Is our election hackable or not?

Richard Clark, former White House senior cybersecurity policy adviser via ABC News: Yes, It’s Possible to Hack the Election <read>

Those experiences confirm my belief that if sophisticated hackers want to get into any computer or electronic device, even one that is not connected to the internet, they can do so. The U.S., according to media reports, hacked in to the Iranian nuclear centrifuge control system even though the entire system was air-gapped from the internet. The Russians, according to authoritative accounts, hacked into the Pentagon’s SIPRNet, a secret-level system separate from the internet. North Koreans, computer forensics experts have told me, penetrated SWIFT, the international banking exchange system. Iranians allegedly wiped clean all software on over 30,000 devices in the Aramco oil company. The White House, the State Department and your local fast food joint have all been hacked. Need I go on?…

Some systems produce a paper ballot of record, but that paper is kept only for a recount; votes are recorded by a machine such as an optical scanner and then stored as electronic digits. The counting of the paper ballots of record — when there are such things — is exceedingly rare and is almost never done for verification in the absence of a recount demand.

President Obama via NPR: President Obama: The Election Will Not Be ‘Rigged’ <read>

“Of course the election will not be rigged! What does that mean?” Obama said at a news conference at the Pentagon. “That’s ridiculous. That doesn’t make any sense.”

The president added Americans should not take Trump’s musings on this seriously. “We do take seriously, as we always do,” the president said, “our responsibilities to monitor and preserve the integrity of the voting process.”

Pam Smith, Verified Voting via NPR: Hacking An Election: Why It’s Not As Far-Fetched As You Might Think  <read>

“Wherever there’s a fully electronic voting system, there’s potential for tampering of some kind,” said Pamela Smith, president of Verified Voting. She says her nonprofit group has been warning about such tampering for years.

Smith says the Democratic Party hacks are another red flag that someone might try to interfere with election results, and that there are many ways to do that.

“If you can get at an election management system, you could potentially alter results, or muddy up the results, or you could even just shed doubt on the outcome because you make it clear that there’s been tampering,” she says.

Denise Merrill, Connecticut Secretary of the State and President of the National Association of Secretaries of State, press conference as reported by CTNewsJunkie: Merrill Defends Integrity of Connecticut’s Voting System <read>  With our annotations in [brackets]

I think it’s highly improbable at best that a national system of elections could be hacked. First of all there is no national system of elections,” Merrill, who is president of the National Association of Secretaries of State said Wednesday. “Our election system is extremely decentralized.” [This is a strawman.  It does not take a national hack.  In a close election hacking just one or two swing states could do the job.  In fact, just a couple of polling places the winner of the Electoral College could have been changed either way in Florida alone.  A single state could have made the difference in 2004 and 1960. ]

She said there is no credible cyber security threat. [This is just plain false in the light of all the know hacks of government, election, and corporate hacks. Perhaps it is taken out of context.]

In Connecticut there is no county government, so there are 169 towns who are all in charge of running the election and none of them are connected to the Internet. [All of them are connected to the Internet.  Especially to the Central Voter Registration System, critical on election day for 5% to 10% of the vote.  Also for the new end of day Election Night Reporting System.  I applaud the Secretary for continuing to follow the recommendations of UConn implemented by the Bysiewicz administration to keep the voting machines from the Internet. Unfortunately that does not guarantee security.  a) See the Stuxnet attack, it attacked Iran’s nuclear centrifuges which were isolated from the Internet.  b) It is easy for single insider to hack the voting machines in a single town.  Sadly, officials in each of 169 towns cannot approach the levels of security of Military, Government, or Corporate installations, all of which have been hacked by insiders and outsiders.]

“The idea that somehow there could be some national system hack is very unlikely,” Merrill said. [I agree, yet it is a strawman argument]

She said different states are using different kinds of election equipment, but Connecticut is using optical scan machines, which are not connected to the Internet.

Alexander Schwarzmann, head of the University of Connecticut’s Voter Technology Research Center, said there is no possible way to connect the optical scan voting machines to the Internet.

He said Connecticut’s optical scan machines also rely on a paper ballot so those can be counted independently of technology. [As we have said many times, it depends on who wants to look. Go to your town hall and ask to see and count the ballots.]

Merrill said there’s been a lot of pressure on the state to go to some type of Internet voting, but she has resisted. The state purchased the optical scan machines about 10 years ago and have developed an auditing process for the memory cards that are inserted into the machines…[As we have told the Secretary and others several times, defending against Internet voting has been her finest hour!]

Peggy Reeves, director of elections, said most of the mistakes made in elections can be attributed to “human error.” [Unfortunately, too often the SOTS Office and registrars assume that any differences in a post-election audit, without investigation, actually are  human error in machine counts.  Sometimes the scanners have counted incorrectly in Connecticut, sometimes local official pursue the problem and determine it was not human error in the hand count, but human error in the election process that lead to an incorrect count being certified for the election.  Hacking, fraud, machine error, or errors in the process all must be investigated, resolved, and prevented in the future. ]

Merrill said she wanted to sit down with the media Wednesday to “reassure the voters” that Connecticut’s voting system is secure. [Overconfidence is a standard concern of security professionals as an indicator of security risk.]

As far as fraud is concerned, Merrill said the concern in Connecticut is whether people are appropriately filing absentee ballots. She said the law says a person must be absent from the state or unable to get to the polls from 6 a.m. to 8 p.m. [We agree absentee voting fraud should be a concern.  That is why we warn against all -mail voting, and no-excuse absentee voting.]

Also a Courant article covering the same press conference: <read>

…during a demonstration in Merrill’s office, Peggy Reeves, the state director of elections, showed how the machine is locked with a tamper-proof seal. The UConn Center for Voting Technology Research tests the memory cards the machines use before and after each election.

As we said in our comment on the article:

To be clear CT does not use “Tamper Proof” anything tape or seals. They are called “Tamper Evident”. What that means is that if officials follow good seal protocols and the seals are actually “tamper evident” as applied then officials should be able to detect if they have been tampered with.

Connecticut does not have, as far as I know, any such protocols. Many apply the seals in ways that could easily be compromised. NJ tried six times to create effective seal protocols and failed each time. Finally, seals are designed to prevent outsiders from tampering without detection by insiders. It would be much more difficult for seals to protect against insider access.

Also the Secretary of the State on Where We Live: <Listen>

We called in and discussed the Election Performance Index, areas it does not cover, and the cyber risks to our Election Day Registration System.  The Secretary stated that we “Audit all voting machines”.  That is incorrect.  We audit 5% of polling place voting machines (until July 1st we audited 10%), never audit central count absentee ballot systems, and the audit, as conducted, is insufficient to provide the credibility Connecticut voters deserve.  <See the observation reports at the Citizen Audit>


Leave a Reply

You must be logged in to post a comment.