As the midterm congressional primaries heat up amid fears of Russian hacking, roughly 1 in 5 Americans will cast ballots on machines that do not produce a paper record of their votes. That worries voting and cybersecurity experts, who say lack of a hard copy makes it difficult to double-check results for signs of manipulation. “In the current system, after the election, if people worry it has been hacked, the best officials can do is say, ‘Trust us,’” said Alex Halderman, a voting machine expert who is director of the University of Michigan’s Center for Computer Security and Society.
Full Article: Lack of paper trail a concern amid fears of election hacking | The Columbian.
National: Russia’s still targeting U.S. elections, King warns, and experts say we’re not prepared | Portland Press Herald
For weeks, U.S. Sen. Angus King has been telling anyone who’ll listen that the biggest, most worrisome thing about Russian interference in the 2016 election isn’t getting enough attention and has nothing to do with President Trump. King has warned in congressional hearings, television appearances and interviews with reporters that Moscow tried and is still trying to compromise American voting systems – and that if nothing’s done it might very well change the results of an election. … While intelligence officials say there is no evidence that vote counts were changed last November, a leading expert on security threats to voting machines said this possibility cannot be excluded without a forensic audit of the results. Even voting and vote counting machines that are not connected to the internet can be and could have been compromised when they received software programming them to display or recognize this year’s ballots, said J. Alex Halderman, director of the University of Michigan Center for Computer Security and Society.
Full Article: Russia's still targeting U.S. elections, King warns, and experts say we're not prepared - Portland Press Herald.
A computer science professor told the Senate Intelligence Committee Wednesday that voting machines that create an electronic record of the voters’ decisions are open to fraud and computer hacking, vulnerabilities that are big enough to potentially change the outcome of some elections. J. Alex Halderman, professor of computer science at Michigan University, said he and his team began studying “direct-recording electronic” (DRE) voting machines 10 years ago and found that “we could reprogram the machine to invisibly cause any candidate to win. We also created malicious software — vote-stealing code — that could spread from machine-to-machine like a computer virus, and silently change the election outcome.” … As a computer science professor, Halderman has not only run academic trials on hacking voting machines, he has also run real-time examples.
Full Article: Computer expert: Some voting machines can be directly hacked.
Hackers can breach air-gapped voting machines and vote tallying systems – those not connected to internet – in an attempt to alter ballots to sway the outcome of an election, the Senate Select Committee on Intelligence has learned. “Our election infrastructure is not as distant from the internet as it may seem,” Alex Halderman, a University of Michigan computer science professor, testified Wednesday before the Senate Select Committee on Intelligence. The Senate panel, as well as its House counterpart, held simultaneous hearings focused on the impact of Russian hacking on America’s election process (see Election Systems’ Hacks Far Greater Than First Realized). At both sessions, lawmakers heard witnesses agree that Russian hackers did not alter votes in the 2016 presidential election.
Full Article: Intelligence Panel Learns How to Hack Air-Gapped Voting Systems.
As new reports emerge about Russian-backed attempts to hack state and local election systems, U.S. officials are increasingly worried about how vulnerable American elections really are. While the officials say they see no evidence that any votes were tampered with, no one knows for sure. Voters were assured repeatedly last year that foreign hackers couldn’t manipulate votes because, with few exceptions, voting machines are not connected to the Internet. “So how do you hack something in cyberspace, when it’s not in cyberspace?” Louisiana Secretary of State Tom Schedler said shortly before the 2016 election. But even if most voting machines aren’t connected to the Internet, says cybersecurity expert Jeremy Epstein, “they are connected to something that’s connected to something that’s connected to the Internet.” … While it’s unclear if any of the recipients took the bait in the email attack, University of Michigan computer scientist Alex Halderman says it’s just the kind of phishing campaign someone would launch if they wanted to manipulate votes.
Full Article: If Voting Machines Were Hacked, It Might Not Be Obvious : NPR.
The leaked NSA document published by The Intercept on Monday revealed a report that Russian military actors attacked one of the most especially vulnerable aspects of the American voting system: online voting registration databases. The classified document was leaked to the press by a 25-year-old intelligence contractor who has been arrested by the Department of Justice. The five-page report, which the AP has yet to authenticate, details a cyberattack that began in August 2016. The document does not reveal whether or not the Russian attempts were successful, nor does it address if it could have affected voting outcomes in the presidential election. It does, however, validate the concerns of cybersecurity experts who have long considered the possibility of this type of attack as a potential threat to our voting process’ security.
Full Article: Experts Warned About Voting Vulnerability At Center Of NSA Leak - Vocativ.
A leaked intelligence document outlining alleged attempts by Russian military intelligence to hack into U.S. election systems is the latest evidence suggesting a broad and sophisticated foreign attack on the integrity of the nation’s elections. And it underscores the contention of security experts and computer scientists that the highly decentralized, often ramshackle U.S. election system remains profoundly vulnerable to trickery or sabotage. The document, purportedly produced by the U.S. National Security Agency, does not indicate whether actual vote-tampering occurred. But it adds significant new detail to previous U.S. intelligence assessments that alleged Russia-backed hackers had compromised elements of America’s electoral machinery. It also suggests that attackers may also have been laying groundwork for future subversive activity. The operation described in the document could have given attackers “a foothold into the IT systems of elections offices around the country that they could use to infect machines and launch a vote-stealing attack,” said J. Alex Halderman, a University of Michigan computer scientist. “We don’t have evidence that that happened,” he said, “but that’s a very real possibility.”
Full Article: Leaked NSA doc highlights deep flaws in US election system - Houston Chronicle.
… J. Alex Halderman, a computer science professor at the University of Michigan, and Ph.D. student Matt Bernhard have assembled a number of reasons that they say render US voting machines susceptible to outside interference that could affect the accuracy of their tallies. In 2002, after the chaotic presidential election two years before, Congress passed the Help America Vote Act. The legislation provided funding for several private electronic voting machine manufacturers, including Diebold. Voting machines today fall predominantly into two categories. Optical scanners can be small, like the ones used at local polls, or huge, like the ones used at central voting centers to read absentee ballots. Direct Recording Electronic machines are touch screen devices that may or may not have a printer attached that makes a hard copy of the votes cast so they can be verified. According to Verified Voting, more than 20% of the DREs in use in the United States lack printers, making it impossible to detect fraudulent activity. “These machines are just so poorly engineered, the only real way to secure them is to destroy them and start over,” says the University of Michigan’s Matt Bernhard. In fact, their operating systems are often based on obsolete platforms such as Windows 98 or Vista.
Full Article: Hacking US Voting Machines Is Child's Play | CleanTechnica.
National: Professor Who Urged an Election Recount Thinks Trump Won, but Voting Integrity Still Concerns Him | The Chronicle of Higher Education
In the days after November’s election, a news report described a professor of computer science and engineering at the University of Michigan at Ann Arbor, J. Alex Halderman, as having made a provocative discovery. The report suggested he had found “persuasive evidence” of voting anomalies in three key swing states, each barely won by Donald J. Trump, that gave him the margin of his surprise victory, and asked whether computer hacking could have been responsible. Claims that Hillary Clinton’s vote totals were suspiciously lower in counties that relied on computerized voting machines helped fuel recount demands by Jill Stein, the Green Party’s presidential nominee, that later were joined by Mrs. Clinton’s campaign.
Full Article: Professor Who Urged an Election Recount Thinks Trump Won, but Voting Integrity Still Concerns Him - The Chronicle of Higher Education.
This article appeared originally in the March 2017 issue of Scientific American.
The FBI, NSA and CIA all agree that the Russian government tried to influence the 2016 presidential election by hacking candidates and political parties and leaking the documents they gathered. That’s disturbing. But they could have done even worse. It is entirely possible for an adversary to hack American computerized voting systems directly and select the next commander in chief.
A dedicated group of technically sophisticated individuals could steal an election by hacking voting machines in key counties in just a few states. Indeed, University of Michigan computer science professor J. Alex Halderman says that he and his students could have changed the result of the November election. Halderman et al. have hacked a lot of voting machines, and there are videos to prove it. I believe him.
Halderman isn’t going to steal an election, but a foreign nation might be tempted to do so. It needn’t be a superpower like Russia or China. Even a medium-size country would have the resources to accomplish this, with techniques that could include hacking directly into voting systems over the Internet; bribing employees of election offices and voting-machine vendors; or just buying the companies that make the voting machines outright. It is likely that such an attack would not be detected, given our current election security practices.
Full Article: Our Voting System Is Hackable by Foreign Powers - Scientific American.
Five days after Donald Trump was elected president, Alex Halderman was on a United Airlines flight from Newark to Los Angeles when he received an urgent email. A respected computer scientist and leading critic of security flaws in America’s voting machines, Halderman was anxious to determine whether there had been foul play during the election. Had machines in Wisconsin or Michigan been hacked? Could faulty software or malfunctioning equipment have skewed the results in Pennsylvania? “Before the election, I had been saying I really, really hope there’s not a hack and that it’s not close,” he says. “Afterwards, I thought, ‘Wait a minute, there’s enough reason here to be concerned.’ ” Now, wedged into a middle seat on the cross-country flight, Halderman stared in disbelief at the email from Barbara Simons, a fellow computer scientist and security expert. Working with Amy Rao, a Silicon Valley CEO and major Democratic fundraiser, Simons had arranged a conference call with John Podesta, Hillary Clinton’s campaign chair, to make the case for taking a closer look at the election results. Could Halderman be on the call in 15 minutes? United’s wi-fi system didn’t allow for in-flight phone calls. But Halderman wasn’t fazed. “I’m blocked,” he emailed Simons, “but I can try.” Within minutes, Halderman had circumvented the wi-fi and established an interface with computers at the University of Michigan, where at 36 he is the youngest full professor in the history of the computer science department. He dialed in to the call but did not speak, afraid of drawing attention to the fact that he was violating the airline’s phone ban.
Full Article: Inside the Recount | New Republic.
National: Not Okay: Professor Smeared After Advocating for Election Integrity | Electronic Frontier Foundation
Imagine if someone, after reading something you wrote online that they didn’t agree with, decided to forge racist and anti-Semitic emails under your name. This appears to be what happened to J. Alex Halderman, a computer security researcher and professor of computer science at the University of Michigan. Halderman is one of many election security experts—along with EFF, of course—who has advocated for auditing the results of the 2016 presidential election. The recent attempts to smear his name in retaliation for standing up for election integrity are a threat to online free speech. Halderman, who is a frequent collaborator and sometimes client of EFF, published a piece on Medium in November 2016 arguing that we should perform recounts in three states—Wisconsin, Michigan, and Pennsylvania—to ensure that the election had not been “hacked.” To be clear, despite a report in New York Magazine, Halderman never stated that there was hard evidence that the election results had in fact been electronically manipulated. He just stated that we should check to be sure:
The only way to know whether a cyberattack changed the result is to closely examine the available physical evidence — paper ballots and voting equipment in critical states like Wisconsin, Michigan, and Pennsylvania.
Full Article: Not Okay: Professor Smeared After Advocating for Election Integrity | Electronic Frontier Foundation.
After partial vote recounts in certain states, US election officials found no evidence that votes had been manipulated by a cyberattack on voting machines, security researchers told an audience at the Chaos Communication Congress hacking festival on Wednesday. But, the researchers called for a vast overhaul in voting machine security and related legislation, warning that an attack is still possible in a future election. “We need this because even if the 2016 election wasn’t hacked, the 2020 election might well be,” said J. Alex Halderman, a professor of computer science at the University of Michigan, during a presentation with Matt Bernhard, a computer science PhD student. Halderman’s and other security experts’ concerns made headlines in November when he participated in a call with the Clinton campaign about a potential recount in some states. Green Party candidate Jill Stein subsequently held a crowdfunding campaign to finance the recounts. “Developing an attack for one of these machines is not terribly difficult; I and others have done it again and again in the laboratory. All you need to do is buy one government surplus on eBay to test it out,” Halderman, who has extensively researched voting machine security, said during the talk.
Full Article: The 2016 Election Wasn’t Hacked, But the 2020 Election Could Be | Motherboard.
National: Clinton camp remains mum as 3-state recount urged over hacking questions | The New York Times
Hillary Clinton’s lead in the popular vote is growing. She is roughly 30,000 votes behind Donald Trump in the key swing states of Michigan and Wisconsin, a combined gap that is narrowing. Some of her impassioned supporters are urging her to challenge the results in those two states and Pennsylvania, grasping at the last straws to reverse Trump’s decisive majority in the Electoral College. In recent days, the supporters have seized on a report by a respected computer scientist and other experts suggesting that Michigan, Pennsylvania and Wisconsin, the keys to Trump’s Electoral College victory, need to manually review paper ballots to ensure the election was not hacked. “Were this year’s deviations from pre-election polls the results of a cyberattack?” J. Alex Halderman, a computer-science professor at the University of Michigan who has studied the vulnerabilities of election systems at length, wrote on the online-publishing platform Medium on Wednesday as the calls based on his conclusions mounted. “Probably not.” More likely, he wrote, pre-election polls were “systematically wrong.” But the only way to resolve the lingering questions would be to examine “paper ballots and voting equipment in critical states,” he wrote.
Full Article: Clinton camp remains mum as 3-state recount urged over hacking questions | The New York Times.
Since hackers have targeted the election systems of more than 20 states, cyber-security experts say Michigan should change its policy and routinely audit a sample of its paper ballots to protect against election fraud. Voter registration lists were hacked recently in Arizona and Illinois. The U.S. Department of Homeland Security would not acknowledge whether those particular systems were breached, but Secretary Jeh Johnson said hackers “in a few cases … gained access to state voting-related systems.” The department would not disclose whether Michigan was one of “a large number of state systems” scanned by hackers in preparation for possible attacks, but the Michigan Secretary of State’s office said the state’s voter registration lists have not been targeted or affected. … Audits in Michigan are only triggered in certain circumstances, according to the Secretary of State’s office. Automatic recounts for presidential ballot results happen when the leading candidates are 2,000 or fewer votes apart, while a losing candidate can request a recount for a district or certain precincts, according to the Secretary of State’s office. “It should be done routinely in order to provide a strong degree of confidence,” said University of Michigan cyber-security expert Alex Halderman. “That’s an opportunity for Michigan to improve its election procedures. You should audit every election.”
Full Article: Experts: State should audit election results.
One in four registered voters in the United States live in areas that will use electronic voting machines that do not produce a paper backup in the November presidential election despite concerns that they are vulnerable to tampering and malfunctions, according to a Reuters analysis. The lack of a paper trail makes it impossible to independently verify that the aging touch-screen systems are accurate, security experts say, in a year when suspected Russian hackers have penetrated political groups and state voting systems and Republican presidential candidate Donald Trump has said the election may be “rigged.” Election officials insist the machines are reliable, but security experts say they are riddled with bugs and security holes that can result in votes being recorded incorrectly. A Reuters analysis of data from the U.S. Census Bureau, the Election Assistance Commission and the Verified Voting Foundation watchdog group found that 44 million registered voters, accounting for 25 percent of the total, live in jurisdictions that rely on paperless systems, including millions in contested states such as Georgia, Pennsylvania and Virginia.
Full Article: Despite flaws, paperless voting machines remain widespread in U.S. | Reuters.
The U.S. election system will likely face a significant trial this year, thanks to a summer of startling revelations including nation-state-linked attacks targeting the Democratic National Committee and state voter databases, along with a statement of no-confidence by the Republican nominee. The result has been a slew of media stories positing how the election could be hacked. The ongoing cyber-attacks and raised doubts will put states’ choice of voting technology under the microscope, with a focus on the security of voting systems and the ability to audit the results produced by those balloting systems, according to election security experts. Unfortunately, while all but five states now have at least some systems with a verifiable paper trail, more than half do not have meaningful post-election audits, according to Verified Voting, a group focused on improving election-system integrity and accuracy. “We would like to see post-election audits everywhere,” Pamela Smith, director of the group, told eWEEK. “There is actual research showing that being able to conduct a robust audit in a public way brings confidence in the election. A voter-verifiable paper ballot is a tool to instill confidence that the election has come to true result.”
Full Article: Security Experts Voice Fears About Election Result Accuracy, Integrity.
In the aftermath of the 2 July federal election, Prime Minister Malcolm Turnbull and opposition leader Bill Shorten both indicated support for the potential use of eVoting to avoid drawn-out post-election ballot counting. However, the eVoting platform used in Australia’s most populous state — New South Wales’ iVote system — has again come under fire. The iVote system supports telephone and Internet-based voting in the state. The current version of iVote was produced by Scytl in partnership with the NSW Electoral Commission (NSWEC) and used in the 2015 state election. The robustness, privacy and verification method of the system have been questioned by two university researchers, one of whom was previously instrumental in uncovering a security vulnerability in iVote.
Full Article: NSW’s eVoting system under fire - Computerworld.
National: More than 30 states offer online voting, but experts warn it isn’t secure | The Washington Post
The popularity of voting online is growing and will be in place for the presidential election in more than 30 states, primarily for voters living overseas or serving in the military. But security experts and some senior Obama administration officials fear there is not enough protection for any ballots transmitted over the Internet. They are warning states that any kind of online voting is not yet secure and most likely will not be for years to come. “We believe that online voting, especially online voting in large scale, introduces great risk into the election system by threatening voters’ expectations of confidentiality, accountability and security of their votes and provides an avenue for malicious actors to manipulate the voting results,” Neil Jenkins, an official in the Office of Cybersecurity and Communications at the Department of Homeland Security, said at a conference of the Election Verification Network this spring. … Pamela Smith, president of Verified Voting, a nonprofit organization that advocates for legislation and regulation to promote accuracy, transparency and verifiability of elections, said that at first blush, online voting seems like a good idea to many people. “Sometimes jurisdictions that are adapting something like this spin it as ‘this is very 21st century, this is the modernization of elections,’” Smith said. “But it’s one of those cases where tried and true technology actually works best for elections. Paper ballots have many advantages. When something is online, you don’t have that physical record of voter intent.”
Full Article: More than 30 states offer online voting, but experts warn it isn’t secure - The Washington Post.
We are the pioneers of the secret ballot electoral system, but when it comes to electronic voting, Australia has long been behind the pack. Kazakhstan, India, Brazil and Estonia are among the countries who long ago swapped pencil-and-paper ballots for e-voting at polling stations or over the internet. Meanwhile, in Australia, most of us continue to bemoan the chore of queuing for hours at the polling booth. … During the NSW state election in March, residents who were vision impaired, disabled or out of town on election day were able to cast their vote with the remote voting system, iVote, in what was the biggest-ever test of e-voting in the country. … But the success of iVote was marred by reports two security experts had exposed a major security hole that could potentially affect huge numbers of ballots and maybe even change the election outcome. University of Melbourne research fellow Vanessa Teague said she and Prof Alex Halderman from the University of Michigan found iVote had a vulnerability to what’s called a man-in-the-middle attack when they tested the system with a practice server in the lead-up to the election. “We could expose how the person intended to vote, we could manipulate that vote, and we could interfere with the return of the receipt number and thus prevent the person from logging into the verification server afterwards,” she told news.com.au.
Full Article: E-voting: Why Australia isn’t voting electronically on election day | DailyTelegraph.