New Paper: Evidence Based Elections

A new paper by Andrew Appel and Philip Stark, EVIDENCE-BASED ELECTIONS: CREATE A MEANINGFUL PAPER TRAIL, THEN AUDIT, provides a thorough description of how the public can be assured of election outcomes, in spite of hackable voting equipment.

The bottom line: The only reliable method available is Voter-Marked Paper Ballots, with strong security for the ballots, followed by sufficient post-election audits. Other technologies, including Ballot Marking Devices and Internet voting, are insufficient.

Anyone interested in trustworthy elections should read this paper, especially those who think that expensive Ballot Marking Devices should be trusted, and those who think it is impossible to use technology to count votes accurately.

The vulnerability of computers to hacking is well understood. Modern computer systems, including voting machines, have many layers of software, comprising millions of lines of computer code; there are thousands of bugs in that code. Some of those bugs are security vulnerabilities that permit attackers to modify or replace the software in the upper layers, so we can never be sure that the legitimate vote-counting software or the vote-marking user interface is actually the software running on election day. One might think, “our voting machines are never connected to the Internet, so hackers cannot get to them.” But all voting machines need to be programmed for each new election: They need a “ballot-definition file” with the contests and candidate names for each election, and lists of the contests different voters are eligible to vote in. This programming is typically done via removable media such as a USB thumb drive or a memory card. Vote-stealing malware can piggyback on removable media and infect voting machines—even machines with no network connection. There is a way to count votes by computer and still achieve trustworthy election outcomes. A trustworthy paper trail of voter selections can be used to check, or correct, the electoral outcomes of the contest in an election…

If a BMD is hacked and systematically steals 5% of the votes in one contest and only 7% of voters inspect their ballots carefully enough to notice, then the effective rate of vote-theft is 5% × 93%, or 4.65%; this is enough to change the outcome of a moderately close election. The same analysis applies to a DRE+VVPAT system. One might think: “not everyone needs to carefully verify their ballots;” if only 7% of voters carefully inspect their ballots, they can serve as a kind of “random audit” of the BMDs. But this sentiment fails to hold up under careful analysis…

in our hypothetical scenario in which a hacked BMD steals 5% of the votes, and 7% of voters carefully inspect their ballots (and know what to do when they see a mistake), then 7% × 5% of voters will alert a pollworker; that is, 1 in every 285 voters will claim their paper ballot was mismarked—if the voters do not assume it was their own error. The BMD would successfully steal “only” 4.65% of the votes. One might think: “but some voters caught the BMD cheating, red-handed.” But nothing can be done. It is a rare election official who would invalidate an entire election because 1 out of 285 voters complained.

New report articulates, electronics much more vulnerable than we think

Those who understand Turing’s Theorem know that computers are ultimately all vulnerable to virtually undetectable errors and fraud. A new report reminds us just how much worse it is than we think: Wired: Hundreds of Millions of PC Components Still Have Hackable Firmware

That laptop on your desk or that server on a data center rack isn’t so much a computer as a network of them. Its interconnected devices—from hard drives to webcams to trackpads, largely sourced from third parties—have their own dedicated chips and code. That represents a serious security problem: Despite years of warnings, those computers inside your computer remain disturbingly unprotected, offering an insidious and nearly undetectable way for sophisticated hackers to maintain a foothold inside your machine.

That’s the helpful reminder provided by new research from security firm Eclypsium, which today released a report on components and PC peripherals connected to and inside of hundreds of millions of computers around the world. Eclypsium researchers found that a slew of network cards, trackpads, Wi-Fi adapters, USB hubs, and webcams all had firmware that could be updated with “unsigned” code that lacks any cryptographic verification. In other words, it could be rewritten without any security check.

You should be aware of and concerned about your phone, laptop, camera, car, or basically anything that has software or firmware or is connected to the Internet.

But what about, for instance, Connecticut’s AccuVoteOS voting machines and risks beyond the supply chain? Many tout that our machines are simple, do not use Windows, and are therefore not subject to well-known vulnerabilities. Yet they do contain a computer and internal firmware, and they are used with programmable memory cards. They have known vulnerabilities such as the Hursti Hack. That simplicity and rare, obscure programming makes them hackable, simply hackable, and makes the expertise to hack them seemingly rare as well.

We doubt election officials in Connecticut observe closely when the machines are serviced by the vendor. We know that physical security for our machines (and ballots) is weak, very weak. In most towns, multiple lone individuals can access them for hours undetected. In a few seconds, firmware can be swapped for a replacement that looks just like the original.

Many argue that expertise to modify that firmware is rare in election officials, perhaps in vendor staff. That is far from true. All that is needed is one individual with that expertise (I guarantee there are many, and it’s easy for many more to learn that skill). The person with access does not need that skill. All they need are the compromised chips or memory cards. If they have evil intent or are threatened, they can do the deed and, if necessary, get one of those jobs.

Early Returns from Iowa: Losers and Potential Winners

We may not know who won Iowa, yet we know the losers: Internet Voting, Caucusing, and Immediate Gratification.

NYTimes article: 2020 Iowa Caucus Updates: Delayed Results Lead to Confusion

“This app has never been used in any real election or tested at a statewide scale and it’s only been contemplated for use for two months now,” said Mr. Jefferson, who also serves on the board of Verified Voting, a nonpartisan election integrity organization.

“This is an embarrassment but it shouldn’t shake people’s confidence in the results,” Mr. Halderman said. “If this had been an election conducted by phone, or online, that would have been a major disaster. We might never know the results and would have had to re-run the entire contest.”

“This is an urgent reminder,” Mr. Halderman said, “of why online voting is not ready for prime time.”

A detail that emphasizes how ridiculous caucuses can be: Count: Bernie 101, Mayor Pete 66. Result after a coin-toss: 2 delegates each. That is actually mathematically defensible, yet unsettling. The whole process from beginning to end seems like that.

Editorial: Potential Winners…

Picking up where Dr. Halderman left off: Perhaps tomorrow, we will be able to declare two winners: Paper Records and Publicly Verifiable Elections

Too early to tell. If there are good paper records and they were displayed and photographed or otherwise verified by candidate supporters, both of those ideas will prove their value. On the other hand, even so, will those lessons actually be learned?

Iowa Democratic Party to use risky smartphone method for reporting results

From NPR: Despite Election Security Fears, Iowa Caucuses Will Use New Smartphone App

Iowa’s Democratic Party plans to use a new Internet-connected smartphone app to help calculate and transmit results during the state’s caucuses next month, Iowa Public Radio and NPR have confirmed.

Party leaders say they decided to opt for that strategy fully aware of three years’ worth of warnings about Russia’s attack on the 2016 presidential election, in which cyberattacks played a central role…

In an interview, Price declined to provide more details about which company or companies designed the app, or about what specific measures have been put in place to guarantee the system’s security.

Cybersecurity experts interviewed by NPR said that the party’s decision to withhold the technical details of its app doesn’t do much to protect the system — and instead makes it hard to have complete confidence in it.

“The idea of security through obscurity is almost always a mistake,” says Doug Jones, a computer science professor at the University of Iowa and a former caucus precinct leader. “Drawing the blinds on the process leaves us, in the public, in a position where we can’t even assess the competence of the people doing something on our behalf.”…

When initial results point to an apparent winner, then the assumption is any other person is trying to overturn the result, rather than insisting that it be accurate.  Remember Gore v. Bush when the Supreme Court was worried that Bush would be harmed by a delay to recount FL?  Or in 2010 when one town in Connecticut erroneously reported thousands of extra votes for candidate Foley for Governor, bringing extra concerns that uncounted votes in Bridgeport might erroneously elect candidate Malloy?

“Once you report something, it’s really hard to undo it, no matter how many retractions you print, no matter how many apologies you say, it’s too late,” Jones says. “From that point of view, someone hacking the reporting process, even though its purpose is entirely informal, not intended to have any permanent importance, is something that could be very disruptive.”

Kim Zetter investigates NC pollbook for Russian hack — And additional FL incidents!

From Politico: How Close Did Russia Really Come to Hacking the 2016 Election?

Why does what happened to a small Florida company and a few electronic poll books in a single North Carolina county matter to the integrity of the national election? The story of Election Day in Durham—and what we still don’t know about it—is a window into the complex, and often fragile, infrastructure that governs American voting…The infrastructures around voting itself—from the voter registration databases and electronic poll books that serve as gatekeepers for determining who gets to cast a ballot to the back-end county systems that tally and communicate election results—are provided by a patchwork of firms selling proprietary systems, many of them small private companies like VR Systems. But there are no federal laws, and in most cases no state laws either, requiring these companies to be transparent or publicly accountable about their security measures or to report when they’ve been breached. They’re not even required to conduct a forensic investigation when they’ve experienced anomalies that suggest they might have been breached or targeted in an attack.

And yet a successful hack of any of these companies—even a small firm—could have far-flung implications.

But VR Systems doesn’t just make poll book software. It also makes voter-registration software, which, in addition to processing and managing new and existing voter records, helps direct voters to their proper precinct and do other tasks. And it hosts websites for counties to post their election results. VR Systems software is so instrumental to elections in some counties that a former Florida election official said that 90 percent of what his staff did on a daily basis to manage voters and voter data was done through VR Systems software…

The company’s expansive reach into so many aspects of election administration and into so many states—and its use of remote access to gain entry into customer computers for troubleshooting—raises a number of troubling questions about the potential for damage if the Russians (or any other hackers) got into VR Systems’ network—either in 2016, or at any other time. Could they, for example, alter the company’s poll book software to cause the devices to malfunction and create long delays at the polls? Or tamper with the voter records downloaded to poll books to make it difficult for voters to cast ballots—by erroneously indicating, for example, that a voter had already cast a ballot, as voters in Durham experienced? Could they change results posted to county websites to cause the media to miscall election outcomes and create confusion? Cybersecurity experts say yes. In the case of the latter scenario, Russian hackers proved their ability to do precisely this in Ukraine’s results system in 2014.

Apparently NC is not the only suspicious incident related to VR Systems, and perfect for one Russian M.O.:

An incident in Florida in 2016 shows what this kind of Election Day confusion might look like in the U.S. During the Florida state primary in August 2016—just six days after the Russians targeted VR Systems in their phishing operation—the results webpage VR Systems hosted for Broward County, a Democratic stronghold, began displaying election results a half hour before the polls closed, in violation of state law. This triggered a cascade of problems that prevented several other Florida counties from displaying their results in a timely manner once the election ended…

If an attacker is inside VR Systems’ network or otherwise obtains the VPN credentials for a VR Systems employee, he can potentially remotely connect to customer systems just as if he were a VR Systems employee. When it comes to Russian hacking, this threat is not theoretical: It is precisely how Russian state hackers tunneled into Ukrainian electric distribution plants in 2015 to cause a power outage to more than 200,000 customers in the middle of winter.

VR Systems was likely successfully hacked:

The Mueller report goes a step further. It says that not only did Russian hackers send phishing emails in August 2016 to employees of “a voting technology company that developed software used by numerous U.S. counties to manage voter rolls,” but the hackers succeeded in installing malware on the unidentified company’s network. The Mueller investigators write: “We understand the FBI believes that this operation enabled the GRU [Russia’s military intelligence service] to gain access to the network of at least one Florida county government.”… Since the Mueller report was published earlier this year, it has been confirmed that two Florida counties were hacked by the Russians after receiving phishing emails…

It is possible that the reports from Mueller and the NSA are wrong, and that their authors—with no firsthand knowledge of events and with limited details about what occurred—mistakenly concluded that the phishing campaign against VR Systems was successful…

The fact that so many significant questions about VR Systems remain unanswered three years after the 2016 election undermines the government’s assertions that it’s committed to providing election officials with all of the timely information they need to secure their systems in 2020. It also raises concerns that the public may never really know what occurred in 2016.

It’s a long article, well worth reading. There are many details supporting and going beyond what we have highlighted here.

*****Update from Kim Zetter, 1/02/2020: Election probe finds security flaws in key North Carolina county but no signs of Russian hacking

“Absence of evidence shouldn’t be mistaken for evidence of absence,” said Susan Greenhalgh, vice president of policy and programs for National Election Defense Coalition. “I would hope the lesson learned here is that we need to be vigilant about irregularities from their onset … and promptly initiate investigations to rule out malicious cyber events.”

 

BMDs are dangerous to democracy

One of the key issues this year is the purchase of Ballot Marking Devices (BMDs) for all voters vs. Voter Marked Paper Ballots. In recent weeks, two board members have resigned from Verified Voting over a perception that VV is doing too much to tout Risk Limiting Audits (RLAs) of BMDs to the detriment of secure, evidence-based elections. An extensive article in the NY Review of Books highlights the issues with BMDs: How New Voting Machines Could Hack Our Democracy

The problem cited by the two board members, Philip Stark and Rich DeMillo, was VV touting RLAs of BMDs, with that publicity used as evidence in court by vendors refuting claims of the inadequacy of BMDs.

By mid-week Verified Voting had issued a clarification that states its general opposition to BMDs: Verified Voting Blog: Verified Voting Statement on Ballot Marking Devices and Risk-limiting Audits

Verified Voting strongly advocates for best practices, including hand-marked paper ballots (with some judicious use of BMDs), careful voter verification of machine-marked ballots, strong chain of custody for all paper ballots, proper ballot accounting, and risk-limiting audits to verify tabulations of paper ballots.

We have one nit with VV’s position, where they say: “Verified Voting recommends that any electronic tabulation of paper ballots be checked by a risk-limiting audit.” We say that RLAs, better described as Risk Limiting Tabulation Audits, are unsuitable for small contests. They are excellent for statewide and federal contests, yet at some point between that size and contests with a few thousand ballots, the only actual RLA would be more costly or always degrade into a full recount.
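The small-contest point above, worked through as an added example (not code from the paper, Verified Voting, or this blog). It uses BRAVO ballot-polling, one published RLA method that this page does not name, for a two-candidate contest with no invalid ballots; the contest sizes, vote shares, 5% risk limit, and the rule of escalating to a full hand count once the draws reach the number of ballots cast are all assumptions.

```python
import math
import random


def bravo_asn(winner_share, risk_limit):
    """Approximate expected number of ballots a BRAVO audit draws when the
    reported shares are correct (two candidates, no invalid ballots)."""
    z_w = math.log(2 * winner_share)        # log test factor for a winner ballot
    z_l = math.log(2 * (1 - winner_share))  # log test factor for a loser ballot (< 0)
    drift = winner_share * z_w + (1 - winner_share) * z_l
    return (math.log(1 / risk_limit) + z_w / 2) / drift


def bravo_audit(true_share, reported_share, risk_limit, ballots_cast, rng):
    """Run one ballot-polling audit, sampling ballots with replacement.

    true_share is what the paper ballots really say; reported_share is what
    the scanners reported. Returns (confirmed, draws). If the test has not
    confirmed the outcome after ballots_cast draws, the audit escalates to a
    full hand count (assumed escalation rule).
    """
    log_threshold = math.log(1 / risk_limit)
    z_w = math.log(2 * reported_share)
    z_l = math.log(2 * (1 - reported_share))
    log_ratio = 0.0
    for draws in range(1, ballots_cast + 1):
        # Each draw is a ballot for the reported winner with probability true_share.
        log_ratio += z_w if rng.random() < true_share else z_l
        if log_ratio >= log_threshold:
            return True, draws
    return False, ballots_cast


def simulate(ballots_cast, true_share, reported_share, risk_limit, trials, seed):
    """Repeat the audit; return (fraction ending in a full hand count, mean draws)."""
    rng = random.Random(seed)
    full_counts = 0
    total_draws = 0
    for _ in range(trials):
        confirmed, draws = bravo_audit(
            true_share, reported_share, risk_limit, ballots_cast, rng
        )
        total_draws += draws
        if not confirmed:
            full_counts += 1
    return full_counts / trials, total_draws / trials


if __name__ == "__main__":
    ALPHA = 0.05  # assumed risk limit
    # Constructed scenarios: (label, ballots cast, winner's true and reported share)
    scenarios = [
        ("town contest, 2% margin", 3_000, 0.51),
        ("town contest, 20% margin", 3_000, 0.60),
        ("statewide contest, 2% margin", 2_000_000, 0.51),
    ]
    for label, size, share in scenarios:
        rate, mean_draws = simulate(size, share, share, ALPHA, trials=100, seed=1)
        print(
            f"{label}: expected sample {bravo_asn(share, ALPHA):,.0f}, "
            f"simulated mean draws {mean_draws:,.0f} of {size:,} ballots, "
            f"full hand count in {rate:.0%} of audits"
        )
```

Ballot-level comparison audits need fewer ballots than ballot-polling at the same margin, so where the crossover to a full count falls depends on the RLA method used.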

From the Review of Books article:

Most leading election security experts instead recommend hand-marked paper ballots as a primary voting system, with an exception for voters with disabilities. These experts include Professor Rich DeMillo of Georgia Tech, Professor Andrew Appel of Princeton University, Professor Philip Stark of the University of California at Berkeley, Professor Duncan Buell of the University of South Carolina, Professor Alex J. Halderman of the University of Michigan, and Harri Hursti, who is “considered one of the world’s foremost experts on the topic of electronic voting security” and is “famously known for his successful attempt to demonstrate how the Diebold Election Systems’ voting machines could be hacked.” These scholars warn that even a robust manual audit, known as a Risk Limiting Audit, cannot detect whether a BMD-marked paper ballot has been hacked. BMDs instead put the burden on voters themselves to detect whether such ballots include fraudulent or erroneous machine marks or omissions—even though studies already show that many voters won’t notice.

For this reason, many analysts have cautioned against acquiring these new ballot-marking machines for universal use, but election officials in at least 250 jurisdictions across the country have ignored their advice. Georgia (all one hundred and fifty-nine counties), South Carolina (all forty-six counties), and Delaware (all three counties) have already chosen these systems for statewide use in 2020. At least one or more counties in the following additional states have done the same: Pennsylvania (for the most populous county, plus at least four more), Wisconsin (for Waukesha, Kenosha, Chippewa and perhaps more), Ohio (for the most populous county and others), Tennessee (for at least ten counties), North Carolina (for the most populous county), West Virginia (for the most populous county and at least one other), Texas (for at least Dallas and Travis counties), Kentucky (for the most populous county), Arkansas (at least four counties), Indiana (for the most populous county and at least eight others), Kansas (for the first and second most populous counties), California (again, for the most populous county), Montana (at least one county, though not until 2022), and Colorado (for early voting). New York state has certified (that is, voted to allow) one such system as well.

Editorial: We should not be wasting Federal and State money on BMDs except for those with disabilities. Instead, we should be using a portion of the savings on developing better BMDs that better serve those with disabilities.

 

The arguments for and against BMDs go on, amidst expensive problems in PA

From Bloomberg: Expensive, Glitchy Voting Machines Expose 2020 Hacking Risks

Paper ballots may be safer and cheaper, but local officials swoon at digital equipment…

Her experience Nov. 5 was no isolated glitch. Over the course of the day, the new election machinery, bought over the objections of cybersecurity experts, continued to malfunction. Built by Election Systems & Software, the ExpressVote XL was designed to marry touchscreen technology with a paper-trail for post-election audits. Instead, it created such chaos that poll workers had to crack open the machines, remove the ballot records and use scanners summoned from across state lines to conduct a recount that lasted until 5 a.m.

In one case, it turned out a candidate that the XL showed getting just 15 votes had won by about 1,000. Neither Northampton nor ES&S know what went wrong…

But now, the machinery that was supposed to be the solution has spawned a whole new controversy, this time with national security at stake—the prospect of foreign states disrupting American elections…

Yet many state and local jurisdictions, like Northampton County, are buying a new generation of computerized voting machines ahead of the 2020 presidential election that security experts say are less secure and cost more—about $24 per voter, compared with $12 per voter in jurisdictions using a mix of the two systems, according to the University of Pittsburgh, which analyzed costs in Pennsylvania…

Cybersecurity experts are baffled by local election officials choosing the computerized voting machines. “It’s a mystery to me,” said Rich DeMillo, a Georgia Tech computer science professor and former Hewlett-Packard chief technology officer. “Does someone have 8 x 10 glossies? No one has been able to figure out the behavior of elections officials. It’s like they all drink the same Kool-Aid.”

The animus is mutual. At conferences, election administrators swap complaints about cyber experts treating them like idiots, said Dana DeBeauvoir, head of elections in Travis County, Texas, whose office purchased a computerized system DeMillo deplores. Hand-marked ballots are “a supremely horrible idea” cooked up by people in Washington “who have never had to really conduct an election,” she said.

We have long agreed with all those calling for Voter Marked Paper Ballots. Paying double or more for machines that are risky and lead to long lines can most easily be explained by the extensive lobbying of election officials and legislative bodies.

Reminder, Cybersecurity will never be enough

States and the Federal Government are pumping millions into cybersecurity and new voting systems. That is all good, especially when the new systems are for Voter Marked Paper Ballots and Ballot Marking Devices for those with disabilities. Yet ultimately, it can provide a false sense of security. No matter how strong the cybersecurity and the quality of software, based on Turing’s Halting Problem, it is impossible to secure a computer system from errors and hacking. It is also impossible to secure systems from insiders and others with physical access.

Today’s stories at The Voting News provide a reminder of current vulnerabilities:

How state election officials are contributing to weak security in 2020 | Joseph Marks/The Washington Post
Cyber firm examines supply-chain challenge in securing election ecosystem | Charlie Mitchell/InsideCyberSecurity.com
Editorials: Cyber attacks threaten security of 2020 election | Ray Rothrock/San Jose Mercury-News
Arizona: Is Arizona doing enough to protect 2020 elections? Computer security experts weigh in | Andrew Oxford/Arizona Republic
Georgia: Check-in computers stolen in Atlanta hold statewide voter data | Mark Niesse and Arielle Kass/The Atlanta Journal-Constitution
(PS: Instead of stealing these computers they could have hacked them or the voting machines.)
Louisiana: New Louisiana election, same old voting machines | Melinda DeSlatte/Associated Press
New Jersey: Activists press for federal support to upgrade New Jersey’s vulnerable voting machines | Briana Vannozzi/NJTV News
North Carolina: Experts Warn of Voting Machine Vulnerabilities in North Carolina | Nancy McLaughlin/Greensboro News & Record
North Carolina: Voting equipment approval didn’t follow law | Jordan Wilkie/Carolina Public Press
Pennsylvania: Elections officials touted new electronic poll books. Now the city says they don’t work right. | Jonathan Lai/Philadelphia Inquirer

That is why we need:

  • Voter Marked Paper Ballots that can be audited and recounted to verify the machine results
  • Strong physical security and chain-of-custody for ballots
  • Best is publicly scanned and reported machine totals compared to the physical ballots

Op-Ed: Election Security Isn’t That Hard

Op-Ed in Politico by two former secretaries of state, one D and one R: Election Security Isn’t That Hard

That’s not to say that it’s easy, particularly given the decentralized nature of our election administration system. Most states administer elections locally and only a few states have uniform equipment in each locality. For many years, election administration has been woefully underfunded, leading to wide variability in capacity and resources. But, as long as the equipment incorporates a voter-marked paper ballot, officials can adjust existing processes to instill confidence in elections, regardless of the equipment in place.

First, we need to dispel one misconception. Many people (including many election officials) believe that if a voting system or scanner is never connected to the internet, it will always be safe. Alas, that’s not the case…

What this means is that while we must make our election infrastructure as secure as possible, we need to accept that it is essentially impossible to make those systems completely secure.

We completely agree. It’s important to take strong security measures to protect election systems – voting systems, registration systems – yet that can never be sufficient. We need systems, manual and computer, that are not dependent on electronics: paper voter lists at every polling place to back up electronic pollbooks and online voter databases, paper ballots to vote on when the systems fail or the power goes out, and independent audits and recounts of the paper to detect problems and to recover from errors, fraud, and disasters.

The three parts work together. Voter-verifiable paper ballots are required as a check on the computers that tabulate the ballots. The strong chain of custody prevents ballot box stuffing, as well as the theft or alteration of voted ballots. And ballot audits, known as Risk-Limiting Audits (RLAs), make it possible to recover from an attack, or even from malware or unintended mistakes, by randomly selecting ballots and using them to check the accuracy and correctness of the scanner.

It’s not enough to just have paper ballots – it’s also important that they be checked by voters. If a voter makes a mistake while marking her ballot or if a machine that marks a paper ballot for the voter misrecords the voter’s selections, then the voter’s choices will not be correctly counted. This is an important step to raise confidence in the validity of any system. A strong chain of custody also increases confidence.

Overall, we agree as far as this goes. Yet, Risk Limiting Tabulation Audits alone are not sufficient. We need additional audits to check the rest of the process, “process audits” e.g. chain-of-custody/ballot security audits, check-in process audits (appropriate voters allowed or excluded from voting?), accuracy of the voter registration database and lists etc.  Like many officials the authors focus on cyber attack, yet we must also protect our systems from insider attack.

Connecticut has a way to go to meet these standards. We do have voter marked paper ballots and air-gapped systems. Yet we have insufficient protection of those paper ballots and insufficient election audits.