Last month, the District conducted an Internet voting experiment that resulted in a team from the University of Michigan infiltrating election computers so completely that they were able to modify every ballot cast and all election outcomes without ever leaving their offices. They also retrieved the username and password for every eligible overseas voter who had signed up to participate. The team even defended the system against attackers from China and Iran. More than any other event in recent years, this test illustrates the extreme national security danger of Internet voting.
Though the District’s Board of Elections and Ethics prudently dropped the plan to use the most dangerous parts of the system in Tuesday’s midterms, the board still claims Internet voting is the wave of the future. By contrast, the consensus of the computer security community is that there is no secure Internet voting architecture suitable for public elections. The transmission of voted ballots over the Internet, whether by Web, e-mail or other means, threatens the integrity of the election. Simply fixing the problems identified in the District’s test will not prove the system secure. Almost certainly the next test will discover new vulnerabilities yielding a similar disastrous result.
People frequently ask: If we can bank online, why can’t we vote online? The answer is that every banking transaction must be associated with a customer, so banks know what their customers are doing, and customers receive monthly statements that can be used to detect unauthorized transactions. There is no banking equivalent of the requirement for a secret ballot untraceable to the voter. While banks have huge budgets for mitigating security problems, they still lose substantial sums to online fraud. In addition, while banks may tolerate the costs of online theft because they save money overall, elections cannot tolerate a “small” amount of vote theft. For more than a decade, computer security scientists have been warning of certain core dangers related to Internet voting. The successful Michigan incursion confirmed many of them.
1. Internet voting systems can be attacked from anywhere by any hostile government, criminal syndicate or self-aggrandizing individual. The Michigan team demonstrated this by conducting their attack entirely from Ann Arbor.
2. The attackers can determine the winners of an election. The Michigan attackers changed all the votes, and left no way for officials to restore the originals.
3. Effective defense is virtually impossible. There is an abundance of vulnerabilities in almost any complex software system, and voting systems are no exception. Attackers need only exploit one vulnerability, while defenders must find and defend against them all. And some things were out of bounds in the D.C. experiment; in a real election, criminal or foreign attackers would have additional opportunities for attack.
4. A cyber attack on an election may go completely unnoticed. The wrong people could be elected without anyone noticing. D.C. officials did not detect the Michigan attack for at least a day, even though the attackers thoughtfully played an audio “signature” (the Michigan fight song) after each ballot was cast. By the time officials discovered the attack, it was too late to recover from it.
By dramatically demonstrating the danger of Internet voting, the Michigan team has done our nation an enormous service. They deserve our congratulations and thanks.
The D.C. Board of Elections and Ethics deserves credit as well for choosing to conduct a public test of the system — the first of its kind anywhere. However, we cannot expect the Michigan team or anyone else to perform pro bono testing repeatedly for each new Internet voting scheme.
Unfortunately, more than 30 other states have not learned from D.C.’s experiment and are allowing Internet voting in this week’s elections. None of them has opened its systems to outside scrutiny, and all are simply relying on the assertions of their vendors or IT personnel that the systems are secure. Even companies such as Google, with vast resources and expertise, have been unable to protect themselves from remote penetration attacks from China. There is no reason to believe that states and localities can do better.
The results of the test are abundantly clear. General elections are not for experimentation. Unless and until someone produces a demonstrably secure Internet voting system that the computer security community endorses, government must not take risks that jeopardize our democracy.
Jeremy Epstein is a senior computer scientist with SRI International in Arlington. David Jefferson is a computer scientist at Lawrence Livermore National Laboratory and chairman of Verified Voting. Barbara Simons is a former IBM researcher and former president of the Association for Computing Machinery.