Apparently Donald Trump and the media have done in a few days what computer scientists, security experts, and voting integrity advocates have failed at for at least sixteen years: Excite the public about the dangers of electronic voting.
Our bad for suggesting that partisans, insiders, or domestic hackers could do the job and not emphasizing that foreign powers, including Russia could do it. Our bad for demonstrating that smart amateurs could do it without a sophisticated expert conspiracy. Apparently the threat of a sophisticated Russian hack is more threatening that an election being taken by the equivalent of electronic ballot stuffing.
There are a lot of articles we could site, but one of the most comprehensive comes from Politico Magazine. It is written from the prospective of Princeton researchers, with lots of history and articulated concerns, with relatively little red baiting. How To Hack An Election In 7 Minutes <read orig> <text>
It is a long read. I will summarize the concerns, with my comments in brackets []:
The powers that be seem duly convinced. Homeland Security Secretary Jeh Johnson recently conceded the “longer-term investments we need to make in the cybersecurity of our election process.” A statement by 31 security luminaries at the Aspen Institute issued a public statement: “Our electoral process could be a target for reckless foreign governments and terrorist groups.” Declared Wired: “America’s Electronic Voting Machines Are Scarily Easy Targets.”
For the Princeton group, it’s precisely the alarm they’ve been trying to sound for most of the new millennium. “Look, we could see 15 years ago that this would be perfectly possible,” Appel tells me, speaking in subdued, clipped tones. “It’s well within the capabilities of a country as sophisticated as Russia.” He pauses for a moment, as if to consider this. “Actually, it’s well within the capabilities of much less well-funded and sophisticated attackers.”…
The Princeton group has a simple message: That the machines that Americans use at the polls are less secure than the iPhones they use to navigate their way there…
In American politics, an onlooker might observe that hacking an election has been less of a threat than a tradition. Ballot stuffing famously plagued statewide and some federal elections well into the twentieth century…
[Apparently we are much less concerned about a domestic hack than a foreign one. History shows there is a lot of motivation and also a lack of a strong response to domestically stolen elections]
But the tipping point came in 2006, when a major congressional race between Vern Buchanan and Christine Jennings in Florida’s 13th district imploded over the vote counts in Sarasota County—where 18,000 votes from paperless machines essentially went missing (technically deemed an “undervote”) in a race decided by less than 400 votes. Felten drew an immediate connection to the primary suspect: The ES&S iVotronic machine, one of the many ordered in Pennsylvania after they deployed their HAVA funds. Shortly after the debacle, Governor Crist announced a deadline for paper backups in every country in Florida That year, Maryland Governor Bob Erlich urged his state’s votersto cast an absentee ballot rather than put their hands on a digital touchscreen—practically an unprecedented measure. By 2007, the touchscreens were so unpopular that two senators, Florida’s Ben Nelson and Sheldon Whitehouse form Rhode Island, had introduced legislation banning digital touchscreens in time for the 2012 election.
Precincts today that vote with an optical scan machine—another form of DRE that reads a bubble tally on a large card—tend not to have this problem; simply by filling it out, you’ve generated the receipt yourself. But that doesn’t mean the results can’t still be tampered with, and Felten’s students began writing papers that advised election officials on defending their auditing procedures from attempted manipulation.
Each state bears the scars of its own story with digital touchscreens—a parabola of havoc and mismanagement that has been the fifteen-year nightmare of state and local officials…
Today, Halderman reminds me, “the notion that a foreign state might try to interfere in American politics via some kind of cyber-attack is not far-fetched anymore.”
The Princeton group has no shortage of things that keep them up at night. Among possible targets, foreign hackers could attack the state and county computers that aggregate the precinct totals on election night—machines that are technically supposed to remain non-networked, but that Appel thinks are likely connected to the Internet, even accidentally, from time to time. They could attack digitized voter registration databases—an increasingly utilized tool, especially in Ohio, where their problems are mounting—erasing voters’ names from the polls (a measure that would either cause voters to walk away, or overload the provisional ballot system). They could infect software at the point of development, writing malicious ballot definition files that companies distribute, or do the same on a software patch. They could FedEx false software to a county clerk’s office and, with the right letterhead and convincing cover letter, get it installed. If a county clerk has the wrong laptop connected to the Internet at the wrong time, that could be a wide enough window for entry of an attack.
“No county clerk anywhere in the United States has the ability to defend themselves against advanced persistent threats,” Wallach tells me…
[We strongly doubt that many county clerks or local registrars in Connecticut has the ability to detect or defend against unsophisticated threats]
What would be the political motivation for a state-sponsored attack? In the case of Russia hacking the Democrats, the conventional wisdom would appear that Moscow would like to see President Trump strolling the Kremlin on a state visit. But the programmers also point out that other states may be leery. “China has a huge amount to lose. They would never dare do something like that,” says Wallach, who recently finished up a term with the Air Force’s science advisory board. Still, statistical threat assessment isn’t about likelihoods, they insist; it’s about anticipating unlikelihood.
[What would be the political motivation for a single insider, corporation, or a few partisans to attack an election and install their favorite President, Senator, Governor or Mayor?. Do we really have to answer?]
The good news is that Wallach thinks we’d smell something fishy, and fairly fast: “If tampering happens, we will find it. But you need to have a ‘then-what.’ If you detect electronic tampering, then what?”
[Where there is smoke, in the U.S. it seems there are more dire warnings of “Conspiracy Theorists”. Our track record investigating and correcting suspicious elections is worse than poor. See our <Book Review of Ballot Battles>]
No one has a straight answer, except for a uniform agreement on one thing: Chaos that would make 2000 look like child’s play. (Trump aping about “rigged elections” before the vote is even underway has certainly not helped.) The programmers suggest we ought to allow, for the purposes of imagination, the prospect of a nationwide recount. Both sides would accuse the other of corruption and sponsoring the attack. And the political response to the country of origin would prove equally difficult—the White House is reported to be gauging how best to respond to the DNC attack, a question that poses no obvious answers. What does an Election Day cyber strike warrant? Cruise missiles?
The easiest and ostensibly cheapest defense—attaching a voter verified paper receipt to every digital touchscreen—presents its own problem. It assumes states audit procedures are robust. According to Pam Smith at Verified Voting, over 20 states have auditing systems that are inadequate—not using sufficient sample sizes, or auditing only under certain parameters that could be outfoxed by a sophisticated attack—states that include Virginia, Indiana and Iowa.
[And Connecticut. We will save for another time a list of the inadequacies in our post election audit law and its implementation. We are not sure that Verified Voting includes CT in the 20, yet we point out that only about half the states have audit laws, leaving the vast majority of that half with inadequate audits.]
“There’s a very simple and old-fashioned recipe that we use in our American democracy,” Appel says. “The vote totals in each polling place are announced at the time the polls closed, in the polling place, to all observers—the poll workers, the party challengers, any citizen that’s observing the closing of the polls.” He goes on to describe how the totals in that precinct would be written on a piece of paper—pencils do just fine—then signed by the poll workers who have been operating that polling site.
“Any citizen can independently add up the precinct by precinct totals,” he continues. “And that’s a very important check. It’s way that with our precinct-based polling systems, we can have some assurance that hacked computers could not undetectably change the results of our election.”
[That is far from feasible, considering the vast number of districts and counts to be accumulated. Go ahead and try doing that just in Connecticut, from the results filed in 169 town clerks offices and balance them with the totals posted for the Presidential Primary on the Secretary of the State’s website]
There could be a greater lesson in Appel’s point. Technology didn’t create the problem. Perhaps technology is intrinsic to the problem—our lack of trust that has metastasized in a surveillance culture was bound to aggrandize the problems of voting, the most trusting civic act we know. It seems unlikely to expect a singular cure to the American presidential election, not because of the incomprehensibility of cryptography or the untrustworthiness of tech companies, but because there is no such thing as the singular election: 8,000 jurisdictions in a leaky mess of federalism and poorly spent dollars. The neat results and cable announcements on election night represent an optical illusion, like a series of ones and zeroes, whizzing beyond our apprehension.
[As we said we are far public verification of a Presidential Election, or for that matter almost any Federal, State, or Local election.]
