Where Common Sense fails: Do insider attacks require a sophisticated conspiracy?

Note: This is the fifth post in an occasional series on Common Sense Election Integrity, summarizing, updating, and expanding on many previous posts covering election integrity, focused on Connecticut. <previous> <next>

We frequently hear versions of the following comments, often from election officials:

“It would take a very sophisticated operation to steal an election. Computer experts with access to the election system.”

“Our staff is trusted and they don’t have that level of expertise.”

“You are a conspiracy theorist, you just don’t trust election officials, and the security of our voting machines”

To some of these charges I plead guilty and with others items beg to disagree:

  • I do believe in the existence and possibilities of fraud by conspiracy, yet in the case of election integrity argue that compromising an election does not require the existence of a conspiracy of the sort implied by the current definition of conspiracy theory. In fact, individuals have been convicted or exposed for small to moderate size conspiracies.
  • I do trust most election officials. The problem is that many election officials express and request blind trust of all election officials. This despite regular instances of errors by officials, and occasional successful prosecution of various election officials for criminal violations. Unless election officials are cut from a different class than other citizens and public officials, some of the time, some of them will make errors, and others will comitt fraud, sometimes without prosecution, and sometimes undetected.
  • It does not require a sophisticated operation to steal an election. Fraud would not necessarily require computer experts with access to the election system.

In this post, we address where Common Sense fails. Where what seems obvious to individuals and election officials is often counter to the facts or science. Here we have to be careful trusting our own initial views and those of honest officials, we need to be open to the idea that we may not individually have all the answers -willing to listen to, if not completely trust, scientists and the facts. (We are not just talking about elections here, but many other areas which are critical to democracy and life.)

Those that are unfamiliar with technology and a specific area of science often overestimate how difficult or easy specific things are to accomplish. As we often confuse conspiracy and conspiracy theory, we often confuse the meanings of theory, between the common meaning of theory and a scientific theory. They are as different as a Pat Robertson theory of earthquakes and the germ theory of disease.

For instance, people often think technologists can do anything such as solve the nuclear waste problem, cure all cancer, make smoking safe, produce clean coal, or provide safe internet voting. These are all hard problems that have, so far, eluded teams of the best scientists. I frequently recall a friend in middle school, in the late 1950’s, who had no concerns with smoking, saying “By the time I get lung cancer in 30 or 40 years, science will have a cure”.

Once even “scientists” believed with the right recipe sea water could be turned into gold. In the dark ages of the 1950’s it was believed it would be possible to predict the weather and the economy, if only we had enough data and the right programs. Since then, with the advent of Chaos Theory, we have learned both are impossible, yet that fact has provided us the opportunity to deal with the economy and weather more rationally and realistically. Since the 30’s or 40’s we have also known that it is impossible to prove that any computer software/hardware system is accurate and safe – there is no recipe possible. (And thus it is also impossible to build a computer or communications system that is provably safe. In practice, we can see from failed attempts of government and industry that the best systems are, in fact, regularly compromised, providing practical as well as theoretical reasons to avoid trusting any computer/communications system.)

On the other side, many things are much easier than the public and many elections officials believe. Smart individuals and small groups continue to create computer viruses and hack into the best systems of the most sophisticated government agencies and industries. On the easy side, the U.S. Government believes, apparently with good reason, that a single Army Private could access and steal a huge number of confidential documents from many Federal agencies. (That he was a low level insider with lots of access, just emphasizes how vulnerable systems are to a single insider and that it would take steps in addition to a safe computer system, even if that were possible, to protect us from an insider.)

How often have we each gone to an expert with what we viewed as a tough problem, only to have it solved quickly and inexpensively? For example: Recently, my condominium unit needed a new main shut-0ff valve. The maintenance staff and I believed it would be a big job requiring service interruption to dozens in my neighborhood requiring a shut-off of a valve in the street. Enlisting the help of a general plumbing contractor, the contractor simply froze my pipe while installing a new valve.

When it comes to election machine hacking, online voting, and conventional stealing of votes it is relatively easy in many jurisdictions to compromise the vote, especially when it only requires a single insider. Some attacks take extensive technical knowledge which many hackers possess and could help or intimidate a single insider to execute or could simply get a job in election administration. Other attacks take very little technical expertise. When officials misjudge how easy it is for attacks to be accomplished, when officials don’t understand technology, it makes it all the easier for a single trusted insider.

One company, LHS, programs all the election memory cards for Connecticut and other states. LHS’s President said that we are safe from hacked cards because he has no employees with software expertise (including himself). There are several fallacies in this:
— How would he know if a particular employee has technical expertise?
— It is not all that hard to miss-program memory cards.
— A single employee could gain outside technical help or be intimidated to do what an outsider demands.

Similarly, many election officials would claim we are safe because they do not have computer experts on their staff. Once again, how would they know how much it would take and what a person does not know?

As for outsider attacks, one example: To our knowledge, in only one instance, a Internet voting system was subjected to a open, public security test. It was compromised extensively and quickly. Even if it had not been compromised so easily or was subjected to a more extensive test it would hardly be proven safe, hardly be safe from attack by insiders.

In our view, the best we can do realistically is voter created paper ballots, counted in public by machine, a printout of results in public, followed by a secure ballot chain of custody, followed by effective independent post-election audits, and where necessary complete recounts.  All transparent.

Finally, we need to emphasize the requirement for a “secure ballot chain-of-custody” or at least a reasonably secure system making it difficult for single insiders to compromise ballots. For those with blind trust in security seals we provide presentations by an expert <view> and examples of quick  seal compromise by that same expert and an amateur <read>


Leave a Reply

You must be logged in to post a comment.