Category: Our Editorials

The front line of election security in Connecticut has about 169 weak points

Last week, West Haven paid a $2,000 ransom to hackers to unlock its computer systems. In a statement from the city, the ransom was characterized as a “one-time fee.” The word-choice here reveals an oversimplified view of the reality of ransomware, a cyberattack in which hackers lock data and demand payment.

First, West Haven was lucky to regain access to its systems after paying the ransom. Fewer than a quarter of ransomware victims actually get their files back after paying up. More often, hackers pocket the money and leave the data scrambled.

The notion of a “one-time fee” also fails to account for reputation damage and loss of trust. A city like West Haven — which is already navigating difficult financial straights — needs to rally community support. A blunder like this undermines the momentum it was building…

 

Excellent op-ed in the Courant today, explaining the risks of ransomeware. Cities Must Pay For Cybersecurity, Not Ransoms <read>

Last week, West Haven paid a $2,000 ransom to hackers to unlock its computer systems. In a statement from the city, the ransom was characterized as a “one-time fee.” The word-choice here reveals an oversimplified view of the reality of ransomware, a cyberattack in which hackers lock data and demand payment.

First, West Haven was lucky to regain access to its systems after paying the ransom. Fewer than a quarter of ransomware victims actually get their files back after paying up. More often, hackers pocket the money and leave the data scrambled.

The notion of a “one-time fee” also fails to account for reputation damage and loss of trust. A city like West Haven — which is already navigating difficult financial straights — needs to rally community support. A blunder like this undermines the momentum it was building…

However, the fact is that remediating a cyberattack comes at a much greater cost than preventing one in the first place. While the $2,000 ransom may seem relatively low, tracking how the attack happened, assessing the damage and shoring up defenses quickly is an expensive proposition. Just ask Lansing, Mich., which, even with insurance, paid $500,000 out of pocket for remediation after a 2016 ransomware attack (total cost: $2.4 million).

The best way to bounce back from ransomware is to have a strong backup system, something every organization needs for a number of reasons. The fact that West Haven paid the ransom suggests that there was no effective backup system in place. If that is the case, the city truly did not have a lot of options once the ransomware attack occurred.

Our Editorial

When it comes to elections the problem starts with cybersecurity, yet also requires physical security of voting equipment and voted paper ballots. In most towns in Connecticut ballots and voting equipment are “protected” by a single key, often accessible by multiple single individuals, keys often associated with weak locks and storage closets, all providing access available single individuals for hours, undetected.

The solution is strong security of equipment and especially voted paper ballots, with strong, sufficient recount and audit laws, well followed, with transparency and public verifiability.

The most vulnerable state: Georgia

Electronic election suspicions in Georgia have been there since the dawn of century. Now with Secretary of State Brian Kemp running for Governor, a New Yorker article reviews the recent history of ongoing vulnerability, lack of investigation by the state, and cover-up.

Our Editorial

Has our democracy been stolen in Georgia? Will it continue to be stolen? This is not just a problem for Georgia voters. The Senators and Representatives from each state change the balance in Washington, the Electoral College votes from Georgia count toward who is our President, especially in close elections like 2000, 2004 and 2016. The fully justified suspicion alone undermines confidence in Democracy.

Instead of papering over suspicions, Georgia should be moving to paper ballots and sufficient post-election audits.

Electronic election suspicions in Georgia have been there since the dawn of century. Deserving of chapters in Bev Harris’ book Black Box voting <read> which included the suspicious loss of Senator Max Cleland and the election of Governor Sonny Perdue.

Now with Secretary of State Brian Kemp running for Governor, a New Yorker article reviews the recent history of ongoing vulnerability, lack of investigation by the state, and cover-up: Trump, Election Hacking, and the Georgia Governor’s Race <read>

The indictment also revealed—for the first time—that the Russians had targeted county Web sites in Georgia, looking for election-related vulnerabilities. (The indictment said that the hackers also looked at county Web sites in Iowa and Florida.) In one sense, this was an unremarkable fact: the top cybersecurity official in the Department of Homeland Security, Jeanette Manfra, told Congress in April that Russians hackers had likely targeted every state’s systems in 2016. But, for the past two years, Kemp has been contemptuous of efforts by the D.H.S. to shore up election systems nationally. And, though not going so far as to say that Russian interference is “all a big hoax,” as Trump has, [Secretary of the State and Candidate for Governor Brian] Kemp has been an outspoken advocate of not taking the whole thing so seriously…

Labelling elections as critical infrastructure, Kemp declared, opened the door for the federal government to “subvert the Constitution to achieve the goal of federalizing elections under the guise of security.” Georgia is one of only five states that uses voting machines that create no paper record, and thus cannot be audited, and the Center for American Progress has given it a D grade for election security. But, when D.H.S. offered cybersecurity assistance, Kemp refused it…

The suit was filed on July 3rd. Four days later, the servers at the Center for Election Systems were wiped clean. On August 9th, less than twenty-four hours after the case was moved to the U.S. District Court for the Northern District of Georgia, all the data on the Center’s backup servers were destroyed as well. As the Coalition said in a brief, “The State of Georgia and its officials have the legal, moral, and ethical obligation to secure the State’s electoral system. Sadly—and inexplicably—they appear to lack the will to do so.”

Our Editorial

Has our democracy been stolen in Georgia? Will it continue to be stolen? This is not just a problem for Georgia voters. The Senators and Representatives from each state change the balance in Washington, the Electoral College votes from Georgia count toward who is our President, especially in close elections like 2000, 2004 and 2016. The fully justified suspicion alone undermines confidence in Democracy.

Instead of papering over suspicions, Georgia should be moving to paper ballots and sufficient post-election audits.

Election Vulnerability: What we can learn from Ed Snowden and the NSA.

Now I have your attention, we can discuss the NSA and Ed Snowden in a bit. Let’s start with an Editorial:

Protecting Against Russian Cyber Risks is Insufficient. The attention on Cybersecurity, election hacking and Russian interference is good. There are cyber risks and Russia is capable. We should improve our cybersecurity across the board, including elections. Every vote should be backed up by a, so called, voter verified paper ballot. Yet that is far from sufficient.

Now I have your attention, we can discuss the NSA and Ed Snowden in a bit. Let’s start with an Editorial:

Protecting Against Russian Cyber Risks is Insufficient. The attention on Cybersecurity, election hacking and Russian interference is good. There are cyber risks and Russia is capable. We should improve our cybersecurity across the board, including elections. Every vote should be backed up by a, so called, voter verified paper ballot. Yet that is far from sufficient.

Cyber risks do not come from Russia alone; do not come from nation states alone; they come from hackers and political actors of all persuasions and motivations. There are also insider attacks, attacks from political actors, and their sympathizers. There is also the risk of error.

We focus too much on preventing attacks and errors, neglecting the equally important areas of detection and recovery. Ultimately prevention, at best, will always be an incomplete, never ending process. Detention and recovery means protecting paper ballots and actually using them. Using them means following up elections with sufficient post-election audits and recounts. Post-election audits with sufficient chance of detecting errors, expanding those audits when errors indicate that the apparent winners may be incorrect, expanding those audits ultimately, when necessary to full recounts. Audits should include process audits to assure that registration lists and voters checked in were accurate enough to guarantee the election was fair. When all else fails, being ready to rerun critically flawed elections.

Snowden and the NSA

This is not about what Ed Snowden did, but how he did it. Snowden was able, because as a single contractor, he had the keys to the kingdom! All the cyber expertise of the NSA came down to one individual who had the information and the capability to expose everything. The motive and opportunity. He could just have easily have gummed up the works of the entire NSA system. Most systems have such people – they know the technology and are key to keeping it working. We need them. The system needs them. How many are there? Likely a lot more than we think. In the NSA, every critical support person with access to the NSA system. Not just with password access to the official system: Also any one who supports the underlying software and hardware systems: application software, compilers, operating systems, mainframes, servers, routers, the network/phone system.

Every election office has those people and vulnerabilities. Every election official who has access to voting machines and memory cards over their lifetime. The contractors who program the memory cards. Postal employees, shippers, and contractors charged with the mail or package delivery of memory cards. The person in the mail room in town hall. How safe is the storage of the machines, memory cards, and paper ballots? How safe is town hall on weekends and overnight? Who is responsible for managing the town network and computers? Who are all the contractors in town hall? Or employed by the voting machine maintenance vendor? Are your election officials and town staff able to do what the NSA could not?

If you don’t believe this, trust me. I have been there in the bowels of a large company and working for small software companies supporting large companies and government agencies.  Consider Chelsea Manning a single specialist at a computer in a war zone. Manning needed no technical expertise. None is required to program memory cards or clandestinely provide access to or conspire with those with expertise.

 

We cannot trust computers, communications, or officials with elections

Recently two serious structural flaws in computer chips have been disclosed (they were discovered several months ago). So far, the understanding is that one will be difficult to fix and the other impossible, without a new computer architecture.  See:  The World Grapples with Critical Computer Flaws <read>

We cannot say it enough, “Ultimately, computers cannot be protected from fraud and error.” We also cannot trust officials to operate flawlessly. Fortunately, there are solutions.

Recently two serious structural flaws in computer chips have been disclosed (they were discovered several months ago). So far, the understanding is that one will be difficult to fix and the other impossible, without a new computer architecture.  See:  The World Grapples with Critical Computer Flaws <read>

We cannot say it enough, “Ultimately, computers cannot be protected from fraud and error.”

It is useful to take steps to test and protect computers and communication systems from fraud, hacking, and error. Yet, ultimately they cannot be fully protected – that was proven many years ago by Alan Turing, a consequence of his “Halting Problem”.

We also cannot trust officials to operate flawlessly.  We cannot trust them even to understand the science involved.  Many believe that air-gapped computers are safe from hacking, ignoring the science and the experience of STUXNET.

Fortunately, there are solutions.

Editorial:

The solution is software independence – that a voting system results not be dependent on software – that the system, electronic and manual will detect any error in hardware or software, providing the correct election result. That means paper ballots followed by sufficient ballots security, post-election audits, and where necessary full recounts. AND;

Official independence – that a voting system does not depend on trusting officials. That there is sufficient transparency and public verifiablity that citizens can independently verity all aspects of the voting process, including independently verifying that all votes were counted and totaled accurately.

No New York, Virginia is not like Florida 2000

From the New York Times: Virginia: Voting Mess Was Never Supposed to Happen After Bush v. Gore 

I don’t know where the impression was left that somehow we would not have close elections after 2000.  There are some analogies here but not everything is the same.

Editorial:

Close elections happen.  Each voter and each vote is critical to the result.  Every error by voters, by officials, by machines, and by fraud can change the result. When it is this close it truly is a crap-shoot, even when one candidate or the other wins by a hand-full of votes.  What is needed is a process that is of high-integrity, every step of the way, followed by a fair, per-established adjudication method.  In our opinion that is exactly what is happening in Virginia. A far cry from 2000 and Gore v Bush.

From the New York Times: Virginia: Voting Mess Was Never Supposed to Happen After Bush v. Gore  <read>

It was the electoral nightmare Virginia never wanted to experience: being host to a high-profile mess like the 2000 presidential election recount in Florida, with officials obsessing over questionable ballots as political power hangs in the balance. So 17 years ago, the state began writing a guidebook on how to handle such situations. The latest edition includes pictographs of ballots marked in unconventional ways — names crossed out, several boxes checked, “My guy” scrawled over a candidate’s name. Despite the best intentions to avoid a Florida-style snafu, that is where Virginia now finds itself, with lawyers fighting over how to interpret one questionable ballot. And at stake is possible control of the Legislature.

I don’t know where the impression was left that somehow we would not have close elections after 2000.  There are some analogies here but not everything is the same.

  • First, there have been many close elections since 2000, with high-profile court cases.  Perhaps the most noted was the Frankin-Coleman Senate contest in Minnesota. Or the close Connecticut House race which went from tie, to single vote win, to tie, ending in a re-vote.
  • In Florida 2000, there was no recount.  That was stopped by the Secretary of the State and the Supreme Court. In Virginia we had a very close race and then a recount that came down to one ballot. It was decided by a legal process and now it is before a court.
  • The hanging chads with thousands of ballots where votes were in question and also the integrity of preservation of the chads as they were handled multiple times.
  • This is one ballot that needs to be interpreted in the face of unintended ambiguity/contradiction in the detailed description of how to count voter intent on ambiguous ballots.

Editorial:

Close elections happen.  Each voter and each vote is critical to the result.  Every error by voters, by officials, by machines, and by fraud can change the result. When it is this close it truly is a crap-shoot, even when one candidate or the other wins by a hand-full of votes.  What is needed is a process that is of high-integrity, every step of the way, followed by a fair, per-established adjudication method.  In our opinion that is exactly what is happening in Virginia. A far cry from 2000 and Gore v Bush.

What’s the matter with Wisconsin (and almost every state?)

Recent Headlines:

Wisconsin: Walker makes it harder for candidates to get a recount in close races

Former Trump Advisor: Scott Walker Has ‘Rigged’ 5 Elections 

Editorial: What is wrong with this picture? 

Wisconsin: Walker makes it harder for candidates to get a recount in close races <read>

Gov. Scott Walker has made it harder to ask for an election recount in Wisconsin. Walker last week signed into law a bill introduced in reaction to Green Party presidential candidate Jill Stein’s 2016 recount request in Wisconsin after she finished a distant fourth. Under the new law, only candidates who trail the winner by 1 percentage point or less in statewide elections could seek a recount. If that had been in effect last year, Democrat Hillary Clinton could have requested a recount since she finished within that margin, losing the state by only 22,000 votes. But Stein would have been barred. Democrats argued against the change, saying if candidates want to pay for a recount they should be allowed to pursue it. Stein paid for the Wisconsin recount.

Former Trump Advisor: Scott Walker Has ‘Rigged’ 5 Elections <read>

“As someone with great sentimental attachment to the Republican Party, as I joined as the party of Goldwater, both parties have engaged in voting machine manipulation,” Stone wrote. “Nowhere in the country has this been more true than Wisconsin, where there are strong indications that Scott Walker and the Reince Priebus machine rigged as many as five elections including the defeat of a Walker recall election.”

Editorial: What is wrong with this picture? We don’t for a second believe Roger Stone. Yet, we have no reason to believe Scott Walker or Wisconsin election integrity.  What is needed is transparent and publicly verifiable elections so that we do not need to trust anyone.

Just a step in the right direction: Merrill meets with Homeland Security

“Yesterday, along with representatives from the state’s information technology and public safety departments, I met with regional officials from the United States Department of Homeland Security to discuss how we can work together to ensure that Connecticut elections are safe from outside interference or manipulation. We had a productive meeting and I look forward to working together in the months and years to come to protect our elections, the bedrock of our democracy.” – Denise Merrill, Connecticut Secretary of the State

We applaud this step in the right direction.  Last year as leader of the National Association of Secretaries of State, Merrill opposed the designation of elections as critical infrastructure, leading in expressing the concern for a Federal take-over of elections. We were critical of that stand then and remain so.

In our opinion this is just a step. There are several aspects to election security/integrity that should be addressed,. This  step may assist in those that are under direct control of the of the the State, yet less so those under local control.

Secretary Merrill met with Homeland Security on Thursday:

Merrill Statement on Meeting with DHS Officials Regarding Election Cybersecurity

“Rosenberg, Gabe” <Gabe.Rosenberg@ct.gov>: Oct 27 04:57PM

“Yesterday, along with representatives from the state’s information technology and public safety departments, I met with regional officials from the United States Department of Homeland Security to discuss how we can work together to ensure that Connecticut elections are safe from outside interference or manipulation. We had a productive meeting and I look forward to working together in the months and years to come to protect our elections, the bedrock of our democracy.” – Denise Merrill, Connecticut Secretary of the State

Gabe Rosenberg
Communications Director
Connecticut Secretary of the State Denise Merrill

We applaud this step in the right direction.  Last year as leader of the National Association of Secretaries of State, Merrill opposed the designation of elections as critical infrastructure, leading in expressing the concern for a Federal take-over of elections. We were critical of that stand then and remain so.

In our opinion this is just a step. There are several aspects to election security/integrity that should be addressed,. This  step may assist in those that are under direct control of the of the the State, yet less so those under local control.  It’s not an issue of a State take-over of local elections, but the impossibility of every town in the State doing what even the NSA has failed at – protecting their most sensitive systems from attack. Yet, like the NSA, the State is capable of doing ever better.

  • We need to protect our Centralized Voter Registration System (CVRS) from corruption and denial of service attacks on election day.
  • We need to protect the CVRS from incremental loss or corruption of data over time.  That means independently logging of every add, change, and delete of the file, balancing, and auditing those changes against the database regularly, and especially in the days and weeks before an election.
  • Making sure that if we use electronic pollbooks that there is a usable paper pollbook in every polling place and a copy of that in the Registrars’ Offices during every election.  We want to avoid the disaster that occurred in a NC county in the last election

Cybersecurity from “outside interference or manipulation” is insufficient. We must prevent insider attacks. We must be able to recover from “interference and manipulation”, since complete prevention is not possible.. As we have said before, database and election integrity depends on Prevention, Detection, and Recovery.

  • We have paper ballots everywhere in Connecticut.  Yet, they need to be protected better.  In the majority of Connecticut municipalities they can be accessed by either Registrar for hours, undetected.  In many, they can be accessed by any official in the Registrars’ Offices, sometimes by other officials.  Without paper that we can trust there can be no detection or recovery from insider attack.
  • We need to have sufficient audits of results we can trust, from the accurate counting/adjudication of paper ballots to the totals reported by the State.  Where necessary those audits ending in full recounts to determine and certify the correct winners.
  • We also need process audits to verify various aspects of the election process:  Comparing checkoffs to ballots counted; verifying ballot security; verifying the integrity of checkoffs to actual legal voters; the integrity of the absentee ballot process, from application integrity,  mail delivery. signature verification, counting etc.

 

 

 

 

Registrars mess up, City (taxpayers) pay fines, eventually

“Justice delayed is justice denied.” What could be worse?  Perhaps “Justice delayed and fines transferred to the victims.”

In 2014 the Registrars in Hartford failed to provide check-off lists to polling places in time for voting to begin at 6:00am.   From the stories of the public and explanations from officials at the time, it seems pretty clear it was not a simple error or comedy of errors.

Editorial
The pollbook delay went beyond incompetence. These conclusions and fines should not take close to three years.  The well-compensated registrars should be paying the fines not the City.

“Justice delayed is justice denied.” What could be worse?  Perhaps “Justice delayed and fines transferred to the victims.”

In 2014 the Registrars in Hartford failed to provide check-off lists to polling places in time for voting to begin at 6:00am.   From the stories of the public and explanations from officials at the time, it seems pretty clear it was not a simple error or comedy of errors. <read>

From the Courant:  City Fined $9,600 For Election Day Problems – Investigation Critical Of Registrars Of Voters <read>

The state Elections Enforcement Commission has fined the city of Hartford $9,600 for the 2014 Election Day snafus that left many people, including the governor, unable to vote when polls opened.
The state’s investigation found that the three Hartford registrars of voters didn’t finish preparing the official voter registry lists until a half hour before polls opened and, because of that, 14 polling places opened late or without the proper voter lists needed to check off names…
Even after polls closed, the registrars had issues. The investigation found that there was a 2,035-vote discrepancy in the number of ballots cast for governor versus the number of people check ed off as having voted. There also was a 93-vote discrepancy in absentee ballots.
After a second count, the absentee ballot disparity was corrected, but there was still a 1,542 difference in votes for governor that was never resolved.
The investigation is critical of all three Hartford Registrars—Republican Sheila Hall, Democrat Olga Vazquez and Working Families Party Urania Petit—but was particularly harsh toward Vazquez, who was tasked with getting the voter rolls ready.
“Ms. Vazquez’s wantonly poor decision-making reflected either a too casual approach to her work, or a serious deficiency in her ability to do the job,” the report concluded.
Vazquez was in charge of getting the voter registry lists to the moderators at each of the 24 polling places. But the books weren’t sent to the printer until only a few days before the election, and the registrars didn’t cross absentee voters off the lists until only two days before the election. They didn’t
complete that task until 5:30 a.m. on Election Day—a half hour before polls were to open.
The investigation made it clear the delay was primarily Vazquez’s fault.
“Starting with a misreading of the election calendar concerning when she needed to print the list—an inexcusable mistake by a registrar with her experience—she appeared to miss opportunity after opportunity to avoid the slowly unfolding calamity that rolled into the public eye on the morning of Election Day,” the report concluded.
Our Editorial
The pollbook delay went beyond incompetence. These conclusions and fines should not take close to three years.  The well-compensated registrars should be paying the fines not the City.
Also victimized are the voters of the State and candidates for State Office who depend on every municipality to conduct fair and accurate elections.

Common Sense: Limits on Testing From Turing to Self Driving Cars

At first this may not seem like Common Sense. We have the famous Turing Halting Problem which has some very important consequences for voting which may not, at first, make common sense:

Note: This is then thirteenth post in an occasional series on Common Sense Election Integrity, summarizing, updating, and expanding on many previous posts covering election integrity, focused on Connecticut. <previous>

At first this may not seem like Common Sense. We have the famous Turing Halting Problem which has some very important consequences for voting which may not, at first, make common sense:

  • We cannot use testing to be sure that the software in a voting machine will provide accurate election results.
  • And any hardware circuits are also part of the machine and come under the limits of the halting problem

It is worse, beyond the halting problem:

  • We really have no way of knowing if the software that actually ran on a machine when the results were created and printed was actually the approved, tested software.
  • We really have no way of determining if the results were somehow changed by some some means external to the software.
  • We have no way of really determining that the components of the hardware were what were tested were actually those running the machine.
  • There could also be permanent or intermittent hardware errors.
  • The hardware errors could include logic circuits, wires, or sensors.

At this point you may be complaining that this is crazy or at least not common sense.

Consider the idea of self-driving cars.  How comfortable are you with them today?  Do you think testing is sufficient?  Maybe. Yet, they could be subject to intermittent errors and hacking – similar to today’s vehicles that rely almost entirely on software to translate the driver’s commands into action. See:  <60 Minutes Shows Threats to Autos and Voting Machines are Real>

Do Not Hide Voter Information

Voting as we know it, depends on two important keys that are often difficult for the public, media, and sometimes even experts to understand.

Voting rolls and check-in lists need to be available to every citizen, young and old, so that the public can be assured that only registered voters voted, that they voted in the correct primary, that the number of ballots match the number of voters checked in, and that those checked in actually did vote. Otherwise there is no basis for trust in democracy.

Public voting rolls provide the only means for individuals and news organizations to independently investigate voting fraud; they provide officials with the credible proof that fraud is limited; and they help the public to trust in decisions by the State Elections Enforcement Commission.

 

Voting as we know it, depends on two important keys that are often difficult for the public, media, and sometimes even experts to understand.  One is the need for anonymous voting, aka the “secret ballot”.   The other is the need for voting rolls and the record of who voted to be public.  We addressed that second one in a letter published in the Hartford Courant today:

Do Not Hide Voter Information

I was surprised to learn that Dan Barrett, Connecticut ACLU legal director, was against “any old person on the street [being] able to access [voter rolls].”

Voting rolls and check-in lists need to be available to every citizen, young and old, so that the public can be assured that only registered voters voted, that they voted in the correct primary, that the number of ballots match the number of voters checked in, and that those checked in actually did vote. Otherwise there is no basis for trust in democracy.

Public voting rolls provide the only means for individuals and news organizations to independently investigate voting fraud; they provide officials with the credible proof that fraud is limited; and they help the public to trust in decisions by the State Elections Enforcement Commission.

Not so long ago, UConn students used that data to expose the extent to which the rolls included deceased voters. That same data was used by officials to demonstrate, in a way that could be verified, that very few of those entries were associated with actual fraud. More recently, those public rolls were used to uncover and confirm that a state representative had voted for several years and had been elected based on an illegal residence. Currently, there is a criminal investigation underway in Stamford based on absentee voters checked off who did not actually vote.

What prompted this letter was an article with the quote along with quotes from several officials proposing to restrict access to voter rolls Lawmakers Seek More Voter Privacy <read>