Internet Security Issues

Merrill: “likely to increase audits”

Merrill said her office will likely also increase its audits. Currently it randomly selects voting precincts to have primary results audited following elections; five percent of polling places that use optical scan machines are subject to the audit, as prescribed by Connecticut General Statutes 9-320f. Those counts are then matched against vote totals from optical scan machines.

 

the Myth of “Secure” Blockchain Voting

From David Jefferson at Verified Voting: Verified Voting Blog: The Myth of “Secure” Blockchain Voting <read>

Internet voting has been studied by computer security researchers for over twenty years. Cyber security experts universally agree that no technology, including blockchains, can adequately secure an online public election. Elections have unique security and privacy requirements fundamentally different from and much more stringent than those in other applications, such as e-commerce. They are uniquely vulnerable because anyone on Earth can attack them, and a successful cyberattack might go completely undetected, resulting in the wrong people elected with no evidence that anything was amiss….

Election security is a matter of national security. Blockchains, despite all the hype surrounding them, offer no defense against any of these well-known threats to which all online elections are vulnerable.

Israeli Firm Proves Our Point: Fax is as risky as Online Voting

As we have been saying for years, Online/Internet voting risks include email and fax voting.
<Since 2008>

Story today in the Washington Post:
Report: Hackers Target Fax Machines
Phone Line Connected To Computer Network Can Offer Access

Georgia: New information enhance title as a Most Vulnerable State

article from McClatchy: Georgia election officials knew system had ‘critical vulnerabilities’ before 2016 vote

Georgia election officials got a friendly warning in August 2016 that their electronic voting system could be easily breached.

But less than a month before the November election, a state cybersecurity official fretted that “critical vulnerabilities” persisted, internal emails show.

The emails, obtained through a voting security group’s open records request, offer a glimpse into a Georgia election security team that appeared to be outmatched even as evidence grew that Russian operatives were seeking to penetrate state and county election systems across the country…

The disclosures add to alarms about the security of Georgia’s elections — not only in 2016, but also heading into this fall’s midterm elections.

VoteAllegheny Analysis of Election Risks in One County

VoteAllegheny presents a report by Carnegie-Mellon researchers on the vulnerabilities in a single county in a swing state. The biggest takeaway for us is understanding that a top-down analysis of vulnerabilities can yield the most cost-effective areas to focus on preventing election fraud. Where we spend our resources can make a difference in the results!

Book Review: Reporter: A Memoir by Seymour Hersch

If you think it’s unfair to Hersh to reveal all his secrets in a review, don’t worry — this is not even 1/100 of what his book contains…

“Reporter” provides detailed explications of how Hersh has used these lessons [about investigated journalism], making it one of the most compelling and significant books ever written about American journalism. Almost every page will tell you something you’ve never heard before about life on earth. Sometimes it’s Hersh elaborating on what he’s already published; sometimes it’s new stories he felt he couldn’t write about when he first learned of them; and sometimes it’s the world’s most intriguing, peculiar gossip.

There is an excellent interview with Sy Hersh just released as an Intercepted podcast

Starting at about 10min in to the interview, Sy provides his take on the evidence that Russians accessed the DNC emails in the run-up to the Nov 2016 election…

Election Vulnerability: What we can learn from Ed Snowden and the NSA.

Now I have your attention, we can discuss the NSA and Ed Snowden in a bit. Let’s start with an Editorial:

Protecting Against Russian Cyber Risks is Insufficient. The attention on Cybersecurity, election hacking and Russian interference is good. There are cyber risks and Russia is capable. We should improve our cybersecurity across the board, including elections. Every vote should be backed up by a, so called, voter verified paper ballot. Yet that is far from sufficient.

Testimony to the Connecticut Cybersecurity Task Force – UPDATED

I testified in my capacity as Executive Director of the Connecticut Citizen Election Audit. I was the only member of the public providing testimony.

Why are post-election audits and paper ballots a critical component of protecting our elections?  “[D}data protection involves prevention, detection, and recovery”.  Cybersecurity and other measures protecting voting equipment and voting systems are primarily prevention measures and to a lesser degree detection measures. No matter how much effort we put into cybersecurity, software testing, and hardware maintenance there will always be a significant level of vulnerability.

Paper ballots, sufficient post-election audits, and recounts provide a primary means of detecting cyber, software, human, and hardware failures. They also provide a means of recovery. They provide for, so called, software independent verification of election results, resulting in justified public confidence.

Do you need a blockchain? (Probably not!)

Blockchains are the latest technology to enter the mainstream.  A blockchain powers and makes BitCoin possible. Many are treating blockchains as the next big breakthrough in technology. There is even a Blockchain Caucus in Congress.

Do not get your hopes up or bet your retirement savings on blockchains, they are definitely not the next Internet or Hula Hoop.  Most importantly they will not transform elections or solve the challenges of online voting.

From IEEE Do You Need a Blockchain?

“I find myself debunking a blockchain voting effort about every few weeks,” says Josh Benaloh, the senior cryptographer at Microsoft Research. “It feels like a very good fit for voting, until you dig a couple millimeters below the surface.”

American Progress Report: State Election Security Readiness

American Progress Report: Election Security in All 50 States

The report gives every state grades based on some detailed criteria. Connecticut was graded ‘B’, which it shared with several other states as the highest grade awarded. Yet there are problems and limitations with such reports. We would give Connecticut lower grades in some areas, higher in others, and are uncomfortable with other grades.

The report is useful and provides directions for improvement in many areas in every state. Election officials, legislators, and voters should act to improve our voting systems and laws in the near term.  We would give the authors A+ for effort and the report a grade of B.