Verified Voting Blog: Election Security Is a Matter of National Security | David Dill

State-sponsored cyber-attacks seemingly intended to influence the 2016 Presidential election have raised a question: Is the vulnerability of computerized voting systems to hacking a critical threat to our national security? Can an adversary use methods of cyber-warfare to select our commander-in-chief?

A dedicated group of technically sophisticated individuals could steal an election by hacking voting machines key counties in just a few states. Indeed, University of Michigan computer science professor J. Alex Halderman says that he and his students could have changed the result of the presidential election. Halderman et al. have hacked a lot of voting machines, and there are videos to prove it. I believe him.

Halderman isn’t going to steal an election, but a foreign power might be tempted to do so. The military expenditures of a medium-size country dwarf the cost of a multi-pronged attack, which could include using the internet, bribing employees of election offices and voting machine vendors, or just buying voting machine companies. It is likely that such an attack would not be detected, given our current election security practices.

What would alert us to such an attack? What should we do about it? If there is reason to suspect an election result (perhaps because it’s an upset victory that defies the vast majority of pre-election polls), common sense says we should double-check the results of the election as best we can. But this is hard to do in America. Recount laws vary with each state. In states where it is possible to get a recount, it often has to be requested by one of the candidates, often at considerable expense.

In the recent election, it is fortunate that Green Party Presidential candidate Jill Stein, citing potential security breaches, recently requested a recount of the 2016 presidential vote in Wisconsin and Pennsylvania and plans to do so in Michigan. Donald Trump unexpectedly won these three states by very narrow margins, and their recount laws are favorably compared with some of the other swing states.

The Voting News Weekly: The Voting News Weekly for November 15-27 2016

Green Party candidate Jill Stein announced her intention to call for recounts in Michigan, Pennsylvania and Michigan. The Clinton campaign has indicated that they will support the Green effort and Clinton campaign lawyer Mark Elias explained their rationale at Medium.com.

University of Michigan computer scientist Alex Halderman made the case for recounts observing that “the only way to know whether a cyberattack changed the result is to closely examine the available physical evidence — paper ballots and voting equipment in critical states like Wisconsin, Michigan, and Pennsylvania. Unfortunately, nobody is ever going to examine that evidence unless candidates in those states act now, in the next several days, to petition for recounts.”

Michigan state election director Chris Thomas expressed confidence in the state’s ability to conduct a recount under the tight deadline imposed by the Electoral College. “Our plans are being drafted,” Thomas said. “We’re on top of it. We’ve got some blueprints on how it will be done.” Just under 4.8 million votes were cast for president in Michigan and all would be counted by hand under the state election code and the recount would need to be completed before the 16 members of Michigan’s electoral college meet on Dec. 19 to cast their votes for the winner of the presidential race.

Election officials in Wisconsin acknowledged the challenges with Wisconsin Elections Commission Administrator Michael Haas estimating that the cost and complexity of the recount would be in excess of the state’s last recount in 2011, which carried a price tag of more than $520,000. In that recount over a state Supreme Court seat, the commission had to recount 1.5 million votes — about half the 2.975 million ballot votes that were cast during the 2016 presidential election.

Meanwhile, incumbent Governor Pat McCrory has requested a statewide recount of the gubernatorial race in North Carolina. Legislators in Virginia have proposed restrictions on third party voter registration drives.

Election tensions spilled onto Haiti’s streets with shots fired outside the presidential palace as various candidates claimed victory in a re-run vote and Malians burned ballot boxes and one candidate was kidnapped during local elections meant to fill posts left vacant in the north since Islamist militants hijacked a 2012 Tuareg rebellion and ousted the government.

Verified Voting Blog: Want to Know if the Election was Hacked? Look at the Ballots | J. Alex Halderman

You may have read at NYMag that I’ve been in discussions with the Clinton campaign about whether it might wish to seek recounts in critical states. Thatarticle, which includes somebody else’s description of my views, incorrectly describes the reasons manually checking ballots is an essential security safeguard (and includes some incorrect numbers, to boot). Let me set the record straight about what I and other leading election security experts have actually been saying to the campaign and everyone else who’s willing to listen. 

How might a foreign government hack America’s voting machines to change the outcome of a presidential election? Here’s one possible scenario. First, the attackers would probe election offices well in advance in order to find ways to break into their computers. Closer to the election, when it was clear from polling data which states would have close electoral margins, the attackers might spread malware into voting machines in some of these states, rigging the machines to shift a few percent of the vote to favor their desired candidate. This malware would likely be designed to remain inactive during pre-election tests, do its dirty business during the election, then erase itself when the polls close. A skilled attacker’s work might leave no visible signs — though the country might be surprised when results in several close states were off from pre-election polls.

Could anyone be brazen enough to try such an attack? A few years ago, I might have said that sounds like science fiction, but 2016 has seen unprecedented cyberattacks aimed at interfering with the election. This summer, attackers broke into the email system of the Democratic National Committee and, separately, into the email account of John Podesta, Hillary Clinton’s campaign chairman, and leaked private messages. Attackers infiltrated the voter registration systems of two states, Illinois and Arizona, and stole voter data. And there’s evidence that hackers attempted to breach election offices in several other states.

In all these cases, Federal agencies publicly asserted that senior officials in the Russian government commissioned these attacks. Russia has sophisticated cyber-offensive capabilities, and has shown a willingness to use them to hack elections. In 2014, during the presidential election in Ukraine, attackers linked to Russia sabotaged the country’s vote-counting infrastructure and, according to published reports, Ukrainian officials succeeded only at the last minute in defusing vote-stealing malware that was primed to cause the wrong winner to be announced. Russia is not the only country with the ability to pull off such an attack on American systems — most of the world’s military powers now have sophisticated cyberwarfare capabilities.

[caption id="attachment_108182" align="aligncenter" width="800"]The pink counties predominately use optical scan paper ballots, which can be examined to confirm that the computer voting machines produced an accurate count. Blue counties use paperless voting systems, which require forensic analysis. The pink counties predominately use optical scan paper ballots, which can be examined to confirm that the computer voting machines produced an accurate count. Blue counties use paperless voting systems, which require forensic analysis.[/caption]

Were this year’s deviations from pre-election polls the results of a cyberattack? Probably not. I believe the most likely explanation is that the polls were systematically wrong, rather than that the election was hacked. But I don’t believe that either one of these seemingly unlikely explanations is overwhelmingly more likely than the other. The only way to know whether a cyberattack changed the result is to closely examine the available physical evidence — paper ballots and voting equipment in critical states like Wisconsin, Michigan, and Pennsylvania. Unfortunately, nobody is ever going to examine that evidence unless candidates in those states act now, in the next several days, to petition for recounts.

Media Release: Voting Experts Call for Nationwide Audit to Verify Election Results

Days after an unexpected outcome in the presidential election, a leading voting security group is reinforcing its call for a national post-election manual audit to validate computer-generated election results. In the months leading up to the election federal authorities issued unprecedented warnings regarding the computer security of the U.S. election system following revelations that over 20 states’ voter registration systems and a Florida voting system vendor were targeted by foreign cyber attacks. Federal officials acknowledged that the system vendor and four states’ voter registration databases were compromised by hackers including Illinois and Arizona.

“This national election was held under an unfortunate cloud of uncertainty due to documented attacks on U.S. election systems and claims of rigging before votes were even cast,” said Verified Voting President Pamela Smith. “In order for democracy to work, we all need to believe in the system that elects our leaders. Voters must have assurance their ballots will be counted the way they intended to cast them—especially in a time when so much doubt has been cast on the electoral process. Luckily, there’s an easy way to do this: a post-election audit that manually examines a random sample of the ballots.”

Almost all ballots cast in the U.S. are tabulated by computers; software is vulnerable to errors, bugs, malware and attacks. The security breaches identified in the months before the election led national security experts in both the federal government and private sector to issue unprecedented warnings about the cyber security of U.S. voting systems. In an extraordinary move, the Department of Homeland Security partnered with state and federal election officials in an effort to shore up voting system security following the disclosed attacks.

A nationwide audit of about 1.4 million ballots–just over 1% of the votes cast– could give 95% confidence that each state’s result is right. About 25% of Americans voted on equipment that does not produce an auditable paper record, mostly in Delaware, Georgia, Louisiana, and New Jersey. But votes cast by the other 75% are on paper ballots or paper records voters have the chance to check, and those can and should be checked in every election.

Verified Voting Blog: Still time for an election audit | Ron Rivest and Philip Stark

A Washington Post–ABC News poll found that 18% of voters — 33% of Clinton supporters and 1% of Trump supporters — think Trump was not the legitimate winner of the election. Sen. Lindsey Graham, R-S.C., has called on Congress to investigate the Russian cyberattack on the Democratic National Committee and the election. There are reasons for concern. According to the director of national intelligence, the leaked emails from the DNC were “intended to interfere with the U.S. election process.” The director of national intelligence, the Department of Homeland Security, and the National Security Agency concluded that the Russian government is behind the DNC email hack and that Russian hackers attacked U.S. voter registration databases.

We know that the national results could be tipped by manipulating the vote count in a relatively small number of jurisdictions — a few dozen spread across a few key states. We know that the vast majority of local elections officials have limited resources to detect or defend against cyberattacks. And while pre-election polls have large uncertainties, they were consistently off. And various aspects of the preliminary results, such as a high rate of undervotes for president, have aroused suspicion.

Computers counted the vast majority of the 130 million votes cast in this year’s election. Even without hacking, mistakes are inevitable. Computers can’t divine voter intent perfectly; computers can be misconfigured; and software can have bugs. Did human error, computer glitches, hacking, or other problems change the outcome? While there is, as yet, no compelling evidence, the news about hacking and deliberate interference makes it worth finding out.

The Voting News Weekly: The Voting News Weekly for November 14-20 2016

voting_booths_260Amid the ruins of the ugliest presidential campaign in modern history, Democrats are bemoaning an election apparatus so balky and politically malleable that throngs of would-be voters either gave up trying to cast ballots or cast ones that were never counted.the first presidential election in a half century that was held without the full protection of the Voting Rights Act of 1965, so few Americans cast ballots that a new president was elected by barely a quarter of Americans eligible to vote. Civil rights groups say that Republican-backed “voter suppression” laws enacted since 2010 probably helped tip the scale for Republican nominee Donald Trump in some closely contested states on election night. In a USA Today Ron Rivest and Philip Stark advocated “risk-limiting” audits of election results, an audit that manually examines a random sample of the ballots in a way that has a large chance of detecting and correcting incorrect results. The Illinois Senate has voted to override Governor Rauner’s veto of automatic voter registration legislation. Opponents of ballot initiatives in Maine that would legalize recreational marijuana and tax the state’s highest earners to help fund public schools have submitted requests for recounts. A statewide recount is also possible in the North Carolina gubernatorial contest. The ultimate of Texas’ voter id requirement remains up in the air. Voters went the polls in China, while hurricane-ravaged Haiti holds elections today.

The Voting News Weekly: The Voting News Weekly for November 7-13 2016

long_lines_260As voters flooded polling places across the country on Election Day, some reported problems such as broken machines, long lines and voter intimidation in states ranging from Texas to Pennsylvania. Despite concerns about possible attempts to hack or otherwise tamper with the US election, voting appears to have gone smoothly, with the Department of Homeland Security saying it had no reports of election-related cyber breaches. Bruce Schneier shared his concerns about the potential for election cyber attacks and Candace Hoke outlined measures needed to ensure the integrity of elections in the future. Technical problems in the debut of Connecticut’s election results website resulted in the deletion of tallies from Tuesday’s presidential election and the system to be temporarily shut down. Voters in Missouri overwhelmingly voted to reinstate campaign donation limits and to require photo identification for future elections. A recount of the North Carolina Governor’s race is likely to extend well past the Thanksgiving holidays. Milwaukee’s elections chief said that Wisconsin’s voter ID law caused problems at the polls in the city and likely contributed to lower voter turnout. Austria’s Interior Minister said there was no reason to delay again its presidential election due on Dec. 4 after newspapers reported it was possible to order postal ballots online using fake passport numbers and German Chancellor Angela Merkel warned that Russia could try to influence next year’s German national elections through cyber warfare and disinformation.

Verified Voting Blog: Election integrity: Missing components to remedy

This oped appeared originally at the The Hill on November 8, 2016.

Our election systems’ vulnerabilities received unprecedented bipartisan and media attention from mid-summer onward, sparked by the apparently Russian origins of hacks into the Democrat’s communications systems. If tampering with the U.S. election process was a goal, then election technologies used for voter registration and vote tabulation, and the Internet itself, were hypothesized as additional potential targets. Further disclosures added fire to the considerable smoke.

While correction of U.S. election vulnerabilities may appear to be largely a simple matter of upgrading the election technologies, including voting devices and voter registration databases, that focus alone would be window dressing.  It would conceal and permit continuation of a broad array of vulnerabilities warranting reassessment and remedy.  Indeed, a full cyber risk assessment of our “mission critical” election processes would highlight a broad range of soft points that include many not yet a part of public and policymaker scrutiny. Outdated technology may appear to be the easiest correction, yet it is not. Other weak links in the process will defeat secure and resilient elections processes unless they, too, are redressed—like any weak chain.

Our election systems’ vulnerabilities received unprecedented bipartisan and media attention from mid-summer onward, sparked by the apparently Russian origins of hacks into the Democrat’s communications systems. If tampering with the U.S. election process was a goal, then election technologies used for voter registration and vote tabulation, and the Internet itself, were hypothesized as additional potential targets. Further disclosures added fire to the considerable smoke.

While correction of U.S. election vulnerabilities may appear to be largely a simple matter of upgrading the election technologies, including voting devices and voter registration databases, that focus alone would be window dressing.  It would conceal and permit continuation of a broad array of vulnerabilities warranting reassessment and remedy.  Indeed, a full cyber risk assessment of our “mission critical” election processes would highlight a broad range of soft points that include many not yet a part of public and policymaker scrutiny. Outdated technology may appear to be the easiest correction, yet it is not. Other weak links in the process will defeat secure and resilient elections processes unless they, too, are redressed—like any weak chain.

The illustrative list below elucidates some agenda items relevant on the eve of casting, counting, and reporting tallies — and on checking the accuracy of vote tallies if hacking may have occurred.

The Voting News Weekly: The Voting News Weekly for October 31 – November 6 2016

cybersecurity_260Days before Election Day, warnings of a rigged vote have led to anxiety across the country about the integrity of the electoral process, leaving election officials and local authorities scrambling to verify claims of mischief and, often, to offer reality checks. The New York Times reports of stories of Trump supporters in Ohio sending wild dogs to scare off black voters, possessed voting machines flipping votes Donald J. Trump to Hillary Clinton, and an amateur genealogist said to be committing voter fraud by jotting down names found on gravestones.

The U.S. government believes hackers from Russia or elsewhere may try to undermine next week’s presidential election and is mounting an unprecedented effort to counter their cyber meddling. “The Russians are in an offensive mode and [the U.S. is] working on strategies to respond to that, and at the highest levels,” said Michael McFaul, the U.S. ambassador to Russia from 2012 to 2014.

Politico wrote about concens raised by incresing reliance on the internet for election administration and even voted ballot delivery. Tens of thousands of military and overseas Americans casting ballots online this fall face a high risk of being hacked, threatening to cause chaos around Election Day if their votes get manipulated or they transmit viruses to state and local election offices. As the article notes, internet voting also can leave the state and local government networks susceptible to hard-to-detect cyberattacks once election officials in the U.S. open up the ballot via email or click on what looks like a seemingly legitimate document.

Larry Greenemeier at Scientific American also wrote about the security concerns surrounding internet voting.  At least 31 states and the District of Columbia do let military and expatriate voters use the internet to submit marked ballots via e-mailed attachments, fax software or a Web portal.

Philip Stark and Poorvi Vora point out the inadequacy of Maryland’s automated post election audit. While acknowledging that some sort of audit is btter than none and applauds the decision to review all votes in all races and counties, they warn that relying on the scans — which are as vulnerable as any other computer data — limits the kinds of problems the reviews can detect. As they note, “the scans aren’t like photographs; they can differ due to machine error, tampering or human error (for instance leaving out a batch of ballots or scanning the same batch twice).”

A federal appeals court panel rejected a challenge to an Arizona election law that throws out ballots cast by voters who go to the wrong precinct. Lawyers representing the state and national Democratic parties said Arizona throws out more out-of-precinct ballots than any other state and that minorities are more likely to be affected. A federal judge in Phoenix rejected the challenge last month, ruling that the state has a valid reason not to count such votes because different races are on ballots in different precincts.

In response to a lawsuit filed by the North Carolina NAACP seeking an emergency halt to voter roll purges, a U.S. District Court judge ruled that four counties must restore names to voter rolls that were part of a recent mass purge. The US Supreme Court denied an emergency request from the Ohio Democratic Party to put on hold provisions of two election laws concerning absentee and provisional ballots in the state.

Voters in Ivory Coast’s referendum were asked to approve a draft constitution containing provisions that the opposition contended will significantly strengthen the power of the presidency and in Nicaragua Daniel Ortega is seeking his second consecutive re-election, with his wife, Rosario Murillo, as the vice-presidential candidate.

Verified Voting Blog: Trump’s claim the election is rigged is unfounded

I serve as President of Verified Voting, a voting security organization that seeks to strengthen democracy by working to ensure that on Election Day, Americans have confidence that their votes will be counted as we intended to cast them. Election officials, security experts and advocates have been working together around the country toward that goal, at a level that also is unprecedented.

Elections are administered by local officials. America doesn’t have one monolithic national voting system the way there is in other countries. We have thousands of them, operating under state and local supervision.

In recent years, the way in which America votes has trended toward increasingly reliable and verifiable methods. More than 75 percent of Americans will vote this election on paper ballots or on voting machines with voter verifiable paper trails. That’s more than in past elections, including 2012 and 2014. (You can check out how your local area votes on our map of voting systems, at http://verifiedvoting.org/verifier ) That means more voters than ever will be voting on recountable, auditable systems.

Why is that important? Because it offers officials a way to demonstrate to the loser of an election and the public that yes, they really did get fewer votes than their opponent or opponents.This is a nonpartisan issue. If you lose an election because something went wrong with a voting system somewhere, that’s fundamentally unfair. The more checks and balances we have in place (such as paper backup trails and audits), the greater our ability to withstand tampering or just general malfunction.

That’s not to say that our systems have no vulnerabilities. We have a higher degree of reliability in our election systems than in the past, but there’s still work to be done. What’s notable is that more is being done to ensure security this year than ever before.

Verified Voting Blog: David Dill: Why Can’t We Vote Online? | KQED

This interview was posted at KQED on October 4, 2016, where audio of the interview can be heard.

david_dillWe can bank online and we can shop online so why can’t we vote online? To answer that question, we first need to agree on what it means, said David Dill, a computer science professor at Stanford and the founder of the Verified Voting Foundation. In other words, what do people mean when they ask: “Why can’t we vote online?”

“The reason people want internet voting is because they want the convenience to vote at home or vote on their smartphone,” Dill said. I have to agree. I want to vote online like I do everything else online. I want to vote anywhere, anytime and on any device. If that’s the case, Dill said the answer is simple: We can’t vote online because our personal devices are too easy to hack. “If we had online elections, we would never be able to trust the results of those elections,” Dill said. “These systems are just notoriously insecure.”

If you follow the news, you know that our smartphones and personal computers are constantly getting hacked. While antivirus companies try, no software can stop all viruses. In fact, you might have a virus on your computer right now and not realize it, Dill said. “Now you can imagine the impact on trying to cast a ballot on such a machine,” Dill said. “The technology does not exist for secure online voting.”

But aren’t there places that have voted online? Yes, but Dill says they’ve all been hacked.

Verified Voting Blog: Andrew W. Appel: My testimony before the House Subcommittee on IT

This article appeared originally at Freedom to Tinker on September 30, 2016. I was invited to testify yesterday before the U.S. House of Representatives Subcommittee on Information Technology, at a hearing entitled “Cybersecurity: Ensuring the Integrity of the Ballot Box.”  My written testimony is available here.  My 5-minute opening statement went as follows:

My name is Andrew Appel.  I am Professor of Computer Science at Princeton University.   In this testimony I do not represent my employer. I’m here to give my own professional opinions as a scientist, but also as an American citizen who cares deeply about protecting our democracy. My research is in software verification, computer security, technology policy, and election machinery.  As I will explain, I strongly recommend that, at a minimum, the Congress seek to ensure the elimination of Direct-Recording Electronic voting machines (sometimes called “touchscreen” machines), immediately after this November’s election; and that it require that all elections be subject to sensible auditing after every election to ensure that systems are functioning properly and to prove to the American people that their votes are counted as cast. There are cybersecurity issues in all parts of our election system:  before the election, voter-registration databases; during the election, voting machines; after the election, vote-tabulation / canvassing / precinct-aggregation computers.  In my opening statement I’ll focus on voting machines.  The other topics are addressed in a recent report I have co-authored entitled “Ten Things Election Officials Can Do to Help Secure and Inspire Confidence in This Fall’s Elections.”

Verified Voting Blog: What are the post-Election Day procedures states can take to confirm the election went well?

Ensuring the accuracy and integrity of the vote count can help generate public confidence in elections. Two of the most important steps happen after voting concludes on Election Day. Ballot accounting and reconciliation (BA&R) is a not-so-exciting name for a crucial best practice. BA&R is a multi-step process that is designed to account for all ballots, whether cast at the polling place or sent in remotely, and compare that with the number of voters who voted, as the first pass. After that, the next step is to ensure that all batches of votes from all the polling places are aggregated into the totals once (and only once). This is a basic “sanity check” that makes sure no ballots are missing, none are found later, none were counted twice, etc. Most jurisdictions do a good job at this task.

Verified Voting Blog: Which voting machines can be hacked through the Internet?

Over 9000 jurisdictions (counties and states) in the U.S. run elections with a variety of voting machines: optical scanners for paper ballots, and direct-recording “touchscreen” machines.  Which ones of them can be hacked to make them cheat, to transfer votes from one candidate to another?

The answer:  all of them.  An attacker with physical access to a voting machine can install fraudulent vote-miscounting software.  I’ve demonstrated this on one kind of machine, others have demonstrated it on other machines.  It’s a general principle about computers: they run whatever software is installed at the moment.

So let’s ask:

  1. Which voting machines can be hacked from anywhere in the world, through the Internet?  
  2. Which voting machines have other safeguards, so we can audit or recount the election to get the correct result even if the machine is hacked?

The answers, in summary:

  1. Older machines (Shouptronic, AVC Advantage, AccuVote OS, Optech-III Eagle) can be hacked by anyone with physical access; newer machines (almost anything else in use today) can be hacked by anyone with physical access, and are vulnerable to attacks from the Internet.
  2. Optical scan machines, even though they can be hacked, allow audits and recounts of the paper ballots marked by the voters.  This is a very important safeguard.  Paperless touchscreen machines have no such protection.  “DRE with VVPAT” machines, i.e. touchscreens that print on paper (that the voter can inspect under glass while casting the ballot) are “in between” regarding this safeguard.

The most widely used machine that fails #1 and #2 is the AccuVote TS, used throughout the state of Georgia, and in some counties in other states.

Verified Voting Blog: Steven Bellovin Joins Verified Voting’s Board of Advisors

bellovin-300Verified Voting is pleased to announce that noted computer scientist Steven M. Bellovin has joined our Board of Advisors. Bellovin is the Percy K. and Vidal L. W. Hudson Professor of computer science at Columbia University and member of the Cybersecurity and Privacy Center of the university’s Data Science Institute. He is the Technology Scholar at the Privacy and Civil Liberties Board. He does research on security and privacy and on related public policy issues. In his copious spare professional time, he does some work on the history of cryptography. He joined the faculty in 2005 after many years at Bell Labs and AT&T Labs Research, where he was an AT&T Fellow.

Prof. Bellovin received a BA degree from Columbia University, and an MS and PhD in Computer Science from the University of North Carolina at Chapel Hill. While a graduate student, he helped create Netnews; for this, he and the other perpetrators were given the 1995 Usenix Lifetime Achievement Award (The Flame). Bellovin has served as Chief Technologist of the Federal Trade Commission. He is a member of the National Academy of Engineering and is serving on the Computer Science and Telecommunications Board of the National Academies of Sciences, Engineering, and Medicine. In the past, he has been a member of the Department of Homeland Security’s Science and Technology Advisory Committee, and the Technical Guidelines Development Committee of the Election Assistance Commission; he has also received the 2007 NIST/NSA National Computer Systems Security Award and has been elected to theCybersecurity Hall of Fame.

Verified Voting Blog: Security against Election Hacking – Part 2: Cyberoffense is not the best cyberdefense!

This article was originally posted at Freedom to Tinker on August 18, 2016.

State and county election officials across the country employ thousands of computers in election administration, most of them are connected (from time to time) to the internet (or exchange data cartridges with machines that are connected).  In my previous post I explained how we must audit elections independently of the computers, so we can trust the results even if the computers are hacked.

Still, if state and county election computers were hacked, it would be an enormous headache and it would certainly cast a shadow on the legitimacy of the election.  So, should the DHS designate election computers as “critical cyber infrastructure?”

This question betrays a fundamental misunderstanding of how computer security really works.  You as an individual buy your computers and operating systems from reputable vendors (Apple, Microsoft, IBM, Google/Samsung, HP, Dell, etc.).  Businesses and banks (and the Democratic National Committee, and the Republican National Committee) buy their computers and software from the same vendors.  Your security, and the security of all the businesses you deal with, is improved when these hardware and software vendors build products without security bugs in them.   Election administrators use computers that run Windows (or MacOS, or Linux) bought from the same vendors.

Verified Voting Blog: Security against Election Hacking – Part 1: Software Independence

This article was originally posted to Freedom to Tinker on August 17, 2016.

There’s been a lot of discussion of whether the November 2016 U.S. election can be hacked.  Should the U.S. Government designate all the states’ and counties’ election computers as “critical cyber infrastructure” and prioritize the “cyberdefense” of these systems?  Will it make any difference to activate those buzzwords with less than 3 months until the election? First, let me explain what can and can’t be hacked.  Election administrators use computers in (at least) three ways:

  1. To maintain voter registration databases and to prepare the “pollbooks” used at every polling place to list who’s a registered voter (for that precinct); to prepare the “ballot definitions” telling the voting machines who are the candidates in each race.
  2. Inside the voting machines themselves, the optical-scan counters or touch-screen machines that the voter interacts with directly.
  3. When the polls close, the vote totals from all the different precincts are gathered (this is called “canvassing”) and aggregated together to make statewide totals for each candidate (or district-wide totals for congressional candidates).

Any of these computers could be hacked.  What defenses do we have?  Could we seal off the internet so the Russians can’t hack us?  Clearly not; and anyway, maybe the hacker isn’t the Russians—what if it’s someone in your opponent’s political party?  What if it’s a rogue election administrator?

To maintain voter registration databases and to prepare the “pollbooks” used at every polling place to list who’s a registered voter (for that precinct); to prepare the “ballot definitions” telling the voting machines who are the candidates in each race.
Inside the voting machines themselves, the optical-scan counters or touch-screen machines that the voter interacts with directly.
When the polls close, the vote totals from all the different precincts are gathered (this is called “canvassing”) and aggregated together to make statewide totals for each candidate (or district-wide totals for congressional candidates).
Any of these computers could be hacked. What defenses do we have? Could we seal off the internet so the Russians can’t hack us? Clearly not; and anyway, maybe the hacker isn’t the Russians—what if it’s someone in your opponent’s political party? What if it’s a rogue election administrator?

Verified Voting Blog: Why voting systems must be as secure as the U.S. power grid

This oped was posted by Reuters on August 17, 2016.

Every American has the right to have their vote counted. The Department of Homeland Security is weighing steps to help safeguard that right. The agency is considering actions to secure the voting process against cyber-threats by designating voting systems as “critical infrastructure.” In a democracy, our voting systems are critical infrastructure like our power grids, hospital systems and nuclear power plants. The U.S. government maintains its authority based on the consent of the governed.

The revelation that hackers, possibly sponsored by Russia, illegally entered the computer system of the Democratic Congressional Campaign Committee, as well as that of the Democratic National Committee, and monitored email activity for more than one year shows the vulnerability of the U.S. political infrastructure. Emails of members of Congress were also hacked.

There have been other serious hacking episodes. Arizona’s statewide voter registration database, for example, was recentlytaken down for more than a week so that the FBI and the state could investigate a potential breach. Arizona Secretary of State Michele Reagan called the breach an“extremely serious issue.” The FBI described the threat as “8 out of 10” on its severity scale.

The question remains: If a nation wants to influence U.S. elections, would the hackers go directly after ballots and voting systems? If that’s the case, shouldn’t protecting these systems receive the highest priority?

Verified Voting Blog: Why Online Voting is a Danger to Democracy

If, like a growing number of people, you’re willing to trust the Internet to safeguard your finances, shepherd your love life, and maybe even steer your car, being able to cast your vote online might seem like a logical, perhaps overdue, step. No more taking time out of your workday to travel to a polling place only to stand in a long line. Instead, as easily as hailing a ride, you could pull out your phone, cast your vote, and go along with your day. Sounds great, right?

Absolutely not, says Stanford computer science professor David Dill. In fact, online voting is such a dangerous idea that computer scientists and security experts are nearly unanimous in opposition to it.

Dill first got involved in the debate around electronic voting in 2003, when he organized a group of computer scientists to voice concerns over the risks associated with the touchscreen voting machines that many districts considered implementing after the 2000 election. Since then, paperless touchscreen voting machines have all but died out, partly as a result of public awareness campaigns by the Verified Voting Foundation, which Dill founded to help safeguard local, state, and federal elections. But a new front has opened around the prospect of Internet voting, as evidenced by recent ballot initiatives proposed in California and other efforts to push toward online voting. Here, Dill discusses the risks of Internet voting, the challenge of educating an increasingly tech-comfortable public, and why paper is still the best way to cast a vote.

Verified Voting Blog: California’s Internet Voting Initiatives

This article was originally published in Communications of the ACM on February 24, 2016.

California, home of an underabundance of rain and an overabundance of ballot initiatives, may be confronted with one or two initiatives on this November’s ballot that, if passed by the voters, will mandate the establishment of Internet voting in the state.

A total of three such initiatives are under consideration so far. The first, poorly written and probably a long shot, represents one of the hazards of the initiative process: anyone can pay the fees and submit any crazy idea for a new law. But the other two are closely related, with the same sponsor and largely identical content. We expect only one of those two will go forward. Since they represent the most significant concern, for the rest of this blog we discuss only them.

The two initiatives, numbered 15-0117 and 15-0118, can be found at the CA Attorney General’s site. They are carefully drafted to avoid ever using the terms “Internet voting” or “online voting” or “email” or “web,” etc. Instead, they refer throughout to “secure electronic submission of vote by mail ballots.” Presumably, this is in part because the computer and elections security communities have managed to give “Internet voting” a bad name.

Media Release: Verified Voting announces appointment of John DeCock as new Executive Director

Verified Voting, the nation’s leading election integrity organization, today announced the appointment of John DeCock as our new Executive Director.

“We are delighted to have John join our team,” said Verified Voting President Pamela Smith. “John’s appointment signals an important step in our efforts to safeguard elections and to support each voter’s right to cast an effective ballot. John’s exceptional skills and experience will support our outreach and ability to share our resources with a broad range of communities, from voters to policymakers to election officials and more. Working together with John, I am certain that we will continue making vital contributions towards achieving reliable and publicly verifiable elections.”

“There is nothing more fundamental to our Democracy than the right to vote and the knowledge that each vote matters and will be properly counted,” said DeCock. “I am looking forward to working with the talented staff and board at Verified Voting, as well as with the many experts who have collectively achieved so much. There still is much to do to improve the systems by which we cast our votes and to guarantee that every voter knows that his or her vote is counted as cast.”

Verified Voting Blog: All Election Integrity is Local: Remembering John Washburn (1962-2016)

We were saddened to learn of the untimely passing of election integrity activist John Washburn at the age of 53. John was a fiercely independent thinker – disarmingly honest and contagiously cheerful – and a passionate advocate for transparent election administration. Verified Voting President Pamela Smith noted that John “was actively engaged with the Wisconsin Government Accountability Board, referring to himself as their “thorn” in his good-natured way. He could be thorny, but it was in the best interests of reliable elections, and he came at the work with the highest level of integrity. I suspect he will be missed by both friends and “adversaries” alike.”

On a tribute board set up by the funeral home where John’s memorial service will be held on January 23, Verified Voting Advisory Board member Douglas Jones observed that “John was a man who fought to protect democracy using careful research and the weight of facts to ensure that election results actually report the will of the people. His testimony before government panels at both the state and national level was always calm, reasoned and persuasive.”

John studied the issue of pre-election testing extensively and compiled exemplary guidelines for creating ballot test decks for Logic and Accuracy Testing. A glimpse of his contributions to the struggle for transparent and reliable elections can be gained from his blog Washburn’s World and his website Washburn Research. John felt strongly that election activists should get involved with their local elections. With deep appreciation for John’s contributions to the struggle for fair and accurate election, we are reposting John’s plea for getting involved on the ground that first appeared on the VoteTrustUSA website in 2006.

All Election Integrity is Local
by John Washburn

It has been pointed out on my blog, my focus on the election irregularities in my home voting district of Gemantown District #1 is petty and I should move down the road to the big fish, the City of Milwaukee. I agree the City of Milwaukee is where 10% of the entire ballots cast in the state of Wisconsin are cast in the 314 wards of the City of Milwaukee. So by the simple application of the Willy Sutton Maxim, the bulk of state fraud is committed there because that is where the votes are. And, I have spent time examining the election irregularities there. I disagree though that I should ignore the election irregularities perpetrated by my neighbors and my village clerk. The Swedes have a delightful proverb, “Sweep your own stoop before you offer to sweep you neighbor’s stoop”. The same holds for election integrity; more so actually.

Media Release: Verified Voting Welcomes Andrew Appel to the Advisory Board

Verified Voting is pleased to welcome Andrew W. Appel, PhD. to our Advisory Board. Dr. Appel is the Eugene Higgins Professor of Computer Science at Princeton University, where he has been on the faculty since 1986. He served as Department Chair from 2009-2015. His research is in software verification, computer security, programming languages and compilers, and technology policy. He received his A.B. summa cum laude in physics from Princeton in 1981, and his PhD in computer science from Carnegie Mellon University in 1985.

Dr. Appel has been Editor in Chief of ACM Transactions on Programming Languages and Systems and is a Fellow of the ACM (Association for Computing Machinery). He has worked on fast N-body algorithms (1980s), Standard ML of New Jersey (1990s), Foundational Proof-Carrying Code (2000s), and the Verified Software Toolchain (2010s).

Verified Voting Public Commentary: Statement to the Pennsylvania Senate State Government Committee Re: SB 1052

Verified Voting is writing today to express our opposition to Senate Bill 1052, a bill which would permit the return of ballots by electronic transmission over insecure Internet means for military voters in Pennsylvania, and to urge you to vote NO on SB 1052. Ballots sent by email are vulnerable to undetectable manipulation or tampering while in transit over the Internet. Ballots sent by fax are also vulnerable to attackers. Today most facsimiles are sent via Internet over facsimile mail programs which have the same threat profile as emailed ballots. By permitting the electronic return of voted ballots, SB 1052 will significantly damage the integrity of Pennsylvania’s elections and put the ballots of military voters at grave risk.

Department of Defense and National Institute of Standards and Technology oppose online voting.

At the start of the 21st century the promise of secure Internet voting seemed attainable; Congress directed the Department of Defense (DOD) in the 2002 National Defense Authorization Act (NDAA) to develop an online voting system for military and overseas voters. The Federal Voting Assistance Program (FVAP), an agency administered by the DOD, developed a system for deployment in 2004. After a security review the DOD cancelled the project because it could not ensure the legitimacy of votes cast over the Internet. In 2005 Congress directed the National Institute of Standards and Technology (NIST) to study the online return of voted ballots for the purpose of setting security standards so DoD and FVAP could develop a secure online voting system for military voters. NIST published numerous reports on its research, and documented several security issues that cannot be mitigated or solved with the cyber security safeguards and voting system protocols currently available. NIST concluded that until these challenges are overcome, secure Internet voting is not yet feasible.

For these reasons the Department of Defense has warned that it cannot ensure the legitimacy of ballots sent over the Internet and has stated “[the Department of Defense] does not advocate for the electronic transmission of any voted ballot, whether it be by fax, email or via the Internet.” In addition, the Federal Voting Assistance Program, in a report to Congress in 2013, stated clearly that the postal mail return of a voted ballot, coupled with the electronic transmission of a blank ballot is the “most responsible”[4. Federal Voting Assistance Program, May 2013, “2010 Electronic Voting Support Wizard (EVSW) Technology Pilot Program Report to Congress http://www.fvap.gov/uploads/FVAP/Reports/evsw_report.pdf] method of absentee voting for UOCAVA voters. The overwhelming evidence that secure Internet voting is not within our grasp led Congress to repeal, in the 2015 National Defense Authorization Act, the earlier directive that DoD pursue online voting for military and overseas voters.

It is not reasonable to expect the Pennsylvania Department of State should be able to develop a secure online ballot return system when the Department of Defense and the National Institute of Standards and Technology have determined secure online voting is not presently achievable.

Verified Voting Blog: What if Volkswagen made Voting Machines?

Volkswagen stock plummeted today, because of accusations by the Environmental Protection Agency that VW uses software that turns on its emission control device when the software detects that one of its diesel cars is undergoing emission testing. When not being tested, the software disables the device, thereby causing the car to spew as much as 40 times the pollution limit of the Clean Air Act.

Like VW cars, modern voting machines contain software that is tested before use in elections. It would not be difficult to write voting machine software that would, like the VW software, know when it is being tested, and thus behave correctly during testing but not during an actual election. If such behavior were detected after an election, the vendor stock would plummet, but so would voter confidence in the outcome of the election. Furthermore, in the case of some voting systems that cannot be legitimately recounted, such as paperless voting machines or online votes, there would be no way to determine after the election if the declared winners were the actual winners.

Verified Voting Blog: Colorado Secretary of State Wayne Williams obscured key facts in online-voting commentary

Last week’s guest commentary by Secretary of State Wayne Williams in The Colorado Statesman obscured some important facts. He was responding to criticism of his new rule establishing criteria for the casting of election ballots by email.

Last week’s guest commentary by Secretary of State Wayne Williams in The Colorado Statesman obscured some important facts. He was responding to criticism of his new rule establishing criteria for the casting of election ballots by email.

In it, Secretary Williams implies that the federal government expanded voting by email. He writes, “The federal government, along with the Colorado General Assembly, expanded the electronic ballot transmission for military and overseas voters.” In fact the federal government has neither endorsed nor expanded the return of marked ballots over email. The Military and Overseas Voter Empowerment, or MOVE Act of 2009 (a bill we proudly supported) only directs states to send blank ballots to military and overseas voters electronically, not return of voted ballots That’s because voted ballots could be manipulated or deleted in transit — undetectably. Due to such unsolved security issues, last year Congress eliminated a Defense Department online voting project. The federal agency tasked with helping enfranchise military voters has stated that ballot return by postal mail is the “most responsible” method. In no instance does the federal government encourage states to offer electronic ballot return for military and overseas voters.

In 2006 the Colorado General Assembly passed legislation to permit online ballot return for military voters, but only under the most restricted circumstances. And it did so before most of the public was aware of today’s cybersecurity risks and of attacks in which data and sensitive information of millions of Americans had been compromised.

Verified Voting Blog: How not to measure security

This article was originally posted at Freedom to Tinker on August 10, 2015. It is reposted here with permission of the author.

A recent paper published by Smartmatic, a vendor of voting systems, caught my attention. The first thing is that it’s published by Springer, which typically publishes peer-reviewed articles – which this is not. This is a marketing piece. It’s disturbing that a respected imprint like Springer would get into the business of publishing vendor white papers. There’s no disclaimer that it’s not a peer-reviewed piece, or any other indication that it doesn’t follow Springer’s historical standards. The second, and more important issue, is that the article could not possibly have passed peer review, given some of its claims. I won’t go into the controversies around voting systems (a nice summary of some of those issues can be found on the OSET blog), but rather focus on some of the security metrics claims.

The article states, “Well-designed, special-purpose [voting] systems reduce the possibility of results tampering and eliminate fraud. Security is increased by 10-1,000 times, depending on the level of automation.”

That would be nice. However, we have no agreed-upon way of measuring security of systems (other than cryptographic algorithms, within limits). So the only way this is meaningful is if it’s qualified and explained – which it isn’t. Other studies, such as one I participated in (Applying a Reusable Election Threat Model at the County Level), have tried to quantify the risk to voting systems – our study measured risk in terms of the number of people required to carry out the attack. So is Smartmatic’s study claiming that they can make an attack require 10 to 1000 more people, 10 to 1000 times more money, 10 to 1000 times more expertise (however that would be measured!), or something entirely different?

Verified Voting Public Commentary: Comments on Colorado Rules Concerning Internet Voting

We are pleased to provide testimony and remarks regarding proposed rule changes to Colorado’s Rules Concerning Elections 8 CCR 1501-5. We appreciate the effort of your office to solicit preliminary comments from the public to inform the draft of the proposed rule changes and were happy to participate in the process. We remain in opposition to Rule 16.2.1(c). However, before addressing Rule 16.2.1(c), we would first like to address proposed new Rule 16.2.8 prohibiting Internet voting because it is inextricably linked to proposed Rule 16.2.1(c).

Public comments voiced significant objection to Internet voting. The Secretary has proposed Rule 16.2.8 which states:

New Rule 16.2.8:
16.2.8 NOTHING IN THIS RULE 16.2 PERMITS INTERNET VOTING. INTERNET VOTING MEANS A SYSTEM THAT INCLUDES REMOTE ACCESS, A VOTE THAT IS CAST DIRECTLY INTO A CENTRAL VOTE SERVER THAT TALLIES THE VOTES, AND DOES NOT REQUIRE THE SUPERVISION OF ELECTION OFFICIALS

Proposed new Rule 16.2.8 unfortunately fails to recognize that email and fax return of voted ballots (permitted and expanded in Rule 16.2.1(c)) is Internet voting and includes all of the inherent security risk of Internet voting. In fact, email (and digital fax) are considered by voting system experts at both the National Institute of Standards and Technology and the U.S. Election Assistance Commission to be even less secure, [1. “E-mails are significantly easier to intercept and modify in transit than other forms of communication.” NIST IR 7551 A Threat Analysis of UOCAVA Voting Systems http://www.nist.gov/itl/vote/upload/uocava-threatanalysis-final.pdf], [2. “Email is about the least secure method of ballot delivery,” Brian Hancock The Canvass – “Internet voting, not ready for prime-time?” Feb 2013 http://www.ncsl.org/Portals/1/Documents/legismgt/elect/Canvass_Feb_2013_no_37.pdf] than the type of Internet voting system described in proposed Rule 16.2.8.

Verified Voting Blog: Just Ducky

If it looks like a duck, walks like a duck, and quacks like a duck, it’s a duck.  It is not a seagull.  People will, understandably, refer to it as a duck.  Deciding to call it a seagull does not cause it to cease being a duck and does not transform it into a seagull.  With me so far?  An election held by a California city is an “advisory election” if its purpose is to enable only the city’s registered voters to voice their opinions on substantive issues in a non-binding manner.  City advisory elections are subject to the California Election Code’s general requirements and prohibitions.

Now consider the following scenario.  A small California city’s leaders, and the elections system vendor they hire, plan an election that in all respects is described by California Elections Code section 9603.  The city leaders and vendor publicly and consistently refer to the planned activity as an “advisory vote” and “advisory election.”  The city is notified that the election will be illegal, both because it will use an Internet voting system, prohibited by the Elections Code, and because the system is not state-certified, as required by the Elections Code.   With just two weeks to go, the city’s leaders and vendor respond by re-labeling the planned activity a “poll” or “community poll” but make no other changes.

Verified Voting Blog: Principles for New Voting Systems

Many jurisdictions will need to replace their voting systems in the next few years. Commercial voting systems currently in the marketplace are expensive to acquire and maintain and difficult to audit effectively. Elections may be verifiable in principle–if they generate a voter-verifiable paper trail that is curated well–but current systems make it hard or impractical to verify elections in practice.

Recent experience with open-source tabulation systems in risk-limiting audits in California and Colorado, and voting system projects in Los Angeles County, CA, and Travis County, TX, suggest that the US could have voting systems that are accurate, usable, verifiable, efficiently auditable, reliable, secure, modular, and transparent, for a fraction of the cost of systems currently on the market.

The key to reducing costs is to use commodity off-the-shelf hardware, open-source software, and open data standards.  Usability and auditability need to be designed into new systems from the start. The US could have the best possible voting systems, instead of just the best voting systems money can buy, if new systems adhere to the Principles enunciated below. (Download PDF)