Electronic Vulnerability | CTVotersCount.org

Electronic Vulnerability

What we don’t understand seems all but impossible and fictional

Like you I don’t know a lot about brain surgery, flying a jet, or hacking a cell-phone. Off-hand I often think of all of those somewhere on a spectrum from taking years to learn, to almost impossible, fictional or magical.  Yet the evidence is different. People learn brain surgery, perform it regularly and well. Just this week we saw a mechanic take-off and fly a jumbo jet, apparently with only some video game experience. Which brings me to my newest proverb:

What we don’t understand seems all but impossible and fictional.

But that is not true. Case in point, DEFCON.

Georgia: New information enhance title as a Most Vulnerable State

article from McClatchy: Georgia election officials knew system had ‘critical vulnerabilities’ before 2016 vote

Georgia election officials got a friendly warning in August 2016 that their electronic voting system could be easily breached.

But less than a month before the November election, a state cybersecurity official fretted that “critical vulnerabilities” persisted, internal emails show.

The emails, obtained through a voting security group’s open records request, offer a glimpse into a Georgia election security team that appeared to be outmatched even as evidence grew that Russian operatives were seeking to penetrate state and county election systems across the country…

The disclosures add to alarms about the security of Georgia’s elections — not only in 2016, but also heading into this fall’s midterm elections.

Top voting vendor, ES&S, admits lying to public and election officials for years

Article from Mother Board by Kim Zetter: Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States <read>

Wyden told Motherboard that installing remote-access software and modems on election equipment “is the worst decision for security short of leaving ballot boxes on a Moscow street corner.”

I would add that lying about ballot boxes being left on a Moscow street corner is equivalent to flat out lying about the software installed on your products. We should expect more from companies whose hands and integrity upon which our elections depend.

Election Vulnerability: What we can learn from Ed Snowden and the NSA.

Now I have your attention, we can discuss the NSA and Ed Snowden in a bit. Let’s start with an Editorial:

Protecting Against Russian Cyber Risks is Insufficient. The attention on Cybersecurity, election hacking and Russian interference is good. There are cyber risks and Russia is capable. We should improve our cybersecurity across the board, including elections. Every vote should be backed up by a, so called, voter verified paper ballot. Yet that is far from sufficient.

Life on the Internet “Frontier”

Today we all live on the Internet Frontier. Many of us in Connecticut had a reminder yesterday from our major communication provider Frontier Communications Corp.  As reported in the Hartford Courant: Customers Blast Frontier After Internet Outage

Customers of Frontier Communications Corp. in Connecticut complained Tuesday about lost internet service that the telecommunications company said was due to a software update…

What might we learn?

  • We are very dependent on a very risky infrastructure.
  • This is costly.

Testimony to the Connecticut Cybersecurity Task Force – UPDATED

I testified in my capacity as Executive Director of the Connecticut Citizen Election Audit. I was the only member of the public providing testimony.

Why are post-election audits and paper ballots a critical component of protecting our elections?  “[D}data protection involves prevention, detection, and recovery”.  Cybersecurity and other measures protecting voting equipment and voting systems are primarily prevention measures and to a lesser degree detection measures. No matter how much effort we put into cybersecurity, software testing, and hardware maintenance there will always be a significant level of vulnerability.

Paper ballots, sufficient post-election audits, and recounts provide a primary means of detecting cyber, software, human, and hardware failures. They also provide a means of recovery. They provide for, so called, software independent verification of election results, resulting in justified public confidence.

America is still unprepared for a Russian attack on our elections

Washington Post: America is still unprepared for a Russian attack on our elections

Though these machines are not routinely connected to the Internet, NYU’s Lawrence Norden warns that there are nonetheless ways to infiltrate them…

Having paper-friendly machines is hardly enough.

Officials don’t get risks of election hacking

There is no panacea. As we have been saying all along, nothing can fully protect us from hacking, fraud, and errors.  Maximum election security means Prevention, Detection, and Recovery.  For vote totals that means that we need to protect our paper ballots and then exploit them with sufficient audits and recounts.

New Yorker: America Continues to Ignore the Risks of Election Hacking

How Could CT Spend New Federal Election Security Money?

Connecticut will have available somewhere around $5 million to spend on election security in the new “omnibus” appropriations bill. Woefully inadequate for states that should be replacing touch-screen voting with all paper ballots.  etc., for a state that already has paper ballots, a lot can be accomplished.

Denise Merrill is already thinking about how to spend it: CTMirror: Omnibus has millions to strengthen CT voting system against cyber attacks.

Secretary Merrill asked me for suggestions in a brief conversation a couple of weeks ago. At the time, off the top of my head, I suggested and we briefly discussed three things. After consideration I would suggest some more things. Security is not just cyber security and training officials. It also requires physical protection of ballots, physical protection of voting machines, and understanding the situation before determining the training needed.

Do you need a blockchain? (Probably not!)

Blockchains are the latest technology to enter the mainstream.  A blockchain powers and makes BitCoin possible. Many are treating blockchains as the next big breakthrough in technology. There is even a Blockchain Caucus in Congress.

Do not get your hopes up or bet your retirement savings on blockchains, they are definitely not the next Internet or Hula Hoop.  Most importantly they will not transform elections or solve the challenges of online voting.

From IEEE Do You Need a Blockchain?

“I find myself debunking a blockchain voting effort about every few weeks,” says Josh Benaloh, the senior cryptographer at Microsoft Research. “It feels like a very good fit for voting, until you dig a couple millimeters below the surface.”

Page 1 of 2412345...1020...Last »