Security Theater: Scary! Expert Outlines Physical Security Limitations

Back in January, we covered reports on six failed attempts by New Jersey to successfully secure voting machines with “security” seals – seals like those used in Connecticut to “protect” our ballots and voting machines. A computer expert and a security expert provided reports outlining the ease with which those seals can be compromised by an amateur and an expert.

“Security” seals can be compromised, undetected in seconds. That is only the tip of the iceberg. Full security often involves a lot more, locks, vaults, chain-of-custody, alarms, video surveillance, and guards. Unfortunately, most physical security can also be easily defeated, according to one of the experts, Roger Johnston of the Argonne National Lab Vulnerability Assessments Team.

Last week I was fortunate to hear Dr. Johnston speak at a voting integrity conference in Chicago. Although I don’t have his slides or a video from that conference, I do have video’s of a short appearance on NBC and a longer talk he gave last year:

  • Getting paid to break into things: Argonne’s Roger Johnston on NBC <watch 4min>
  • Proving Voltaire Right: Security Blunders Dumber Than Dog Snot <watch 127min>

What I found most enlightening last week was a slide showing fifteen characteristic attributes of “Security Theater” (you can see it at about 5 min into the second video). Some of the attributes we often observe in Connecticut ballot security are:

  • “Sense of urgency”
    Urgency can be seen and felt on election night as officials are rushing to finalize results, complete paperwork, and complete a seventeen hour day. Is the seal applied correctly to prevent access without tampering? Do two officials check the seal number on the ballot case and the moderator’s return? Is the return completed in ink or pencil? Are the ballots under observation by at least two officials until they are locked in town hall?  Is the seal number on the bag checked against the moderator’s return when the ballots are locked in town hall? Officials complain that may take days for both registrars to be available to checking ballots and sealed paper work after an election.
  • A very difficult security problem
    Budgets are tight. Very few towns keep their ballots in vaults or securely locked facilities. We observe weak single locks or padlocks, ballots stored in isolated storage rooms with weak building security. Or no locks at all.
  • Involves fad and/or pet technology
    We have seen seals made by with office printer labels with no numbers and seals that are entirely written by hand.
  • Questions, concerns, & dissent are not welcome or tolerated
    Any suggestion that someone might compromise security is instead defensively interpreted as an accusation against the integrity of a registrar or all registrars. We are told that Connecticut towns cannot afford to improve security. Security does cost money, yet there are economical alternatives to dramatically increase ballot security. Can we afford to leave our democracy conveniently vulnerable?
  • Strong emotion, over confidence, arrogance, ego, and/or pride related to security
    (see above)
  • Conflicts of Interest
    Most registrars and election officials are closely aligned with parties – that is why we have at least two registrars in each town, of opposing interests. Everyone in town hall is dependent on the outcome of budget referendums and the plans of those elected. (as a counter example, the owner of a jewelry store, bank president, or jail guard normally has little conflict of interest in security)
  • No well-defined adversary
    Most individuals, election officials, candidates, candidate supporters, and town employees are honest. Yet, almost every person, agency, or business has stakes in election outcomes.
  • No well-defined use protocol
    Our statutes are on ballot security are weak and ambiguous, it is unlikely that the pending technical bills will change that. Towns follow (or don’t follow) a variety of procedures, mostly unpublished, vulnerable, and unverifiable.
  • No effective [vulnerability assessments]; no devil’s advocate
    You could say that CTVotersCount and the Coalition have been devil’s advocates, yet so far to little avail.
  • People who know little about security or the technology are in charge
    Many of our registrars and their staff demonstrate and will admit lack of knowledge of our voting technology. How many actually understand security? How many understand security technology such as the vulnerability of seals, locks, and the lack of security in a chain-of-custody filled out using an “honor system”? What security is there when most towns provide access with a single key and many provide access to that key for anyone working in the registrars office? How secure is access to the key or to the ballot storage by other means?

Forget those Dracula movies. Contemplate the value of ballots to our democracy while watching the Dog Snot video.

Not up for a scary movie? Here is a recent interview of Dr. Johnston on Op-News.  He provides suggestions for improving voting security. <read> Here the context is voting machines but the same considerations also apply to ballots. How many of these are in effect in your town?

Suggestions for better election security:

1.  Let’s try to separate concerns, questions, and criticisms about election security from political attacks on election officials (who are often elected themselves).  Security should be controversial and we need to listen to all input about it.

2.  Election officials need to think like the bad guy.  How would you cheat?

3.  Establish a health security culture and climate, where security is constantly on everybody’s mind and open for discussion and debate and review and outside analysis.

4.  Ironically (and counter-intuitively), the best security is usually transparent.

5.  Security is hard work, so expect to put in hard work.

6.  Do periodic background checks on people who move and maintain the voting machines.

7.  Somebody has to sign for the machines when they reach the polling place prior to the election (there can’t be a delay in delivery), and at least semi-watch them.  Use custodians, teachers, secretaries, and school kids (a great civics lesson!) to keep an eye on the machines if you can’t lock them up.

8.  Consider escorting the machines to and from the polling places.

9.  Lean on manufacturers of voting machines to get serious about security.

10.  Have a real, secure chain of custody, not bureaucratic forms to sign or initial purporting to be a chain of custody.

11.  Try bribing your people, then make them public heroes and let them keep the money if they decline.  (Wait at least one day, though.)  Word will get around it isn’t a good idea to accept a bribe.

12.  Form a pro bono citizens panel with local security experts to provide guidance.

13.  You must randomly select some machines before, during, and after the election to completely tear apart, examine, and reverse engineer.  Just seeing if they appear to run correctly is not good enough!  It’s too easy to turn cheating on and off.

14.  If you are going to use seals, provide at least a few hours of training in how to spot attacked seals.  Give lots of examples of attacked seals.  Discuss how the seals will likely be attacked.


Leave a Reply

You must be logged in to post a comment.