VoteAllegheny Analysis of Election Risks in One County

VoteAllegheny presents a report by Carnegie-Mellon researchers on the vulnerabilities in a single county in a swing state. The biggest takeaway for us is understanding that a top-down analysis of vulnerabilities can yield the most cost-effective areas to focus on preventing election fraud. Where we spend our resources can make a difference in the results!

As Connecticut spends $5 million+ in Federal election security dollars, perhaps an independent study like this one for Connecticut would be the most effective use of the first $1.00, pointing to the most cost-effective use of the rest of the $5 million+.

Book Review: Reporter: A Memoir by Seymour Hersh

I could write my own book review of Seymour Hersh’s memoir Reporter: A Memoir, but Jon Schwarz has done a much better job at the Intercept than I ever could: Seymour Hersh’s New Memoir Is a Fascinating, Flabbergasting Masterpiece <read>. After reading that I immediately bought the book. Schwarz covers several of Hersh’s revelations. The book is full of revelations about political actors, inside jobs, and Hersh himself. Here are two paragraphs that accurately summarize what awaits readers:

If you think it’s unfair to Hersh to reveal all his secrets in a review, don’t worry — this is not even 1/100 of what his book contains…

“Reporter” provides detailed explications of how Hersh has used these lessons [about investigative journalism], making it one of the most compelling and significant books ever written about American journalism. Almost every page will tell you something you’ve never heard before about life on earth. Sometimes it’s Hersh elaborating on what he’s already published; sometimes it’s new stories he felt he couldn’t write about when he first learned of them; and sometimes it’s the world’s most intriguing, peculiar gossip.

I was especially fascinated by Hersh’s discussions of what is required of an investigative journalist, his candor, his constant battles/debates with editors about what to publish, and how much he chose not to publish. Although I am not a reporter, let alone an investigative reporter, I take some solace in the incidents and issues with election integrity that for one reason or another I do not pursue or cover in CTVotersCount.org.

Speaking of elections, there is an excellent interview with Sy Hersh just released as an Intercepted podcast: Intercepted Live From Brooklyn With Sy Hersh, Mariame Kaba, Lee Gelernt, and Narcy <listen>

Starting at about 10 minutes into the interview, Sy provides his take on the evidence that Russians accessed the DNC emails in the run-up to the Nov 2016 election. He says that there is as yet no evidence available implicating Russians.

Election Vulnerability: What we can learn from Ed Snowden and the NSA.

Now I have your attention, we can discuss the NSA and Ed Snowden in a bit. Let’s start with an Editorial:

Protecting Against Russian Cyber Risks is Insufficient. The attention on cybersecurity, election hacking and Russian interference is good. There are cyber risks and Russia is capable. We should improve our cybersecurity across the board, including elections. Every vote should be backed up by a so-called voter-verified paper ballot. Yet that is far from sufficient.

Cyber risks do not come from Russia alone; do not come from nation states alone; they come from hackers and political actors of all persuasions and motivations. There are also insider attacks, attacks from political actors, and their sympathizers. There is also the risk of error.

We focus too much on preventing attacks and errors, neglecting the equally important areas of detection and recovery. Ultimately prevention, at best, will always be an incomplete, never-ending process. Detection and recovery means protecting paper ballots and actually using them. Using them means following up elections with sufficient post-election audits and recounts: post-election audits with sufficient chance of detecting errors, expanding those audits when errors indicate that the apparent winners may be incorrect, and ultimately expanding them, when necessary, to full recounts. Audits should include process audits to assure that registration lists and voters checked in were accurate enough to guarantee the election was fair. When all else fails, it means being ready to rerun critically flawed elections.

Snowden and the NSA

This is not about what Ed Snowden did, but how he did it. Snowden was able to do it because, as a single contractor, he had the keys to the kingdom! All the cyber expertise of the NSA came down to one individual who had the information and the capability to expose everything. He had the motive and opportunity. He could just as easily have gummed up the works of the entire NSA system. Most systems have such people – they know the technology and are key to keeping it working. We need them. The system needs them. How many are there? Likely a lot more than we think. In the NSA, that means every critical support person with access to the NSA system: not just those with password access to the official system, but also anyone who supports the underlying software and hardware systems: application software, compilers, operating systems, mainframes, servers, routers, the network/phone system.

Every election office has those people and vulnerabilities. Every election official who has access to voting machines and memory cards over their lifetime. The contractors who program the memory cards. Postal employees, shippers, and contractors charged with the mail or package delivery of memory cards. The person in the mail room in town hall. How safe is the storage of the machines, memory cards, and paper ballots? How safe is town hall on weekends and overnight? Who is responsible for managing the town network and computers? Who are all the contractors in town hall? Or employed by the voting machine maintenance vendor? Are your election officials and town staff able to do what the NSA could not?

If you don’t believe this, trust me. I have been there in the bowels of a large company and working for small software companies supporting large companies and government agencies. Consider Chelsea Manning, a single specialist at a computer in a war zone. Manning needed no technical expertise. None is required to program memory cards or clandestinely provide access to or conspire with those with expertise.

Testimony to the Connecticut Cybersecurity Task Force – UPDATED

Today was the 2nd and perhaps last meeting of the Connecticut Cybersecurity Task Force, aimed at recommending items for Connecticut’s share of the $5.1 million in new Federal Funding.

I testified in my capacity as Executive Director of the Connecticut Citizen Election Audit. I was the only member of the public providing testimony. In a couple of days I will pass on the video of the event, once it becomes available.  For now:
Here is the Agenda: <read> and my Testimony: <read>

I largely addressed the need for paper ballot security and post-election audits and how some of the new Federal money could be used to enhance them now and in the future.

I think I raised some awareness from my testimony and the questions members asked, yet it seems that the modest items I suggested might be deemed cost prohibitive. I spoke for six minutes and addressed questions for about 10 minutes (the emboldened portion of my written testimony), so the video will be interesting. The recommendations for spending the $5.1 million will apparently closely mimic the items listed near the end of the agenda.

Here is an excerpt of some highlights:

Enhancing post-election audits was explicitly included as an appropriate use of funds in the Federal legislation. Protection of paper ballots is a necessary component of trustworthy post-election audits. I recommend initial steps that will cost less than one-half a million dollars and outline a more comprehensive, yet efficient plan for the long run that might best protect Connecticut elections and ultimately our democracy.

Why are post-election audits and paper ballots a critical component of protecting our elections? “[D]ata protection involves prevention, detection, and recovery”. Cybersecurity and other measures protecting voting equipment and voting systems are primarily prevention measures and to a lesser degree detection measures. No matter how much effort we put into cybersecurity, software testing, and hardware maintenance there will always be a significant level of vulnerability.

Paper ballots, sufficient post-election audits, and recounts provide a primary means of detecting cyber, software, human, and hardware failures. They also provide a means of recovery. They provide for, so called, software independent verification of election results, resulting in justified public confidence. I agree with Secretary Merrill that public confidence is important. I emphasize that the goal should be justified public confidence.

For post-election audits and recounts to be trusted requires strong paper ballot security and a credible chain-of-custody. Audits must also be transparent and publicly verifiable. The independent Citizen Audit reports show our ballot security is woefully inadequate.

Connecticut currently has an insufficient post-election audit. Insufficient because it only audits 5% of polling-place cast, machine counted ballots, exempting all centrally counted absentee ballots, Election Day Registration ballots, and originally hand-counted ballots from the audit. Insufficient because many of the local counting sessions are poorly conducted, with most differences in counts attributed to human counting error and left uninvestigated – a phenomenon that is, as far as I can tell, unique to Connecticut.

Fortunately, there is a straight-forward remedy close at hand. The UConn VoTeR Center in conjunction with the Secretary’s Office have developed an independent, electronic system to rescan and recount the ballots, called the Audit Station.  Unfortunately, the Audit Station has not been used in a way that meets requirements for software independence or that would satisfy most election integrity activists, leading scientists, and security experts.

The good news is that the Audit Station could easily be enhanced to satisfy most experts. My written testimony details Citizen Audit recommendations for ballot security and audits. Once again, I emphasize that audits and protected paper ballots are necessary for detection and recovery from every type of attack, breakdown, and error.

The Registrars of Voters Association asked for money for electronic pollbooks and for GEMS systems to accumulate results from memory cards, presumably somehow replacing or enhancing our new, completely air-gapped Election Night Reporting System.

Without explanation the Registrars linked those systems to improved cybersecurity.

They also asked the State to pay for new computers, newer than the XP systems many registrars use and sometimes share with other town employees.

Those suggestions were apparently ignored.

For the agenda from the 1st meeting and a list of task force members, see this press release: <read>

***********UPDATE:

Days sooner than last time, the video is available: <View>

My testimony starts at about 45 minutes in.

In reviewing the video, I note that Secretary Merrill did express interest in using some of the Federal money for some of our recommendations and considering improving some aspects of the audits.

Do you need a blockchain? (Probably not!)

Blockchains are the latest technology to enter the mainstream. A blockchain powers and makes Bitcoin possible. Many are treating blockchains as the next big breakthrough in technology. There is even a Blockchain Caucus in Congress.

Do not get your hopes up or bet your retirement savings on blockchains; they are definitely not the next Internet or Hula Hoop. Most importantly, they will not transform elections or solve the challenges of online voting.

From IEEE Do You Need a Blockchain? <read>

Blockchain technology is, in essence, a novel way to manage data. As such, it competes with the data-management systems we already have. Relational databases…suffer from one major constraint: They put the task of storing and updating entries in the hands of one or a few entities, whom you have to trust won’t mess with the data or get hacked.

Blockchains, as an alternative, improve upon this architecture in one specific way—by removing the need for a trusted authority. With public blockchains…, a group of anonymous strangers (and their computers) can work together to store, curate, and secure a perpetually growing set of data without anyone having to trust anyone else. Because blockchains are replicated across a peer-to-peer network, the information they contain is very difficult to corrupt or extinguish.

This feature alone is enough to justify using a blockchain if the intended service is the kind that attracts censors…

However, removing the need for trust comes with limitations. Public blockchains are slower and less private than traditional databases, precisely because they have to coordinate the resources of multiple unaffiliated participants. To import data onto them, users often pay transaction fees in amounts that are constantly changing and therefore difficult to predict. And the long-term status of the software is unpredictable as well. Just as no one person or company manages the data on a public blockchain, no one entity updates the software. Rather, a whole community of developers contributes to the open-source code in a process that, in Bitcoin at least, lacks formal governance…

“If you don’t mind putting someone in charge of a database…then there’s no point using a blockchain, because [the blockchain] is just a more inefficient version of what you would otherwise do,” says Gideon Greenspan, the CEO of Coin Sciences, a company that builds technologies on top of both public and permissioned blockchains.

With this one rule, you can mow down quite a few blockchain fantasies. Online voting, for example, has inspired many well-intentioned blockchain developers, but it probably does not stand to gain much from the technology.

“I find myself debunking a blockchain voting effort about every few weeks,” says Josh Benaloh, the senior cryptographer at Microsoft Research. “It feels like a very good fit for voting, until you dig a couple millimeters below the surface.”

Benaloh points out that tallying votes on a blockchain doesn’t obviate the need for a central authority. Election officials will still take the role of creating ballots and authenticating voters. And if you trust them to do that, there’s no reason why they shouldn’t also record votes.

In my early days of advocacy, my congressman at a forum claimed that there would be no problems with electronic voting because of a magic new technology, “encryption”. It has not worked out that way.  Like encryption, blockchains cannot protect against corruption of the computer itself – a laptop or smartphone used for online voting, an optical scanner or touch-screen voting machine, or the central server collecting and reporting results.
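
To make the last point concrete, here is an added example (not from the IEEE article or from this site's own materials): a toy hash chain in Python. It catches an after-the-fact edit, yet validates perfectly when the voting device itself records the wrong choice; only a comparison with the voter-marked paper ballots shows the difference. The class and function names, the corrupted-device model and the ten sample ballots are all constructed for illustration.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64


def block_hash(index, prev_hash, record):
    """SHA-256 over a block's position, its predecessor's hash and its record."""
    body = json.dumps({"index": index, "prev": prev_hash, "record": record},
                      sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class Ledger:
    """Minimal append-only hash chain (no consensus, no network)."""

    def __init__(self):
        self.blocks = []

    def append(self, record):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        index = len(self.blocks)
        self.blocks.append({"index": index, "prev": prev, "record": record,
                            "hash": block_hash(index, prev, record)})

    def verify(self):
        """True only if every block still hashes correctly and links to its predecessor."""
        prev = GENESIS
        for i, block in enumerate(self.blocks):
            expected = block_hash(i, prev, block["record"])
            if block["index"] != i or block["prev"] != prev or block["hash"] != expected:
                return False
            prev = block["hash"]
        return True

    def tally(self):
        return Counter(block["record"] for block in self.blocks)


def honest_device(seq, choice):
    return choice


def corrupted_device(seq, choice):
    # Constructed model of a corrupted computer: it reports a different choice
    # than the voter made, before anything reaches the ledger.
    return "B" if choice == "A" and seq % 2 == 0 else choice


def run_election(intents, device):
    """Each voter marks a paper ballot; the device submits a record to the ledger."""
    ledger, paper = Ledger(), []
    for seq, choice in enumerate(intents):
        paper.append(choice)                # voter-verified paper ballot
        ledger.append(device(seq, choice))  # what the computer actually recorded
    return ledger, paper


def audit_against_paper(ledger, paper):
    """Hand count of paper vs. electronic tally; returns the nonzero differences."""
    electronic, hand = ledger.tally(), Counter(paper)
    return {c: electronic[c] - hand[c]
            for c in sorted(set(electronic) | set(hand))
            if electronic[c] != hand[c]}


def run_demo():
    intents = ["A"] * 6 + ["B"] * 4  # constructed sample ballots
    honest_ledger, honest_paper = run_election(intents, honest_device)
    bad_ledger, bad_paper = run_election(intents, corrupted_device)
    edited_ledger, _ = run_election(intents, honest_device)
    edited_ledger.blocks[1]["record"] = "B"  # record changed after the fact
    return {
        "honest_chain_valid": honest_ledger.verify(),
        "honest_audit_diff": audit_against_paper(honest_ledger, honest_paper),
        "corrupted_chain_valid": bad_ledger.verify(),
        "corrupted_tally": dict(bad_ledger.tally()),
        "corrupted_audit_diff": audit_against_paper(bad_ledger, bad_paper),
        "edited_chain_valid": edited_ledger.verify(),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The chain built through the corrupted device verifies as valid because every hash is correct for the data it was given; the audit against paper is the only check in the example that reports a discrepancy.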

American Progress Report: State Election Security Readiness

American Progress Report: Election Security in All 50 States  <read>

The report gives every state grades based on some detailed criteria. Connecticut was graded ‘B’, which it shared with several other states as the highest grade awarded – it sets pretty stiff criteria for an ‘A’, yet we doubt that any state deserves an ‘A’.  Yet there are problems and limitations with such reports. We would give Connecticut lower grades in some areas, higher in others, and are uncomfortable with other grades.

The criteria at a high level:

1. Minimum cybersecurity standards for voter registration systems
2. Voter-verified paper audit trail
3. Post-election audits that test election results
4. Ballot accounting and reconciliation
5. Return of voted paper absentee ballots
6. Voting machine certification requirements
7. Pre-election logic and accuracy testing

The criteria are good at first glance, yet I question why only “minimum” standards for voter registration systems; the criteria should also include “recounts” and standards for security of voted paper ballots.

A big weakness in such reports is that much of the information is based on self-reporting by election officials, who can be biased, limit their views to their state’s practices, and may not have the technical expertise to evaluate many of the criteria. Also, state statutes may be misread or not represent the actual implementation in practice:

The information included in this report is derived primarily from state statutes and regulations, as well as interviews with state and local election officials.

The ratings in each category ranged from Unsatisfactory, Mixed, and Fair, to Good. Connecticut received a ‘B’ from category ratings of:
Fair    1. Minimum cybersecurity standards for voter registration systems
Good    2. Voter-verified paper audit trail
Mixed   3. Post-election audits that test election results
Fair    4. Ballot accounting and reconciliation
Fair    5. Return of voted paper absentee ballots
Fair    6. Voting machine certification requirements
Fair    7. Pre-election logic and accuracy testing

The factors and category ratings were somewhat complex, with some categories providing a score of 0 or 1 and others scoring 0 to 3 based on the number of criteria matched, resulting in totals leading to the final letter grade. So, where do we question Connecticut’s scores? The details for Connecticut can be found starting on page 50 of the report. Our comments and concerns:

Minimum cybersecurity standards for voter registration systems. This criterion is difficult to judge. It is likely based only on interviews with officials. I suspect there is a tendency to say ‘Yes’ as often as possible. And even with accurate answers it is difficult to judge how well those criteria are met in practice. Yet, for Connecticut it is clear that officials are concerned and working on cybersecurity for all of our systems, not just election systems. As a central mainframe system managed by the State, the voter registration system is subject to every protection applied to that environment.

We would give Connecticut higher grades. Connecticut was downgraded because the voter registration system was judged over 10 years old. We disagree with that broad-brush criterion and the definition of Connecticut’s system as over 10 years old. As an IBM Mainframe, CICS, DB2 system our voter registration system is presumably regularly upgraded with new versions of the operating system, CICS, and DB2. The hardware may also be less than 10 years old. In addition, the registration system itself has been enhanced.

Post-election audits that test election results. Here we would downgrade the “mixed” results. As has been repeatedly reported by the Citizen Audit, the conduct of the audit falls short of what would be reasonably expected of any effective audit. While it is true the statutes require that the audit be completed before certification, in practice that is impossible in some elections since certification must be complete before the date the audits can commence. It also depends on the definition of “complete”. In practice, the overall audits are not complete until the Secretary of the State receives the final report from UConn and files that with the SEEC. The reports for all elections since November 2011 are yet to be filed and only one report for a primary (2014) has been filed in that period.

Ballot accounting and reconciliation. Once again we would downgrade Connecticut’s score. In practice, ballot accounting and reconciliation do not always occur. In recent years in almost every election, the Citizen Audit has documented instances where write-in ballots (up to 151) have been read into the scanner at the end of election day in error. That results in counts that exceed the number of checked-off voters. In most instances those discrepancies have been discovered only by the audit, showing that they had not been discovered or addressed in the closing of the polls, nor in the review of results by both registrars and municipal clerks.

Voting machine certification requirements. Here we would upgrade Connecticut’s score. Connecticut was downgraded because our optical scanners are just over 10 years old – their design and circuits are even older in technology. Yet, they are working fine and, from random surveys of the Citizen Audit, are not showing signs of age. There are incrementally better systems available today, yet voter-marked paper ballots will continue to protect our votes. We expect they will need to be replaced in the next 5 to 10 years, but not yet. The longer we wait, the better options will become available, at lower cost, and will also last that many years longer.

Missing Criteria: Recounts. About half the states have close-vote recounts. Connecticut has close-vote recanvasses, which fall short of the best adversarial manual recounts in some other states. Connecticut should have more open, adversarial recounts, with more time to call for and perform recounts, with stronger criteria than the upper limit of 2000 vote differences, which is too low a threshold (as low as 0.12% in statewide elections). We should also allow for candidates, parties, or citizens to call for a limited number of directed recounts of specified districts, perhaps at a reasonable fee. We would rate Connecticut mixed on this criterion, as our recanvasses are actually conducted, usually fairly, yet not conducted uniformly and in accordance with the law. Sadly, that mixed rating would put us in the top 50% of all States in the recount category.

Protection of Paper Ballots. Here, once again, we would rate Connecticut mixed. Connecticut has an inadequate law for the protection of paper ballots and the actual practices in the vast majority of towns do not provide credible evidence that ballots were not tampered with. Once again, see the Citizen Audit reports. Despite inadequate law and practice, the distributed nature of Connecticut’s election system means that for statewide elections it is doubtful that enough ballots could be manipulated in the same direction to change anything but the closest of outcomes. Unfortunately, that leaves local and regional elections vulnerable, protected only by trust in every election official and other local staff that frequently have access to voted ballots.

Finally, despite flaws, the report is useful and provides directions for improvement in many areas in every state. Election officials, legislators, and voters should act to improve our voting systems and laws in the near term. We would give the authors A+ for effort and the report a grade of B.

“Does your vote count?” Glastonbury MLK Conversation

Last Wednesday evening, I was one of five speakers and a moderator at a Community Conversation held by the Glastonbury Martin Luther King Community Initiative.  There were about 60 to 75 in attendance.  We addressed “Does your vote count? An examination of the issues.”  I addressed issues in two areas:  How could you know if your vote was counted? And what I would recommend to expand democracy in Connecticut, without risking election integrity.  Here are my prepared remarks <read>

Some excerpts:

I tend not to agree with anyone 100% of the time.  I view voting through a lens of balancing three priorities

  • Voting Integrity, that is Justified Confidence
  • Engaging more people in Democracy
  • The costs of Elections

To me, Justified Confidence is the highest priority, followed by a balance between increasing voter engagement and cost.

Let’s talk voting integrity.  Said another way “Does your vote count?”  The problem is that you and I cannot answer that question.  The systems we have, by intention or not, prevent us from answering that question…

For Democracy to function, citizens must have JUSTIFIED CONFIDENCE in elections — elections providing strong evidence that the correct winner was declared.

The 2016 elections surfaced two election integrity questions in the minds of many citizens:

  • First, Did the Russians hack our election systems? That is distinct from did they influence our elections?
  • Second, Were the winners of the Primaries and Election accurately determined?

There is a lack of confidence in the system. There are legitimate, yet often exaggerated questions of integrity.

It is especially important that losers believe they lost fair and square.

There is excessive emphasis on Russian hacking,  ignoring other risks. And a myriad of other cyber-attacks are just a part of the risks…

There is too much emphasis on cyber-attack by outsiders.  The greater risk is INSIDER ATTACK.  Insider attack is easier and likely more frequent – air-gaps cannot prevent insider attack – there is motive, opportunity, and the ability to cover-up…

Fortunately, there are remedies to these risks and lack of credibility. They come down to TRANSPARENT, PUBLICLY VERIFIABLE ELECTIONS. That is elections where every critical aspect CAN be verified by citizens, candidates, and parties.

“Extraordinary Claims Require Extraordinary Evidence.”…

We need to open-up the system to candidates.

  • I would enhance our Citizen’s Election Program.
  • We should reduce prohibitive signature and finance requirements for third-party and petitioning candidates.
  • We have a crazy law that prevents the posting of the list of Write-In Candidates in polling places. Posting the list should be mandatory…

The evidence is not that Millennials avoid voting because it’s inconvenient. They avoid it because they don’t have enough information about voting and candidates.

  • We need to change our archaic lever-look ballot layout. I am tired of consoling voters who missed the question on the ballot.
  • We need better voting web sites in Connecticut’s towns, many lack critical information, some have incorrect information.
  • We have Election Day Registration, yet it is the most difficult, and restrictive in the Nation. That would remedy many of the errors that cause voters to be unintentionally not registered or removed from the rolls…

I am an election official, a Certified Moderator. I ran our Glastonbury Academy polling place in the 2016 presidential primary. That day changed me.

Let’s at least allow unaffiliated voters to vote in the primary. I saw many voters who did not understand the system and could not vote. They were not party regulars, they were first time voters or those that had not voted in years. I was moved that very few were upset that they could not vote. That bothers me. We may never see them attempting to participate in democracy again.

Finally, two things you can do to help – two days for each election.

  • First, volunteer one weekday observing a post-election audit with the Citizen Audit.
  • Second, Invest a day as an election official at your local polling place.

I guarantee you will learn a lot.  Let us work together, to create a flourishing democracy we can trust.

************Update 2/29/2018

Courant coverage: Does Your Vote Count <read>

Note one small misquote:

“First, did the Russians hack our election systems? Second, were the winners of the primary elections actually determined?” [Weeks] said.
That ‘actually’ should be ‘accurately’!

A Year After, Our Elections Aren’t Much More Secure

From Buzzfeed’s Cyber Security Correspondent, Kevin Collier:  A Year After Trump’s Victory, Our Elections Aren’t Much More Secure  <read>

The halfway point between the election of President Donald Trump and the 2018 midterms has come and gone, and it still isn’t fully clear what Russian hackers did to America’s state and county voter registration systems. Or what has been done to make sure a future hacking effort won’t succeed.

US officials, obsessed for now with evidence that Russia’s intelligence services exploited social media to sway US voters, have taken solace in the idea that the integrity of the country’s voting is protected by the system’s acknowledged clunkiness. With its decentralized assortment of different machines, procedures, and contractors, who could possibly hack into all those many systems to change vote totals?

But the focus on how Facebook and Twitter were used to sow division in the US electorate has diverted attention from one of the weakest spots in the system: the gap between those locally operated voting systems that are well-protected by sophisticated technology teams and those that are less prepared. Russia knows those gaps exist and that a simple cyberattack can be effective against weak infrastructure and unprepared IT workers. Whether that can be fixed by 2018 or even 2020 is an open question.

Most states’ elections officials still don’t have the security clearances necessary to have a thorough discussion with federal officials about what’s known about Russian, or others’, efforts to hack into their systems.

Seven states still use all-electronic voting systems whose results cannot be verified because there is no paper trail.

And hundreds of US counties rely on outside contractors to maintain their registration records and update the software on voting machines. Some of those contractors are small operations with few employees and minimal computer security skills.

Here we caution that it is not just Russia to be concerned with. Those same vulnerabilities are open to other foreign actors, foreign and U.S. hackers, along with elements of the U.S. Government. Beyond that, they are open to official and contractor insiders. Not being connected to the Internet does not preclude attack from any of these actors, especially insiders.

Many local officials are reluctant to seek federal help, worried about ceding authority to outside agencies.

“We’re not doing very well,” Alex Halderman, a renowned election security expert, told BuzzFeed News. “Most of the problems that existed in 2016 are as bad or worse now, and in fact unless there is some action at a national policy level, I don’t expect things will change very much before the 2018 election.”…

But in the aftermath of last year’s vote, it has become clear that the sheer complexity of the system is no reassurance that it can’t be exploited by a determined hostile power. Halderman, the election security expert, says that just because it didn’t happen last time — or in the voting completed Tuesday — doesn’t mean it won’t.

“It’s only a matter of time, if we don’t have coordinated national action, until a major US election is disrupted, or even its outcome changed, by a foreign nation-state in a cyberattack,” [former FBI director James Comey] said.

To this day, DHS points to the fact that it’s never found evidence that vote tallies were changed

We add that DHS, as far as we know, has not looked for such evidence anywhere, let alone everywhere.

As we have said before, protecting databases and votes requires Prevention, Detection, and Recovery.

  • Protection alone is insufficient. Large corporations, Federal Government agencies, and technology companies are regularly hacked. State and Local officials can’t come close to those ultimately limited efforts.
  • Detection is necessary to provide assurance that hacking did not occur.
  • Recovery is necessary for all sorts of potential errors, hacks, and fraud.

Paper ballots, properly secured, are the first requirement for detection and recovery of votes. Strong pre-election voter database backup and audits, along with paper voter check-in lists, are part, just a part, of recovery from corrupted or electronic voter lists, or election day power failure, equipment failure, and cyber attack.

Just a step in the right direction: Merrill meets with Homeland Security

Secretary Merrill met with Homeland Security on Thursday:

Merrill Statement on Meeting with DHS Officials Regarding Election Cybersecurity

“Rosenberg, Gabe” <Gabe.Rosenberg@ct.gov>: Oct 27 04:57PM

“Yesterday, along with representatives from the state’s information technology and public safety departments, I met with regional officials from the United States Department of Homeland Security to discuss how we can work together to ensure that Connecticut elections are safe from outside interference or manipulation. We had a productive meeting and I look forward to working together in the months and years to come to protect our elections, the bedrock of our democracy.” – Denise Merrill, Connecticut Secretary of the State

Gabe Rosenberg
Communications Director
Connecticut Secretary of the State Denise Merrill

We applaud this step in the right direction.  Last year as leader of the National Association of Secretaries of State, Merrill opposed the designation of elections as critical infrastructure, leading in expressing the concern for a Federal take-over of elections. We were critical of that stand then and remain so.

In our opinion this is just a step. There are several aspects to election security/integrity that should be addressed. This step may assist in those that are under direct control of the State, yet less so those under local control. It’s not an issue of a State take-over of local elections, but the impossibility of every town in the State doing what even the NSA has failed at – protecting their most sensitive systems from attack. Yet, like the NSA, the State is capable of doing ever better.

  • We need to protect our Centralized Voter Registration System (CVRS) from corruption and denial of service attacks on election day.
  • We need to protect the CVRS from incremental loss or corruption of data over time. That means independently logging every add, change, and delete to the file, and balancing and auditing those changes against the database regularly, and especially in the days and weeks before an election.
  • We need to make sure that, if we use electronic pollbooks, there is a usable paper pollbook in every polling place and a copy of that in the Registrars’ Offices during every election. We want to avoid the disaster that occurred in a NC county in the last election.
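
An added example (not code from this post or from any Connecticut system) of the balancing described in the list above: replay an independently kept log of adds, changes, and deletes onto a pre-election baseline, then audit the result against the current database. The record layout, field names, and function names are assumptions for illustration, and the sample data is constructed.

```python
def replay(baseline, log):
    """Apply logged add/change/delete entries to a copy of the baseline."""
    expected = {vid: dict(rec) for vid, rec in baseline.items()}
    problems = []
    for n, entry in enumerate(log, 1):
        op, vid = entry["op"], entry["id"]
        if op == "add" and vid not in expected:
            expected[vid] = dict(entry["record"])
        elif op == "change" and vid in expected:
            expected[vid] = dict(entry["record"])
        elif op == "delete" and vid in expected:
            del expected[vid]
        else:
            problems.append(f"log entry {n}: invalid {op} for {vid}")
    return expected, problems

def balance(baseline, log, current):
    """Balance record counts, then audit each record against the replayed log."""
    expected, problems = replay(baseline, log)
    adds = sum(e["op"] == "add" for e in log)
    deletes = sum(e["op"] == "delete" for e in log)
    want = len(baseline) + adds - deletes
    if want != len(current):
        problems.append(f"count out of balance: expected {want}, found {len(current)}")
    for vid in sorted(expected.keys() | current.keys()):
        if vid not in current:
            problems.append(f"{vid}: removed without a logged delete")
        elif vid not in expected:
            problems.append(f"{vid}: present without a logged add")
        elif expected[vid] != current[vid]:
            problems.append(f"{vid}: changed without a logged change")
    return problems

# Constructed sample data (not real voter records).
BASELINE = {"V1": {"name": "A. Adams", "town": "Glastonbury", "party": "U"},
            "V2": {"name": "B. Brown", "town": "Hartford", "party": "D"},
            "V3": {"name": "C. Clark", "town": "Bethel", "party": "R"}}
LOG = [{"op": "add", "id": "V4",
        "record": {"name": "D. Diaz", "town": "Avon", "party": "U"}},
       {"op": "change", "id": "V2",
        "record": {"name": "B. Brown", "town": "Windsor", "party": "D"}}]
# Current database: V1 is gone and V3's party differs, neither of them logged.
CURRENT = {"V2": LOG[1]["record"], "V4": LOG[0]["record"],
           "V3": {"name": "C. Clark", "town": "Bethel", "party": "U"}}

if __name__ == "__main__":
    for problem in balance(BASELINE, LOG, CURRENT):
        print(problem)
```

The audit only means something if the log is kept where database administrators cannot alter it, which is the point of logging independently.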

Cybersecurity from “outside interference or manipulation” is insufficient. We must prevent insider attacks. We must be able to recover from “interference and manipulation”, since complete prevention is not possible. As we have said before, database and election integrity depends on Prevention, Detection, and Recovery.

  • We have paper ballots everywhere in Connecticut.  Yet, they need to be protected better.  In the majority of Connecticut municipalities they can be accessed by either Registrar for hours, undetected.  In many, they can be accessed by any official in the Registrars’ Offices, sometimes by other officials.  Without paper that we can trust there can be no detection or recovery from insider attack.
  • We need to have sufficient audits of results we can trust, from the accurate counting/adjudication of paper ballots to the totals reported by the State. Where necessary, those audits should end in full recounts to determine and certify the correct winners.
  • We also need process audits to verify various aspects of the election process: comparing checkoffs to ballots counted; verifying ballot security; verifying the integrity of checkoffs to actual legal voters; the integrity of the absentee ballot process, from application integrity, mail delivery, signature verification, counting, etc.