Transparency Is Solution to Shameful Lack of Security For US Voting Systems Revealed by NSA Leak

Elections belong to the public. Just as we have the right to understand our overall election process, we have a right to understand the underlying hardware and software involved in electronic voting. We have a right to understand where our votes and voter registrations go, who checks them, and which institutions have access to that information.

The NSA document allegedly leaked by Reality Leigh Winner and recently published by The Intercept suggests that the government is no longer confident about that critical information. The report details a Russian spear-phishing campaign that introduced malware into election contractors’ and officials’ machines, causing them to run “an unknown payload from malicious infrastructure.” According to the report, “It is unknown...what potential data could have been accessed” by Russian hackers. The malicious code was implanted into instructions for EViD, a piece of software that allows poll workers to verify voters’ sensitive personal information, including name, address, registration status, and voting history. The verification is done entirely over the Internet, and all data is communicated to and from EViD’s “secure website.”

After reading the report, I wanted to see for myself how EViD’s creators address information security. Enter the only EViD documentation I could find: an FAQ from EViD’s parent company, VR Systems. Here is VR Systems’ explanation: “Is the EViD system secure? During design and development of the EViD system, VR Systems implemented extensive security measures to protect the EViD system from electronic attack.”

If you’re wondering where the rest is, you’re not alone. Those are the only mentions of security. What are “extensive security measures”? Your guess is as good as mine. Great for their secure design and development, but what about maintenance? Ongoing updates and patches are just as important as the initial product. What kinds of attacks did they account for, specifically? “Electronic attack” is about as meaningless as “physical attack.” OK, maybe you have a bullet-proof vest, but what if somebody drops a piano on your head? In the same way, it’s possible to prevent a malicious piece of code from being written into the system, but that doesn’t mean they’ve accounted for vulnerabilities that would allow an attacker to read data, for example. And physical attacks apply here, too—after all, the software is being run on a machine made of wires, boards, and sensors.

So how does the government vet such vital critical infrastructure? Did a security expert look at VR Systems’ hardware and software, and if so, where are the results of the audit?

A researcher named Emily Gorcenski recently compiled an evaluation of federally endorsed certification and testing practices and voting system guidelines, as well as a state-by-state breakdown of electronic voting systems regulations. The physical hardware of voting machines is subject to well-established engineering quality standards, while software is largely evaluated by automated code-checkers for style rather than substance. These surface evaluations do not account for subtle vulnerabilities like memory handling or algorithmic errors that can only be caught by expert evaluation and extensive testing. There is no mention of voter registration systems like EViD (the only state to even mention voter registration in the state-by-state breakdown is Oklahoma).

Moreover, federal regulations are voluntary—and 20 states have chosen not to adopt any of them. The decentralized nature of a patchwork system could work in our favor if each state had its own individually secured infrastructure, but most election infrastructure companies work across state borders and the flaws carry over. Centralized voter registration systems like EViD that are seemingly not subject to any regulation at the state or federal level are especially vulnerable targets. Bloomberg reports that the Russian hackers were able to penetrate poll workers’ systems in 39 states.

And even with extensive testing and review, no one—not even a team of experts—can be aware of all of the flaws in a piece of code. Developers are constantly pushing updates and it’s difficult for security teams to keep pace. Bugs can be hydras—patch one, create three more. Laws and regulations can only go so far in that respect. The software standards, NSA report, and general behavior surrounding the cyberattacks illustrate a catastrophic lack of understanding, testing, and oversight on the government’s part. This is not to say government contractors or officials are incompetent—software security is one of the trickiest beasts around. Good software security relies on transparency and frequent testing. Hiding the code under fluffy language and hoping that nothing goes wrong is the absolute least effective way to achieve security. It would be like a safe salesman telling you to put your life’s savings into a box made of unknown material with a hidden locking mechanism. Nobody really knows how it works and plenty of them have been broken into, but trust him, he took “extensive security measures.”

Voting systems are the same—no government at any level should be relying on proprietary, closed-source software for vital critical infrastructure, especially software that they do not understand themselves.

And even then, the practice of using electronic voting systems at all is questionable, especially if they are connected to the Internet. While cryptographers can provide secure electronic voting algorithms, most security flaws happen at the implementation level—and again, there is no way to anticipate every flaw. Experts emphasize the need to confirm e-voting results by checking them against paper ballots in a statistically meaningful sample of areas across the country (“statistically meaningful” just means they take enough samples in enough diverse areas so that the probability of missing suspicious activity is very low). This simple physical check on our vulnerable electronic infrastructure must be an election process requirement.
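What "enough samples" means can be computed. The Python below is an added example, not part of the original article, and it uses a simplified model assumed here: precincts are drawn uniformly at random without replacement, and hand-counting the paper ballots of any altered precinct always exposes the discrepancy. The precinct counts are constructed figures.

```python
from math import comb

def miss_probability(total, altered, sample):
    """Chance that a uniform random sample (without replacement) of
    `sample` precincts contains none of the `altered` ones."""
    if not 0 <= altered <= total or not 0 <= sample <= total:
        raise ValueError("need 0 <= altered, sample <= total")
    if sample > total - altered:
        return 0.0  # more draws than clean precincts: a hit is certain
    # Hypergeometric probability of drawing zero altered precincts.
    return comb(total - altered, sample) / comb(total, sample)

def min_sample_size(total, altered, max_miss):
    """Smallest sample whose miss probability is at most `max_miss`."""
    for n in range(total + 1):
        if miss_probability(total, altered, n) <= max_miss:
            return n
    return total  # e.g. altered == 0: nothing to find at any sample size

if __name__ == "__main__":
    TOTAL = 3000  # constructed figure: precincts in a hypothetical state
    for altered in (300, 30, 3):
        n = min_sample_size(TOTAL, altered, 0.05)
        print(f"{altered:4d} altered precincts -> audit {n:4d} of {TOTAL}"
              f" ({n / TOTAL:.0%}) to miss with probability <= 5%")
```

The required sample grows as the number of altered precincts shrinks, which is why an audit's sample size has to be set against the smallest amount of tampering that could change the outcome.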

This attack was not the first. Not only have researchers hacked into machines in a controlled setting, there have been numerous cases of problems with election infrastructure in the wild:

  • The 4-6 million votes lost in the 2000 presidential election.
  • The Diebold ban in California preceding the 2004 presidential election, after Diebold committed fraud.
  • This executive summary of the 2006 midterm election, in which there were 1,022 reported problems with e-voting equipment in 314 counties across 36 states.

All evidence, both theoretical and empirical, suggests that these electronic voting systems are vulnerable. Ignorance is not an excuse. Federal, state, and local governments know better than to put blind trust in e-voting companies, so why do they continue to do so despite all of their problems? Why do they insist on using proprietary closed-source software instead of open-source software that is vetted by a community of experts? As with most major government contracts, electronic voting has been plagued by a history of questionable policy and shady business dealings that go against expert recommendation. The Washington Post reports that in mid-August 2016, the federal government encountered a “wall of resistance” from state officials in trying to shore up election infrastructure after the Russia hacking story first broke. State officials acted like getting help from the federal government in patching the systems against the well-evidenced threat of election tampering was a political ploy and “an assault on state rights.” 

Fair elections are the cornerstone of free society, not cause for political squabbling or corporate enterprise. We fight on behalf of whistleblowers because we need people who are willing to stand up and say enough is enough, now more than ever. Reality Leigh Winner didn’t breach national security, she exposed a breach in national security—one that poses a clear and present danger to us all by threatening the very foundation of our democracy.

The threat to national security posed by electronic voting systems is one perpetuated by Congress, federal, state, and local governments and covered up by the NSA. Yet whistleblowers are the ones charged with the careless handling of defense information. One could bring the same charges against these government institutions for failing to sufficiently vet and maintain the technology used in critical infrastructure, and for allowing our election officials to become sitting ducks for Russian attackers. The only difference is, the government is in control.

Instead of focusing on these real threats to our democracy, legislatures have chased phantom problems like voter impersonation with Voter ID laws, which fail to prevent fraud and overwhelmingly impact poor communities and communities of color. In 2013, the Supreme Court struck down a section of the Voting Rights Act that prevented states like Texas from making changes to voting law without permission from the federal government. In 2016, a federal appeals court ruled that the Texas voter ID law—which had been in place since 2011—violated the Voting Rights Act. This is just one example of many that the ACLU Voting Rights Project fights to address.

It is time we demand with our voices and votes that the innards of electronic voting systems and all other obscured facets of our election process become matters of public record, and that statistically significant audits occur as a matter of routine rather than exception. Hiding from expert opinions and throwing whistleblowers in jail is not the way to make our country more secure. There have always been problems with our election process, but Reality check: the flaws are real, they are exploited, and they may significantly undermine our democracy if we continue to ignore them.


Gregory Miller

Leah, great job on this important and timely piece. If you only knew the 1/2 of it. I have served as a subject matter expert to DHS and still provide input to Congress on election technology integrity matters. The OSET Institute's TrustTheVote Project is working feverishly to address this, building ElectOS (see: bit.ly/EOSt1). To learn more see: bit.ly/ttv-learn. I'd like to speak more about the issues and our work. gmiller at osetfoundation daht org

Eli Samuel Goldman

Oh, puhleeeze! I've been saying this for years and years non-stop. Now someone else speaks on the necessity of "transparency" in all government processes and they're hailed as "timely" and touted as brilliant. Horse-pucky. If anyone had paid attention to me before the election or all election long Trump couldn't have had the election hacked, or gotten away with it once he did. I'm so tired about the world taking credit for everything I say, write, do and create. ....John F. Kennedy talked on the need for what amounts to transparency in a public speech about a year before he was shot and even told the public the conservative fringe intended to kill him. No one listened but many heard. Roughly a year later he was dead, and everyone acted shocked. Idiots!

Roy Lipscomb, I...

An excellent analysis of election insecurity!

May I expand on the remedies proposed by the author? She advises--

"It is time we demand ...that the innards of electronic voting systems and all other obscured facets of our election process become matters of *public record*, and that *statistically significant audits* occur as a matter of routine rather than exception." [Emphasis added]

A vote audit commonly consists of a platoon of inspectors sitting down together in a large room to review piles of paper ballots. Though only a few people can actually observe the ballots, this is called a "public audit."

But let's instead imagine a cast of thousands performing the same service, without ever having to convene or to coordinate.

And let's imagine that this process also happens to create insurance against compromise or loss of the original ballots.

And let's imagine further, that the cost to the elections authority for all this is essentially nil.

Such a process is made possible today by two inventions, the smartphone and the Internet. And the process can be inaugurated by a simple legislative edict: Let poll watchers video-record and publish the ballots. The result is "public records" of the highest order, and "public audits" in the fullest sense.

If such a policy is feasible, then advantages abound:

* The videos can be downloaded by thousands of citizens, thereby creating reliable backups for the ballots in case of loss or compromise.
* Each citizen can personally tally votes of interest--in any way desired, with or without computer assistance.
* All tallies will quickly converge on the same results, removing doubts about their authenticity.
* Concerns about voting-machine errors will be dispelled because machine tallies get vetted by other tallies.
* Recounts by the election authority will become superfluous.
* The videos will offer fine-grained data for election forensics and for demographic research.

But is such a policy feasible? That is, can the two main concerns be resolved: preserving the anonymity of the ballots, and ensuring the authenticity of the videos? Indications are that the answer is "Yes."

* Anonymity of the ballots has developed into a non-issue in Humboldt County, California, which has been publishing their ballots since June of 2007. Ideal safeguards for such a policy include allowing voters to mark their ballot via a ballot printer, thereby eliminating handwriting as a possible identifier.

* Authenticity is guaranteed by two features:

o Checks and balances. Each poll watcher independently records and publishes a video of the ballots. Each video thus serves as a check and balance on the others.

o Resilience. If a video gets compromised, its creator can alert the public through thousands of emails and postings, and can easily re-post (or otherwise distribute) the authentic video.

In summary: Compared to a standard audit of the vote, a crowdsourced "public audit" has more advantages, and is virtually cost-free.

For more discussion, see http://mapelection.org/citizensaudit.pdf

FrankHenry

Let's hope the ACLU team pick up the task of gaining the "32 Full Voting Rights" for all voters in all 50 states.

These Rights have been ignored/suppressed for too long...!

ACLU get behind the movement for our 32 Full Voting Rights...!

Thanks and Good Luck,
Frank Henry
Full Voting Rights Advocate
Cottonwood, Arizona
Tel: 928-649-0249
e-mail: fmhenry4@netzero.com

BruceO'Dell

As a cybersecurity professional, if I designed any system with the ludicrous vulnerabilities of our computerized voting systems I'd deservedly be laughed out of the room. Every form of computerized voting system has been demonstrated to be vulnerable to manipulation by insiders as well as foreign hackers. There is no place for computers in elections: the fundamental issue is that voting is both a private and an anonymous transaction - unlike all other types of transactions for which we can and do design effective security controls. The answer is simple: cast votes on paper and count them in public - as in Canadian federal elections, as well as in elections in places like the Netherlands that have scrapped computerized voting systems due to the inherent risks for which there is no technical fix.
