November 23, 2017

Lessons of 2016 for U.S. Election Security

The 2016 election was one of the most eventful in U.S. history. We will be debating its consequences for a long time. For those of us who pay attention to the security and reliability of elections, the 2016 election teaches some important lessons. I’ll review some of them in this post.

First, though, let’s review what has not changed. The level of election security varies considerably from place to place in the United States, depending on management, procedures, and of course technology choices. Places that rely on paperless voting systems, such as touchscreen voting machines that record votes directly in computer memories (so-called DREs), are at higher risk, because of the malleability of computer memory and the lack of an auditable record of the vote that was seen directly by the voter. Much better are systems such as precinct-count optical scan, in which the voter marks a paper ballot and feeds the ballot through an electronic scanner, and the ballot is collected in a ballot box as a record of the vote. The advantage of such a system is that a post-election audit that compares a random sample of paper ballots to the corresponding electronic records can verify with high confidence that the election results are consistent with what voters saw. Of course, you have to make the audit a routine post-election procedure.

Now, on to the lessons of 2016.

The first lesson is that nation-state adversaries may be more aggressive than we had thought. Russia took aggressive action in advance of the 2016 U.S. election, and showed signs of preparing for an attack that would disrupt or steal the election. Fortunately they did not carry out such an attack–although they did take other actions to influence the election. In the future, we will have to assume the presence of aggressive, highly capable nation-state adversaries, which we knew to be possible in principle before, but now seem more likely.

The second lesson is that we should be paying more attention to attacks that aim to undermine the legitimacy of an election rather than changing the election’s result. Election-stealing attacks have gotten most of the attention up to now–and we are still vulnerable to them in some places–but it appears that external threat actors may be more interested in attacking legitimacy.

Attacks on legitimacy could take several forms. An attacker could disrupt the operation of the election, for example, by corrupting voter registration databases so there is uncertainty about whether the correct people were allowed to vote. They could interfere with post-election tallying processes, so that incorrect results were reported–an attack that might have the intended effect even if the results were eventually corrected. Or the attacker might fabricate evidence of an attack, and release the false evidence after the election.

Legitimacy attacks could be easier to carry out than election-stealing attacks, as well. For one thing, a legitimacy attacker will typically want the attack to be discovered, although they might want to avoid having the culprit identified. By contrast, an election-stealing attack must avoid detection in order to succeed. (If detected, it might function as a legitimacy attack.)

The good news is that steps like adopting auditable paper ballots and conducting routine post-election audits are useful against both election-stealing and legitimacy attacks. If we have strong evidence of voter intent, this will make election-stealing harder, and it will make falsified evidence of election-stealing less plausible. But attacks that aim to disrupt the election process may require different types of defenses.

One thing is certain: election workers have a very difficult job, and they need all of the help they can get, from the best technology to the best procedures, if we are going to reach the level of security we need.

Comments

  1. Joanna Bryson says:

    Thanks Ed. I have two questions that I’m not sure whether you’d like to contact with.

    1) One thing that I’ve been worrying about particularly with nation-state hackers is that rather than hacking the election directly they could hack parties’ internal databases on which they base their decisions about election spends. This could cause both over and under expenditure. For an example of over expenditure, some of the UK Conservative backers of Brexit have said that they were just trying to make the election close, not win, in order to get concessions from the EU. For an example of underspend, see Clinton in Wisconsin.

    2) I was wondering what your opinion of the Guardian’s allegations against Mercer, which affect both the US & Brexit election, e.g. https://www.theguardian.com/technology/2017/may/07/the-great-british-brexit-robbery-hijacked-democracy

    • Ed Felten says:

      Joanna,

      On question 1, this is a threat to worry about. Major parties and campaigns need to have world-class security from now on. In general, we should worry more about intruders tampering with data, and not only about the sorts of data leaks that have gotten most of the attention so far.

      On question 2, I don’t currently have an informed opinion. There is a tendency, after an election, to decide that everything the winners did was shrewd and effective, and everything the losers did was wrong. What I don’t know at present is whether the talk about Cambridge Analytica and its tactics is an example of that exaggeration, or if it is instead a new and powerful type of force in politics.

  2. Choi M Jin says:

    This is a good piece, in theory. Practice is, well, very different for variety of reasons. Justified or not. We have learnt programing and enabled its distribution across the globe. So far so good. We have done to countries what now we are accusing Russia of doing to us. Well, that’s not an excuse to not doing anything. But something we should be aware of internally and tell others what it feels like.

  3. C. Scott Ananian says:

    I believe this election also revealed the vulnerability of several pre-election processes, like voter registration (and targeting, as Joanna mentioned). Previous work like EIRS focused on *detecting* these sorts of attacks, since they were a favorite of voter suppression efforts historically. But voter verifiable paper ballots don’t provide any effective remedy if long lines or registration confusion cause a voter to give up and go home. We can’t correct the record of those who never made it inside the voting booth. (EIRS tried to dispatch election observers to reported trouble spots in real time, but the time constraints of election day make this extremely difficult.)

    Further, a significant attack on a town or city’s voter registration rolls would quickly exhaust the limited resources available to clerks to correct the record and tally the vote, even if all voters did eventually cast a ballot.

    Perhaps our voter-verifiable ballots and auditing schemes need to be extended back in time. To some degree registration status is voter-verifiable, although in the case of attack, more precision is necessary wrt verifying against the database to be used on election day, not just the information stored somewhere in town hall.

    But perhaps auditing of registration could also be extended backward. There are tricky issues here, since if you allow the results of the audit to modify the rolls you’re opening another opportunity for an attacker to remove folks by tampering with the process; but a public read-only review of the diff between previous year’s registration and the current year might provide the opportunity for public spirited auditors to gain advance warning if something is awry.

  4. C. Scott Ananian says:

    Briefly, regarding targeting: my conversations with local elected officials (state level and below) indicate that most of them *prefer* low-turnout elections, because it allows them to more accurately target their publicity and GOTV and thus allows a lower-cost race. I explored the issue of consolidating the various state and local elections in MA on a single November date, and most felt it would be anti-democratic, since it would effectively shut out from the race anyone without deep enough pockets to reach all the possible voters in their district. (As opposed to just the 10% who show up to arbitrarily scheduled small elections.) “And good luck getting money from the party: it all goes to the top of the ticket” in a high-turnout race.

    This underscores the effect that these targeting databases have on even the smallest local elections. One could argue that targeting databases even “promote democracy” by effectively lowering the cost of running a campaign.

  5. Anonymous says:

    Yes, we need to pay more attention to computer security and safeguarding registration databases. But it would be even better if all states adopted the system of conducting elections by mail that we’ve been using in Oregon for years. In my experience there have been zero problems with voter fraud. Each voter gets a pamphlet with candidate statements and biographical information, endorsements, e.g. by the League of Women Voters, Chamber of Commerce, unions, etc. We could forget bothering with Russian cyber attacks. There would be a paper trail for recounts. No worries about insufficient voting places in minority neighborhoods or insufficient opening times or long lines or hacking voting machines. And I’d guess that a vote-by-mail system would cost a whole lot less than investing in electronic voting machines, maintaining and updating them and hiring armies of computer security consultants.

  6. Gordon Mohr says:

    Mass campaigns are difficult to defend. Party and candidate systems are soft. Media orgs can be manipulated. Scandal can be manufactured – or obscured.

    The electorate can be misled – *especially* the ‘marginal voter’, who decides to vote at all, or decides among candidates, at the last minute, based on some transient appeal, propaganda, or ‘momentum’ factor that will be reversed in a few days’ or weeks’ time.

    A ‘defense-in-depth’ strategy might include moving more decisions to representative processes that aren’t as subject to volatile or external influences. That is: reduce the perimeter that needs to be defended.

    How about randomly empaneling a tiny representative subset of voters to participate in each election – electoral juries – instead?

    Once they know their special role, the motivation to be informed, and vote, will be quite large. You could even award them a generous stipend for showing up, and investigate individually any allegations of suppression or corruption.

    Yes, it superficially disconnects those-not-chosen from the rituals of voting, and from any duties to be-informed or cast-ballots. But it’s possible people would see the empaneling-process as fair and representative – indeed more inclusive of ‘people like them’ than voluntary voting, with all its vagaries of voting-rates and costs-of-informed-participation.

    The process of influencing the panel could involve far more sophisticated discussion than mass-media campaigning around 30-second TV ads and engineered news-hooks or propaganda – but at far less cost. It might thus create a process even more interesting and inspiring to the general public – less repetition and pandering, but still with compelling, gradually-unfolding discourse/narratives. The panel, specifically, could be straw-polled in the lead-up to the binding poll. The panel could use more sophisticated preference-ranking methods that are hard to scale. The exact panel could also be polled later, on questions of continuing confidence in their decisions or “if we knew then what we know now” hypotheticals – or about their seasoned perspective on new questions, contrasted with those of other panels chosen for later elections.