchscreens as a stop-gap) because no machine can be trusted to accurately record every voter’s intent. We need paper ballots not just for disputes and recounts, but fundamentally as a way to cross check the work of the machines.

Here’s what’s new: recently defined scientific statistical methods to conduct a routine ballot audit for every election, to cross check the machines’ work, with far less effort and cost than today’s “5% manual count and compare” and variant methods used in some states. It’s never been easier to use machines for rapid counts and quick unofficial results, and then (before final results) to detect and correct instances of machine inaccuracies whether from bugs, tampering, physical failure, or other issues. It’s called Risk Limiting Audit or RLA.
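To make the “far less effort than a flat 5% count” claim concrete, here is an added Python illustration (not code from the original post or from OSET) that simulates a ballot-polling RLA using the BRAVO test of Lindeman, Stark and Yates, and compares the number of ballots it examines with a fixed 5% hand count. The contest size, vote shares and two-candidate simplification are constructed assumptions.

```python
"""Ballot-polling risk-limiting audit (BRAVO) vs. a flat 5% hand count.

Added illustration; not code from the original post or the OSET Institute.
BRAVO (Lindeman, Stark, Yates 2012): each hand-examined ballot for the
reported winner multiplies a running statistic T by 2*s_w, each ballot for
the reported loser multiplies it by 2*(1-s_w), and the audit stops once
T >= 1/alpha, where alpha is the risk limit.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class AuditResult:
    confirmed: bool       # T reached 1/alpha: reported outcome confirmed
    ballots_sampled: int  # ballots examined by hand before stopping
    flat_5pct_count: int  # ballots a fixed 5% hand count would examine


def bravo_audit(reported_winner_share: float, true_winner_share: float,
                total_ballots: int, alpha: float = 0.05,
                seed: int = 1) -> AuditResult:
    """Simulate a two-candidate ballot-polling RLA with the BRAVO test.

    reported_winner_share: machine-count share s_w of the reported winner
        among ballots for the two candidates (margin = 2*s_w - 1).
    true_winner_share: constructed share actually on the paper; each sampled
        ballot is for the reported winner with this probability (sampling
        with replacement; undervotes and other candidates are ignored here).
    If total_ballots draws pass without confirming, the audit escalates to
    a full hand count, which is what the result then reports.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner needs a majority of the two-candidate vote")
    if not 0.0 < alpha < 1.0:
        raise ValueError("alpha must be a risk limit strictly between 0 and 1")
    rng = random.Random(seed)
    log_t = 0.0                                   # log of T, starting at T = 1
    log_threshold = math.log(1.0 / alpha)
    step_winner = math.log(2.0 * reported_winner_share)         # > 0
    step_loser = math.log(2.0 * (1.0 - reported_winner_share))  # < 0
    flat_count = (5 * total_ballots + 99) // 100  # ceil(5% of ballots)
    for n in range(1, total_ballots + 1):
        log_t += step_winner if rng.random() < true_winner_share else step_loser
        if log_t >= log_threshold:
            return AuditResult(True, n, flat_count)
    return AuditResult(False, total_ballots, flat_count)


if __name__ == "__main__":
    # Constructed contest of 100,000 ballots at three reported margins; the
    # sample a correctly reported outcome needs grows as the margin narrows.
    for margin in (0.20, 0.10, 0.02):
        s_w = 0.5 + margin / 2
        r = bravo_audit(s_w, s_w, 100_000)
        print(f"margin {margin:.0%}: BRAVO sampled {r.ballots_sampled:,} ballots, "
              f"flat 5% count would examine {r.flat_5pct_count:,}")
    # Reported 60/40, but the paper actually shows 30/70: the audit does
    # not confirm and escalates to a full hand count.
    wrong = bravo_audit(0.6, 0.3, 100_000)
    print("wrongly reported outcome confirmed:", wrong.confirmed)
```

The comparison only holds when the reported margin is comfortable; for razor-thin contests the RLA sample approaches a full count, which is the honest answer in that case.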

Here’s what’s new-ish: the new standard approach is for paper ballots to be rapidly machine counted using optical scanners and digital image processing software. There are a lot of old clunky and expensive (to buy, maintain, and store) op-scanners still in use, but this isn’t “150 years old,” any more than our modern ballots are like the old 19th-century party-machine-politics balloting that was rife with fraud that led to the desire for the old lever machines. However, these older machines have low to no support for RLA.

Here’s what’s newer: many people have mobile computers in their pocket that can run optical-capture and digital image processing. It’s no longer a complicated job to make a small, inexpensive device that can read some paper, record what’s on it, and retain records that humans can cross check. There’s no reason why the op-scan method needs to be old and clunky. And with new systems, it is easy to keep the type of records (technically, a “cast vote record” for each ballot) needed for easy support for RLA.

And finally, here’s the really good part: innovation is happening to make the process easier and stronger, both here at the OSET Institute and elsewhere ranging from local to state election officials, Federal organizations like EAC and NIST, universities, and other engines of tech innovation. The future looks more like this:

  • Polling place voting machines called “ballot marking devices” that use a familiar inexpensive tablet to collect a voter’s ballot choices, and print them onto a simple “here’s all and only what you chose” ballot to be easily and independently verified by the voter, and cast for optical scanning.
  • Devices and ballots with professionally designed and scientifically tested usability and accessibility for the full range of voters’ needs.
  • Simple inexpensive ballot scanners for these modern ballots.
  • Digital sample ballots using the voter’s choice of computer, tablet, or phone, to enable the voter to take their own time navigating the ballot, and creating a “selections worksheet” that can be scanned into a ballot marking device to confirm, correct if needed, and create the ballot cast in a polling place, or to be used in a vote-by-mail process, without the need to wait for an official blank ballot to arrive in the mail.
  • And below that tip of the iceberg for the critical ballot-related operations, there is a range of other innovations to streamline voter registration, voter check-in, absentee ballot processing, voter services and apps to navigate the whole process and avoid procedural hurdles or long lines, interactive election results exploration and analytics, and more, all with the ability for election officials to provide open public data on the outcome of the whole election process, and every voter’s success in participation or lack thereof.

That’s a lot of new tech that’s in the pipeline or in use already, but still in the old school.

Finally, two last points to loop back to Michaela’s article.

Election Protection in the Real World

First, everyone engaged in elections knows that no method of casting and counting ballots is secure.

  • Vote by mail ballots go to election officials by mail passing through many hands, not all of which may seem trustworthy to the voters.
  • Email ballots and other digital ballots go to election officials via the Internet — again via many “virtual hands” that are definitely not trustworthy — and to computers that election officials may not fully control.
  • Polling place ballots in ballot boxes are transported by mere mortals who can make mistakes, encounter mishaps, and as in a very few recent historical cases, may be dishonest insiders.
  • Voting machines are easily tampered with by those with physical access, including temp workers and contractors in warehouses, transportation services, and pre-election preparations.
  • The “central brains” behind the voting machines is often an ordinary antique PC with no real protection in today’s daunting threat environment.
  • The beat goes on with voter records systems, electronic poll books, and more.

That’s why today’s election officials work so hard on the people and processes to contain these risks, and retain control over these vital assets throughout a complex process that — honestly, going forward — could be a lot simpler and easier with innovations designed to reduce the level of effort and complexity of these same type of protections.

The Truth About iVoting Today

Secondly, lastly, and mostly for another time: Internet voting. It’s desirable, it will likely happen someday, and it will require a solid R&D program to invent the tech that can do the job with all the protections — whether against fraud, coercion, manipulation, or accidental or intentional disenfranchisement — that we have today in our state-managed, locally-operated, and (delightfully but often frustratingly) hodgepodge process of voting in 9,000+ jurisdictions across the US. I repeat, all, no compromises; no waving the magic fairy wands of trust-me-it-works-because-it-is-cool or blockchains or so-called “military grade” encryption or whatever the latest cool geek cred item is.

In the meantime, short-term, we have to shore up the current creaky systems and processes, especially to address the issues of “rigging,” and the crazy amount of work election professionals have to do to get the job done and maintain order and trust.

And then we have to replace the current systems in the existing process with innovations that also serve to increase trust and transparency. If we don’t fix the election process that we have now, and soon, we risk the hasty addition of i-voting systems that are just as creaky and flawed, hastily adopted, and poorly understood, the same as the paperless voting machines that were adopted more than a decade ago.

We can do better, in the short-term and long, and we will. A large and growing set of election and technology folks, in organizations of many kinds, are dedicated to making these improvements happen, especially as this election cycle has shown us all how vitally important it is.

— John Sebes

Yet Another Report About Voter Fears & Voting System Integrity

Today, we learned of yet another blog post and a White Paper about voter “concerns” and sentiments regarding the trustworthiness of our existing election infrastructure. This was led by a bit of a sensational headline:

“Democracy at Risk: More Than 15 Million Voters May Stay Home on Election Day Over Cyber-Security Doubts”

The sum and substance of their article is that the State of PA is the most vulnerable for an election hack. Or as one respected Media outlet asked of us today, “Would you agree that Pennsylvania — given any number of aspects, including non-paper ballots — is among the most vulnerable states to cyber-focused attacks?”

No. Not so much. Not even close, actually.

FACT: “PA is no more vulnerable to cyber-focused attacks than any other state relying heavily if not completely on digital voting machinery, namely DREs,” says John Sebes, CTO at the OSET Institute. “Notwithstanding reports such as the CarbonBlack white paper, PA’s voting machines share the same technical security vulnerabilities as in other states, no more and no less.”

Let’s put a fine point on this:  If one believes there are State actors seeking to alter an election result by exploiting voting machine vulnerabilities — despite the fact there are lower-cost higher-impact attack opportunities on U.S. elections in general, including some already underway — then PA might be a more attractive target.  In other words, PA is not more vulnerable but potentially more attractive insofar as attempts on voting machines.  While we’re at it, a few more points worth making:

  • It’s really not just about PA. Actually, FL and VA are also among potential swing states that have paperless voting machine vulnerabilities, and have potential Federal election margins that might be narrow enough for an undetected exploit to have a chance of being effective.
  • Although elections are at some risk from State sponsored adversaries, concern over possible “voting machine hacks” should not be the major concern of voters, and certainly not a reason to not vote.
  • The best way to make sure your ballot isn’t counted correctly is to not cast one in the first place.
  • Voters with concerns over paperless DREs should consider their alternatives for voting on paper ballots in absentee, by-mail, early, and election-day voting.

Honestly, we’re not impressed with the nearly sensational approach Ben Johnson’s blog post presents. And while the paper makes some interesting observations (and is a slick presentation to be sure), we don’t believe CarbonBlack is a subject matter expert in elections technology and infrastructure. But if they are, then they’re not being particularly intellectually honest in their assessment by singling out PA for convenience of making their point.

We take Ben’s point about the potential for people to stay at home; we’ve seen some similar numbers from equally unscientific polls regarding voter sentiment we’ve been involved with, but chose not to publish. We’re working with some folks deeply experienced at polling, who believe more thorough polling would be required to vet this potential. However, we agree that there does seem to be a rising sentiment.

This is one of the reasons election integrity professionals are walking a fine line publicly discussing it.

All that observed, the most important value in CarbonBlack’s blog post or any discussion about voter fears should be a wake-up call that more messaging is required to inform voters of the importance to get out and vote (and disregard the hype about rigging, legitimacy, or hacking concerns). That is, lest we experience a BREXIT of our own.

We note Mr. Johnson obtained his Masters in CS from Johns Hopkins in 2006, and he has some impressive credentials with some good experience (e.g., computer scientist for certain 3-letter Agencies). We’d welcome a professional like Ben into the election integrity community. For starters, our CTO has a professional colleague who is a Professor at Johns Hopkins, and truly one of the top election technology integrity experts in the nation if not globally. Actually, we’d be surprised if Ben doesn’t know this Professor already. Maybe we should (re)connect them. Then perhaps, once embedded in the election integrity community, Ben’s writing will be a bit more conditioned on some internal realities. For sure, we’d welcome CarbonBlack acquiring the domain expertise to contribute to the integrity and security mandates of this critical democracy infrastructure. We’re just not sure this blog post or the accompanying White Paper serves the best interest of election integrity goals, where intellectual honesty, a lack of hyperbole, and straight talk are essential.

But then, if media coverage is the goal and publishing bait too delicious for the Media to pass on, then there is one more note of clarity deserving here. CarbonBlack has just quietly filed for an IPO (Initial Public Offering), so brand awareness raising activity like this White Paper is normal.

Think about it from their PoV: “Let’s leverage all the ‘FUD’ about this year’s election integrity and tie it together with our need for lots of media coverage to support our impending IPO road show.” Sorry, a bit self-serving IOHO. Apologies if this reads strongly, but add grains of salt accordingly.

BTW: we offered to chat with CarbonBlack about their paper. Had that happened, we might have been able to help boost their credibility without this work looking so self-serving. Their response to us on Twitter? “Sure, send eMail to media@carbonblack.com.” Really? Directing us to your Media Relations team? That flagged us to look into CarbonBlack a bit more, and that’s when we discovered the IPO filing news breaking today.

Look, even we are feeling trepidation about recent interviews and demos we’ve put together with NBC Nightly News, due to air soon. It’s such a fine line between scaring off the vote, and yet having a vital conversation about how election integrity can be increased, while costs are decreased, and usability is improved. To wit, we recently launched this video to start that delicate conversation, striking the right chord.

And no, we don’t single out any jurisdiction, let alone PA, a State doing the best it can (and a good job at that) to be as ready as possible.

Back to work here.