When Alaska voters go to the polls tomorrow to help decide whether the U.S. Senate will remain in Democratic control, thousands will do so electronically, using Alaska’s first-in-the-nation internet voting system. And according to internet security experts, including the former top cybersecurity official for the Department of Homeland Security, that system is a security nightmare that threatens to put control of the U.S. Congress in the hands of foreign or domestic hackers.
Any registered Alaska voter can obtain an electronic ballot, mark it on their computer using a web-based interface, save the ballot as a PDF, and return it to their county elections department through what the state calls “a dedicated secure data center behind a layer of redundant firewalls under constant physical and application monitoring to ensure the security of the system, voter privacy, and election integrity.” That sounds great, but even the state acknowledges in an online disclaimer that things could go awry, warning that “when returning the ballot through the secure online voting solution, your are voluntarily waving [sic] your right to a secret ballot and are assuming the risk that a faulty transmission may occur.”
That disclaimer is a pre-emptive admission of failure, says Bruce McConnell, who served until 2013 as the top cybersecurity officer for DHS. “They admit that they are not taking responsibility for the validity of the system,” McConnell told The Intercept. “They’re saying, ‘Your vote may be counted correctly, incorrectly, or may not be counted at all, and we are not taking any responsibility for that.’ That kind of disclaimer would be unacceptable if you saw it on the wall of a polling place.”
… Computer scientists have already done some of these things in controlled laboratory experiments, in some cases attacking the same systems that Scytl has deployed in other jurisdictions around the world. In fact, just this week Joseph Kiniry, a principal investigator at Galois, an international cybersecurity firm, asked his team to figure out ways to alter locked, supposedly un-editable PDFs remotely without detection. It took them, he said, a day. “It’s a scary threat because the way we’ve done it, no one will ever know the ballot got changed,” Kiniry said. “The ballot isn’t changed on the voter’s computer. We haven’t done anything to attack the election department’s computers. We just changed the ballot while it goes over the internet.”
… Ed Felten, the director of Princeton University’s Center for Information Technology Policy, Kiniry, McConnell, and University of Michigan Professor Alex Halderman are among the more prominent voices urging against the implementation of online voting. Earlier this year, Halderman’s students proved that the e-voting system in Estonia—considered the most secure in the world—can be hacked. Kiniry’s work demonstrating serious vulnerabilities in small-scale trials of Norway’s online voting system is one reason the country scrapped the project last year.