Letter: Focus on Russia Takes Heat Off Multitude of Election Vulnerabilities

A few days ago a Washington Post article, repeated in the Hartford Courant, focused on election risks from our current enemy of choice, Russia <read>.  Here is my letter, published in the Courant today:

Many Election Security Risks

The Sept. 6 article “U.S. Fears Russia Hack” [Page 1] provides an inflammatory view of the risks to U.S. elections. Focusing on one potential risk from our current enemy of choice takes the attention off the multitude of risks.

The truth is that there is no more or less risk to elections this year than in the recent past. The bad news is that the risks of election skullduggery are significant and do not come only from one adversary. A report from the Institute for Critical Infrastructure Technology says it all: “Hacking Elections is Easy!” The report discusses how our election infrastructure, from voting machines to registration and reporting systems, is all at risk.

In Connecticut, like most states, a disruption in our centralized voter registration system on Election Day, or its compromise before voter lists are printed, would disrupt an election. In many municipalities, voted ballots are easily accessible to multiple single individuals, “protected” only by all but useless tamper-evident seals. Partisans run our elections from top to bottom. Most are of high integrity, yet there is high motivation for manipulation.

We can do much better in the long run, if the actual risks are not forgotten after November.

Highly Recommended: Hacking Elections Is Easy!

From the Institute for Critical Infrastructure Technology: Hacking Elections Is Easy <read>. It is the most layperson-accessible, comprehensive overview of the problems we face in protecting our elections that I have seen in a long time. It is 23 pages, yet very readable. The main points are:

  • We face multiple risks to our elections: registration systems, voting systems, reporting systems, and ballot security.
  • We face risks from multiple actors: nations with an interest in manipulating our elections, corporations, U.S. government agencies, sophisticated hackers, and insiders at all levels.
  • Even for the unsophisticated, hacking is easy. There are simple insider attacks, simple cyber attacks, and kits on the Internet to compromise results or simply disrupt elections.
  • Most election officials are of high integrity. Yet blind trust in all officials, in the machines, and in the belief that hacking is difficult is perhaps our greatest risk.

Just a couple excerpts from the Introduction:

To hack an election, the adversary does not need to exploit a national network of election technology. By focusing on the machines in swing regions of swing states, an election can be hacked without drawing considerable notice. Voter machines, technically, are so riddled with vulnerabilities that even an upstart script kiddie could wreak havoc on a regional election, a hacktivist group could easily exploit a state election, an APT could effortlessly exploit a national election and any corrupt element with nothing more than the ability to describe the desired outcome could order layers of exploits on any of the multitude of deep web forums and marketplaces. Yes, hacking elections is easy…

Manufacturers and voting officials have constructed an illusion of security based on the semblance of complexity when, in reality, voting machines are neither secure nor complex. In general, these stripped down computers utilizing outdated operating systems possess virtually every conceivable vulnerability that a device can have…

Attackers’ ability to exploit vulnerabilities in the systems that support the American democratic process is not exclusive to election machines. Catastrophically disrupting the campaign of just about any political candidate can be done with little more than a DDoS attack on fundraising links and web properties, spam widgets on social media platforms, an insider threat who delivers a malicious payload on a USB drive or unsuspectingly by clicking a link in a spear phishing email, and a ransomware variant to encrypt important donor lists to further cripple fundraising. A pseudo-tech-savvy adversary could create a network of spoofed sites to confuse voters and this is just the beginning. By combining attack vectors and layering attacks, an adversary can manipulate the democratic process by inciting chaos, imbuing suspicion, or altering results.

…an eighteen-year-old high school student could compromise a crucial county election in a pivotal swing state with equipment purchased for less than $100, potentially altering the distribution of the state’s electoral votes and thereby influencing the results of the Presidential election…

An unskilled threat actor may begin a campaign by sending phishing emails or using free script kiddie tools to remotely attack undefended local networks to compromise email and exfiltrate internal documents that reveal the types of systems used in an election as well as their storage conditions.

Hack Pointless? Or State of Denial?

Earlier this week Secretary of the State Denise Merrill, ROVAC President Melissa Russell, and the Manchester, CT Registrars of Voters talked to NBC Connecticut. We add some annotation to the transcript, in [brackets].

NBC Connecticut
CT Election Officials Say a Hack Nearly Pointless
By Max Reiss
(Published Monday, Aug. 29, 2016)

After the FBI notified election officials nationwide of a hack on election databases in Arizona and Illinois, many went on alert, on the lookout for specific IP addresses.  [A word to the wise: there are many IP addresses out there, and an attacker can change addresses at will. A published list is a useful indicator, but it is suspicious activity that needs to be guarded against, not particular IP addresses.]

In Connecticut, state election officials said the IP addresses in question haven’t yet shown up on state servers, but added that the information obtained in Illinois, a list of more than 200,000 and their voting data like addresses and phone numbers, are already publicly available in Connecticut. [Yes, but it is available at a price. We might ask whether Russians or other groups outside of Connecticut have requested a copy. Also, all the risks that concern Illinois are still present here; if the data are available legitimately, they are just a bit easier to obtain in Connecticut.]
“I think someone said it was like hacking the phone book,” quipped Secretary of the State Denise Merrill.
She explained that Connecticut has perhaps the most decentralized voting and registration system in the country, with 169 cities and towns that act as their own districts. Built into that system is an entirely paper-based trove of voter cards, ballots, and backups. [There are advantages to decentralization, and some downsides. It is much harder to mount a general attack on systems across the state. Yet it is easier to compromise local systems: local officials are much less capable of protecting systems, and local insider attacks are easier to accomplish. Let us remember that partisan officials have at least as much motivation as the Russians to change results, and local officials have more opportunity. Most election officials are of high integrity, yet they are not immune to the same forces that have landed Connecticut governors, mayors, legislators, and police in jail.]

“When you go into vote and you go to register on the list, it’s all still on paper so there is no simple database that’s containing all of the information,” Merrill said. [Actually, there is: it is called the Centralized Voter Registration System (CVRS). It is vital on Election Day for Election Day Registration and for checking voters who might have been incorrectly registered. The paper list in the polling place is only as good as the CVRS was a few days before the election, when the list was printed. An attack on the CVRS could change many registrations so that voters are not registered on Election Day, or send absentee ballots to false addresses to be voted illegally. Addresses could also be changed without hacking the CVRS at all, through online registration. Online registration requires a voter’s CT driver’s license ID; that ID could be obtained by hacking the DMV database, if it is not already in the CVRS. (Has anyone checked the security of the DMV database?)]

Voter lists themselves are already public records and campaigns purchase lists from the Secretary of the State every year.

Local registrars, like Jim Stevenson and Tim Becker in Manchester, wonder what a hacker could really get from a hack of even a local election computer. [The answer, known for years: even amateurs could change the result printed by the scanner. One method is the widely known Hursti Hack; UConn has described others. We are left to wonder why NBC did not interview anyone with the expertise to answer the registrars’ question.]
“They would get, you know, name, address, phone number, DMV information such as license number, which is already made available if someone wanted to come in through Freedom of Information,” said Stevenson, the Democratic Registrar of Voters. [I doubt driver’s license IDs are FOIable. If they are, we have problems for voter registration and other reasons. Once again, NBC could and should have asked experts.]

Even the machines used to digitally tabulate election results aren’t connected to the internet in cities and towns.
Melissa Russell, a Bethlehem Registrar of Voters, with the Registrars of Voters Association of Connecticut reiterated the point that physical record keeping in Connecticut places the state at an advantage. [Not having voting systems connected to the Internet is definitely an advantage. Yet, not so much against local insider attacks, especially when local officials and their leaders are so confident (overconfident?)]
We also have the advantage of a paper ballot system, where we can look at every vote cast in the case of any discrepancy to make sure our elections equipment has performed accurately. [Officials can. Candidates and the public cannot. The record of officials in looking carefully during post-election audits is quite questionable. <See the Citizen Audit Reports>]
Becker, the GOP registrar in Manchester, explained how state law mandates that each town keep individual paper records for voters, meaning that altering results or hacking would be a tall task.
“They would have to destroy the fireproof cabinets in 169 cities and towns to actually mess with our voter list.” [As we said before, they could alter the CVRS records and the paper lists used at the polls would be wrong. The registrar’s office usually consults the online system first, so it would have to be concerned about a particular case before checking the paper voter registration record. In a mass attack, having each polling place call the registrars’ office to check the paper record for every voter would disrupt the whole election day. And once again, an insider attack on those paper records would be relatively simple.]
Published at 10:26 PM EDT on Aug 29, 2016
Source: CT Election Officials Say a Hack Nearly Pointless | NBC Connecticut
http://www.nbcconnecticut.com/news/local/CT-Election-Officials-Say-a-Hack-Nearly-Pointless391684361.html#ixzz4Ipw9JbFD
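The watch-list point in the annotation above (that a bulletin of IP addresses is a weak defence on its own, and that suspicious activity is what must be guarded against) can be made concrete. The following Python is an added illustration, not code from the NBC article, the state, or this site: it runs two checks over a constructed web-server access log built from documentation IP ranges (no real traffic), one matching source addresses against a hypothetical watch list, the other applying behaviour rules that do not care which address is involved. The log format, the watch list, and the thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined"-style access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Addresses from a hypothetical bulletin. 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges, so nothing here is real traffic.
IOC_IPS = {"203.0.113.7"}


def build_sample_log() -> str:
    """Constructed sample log: two ordinary lookups from a watch-listed
    address, six failed admin logins from an address on no list, and a
    dozen probes of non-existent paths from a third address."""
    lines = [
        '203.0.113.7 - - [29/Aug/2016:10:00:01 -0400] "GET /voter/lookup?id=1 HTTP/1.1" 200 512',
        '203.0.113.7 - - [29/Aug/2016:10:00:09 -0400] "GET /voter/lookup?id=2 HTTP/1.1" 200 514',
    ]
    for s in range(6):
        lines.append(f'198.51.100.9 - - [29/Aug/2016:10:01:{s:02d} -0400] '
                     f'"POST /admin/login HTTP/1.1" 401 0')
    for i in range(12):
        lines.append(f'192.0.2.44 - - [29/Aug/2016:10:02:{i:02d} -0400] '
                     f'"GET /probe{i}.php HTTP/1.1" 404 0')
    return "\n".join(lines)


def parse_log(text: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def ioc_hits(entries: list[dict], ioc_ips: set[str]) -> list[str]:
    """Indicator match: source addresses that appear on the watch list."""
    return sorted({e["ip"] for e in entries if e["ip"] in ioc_ips})


def behavioural_hits(entries: list[dict], fail_threshold: int = 5,
                     scan_threshold: int = 10) -> dict[str, list[str]]:
    """Behaviour rules that do not depend on the address itself:
    repeated authentication failures, and probing of many distinct
    non-existent paths (a scanner signature). Thresholds are assumptions."""
    failures = Counter()
    missing_paths = defaultdict(set)
    for e in entries:
        if e["status"] in (401, 403):
            failures[e["ip"]] += 1
        elif e["status"] == 404:
            missing_paths[e["ip"]].add(e["path"])
    findings: dict[str, list[str]] = defaultdict(list)
    for ip, n in failures.items():
        if n >= fail_threshold:
            findings[ip].append(f"{n} failed logins")
    for ip, paths in missing_paths.items():
        if len(paths) >= scan_threshold:
            findings[ip].append(f"{len(paths)} distinct 404 paths")
    return dict(findings)


if __name__ == "__main__":
    entries = parse_log(build_sample_log())
    print("watch-list matches:", ioc_hits(entries, IOC_IPS))
    print("behavioural findings:", behavioural_hits(entries))
```

On the constructed log the watch-listed address does nothing but two ordinary lookups, while the six failed admin logins and the scanner probing a dozen non-existent paths both come from addresses on no list; only the behaviour rules catch them. Indicator lists and behaviour rules complement each other, and a real deployment would feed both from the live log pipeline and tune the thresholds per site.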

Is our election hackable or not?

We hear from Richard Clarke, President Obama, Pam Smith, and Secretary of the State Denise Merrill.  We annotate Denise Merrill’s recent press conference.

Richard Clarke, former White House senior cybersecurity policy adviser, via ABC News: Yes, It’s Possible to Hack the Election <read>

Those experiences confirm my belief that if sophisticated hackers want to get into any computer or electronic device, even one that is not connected to the internet, they can do so. The U.S., according to media reports, hacked in to the Iranian nuclear centrifuge control system even though the entire system was air-gapped from the internet. The Russians, according to authoritative accounts, hacked into the Pentagon’s SIPRNet, a secret-level system separate from the internet. North Koreans, computer forensics experts have told me, penetrated SWIFT, the international banking exchange system. Iranians allegedly wiped clean all software on over 30,000 devices in the Aramco oil company. The White House, the State Department and your local fast food joint have all been hacked. Need I go on?…

Some systems produce a paper ballot of record, but that paper is kept only for a recount; votes are recorded by a machine such as an optical scanner and then stored as electronic digits. The counting of the paper ballots of record — when there are such things — is exceedingly rare and is almost never done for verification in the absence of a recount demand.

President Obama via NPR: President Obama: The Election Will Not Be ‘Rigged’ <read>

“Of course the election will not be rigged! What does that mean?” Obama said at a news conference at the Pentagon. “That’s ridiculous. That doesn’t make any sense.”

The president added Americans should not take Trump’s musings on this seriously. “We do take seriously, as we always do,” the president said, “our responsibilities to monitor and preserve the integrity of the voting process.”

Pam Smith, Verified Voting via NPR: Hacking An Election: Why It’s Not As Far-Fetched As You Might Think  <read>

“Wherever there’s a fully electronic voting system, there’s potential for tampering of some kind,” said Pamela Smith, president of Verified Voting. She says her nonprofit group has been warning about such tampering for years.

Smith says the Democratic Party hacks are another red flag that someone might try to interfere with election results, and that there are many ways to do that.

“If you can get at an election management system, you could potentially alter results, or muddy up the results, or you could even just shed doubt on the outcome because you make it clear that there’s been tampering,” she says.

Denise Merrill, Connecticut Secretary of the State and President of the National Association of Secretaries of State, press conference as reported by CTNewsJunkie: Merrill Defends Integrity of Connecticut’s Voting System <read>  With our annotations in [brackets]

“I think it’s highly improbable at best that a national system of elections could be hacked. First of all there is no national system of elections,” Merrill, who is president of the National Association of Secretaries of State, said Wednesday. “Our election system is extremely decentralized.” [This is a strawman. It does not take a national hack. In a close election, hacking just one or two swing states could do the job. In fact, manipulating just a couple of polling places in Florida alone could have changed the winner of the Electoral College either way. A single state could have made the difference in 2004 and 1960.]

She said there is no credible cyber security threat. [This is just plain false in light of all the known hacks of government, election, and corporate systems. Perhaps it was taken out of context.]

In Connecticut there is no county government, so there are 169 towns who are all in charge of running the election and none of them are connected to the Internet. [All of them are connected to the Internet, especially to the Centralized Voter Registration System, which is critical on Election Day for 5% to 10% of the vote, and to the new end-of-day Election Night Reporting System. I applaud the Secretary for continuing to follow the UConn recommendations, implemented by the Bysiewicz administration, to keep the voting machines off the Internet. Unfortunately that does not guarantee security. a) See the Stuxnet attack: it destroyed Iranian nuclear centrifuges that were isolated from the Internet. b) It is easy for a single insider to hack the voting machines in a single town. Sadly, officials in each of 169 towns cannot approach the levels of security of military, government, or corporate installations, all of which have been hacked by insiders and outsiders.]

“The idea that somehow there could be some national system hack is very unlikely,” Merrill said. [I agree, yet it is a strawman argument]

She said different states are using different kinds of election equipment, but Connecticut is using optical scan machines, which are not connected to the Internet.

Alexander Schwarzmann, head of the University of Connecticut’s Voter Technology Research Center, said there is no possible way to connect the optical scan voting machines to the Internet.

He said Connecticut’s optical scan machines also rely on a paper ballot so those can be counted independently of technology. [As we have said many times, it depends on who wants to look. Go to your town hall and ask to see and count the ballots.]

Merrill said there’s been a lot of pressure on the state to go to some type of Internet voting, but she has resisted. The state purchased the optical scan machines about 10 years ago and has developed an auditing process for the memory cards that are inserted into the machines…[As we have told the Secretary and others several times, defending against Internet voting has been her finest hour!]

Peggy Reeves, director of elections, said most of the mistakes made in elections can be attributed to “human error.” [Unfortunately, too often the SOTS Office and registrars assume, without investigation, that any differences found in a post-election audit are human error in the hand count rather than in the machine count. Sometimes the scanners have counted incorrectly in Connecticut; sometimes local officials pursue the problem and determine that it was not human error in the hand count but human error in the election process that led to an incorrect count being certified. Hacking, fraud, machine error, and errors in the process all must be investigated, resolved, and prevented in the future.]

Merrill said she wanted to sit down with the media Wednesday to “reassure the voters” that Connecticut’s voting system is secure. [Overconfidence is a standard concern of security professionals as an indicator of security risk.]

As far as fraud is concerned, Merrill said the concern in Connecticut is whether people are appropriately filing absentee ballots. She said the law says a person must be absent from the state or unable to get to the polls from 6 a.m. to 8 p.m. [We agree that absentee voting fraud should be a concern. That is why we warn against all-mail voting and no-excuse absentee voting.]

Also a Courant article covering the same press conference: <read>

…during a demonstration in Merrill’s office, Peggy Reeves, the state director of elections, showed how the machine is locked with a tamper-proof seal. The UConn Center for Voting Technology Research tests the memory cards the machines use before and after each election.

As we said in our comment on the article:

To be clear, CT does not use “tamper-proof” anything, tape or seals. They are called “tamper-evident”. What that means is that if officials follow good seal protocols, and the seals are actually tamper-evident as applied, then officials should be able to detect if they have been tampered with.

Connecticut does not have, as far as I know, any such protocols. Many apply the seals in ways that could easily be compromised. NJ tried six times to create effective seal protocols and failed each time. Finally, seals are designed to prevent outsiders from tampering without detection by insiders. It would be much more difficult for seals to protect against insider access.
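What a “seal protocol” amounts to in practice is a custody log and a check against it. The following Python is an added illustration, not part of the comment above and not any Connecticut or New Jersey procedure: it models a hypothetical seal log (serial number recorded when a seal is applied, serial observed when it is cut, who did it, who witnessed it) and checks the log for the three things such a protocol must catch. The rules, the serial numbers, and the official names are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SealEvent:
    """One line of a hypothetical seal log."""
    action: str     # "seal" when a seal is applied, "open" when it is cut
    container: str  # what was sealed, e.g. a scanner's memory-card bay
    serial: str     # serial number read off the seal at this event
    by: str         # official performing the action
    witness: str    # second official present, "" if none


def check_custody(events, require_two_person=True):
    """Return a list of findings; an empty list means the log is consistent.

    Assumed protocol rules:
      1. each 'open' must find the serial recorded by the latest 'seal'
         on that container (a different serial means the seal was replaced);
      2. a container cannot be opened with no seal on record, nor resealed
         while a seal is still on record (a missing step in the chain);
      3. with require_two_person, every event needs a witness who is not
         the actor, since a lone insider can cut and replace a seal.
    """
    findings = []
    on_record = {}  # container -> serial of the seal currently applied
    for i, e in enumerate(events):
        if require_two_person and (not e.witness or e.witness == e.by):
            findings.append(f"#{i} {e.action} {e.container} by {e.by}: no independent witness")
        if e.action == "seal":
            if e.container in on_record:
                findings.append(f"#{i} {e.container}: resealed while {on_record[e.container]} still on record")
            on_record[e.container] = e.serial
        elif e.action == "open":
            expected = on_record.pop(e.container, None)
            if expected is None:
                findings.append(f"#{i} {e.container}: opened with no seal on record")
            elif expected != e.serial:
                findings.append(f"#{i} {e.container}: found {e.serial}, recorded {expected}: seal replaced")
        else:
            findings.append(f"#{i}: unknown action {e.action!r}")
    return findings


# Constructed logs for one container; serials and names are made up.
BAY = "scanner-3 memory card bay"
CLEAN = [
    SealEvent("seal", BAY, "CT-000417", "official_1", "official_2"),
    SealEvent("open", BAY, "CT-000417", "official_2", "official_1"),
]
REPLACED = [
    SealEvent("seal", BAY, "CT-000417", "official_1", "official_2"),
    SealEvent("open", BAY, "CT-000988", "official_2", "official_1"),
]
SOLO = [
    SealEvent("seal", BAY, "CT-000417", "official_1", ""),
    SealEvent("open", BAY, "CT-000417", "official_1", ""),
]

if __name__ == "__main__":
    for name, log in (("clean", CLEAN), ("replaced", REPLACED), ("solo", SOLO)):
        print(name, check_custody(log) or "consistent")
```

Rule 1 is what makes a seal tamper-evident at all: without a recorded serial to compare against, a cut-and-replaced seal looks like any other seal. Rule 3 is the only one that bears on the insider problem the comment raises, and it only helps if the log itself is kept by someone other than the person with the seal stock; an insider who can both reseal and write the log passes every check here.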

Also the Secretary of the State on Where We Live: <Listen>

We called in and discussed the Election Performance Index, areas it does not cover, and the cyber risks to our Election Day Registration System.  The Secretary stated that we “Audit all voting machines”.  That is incorrect.  We audit 5% of polling place voting machines (until July 1st we audited 10%), never audit central count absentee ballot systems, and the audit, as conducted, is insufficient to provide the credibility Connecticut voters deserve.  <See the observation reports at the Citizen Audit>
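The 5% and 10% figures above are easy to reason about with a worked example. The following Python is an added illustration, not part of the original post and not Connecticut's audit procedure: for an audit that picks a fixed number of polling-place scanners uniformly at random, it computes the probability that at least one of a set of manipulated scanners lands in the sample (a hypergeometric calculation) and the smallest sample that reaches a target detection probability. The machine counts used are assumptions chosen for illustration.

```python
from fractions import Fraction
from math import ceil, comb


def detection_probability(total: int, bad: int, sampled: int) -> Fraction:
    """Probability that a uniform random sample of `sampled` machines out of
    `total` contains at least one of `bad` manipulated machines.

    P(miss) = C(total - bad, sampled) / C(total, sampled)  (hypergeometric),
    so P(detect) = 1 - P(miss).  Exact arithmetic via Fraction.
    """
    if not (0 <= bad <= total and 0 <= sampled <= total):
        raise ValueError("bad and sampled must lie in [0, total]")
    if bad == 0:
        return Fraction(0)   # nothing to find
    if sampled > total - bad:
        return Fraction(1)   # too few clean machines to fill the sample
    return 1 - Fraction(comb(total - bad, sampled), comb(total, sampled))


def percent_sample(total: int, percent: float) -> int:
    """Sample size under an 'audit N% of machines' rule (assumed to round up)."""
    return ceil(total * percent / 100)


def min_sample_for(total: int, bad: int, target) -> int:
    """Smallest sample size whose detection probability reaches `target`."""
    for n in range(total + 1):
        if detection_probability(total, bad, n) >= target:
            return n
    raise ValueError("no manipulated machines: nothing can be detected")


def audit_report(total: int, bad: int, percents=(5, 10)) -> dict:
    """Detection probability of each percentage rule, and the sample size
    needed for 95% detection, for `bad` manipulated machines out of `total`."""
    report = {}
    for pct in percents:
        n = percent_sample(total, pct)
        report[f"{pct}% rule ({n} machines)"] = round(float(detection_probability(total, bad, n)), 3)
    report["machines needed for 95% detection"] = min_sample_for(total, bad, Fraction(95, 100))
    return report


if __name__ == "__main__":
    # Assumed for illustration: 100 polling-place scanners, of which 2 or 10
    # report manipulated totals.
    for bad in (2, 10):
        print(f"{bad} of 100 scanners manipulated:", audit_report(100, bad))
```

With the assumed 100 scanners, a 5% audit has under a 10% chance of landing on either of 2 manipulated machines, and about a 42% chance when 10 are manipulated; reaching 95% confidence of catching 10 manipulated machines takes 25 scanners, a quarter of them. The calculation assumes the sample is drawn uniformly at random and that an audited machine with a manipulated count is actually noticed, which is exactly what the Citizen Audit observation reports examine.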

Report: Secret Ballot At Risk

A new report from the Electronic Privacy Information Center articulates some of the risks of losing the secret ballot: Secret Ballot At Risk: Recommendations for Protecting Democracy <Exec Summary> <Report>

We recommend reading the Executive Summary and at least the section of the report covering the history of and the need for the secret ballot, pages 4-9 and the section for your state, e.g. Connecticut pages 54-55.

Our only criticism is that the report does not cover the risks to the secret ballot and democracy posed by photos, most often seen in selfies of voters with the voted ballot taken in the voting booth. Nor does it cover the risks to the secret ballot posed by absentee voting.

From the Executive Summary:

The right to cast a secret ballot in a public election is a core value in the United States’ system of self-governance. Secrecy and privacy in elections guard against coercion and are essential to integrity in the electoral process. Secrecy of the ballot is guaranteed in state constitutions and statutes nationwide. However, as states permit the marking and transmitting of marked ballots over the Internet, the right to a secret ballot is eroded and the integrity of our elections is put at risk…

Our findings show that the vast majority of states (44) have constitutional provisions guaranteeing secrecy in voting, while the remaining states have statutory provisions referencing secrecy in voting. Despite that, 32 states allow some voters to transmit their ballots via the Internet which, given the limitations of current technology, eliminates the secrecy of the ballot. Twenty-eight of these states require the voter to sign a waiver of his or her right to a secret ballot. The remainder fail to acknowledge the issue.

From the Report:

The secret ballot reduces the threat of coercion, vote buying and selling, and tampering. For individual voters, it provides the ability to exercise their right to vote without intimidation or retaliation. The secret ballot is a cornerstone of modern democracies. Prior to the adoption of the secret ballot in the United States in the late 19th century, coercion was commonplace. It was particularly strong in the military…

The establishment of the secret ballot helped prevent that type of coercion in the military. It also changed coercive practices in the workplace. But has our society evolved so much that we no longer need the secret ballot?

The answer is, simply, no. The secret ballot also protects individuals from harassment as a result of their vote. In February 2009, The New York Times reported that “some donors to groups supporting [California’s “Proposition 8” re: same-sex marriage] have received death threats and envelopes containing a powdery white substance, and their businesses have been boycotted.” The Times reported that a website called “eightmaps.com” collected names and ZIP codes of people who donated to the ballot measure and overlaid the data on a map, contributing to the harassment and threats of violence.

Further, employer-employee political coercion is alive and well in the United States. A recent article in The American Prospect documented a number of instances of political coercion in the workplace, including:

  • An Ohio coal mining company required its workers to attend a Presidential candidate’s rally – and did not pay them for their time.
  • Executives at Georgia-Pacific, a subsidiary of Koch Industries which employs approximately 35,000 people, distributed a flyer and a letter indicating which candidates the firm endorsed. “The letters warned that workers might ‘suffer the consequences’ if the company’s favored candidates were not elected.”

Thanks to the secret ballot, employers cannot lawfully go so far as to “check” on how an employee actually voted. But if ballots were no longer secret, many employees would risk losing their jobs if they voted against the recommendations of management. Our democracy would no longer be free and fair. Our need for privacy protections is just as strong today as it was when the secret ballot was adopted.

Connecticut Constitution and statutes:

Constitutional provision re: right to secret ballot Conn. Const. Art. 6 § 5
In all elections of officers of the state, or members of the general assembly, the votes of the electors shall be by ballot, either written or printed, except that voting machines or other mechanical devices for voting may be used in all elections in the state, under such regulations as may be prescribed by law. No voting machine or device used at any state or local election shall be equipped with a straight ticket device. The right of secret voting shall be preserved.

Conn. Gen. Stat. Ann. § 9-366
Any person who […] does any act which invades or interferes with the secrecy of the voting or causes the same to be invaded or interfered with, shall be guilty of a class D felony.

Book Review: Countdown to Zero Day (Stuxnet)

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, by Kim Zetter, covers in detail the discovery, exposure, and dissection of the Stuxnet worm. It is a fascinating, educational, and important read, relevant to anyone interested in cyber security, war, foreign affairs, and election integrity. There is also a new documentary, ZER0DAYS.

I read the book and then watched the movie. I recommend the book over the documentary, although the two are complementary. The book covers Stuxnet and its discovery in much more detail, yet it is accessible to everyone. After reading the book, even the non-technical reader will understand what Stuxnet could do and its wider implications for security and foreign affairs. I am not convinced that those who only watch the movie will come away with anything like an equivalent understanding. Here are some of the highlights and implications:

  • Stuxnet represents the first documented act of destructive cyber aggression by one nation against another. The U.S. has opened Pandora’s box, as we did with nuclear weapons in 1945. It was an actual attack, distinct from cyber spying and information theft.
  • Stuxnet was used, undetected, to destroy Iran’s nuclear centrifuges a few at a time, at seemingly random intervals. It demonstrated that almost any system controlled by software can be incapacitated or destroyed by software alone: power systems, the power grid, manufacturing systems, gas lines, banking systems, refineries, elections, etc.
  • At the time of Stuxnet, Iran was at minimum playing cat-and-mouse with its nuclear activities, and was likely attempting to hide an aggressive program to prepare for building nuclear weapons. That may no longer be true. Part of the U.S. goal was to hold Israel off from an actual, risky attack on Iran of questionable value.
  • A zero day is a hole in software or hardware security that is unknown to the vendor and to anti-virus firms, so no patch or signature exists for it. Knowing and exploiting a zero day gives a powerful capability to compromise even systems with the latest and most extensive security measures, such as sensitive or strategic government programs.
  • Stuxnet is widely attributed to a joint effort of the U.S. and Israel. It was very sophisticated: several zero days, complex attack mechanisms, complex spreading logic, and targeting limited to avoid detection. The movie does a fine job of driving this point home with insider and outsider interviews.
  • Stuxnet attacked and spread without requiring any of the targeted equipment to be connected to the Internet. Disconnected systems are safer, yet far from safe from malware or insider attack.
  • Stuxnet was intended to limit its own spread and remove itself, making detection more difficult. Its apparent failure to contain its spread as much as intended led to its discovery.
  • If a foreign power or criminal hackers had discovered Stuxnet, they would have been a long way toward attacking almost any control system. They could have attacked any target, in the U.S., worldwide, or at random, and they could easily have made an error that caused a much wider, much more dangerous attack than intended.
  • When the government withholds zero days from vendors and anti-virus firms, it leaves our own government and business systems open to attack through those same holes, and the holes themselves can leak to foreign governments and criminals who attack our government and its contractors. (Sound impossible? The U.S. government is still at it and the world is exposed. See <NSA hacked, exposing new hacking tools>. Like Stuxnet, this was partly an attack via vendor/contractor facilities; unlike Stuxnet, it could be classified as spying, not aggression.)

What this means for elections:

  • Elections can be hacked.  Any election equipment can be hacked, including proprietary equipment and equipment not connected to the Internet.
  • Hacking can go on undetected for months and years.
  • We can worry about Russia, yet we need to worry about all governments (including U.S. agencies), partisans, and insiders everywhere.
  • Elections are managed by local governments and local officials that are orders of magnitude less capable, less funded, and less knowledgeable than super sensitive corporate, government, and military operations (can you say Sitting Ducks?).
  • It is more important than ever that we not remain complacent and assume that, just because we know most local officials are of high integrity, nothing can go awry.
  • We need paper ballots and sufficient ballot security, recounts, and audits of the entire election process.

What Could Elections Officials Learn From the Delta Airlines Outage

This week Delta Airlines was partially down, so far for at least three days, because of “computer” or “power” problems according to reports, e.g. How A Computer Outage Can Take Down An Entire Airline <read>.

Just after five in the morning on Monday, Delta sent out an alert every traveler dreads. “Delta has experienced a computer outage that has affected flights scheduled for this morning.”

Two hours later, Delta added discouraging details: The outage in Atlanta had crippled its mission control center—the NASA-inspired room that keeps Delta’s global fleet running. Soon, static check-in lanes clogged airports and gate agents started writing boarding passes by hand. Passengers slept on airport floors or sat in parked planes, even as departure boards and smartphone apps wrongly told them everything was running great. The airline canceled more than 650 flights and delayed many more in the US, Japan, Italy, and the UK…

Georgia Power, which supplies electricity to Delta, says it’s working with the airline today to fix a failed switchgear—a heavy duty version of the circuit breaker panel you’ve got in your basement. That would suggest that if an update or test is the problem, it was of hardware (perhaps, ironically, something like a new power supply), rather than of software. Georgia Power says the outage affected nobody else.

This is not the first time:

No one seems to know what went wrong, exactly—Delta’s investigating—but this is hardly the first time a computer glitch has shackled an airline’s global operations to the tarmac. So how does this keep happening?…

If you’re starting to think this kind of thing happens a lot, you’re right. In July, the failure of a single data center router forced Southwest to cancel 2,300 flights across four days, costing the airline well over $10 million. CEO Gary Kelly told The Dallas Morning News the router only partially failed, so it didn’t trigger the backup systems. In May, JetBlue had to check in customers by hand when its computer system went down. American Airlines blamed connectivity issues when it had to suspend flights last September. A year ago, United blamed a glitch for 800 flight delays.

And then there are the cases that defy contingency planning. In 1991 a farmer reportedly took 20 air traffic control centers offline when he inadvertently cut through an underground fiber optic cable while burying a cow. In 2014, an FAA contractor set fire to an air traffic control center in Chicago, disrupting travel for more than two weeks.

There are three lessons we might absorb and election officials might learn from this.  (We have to admit that we are skeptical that these lessons will be learned by the public or officials.)

  • System failures are generally explained away as accidents, usually unique and isolated ones.
  • Human systems are vulnerable to failure, especially those dependent on computer systems, especially when there is no manual backup.
  • If businesses like airlines, banks, and Federal Government agencies cannot protect their systems, how can state, county,  and local systems be expected to be reliable?

System Failures Are Generally Explained Away as Accidents

How can we be sure that a system failure is an accident, not sabotage?   How do we know that an individual, foreign power, or business competitor did not bring down the system?  This could have been a test of a surgical strike which could be used to take down multiple airlines or other critical systems.

You may be thinking “Conspiracy Theorist” here.  That is a good way to deflect concern, without delving deeper, without considering actually learning.  Yet such an attack has happened.  Maybe more than once. The U.S. Government and Israel attacked Iranian nuclear facilities by attacking the control system responsible for nuclear centrifuges.  The attack, known as Stuxnet, was designed to go undetected, and it did so for several years.

The point here is not that the Delta outage was necessarily such an attack. It is that it could have been, and even with diligence that may never be determined.  It could also have been sabotage by a single individual.  In any case, computer attack, human attack, or accident, our infrastructure is vulnerable.

Human systems are vulnerable to failure, especially those dependent on computer systems, especially when there is no manual backup.

Without its computer system, Delta was dead in the water (actually dead in the air, stuck on the ground), completely dependent on computer system power, and apparently a single point of failure.

But wait.  What if Delta had a simple manual backup?  Would it be possible to save millions, perhaps billions of dollars, and continue most flights, with most passengers, saving them many problems?

I am not an airline expert, yet my guess is that Delta’s system is largely separate from the Air Traffic Control, TSA, and Immigration Systems.  Here is an outline of a simple backup system:

  • Every couple of hours, spreadsheets of the following are sent to a personal computer at each Delta airport:  Passengers booked for each flight for the next 24 hours.  Equipment, crew, and schedule for each flight in that period.
  • In a similar emergency all those items are printed on paper and used by personnel to create boarding passes and checkin passengers.
  • Flight crews, baggage handlers, and maintenance use that information to continue operations.

Obviously it would not work perfectly, yet it would provide for most service to continue at a considerably slower pace.

If businesses like airlines, banks, and Federal Government agencies cannot protect their systems, how can state, county and local systems be expected to be reliable?

Which brings us to our election system.  To the extent we make it an electronic election system, we are similarly dependent on systems, to the extent we have no manual backup or workable pre-planned contingencies.

How about Connecticut?

One area where we are very good is that we have paper ballots.  Even if our scanners fail due to an extended power outage, we can still vote on paper ballots and count them later!

But there are other potential problems.

The current voting system is partially dependent on the availability of the online Central Voter Registration System (CVRS) and the phone system. CVRS and the phone system are in turn generally dependent on the availability of the Internet and the power grid.  Availability is required statewide and in each town in the state.

  • The CVRS must be available in the few days before an election so that paper check-in lists can be printed, so that voters can check in at the polls.
  • On election day, Registrars are constantly checking the system to resolve voter registration issues at polling places; perhaps 5% of voters would not be able to vote if that system were unavailable.
  • Also on election day, election day registration is currently 100% dependent on the availability of the CVRS, with no model contingency plan specified by the Secretary of the State’s Office.
  • Also, the whole system is highly dependent on the phone system, which is used by polling place officials to call the Registrars’ Office, and by the Registrars’ Office to call other towns for Election Day Registration.

When we convert to electronic check-in, we must be careful to require paper copies of check-in lists so that polling place voting can mostly continue in the event of power, phone, and computer outages.

Finally, a reminder that it is tough for individual industries to protect themselves, harder for state and local governments, and that Connecticut is not the pick of the litter here:

As was reported in April: Connecticut Makes National Short List – Embarrassing <read>

U.S. federal, state and local government agencies rank in last place in cyber security when compared against 17 major private industries, including transportation, retail and healthcare, according to a new report released Thursday.

The analysis, from venture-backed security risk benchmarking startup SecurityScorecard, measured the relative security health of government and industries across 10 categories, including vulnerability to malware infections, exposure rates of passwords and susceptibility to social engineering, such as an employee using corporate account information on a public social network.

Education, telecommunications and pharmaceutical industries also ranked low, the report found. Information services, construction, food and technology were among the top performers…

Other low-performing government organizations included the U.S. Department of State and the information technology systems used by Connecticut, Pennsylvania, Washington and Maricopa County, Arizona.

As we said then:

We sadly await the Election Day when the Connecticut voter registration system is down, especially with no contingency plan for Election Day Registration. Don’t say “Who Could Have Imagined”, we did.

How to excite the public about electronic voting: “Russia Might Hack an Election”

Apparently Donald Trump and the media have done in a few days what computer scientists, security experts, and voting integrity advocates have failed at for at least sixteen years:  Excite the public about the dangers of electronic voting.

Our bad for suggesting that partisans, insiders, or domestic hackers could do the job and not emphasizing that foreign powers, including Russia, could do it. Our bad for demonstrating that smart amateurs could do it without a sophisticated expert conspiracy.  Apparently the threat of a sophisticated Russian hack is more threatening than an election being taken by the equivalent of electronic ballot stuffing.

There are a lot of articles we could cite, but one of the most comprehensive comes from Politico Magazine.  It is written from the perspective of Princeton researchers, with lots of history and articulated concerns, with relatively little red baiting.  How To Hack An Election In 7 Minutes  <read orig> <text>

It is a long read.  I will summarize the concerns, with my comments in brackets []:

The powers that be seem duly convinced. Homeland Security Secretary Jeh Johnson recently conceded the “longer-term investments we need to make in the cybersecurity of our election process.” A statement by 31 security luminaries at the Aspen Institute issued a public statement: “Our electoral process could be a target for reckless foreign governments and terrorist groups.” Declared Wired: “America’s Electronic Voting Machines Are Scarily Easy Targets.”

For the Princeton group, it’s precisely the alarm they’ve been trying to sound for most of the new millennium. “Look, we could see 15 years ago that this would be perfectly possible,” Appel tells me, speaking in subdued, clipped tones. “It’s well within the capabilities of a country as sophisticated as Russia.” He pauses for a moment, as if to consider this. “Actually, it’s well within the capabilities of much less well-funded and sophisticated attackers.”…

The Princeton group has a simple message: That the machines that Americans use at the polls are less secure than the iPhones they use to navigate their way there.

In American politics, an onlooker might observe that hacking an election has been less of a threat than a tradition. Ballot stuffing famously plagued statewide and some federal elections well into the twentieth century…

[Apparently we are much less concerned about a domestic hack than a foreign one.  History shows there is a lot of motivation and also a lack of a strong response to domestically stolen elections]

But the tipping point came in 2006, when a major congressional race between Vern Buchanan and Christine Jennings in Florida’s 13th district imploded over the vote counts in Sarasota County—where 18,000 votes from paperless machines essentially went missing (technically deemed an “undervote”) in a race decided by less than 400 votes. Felten drew an immediate connection to the primary suspect: The ES&S iVotronic machine, one of the many ordered in Pennsylvania after they deployed their HAVA funds. Shortly after the debacle, Governor Crist announced a deadline for paper backups in every county in Florida. That year, Maryland Governor Bob Erlich urged his state’s voters to cast an absentee ballot rather than put their hands on a digital touchscreen—practically an unprecedented measure. By 2007, the touchscreens were so unpopular that two senators, Florida’s Ben Nelson and Sheldon Whitehouse from Rhode Island, had introduced legislation banning digital touchscreens in time for the 2012 election.

Precincts today that vote with an optical scan machine—another form of DRE that reads a bubble tally on a large card—tend not to have this problem; simply by filling it out, you’ve generated the receipt yourself. But that doesn’t mean the results can’t still be tampered with, and Felten’s students began writing papers that advised election officials on defending their auditing procedures from attempted manipulation.

Each state bears the scars of its own story with digital touchscreens—a parabola of havoc and mismanagement that has been the fifteen-year nightmare of state and local officials…

Today, Halderman reminds me, “the notion that a foreign state might try to interfere in American politics via some kind of cyber-attack is not far-fetched anymore.”

The Princeton group has no shortage of things that keep them up at night. Among possible targets, foreign hackers could attack the state and county computers that aggregate the precinct totals on election night—machines that are technically supposed to remain non-networked, but that Appel thinks are likely connected to the Internet, even accidentally, from time to time. They could attack digitized voter registration databases—an increasingly utilized tool, especially in Ohio, where their problems are mounting—erasing voters’ names from the polls (a measure that would either cause voters to walk away, or overload the provisional ballot system). They could infect software at the point of development, writing malicious ballot definition files that companies distribute, or do the same on a software patch. They could FedEx false software to a county clerk’s office and, with the right letterhead and convincing cover letter, get it installed. If a county clerk has the wrong laptop connected to the Internet at the wrong time, that could be a wide enough window for entry of an attack.

“No county clerk anywhere in the United States has the ability to defend themselves against advanced persistent threats,” Wallach tells me…

[We strongly doubt that many county clerks or local registrars in Connecticut have the ability to detect or defend against even unsophisticated threats]

What would be the political motivation for a state-sponsored attack? In the case of Russia hacking the Democrats, the conventional wisdom would appear that Moscow would like to see President Trump strolling the Kremlin on a state visit. But the programmers also point out that other states may be leery. “China has a huge amount to lose. They would never dare do something like that,” says Wallach, who recently finished up a term with the Air Force’s science advisory board. Still, statistical threat assessment isn’t about likelihoods, they insist; it’s about anticipating unlikelihood.

[What would be the political motivation for a single insider, corporation, or a few partisans to attack an election and install their favorite President, Senator, Governor or Mayor?  Do we really have to answer?]

The good news is that Wallach thinks we’d smell something fishy, and fairly fast: “If tampering happens, we will find it. But you need to have a ‘then-what.’ If you detect electronic tampering, then what?”

[Where there is smoke, in the U.S. it seems there are more dire warnings of “Conspiracy Theorists”. Our track record investigating and correcting suspicious elections is worse than poor. See our <Book Review of Ballot Battles>]

No one has a straight answer, except for a uniform agreement on one thing: Chaos that would make 2000 look like child’s play. (Trump aping about “rigged elections” before the vote is even underway has certainly not helped.) The programmers suggest we ought to allow, for the purposes of imagination, the prospect of a nationwide recount. Both sides would accuse the other of corruption and sponsoring the attack. And the political response to the country of origin would prove equally difficult—the White House is reported to be gauging how best to respond to the DNC attack, a question that poses no obvious answers. What does an Election Day cyber strike warrant? Cruise missiles?

The easiest and ostensibly cheapest defense—attaching a voter verified paper receipt to every digital touchscreen—presents its own problem. It assumes states audit procedures are robust. According to Pam Smith at Verified Voting, over 20 states have auditing systems that are inadequate—not using sufficient sample sizes, or auditing only under certain parameters that could be outfoxed by a sophisticated attack—states that include Virginia, Indiana and Iowa.

[And Connecticut.  We will save for another time a list of the inadequacies in our post election audit law and its implementation. We are not sure that Verified Voting includes CT in the 20, yet we point out that only about half the states have audit laws, leaving the vast majority of that half with inadequate audits.]

“There’s a very simple and old-fashioned recipe that we use in our American democracy,” Appel says. “The vote totals in each polling place are announced at the time the polls closed, in the polling place, to all observers—the poll workers, the party challengers, any citizen that’s observing the closing of the polls.” He goes on to describe how the totals in that precinct would be written on a piece of paper—pencils do just fine—then signed by the poll workers who have been operating that polling site.

“Any citizen can independently add up the precinct by precinct totals,” he continues. “And that’s a very important check. It’s a way that with our precinct-based polling systems, we can have some assurance that hacked computers could not undetectably change the results of our election.”

[That is far from feasible, considering the vast number of districts and counts to be accumulated.  Go ahead and try doing that just in Connecticut, from the results filed in 169 town clerks’ offices, and balance them with the totals posted for the Presidential Primary on the Secretary of the State’s website]

There could be a greater lesson in Appel’s point. Technology didn’t create the problem. Perhaps technology is intrinsic to the problem—our lack of trust that has metastasized in a surveillance culture was bound to aggrandize the problems of voting, the most trusting civic act we know. It seems unlikely to expect a singular cure to the American presidential election, not because of the incomprehensibility of cryptography or the untrustworthiness of tech companies, but because there is no such thing as the singular election: 8,000 jurisdictions in a leaky mess of federalism and poorly spent dollars. The neat results and cable announcements on election night represent an optical illusion, like a series of ones and zeroes, whizzing beyond our apprehension.

[As we said, we are far from public verification of a Presidential Election, or for that matter almost any Federal, State, or Local election.]

If Russia hacked the DNC? What me worry?

Did Russia hack the DNC, DCCC, and Hillary’s Campaign?  And does it only matter who the hackers are?

This has been quite a week for hackers and for media coverage of hacks.  With little disclosed evidence, the prime story has been the question of who hacked the sites.  That is an important aspect of the news, yet there are other important issues obscured, perhaps intentionally, by the focus on that one aspect of the hacks.  Less covered are:

  • The unfair, perhaps illegal, conduct of the DNC disclosed in the emails and voice mails.
  • The possibility that elections themselves can be manipulated directly through changing results, messing with registration systems etc.
  • Is Wikileaks extra guilty for disclosing the information when they did?  Should they have held it until after the election, like the NYTimes did with James Risen’s story of a failed CIA operation?
  • Should we feel safer if the hacks are not from the Russian government, and are actually the work of foreign amateurs? Domestic amateurs? Republicans?  Business interests?  Israel? China? The CIA? The NSA?  Political Insiders? or Vendor Insiders? Which group, if any, would you rather have manipulate our elections?
  • Would we be safer if the perpetrator(s) kept the information secret?  Why would that be preferred?  What if Trump had secret information on Hillary or her campaign?  What if Democrats or their supporters have hacked similar information on Trump or the Republicans and are not disclosing it? The information disclosed obviously hurts the DNC, yet other information could be more valuable to opponents, if it were not disclosed.
  • In whose interest is the disclosure of the information? In whose interest is blaming the attack on Russia?
  • In whose interest is focusing only on determining the perpetrators? Obviously those exposed by the emails and the actual perpetrators, if not Russia.

Some articles to consider.  Bruce Schneier in the Washington Post: By November, Russian hackers could target voting machines <read>

The political nature of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation’s computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November — that our election systems and our voting machines could be vulnerable to a similar attack.

From The Conversation by Richard Forno: How vulnerable to hacking is the US election cyber infrastructure? <read>

Of course, the desire to interfere with another country’s internal political processes is nothing new. Global powers routinely monitor their adversaries and, when deemed necessary, will try to clandestinely undermine or influence foreign domestic politics to their own benefit. For example, the Soviet Union’s foreign intelligence service engaged in so-called “active measures” designed to influence Western opinion. Among other efforts, it spread conspiracy theories about government officials and fabricated documents intended to exploit the social tensions of the 1960s. Similarly, U.S. intelligence services have conducted their own secret activities against foreign political systems – perhaps most notably its repeated attempts to help overthrow pro-communist Fidel Castro in Cuba…

One of the most obvious, direct ways to affect a country’s election is to interfere with the way citizens actually cast votes. As the United States (and other nations) embrace electronic voting, it must take steps to ensure the security – and more importantly, the trustworthiness – of the systems. Not doing so can endanger a nation’s domestic democratic will and create general political discord – a situation that can be exploited by an adversary for its own purposes…

Democracies endure based not on the whims of a single ruler but the shared electoral responsibility of informed citizens who trust their government and its systems. That trust must not be broken by complacency, lack of resources or the intentional actions of a foreign power.

Book Review: Down for the Count

Down for the Count: Dirty Elections and the Rotten History of Democracy in America
by Andrew Gumbel.  An updated version of Gumbel’s earlier Steal This Vote.  A lot has happened in 12 years!

I highly recommend it for an overview of the history of voting issues in the United States. I can add a small caveat to the description on Amazon:

Down for the Count explores the tawdry history of elections in the United States—a chronicle of votes bought, stolen, suppressed, lost, miscounted, thrown into rivers, and litigated up to the U.S. Supreme Court—and uses it to explain why we are now experiencing the biggest backslide in voting rights in more than a century. This thoroughly revised edition, first published to acclaim and some controversy in 2005 as Steal This Vote, reveals why America is unique among established Western democracies in its inability to run clean, transparent elections. And it demonstrates, in crisp, clear, accessible language, how the partisan battles now raging over voter ID, out-of-control campaign spending, and minority voting rights fit into a long, largely unspoken tradition of hostility to the very notion of representative democracy.
Andrew Gumbel has interviewed Democrats, Republicans, and a range of voting rights activists to offer a multifaceted, deeply researched, and engaging critical assessment of a system whose ostensible commitment to democratic integrity so often falls apart on contact with race, money, and power. In an age of high-stakes electoral combat, billionaire-backed candidacies, and bottom-of-the-barrel campaigning, there can be no better time to reissue this troubling and revealing book.

Some of the items that stuck out for me:

  • The problems and rigging of lever machines pp 106-108.
  • Software is not the only problem with electronic voting machines. Consider microcode.
  • Before the technical reports of the early 2000s, those suspicious of electronic voting were ‘crazies’ p155. I am not so sure that has changed in many circles.
  • Money has almost removed people from elections p 205.
  • “The less grassroots activists know, the more they think they know” p 211. Consider when that might apply to you (or to me), as well as the “others”.
  • The same set of general fixes emerge over and over p 212.

A caveat:

Near the end, the author provides a list of more detailed fixes that he recommends.  I strongly disagree with his recommendation of circumventing the Electoral College rather than replacing it Constitutionally. Actually, it requires more than a Constitutional amendment. As always, I can understand that many grassroots individuals see the problems with the current system, including the Electoral College.  Yet the fixes aren’t always so clear and simple. The devil is in the details, wrapped up in the Constitution, the 12th Amendment, and the Electoral Count Act, along with the state-by-state election system we have.  The current system is far from a match for a National Popular Vote scheme. They all would need to be changed significantly before we can have a National Popular Vote that treats every citizen/voter equally and that can provide a trusted result.  For more on this, see our past posts <here>.

I can only suggest that this is an example for considering the book’s statement that “The less grassroots activists know, the more they think they know”.