October 23, 2017

Election security as a national security issue

We recently learned that Russian state actors may have been responsible for the DNC emails leaked to Wikileaks. Earlier this spring, once they became aware of the hack, the DNC hired Crowdstrike, an incident response firm. The New York Times reports:

Preliminary conclusions were discussed last week at a weekly cyberintelligence meeting for senior officials. The Crowdstrike report, supported by several other firms that have examined the same bits of code and telltale “metadata” left on documents that were released before WikiLeaks’ publication of the larger trove, concludes that the Federal Security Service, known as the F.S.B., entered the committee’s networks last summer.

President Obama added that “on a regular basis, [the Russians] try to influence elections in Europe.” For the sake of this blog piece, and it’s not really a stretch, let’s take it as a given that foreign nation-state actors including Russia have a large interest in the outcome of U.S. elections and are willing to take all sorts of unseemly steps to influence what happens here. Let’s take it as a given that this is undesirable and talk about how we might stop it.

It’s bad enough to see foreign actors leaking emails with partisan intent. To make matters worse, Bruce Schneier, in a Washington Post op-ed, and many other security experts in the past have been worried about our voting systems themselves being hacked. How bad could this get? Several companies are now offering Internet-based voting systems alongside apparently unfounded claims as to their security. In one example, Washington D.C. looked at using one such system for its local elections and had a “pilot” in 2010, wherein the University of Michigan’s Alex Halderman and his students found and exploited significant security vulnerabilities. Had this system been used in a real election, any foreign nation-state actor could have done the same. Luckily, these systems aren’t widely used.

How vulnerable are our nation’s election systems, as they’ll be used this November 2016, to being manipulated by foreign nation-state actors? The answer depends on how close the election will be. Consider Bush v. Gore in 2000. If an attacker, knowing it would be a very close election, had found a way to specifically manipulate the outcome in Florida, then their attack could well have had a decisive impact. Of course, predicting election outcomes is as much an art as a science, so an attacker would need to hedge their bets and go after the voting systems in multiple “battleground” states. Conversely, there’s no point in going after highly polarized states, where small changes will have no decisive impact. As an attacker, you want to leave a minimal footprint.

How good are we at defending ourselves? Will cyber attacks on current voting systems leave evidence that can be detected prior to our elections? Let’s consider the possible attacks and how our defenses might respond.

Voter de-registration: The purpose of many attacks is simply to break things. Applied with partisan intent, you’d want to break things for one party more than the other. The easiest attack would be to hack a voter registration system, deleting voters who you believe are likely to support the candidate you don’t like. For voters who have registered for a political party, you know everything you need to know about whom to delete. For independent voters, you can probabilistically infer their political opinions based on how their local precinct votes and on other demographic variables. (Political scientists do this sort of thing all the time.) Selectively destroying voter registration databases is likely to be recoverable. Such voters could demand to vote “provisional ballots” and those ballots would get counted as normal, once the voter registration databases were restored.

Vote flipping: A nastier attack would require an attacker to access the computers inside DRE voting systems. (“Direct recording electronic” systems are typically touch-screen computers with no voter-verifiable paper trail. The only record of a voter’s ballot is stored electronically, inside the computer.) These voting systems are typically not connected to the Internet, although they do connect to election management computers, and those sometimes use modems to gather data from remote precincts. (Details vary from state to state and even county to county.) From the perspective of a nation-state cyber attacker, a modem might as well be a direct connection to the Internet. Once you can get malware into one of these election management computers, you can delete or flip votes. If you’re especially clever, you can use the occasional connections from these election management computers to the voting machines and corrupt the voting machines themselves. (We showed how to do these sorts of viral attacks as part of the California Top to Bottom Review in 2007.)

With paperless DRE systems, attacked by a competent nation-state actor, there will be no reason to believe any of the electronic records are intact, and a competent attacker would presumably also be good enough to clean up on their way out, so there wouldn’t necessarily even be any evidence of the attack.

The good news is that paperless DRE systems are losing market share and being replaced slowly-but-surely with several varieties of paper-ballot systems (some hand-marked and electronically scanned, others machine-marked). A foreign nation-state adversary can’t reach across the Internet and change what’s printed on a piece of paper, which means that a post-election auditing strategy to compare the electronic results to the paper results can efficiently detect (and thus deter) electronic tampering.
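To show why comparing electronic results to paper can be efficient, here is an added example (not from the original post) that goes beyond the text by assuming a ballot-level comparison audit, in which each paper ballot can be matched to its electronic record. The ballot ids, candidate labels and the count of 500 flipped records are constructed for illustration.

```python
import random
from math import comb

def detection_probability(total, altered, sample):
    """Chance that a uniform sample (without replacement) of `sample` ballots
    contains at least one of the `altered` electronic records."""
    if sample > total - altered:
        return 1.0  # the sample cannot avoid every altered record
    return 1 - comb(total - altered, sample) / comb(total, sample)

def min_sample_size(total, altered, confidence):
    """Smallest sample that catches at least one altered record with the
    requested probability."""
    for n in range(total + 1):
        if detection_probability(total, altered, n) >= confidence:
            return n
    return total

def audit(electronic, paper, sample_size, seed):
    """Hand-compare a random sample of paper ballots with their electronic
    records and return the ballot ids that disagree."""
    rng = random.Random(seed)  # fixed seed only so the example is reproducible
    sampled = rng.sample(sorted(paper), sample_size)
    return [b for b in sampled if electronic.get(b) != paper[b]]

# Constructed data: 10,000 paper ballots, 500 electronic records changed A -> B.
paper = {i: ("A" if i % 2 else "B") for i in range(10_000)}
electronic = dict(paper)
flipped = [i for i in paper if paper[i] == "A"][:500]
for i in flipped:
    electronic[i] = "B"

if __name__ == "__main__":
    n = min_sample_size(len(paper), len(flipped), 0.95)
    print("ballots to inspect for 95% detection:", n)
    print("discrepancies found:", audit(electronic, paper, n, seed=2016))
```

Any discrepancy found in the sample is grounds for escalating to a larger sample or a full hand count of the paper, which is why the paper record has to exist in the first place.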

Where would an adversary attack? The most bang-for-the-buck for a foreign nation-state bent on corrupting our election would be to find a way to tamper with paperless DRE voting systems in a battleground state. So where then? Check out the NYT’s interactive “paths to the White House” page, wherein you can play “what-if” games on which states might have what impact in the Electoral College. The top battleground state is Florida, but thanks in part to the disastrous 2006 election in Florida’s 13th Congressional district, Florida dumped its DRE voting systems for optically scanned paper ballots; it would be much harder for an adversarial cyber attack to go undetected. What about other battleground states? Following the data in the Verified Voting website, Pennsylvania continues to use paperless DREs as does Georgia. Much of Ohio uses DRE systems with “toilet paper roll” printers, where voters are largely unable to detect if anything is printed incorrectly, so we’ll lump them in with the paperless states. North Carolina uses a mix of technologies, some of which are more vulnerable than others. So let’s say the Russians want to rig the election for Trump. If they could guarantee a Trump win in Pennsylvania, Georgia, Ohio, and North Carolina, then a Florida victory could put Trump over the top. Even without conspiracy theories, Florida will still be an intensely fought battleground state, but we don’t need a foreign government making it any worse.

So what should these sensitive states do in the short term? At this point, it’s far too late to require non-trivial changes in election technologies or even most procedures. They’re committed to what they’ve got and how they’ll use it. We could imagine requiring some essential improvements (security patches and updates installed, intrusion detection and monitoring equipment installed, etc.) and even some sophisticated analyses (e.g., pulling voting machines off the line and conducting detailed / destructive analyses of their internal state, going beyond the weak tamper-protection mechanisms presently in place). Despite all of this, we could well end up in a scenario where we conclude that we have unreliable or tampered election data and cannot use it to produce a meaningful vote tally.

Consider also that all an adversary needs to do is raise enough doubt that the loser has seemingly legitimate grounds to dispute the result. Trump is already suggesting that this November’s election might be rigged, without any particular evidence to support this conjecture. This makes it all the more essential that we have procedures that all parties can agree to for recounts, for audits, and for what to do when those indicate discrepancies.

In case of emergency, break glass. If we’re facing a situation where we see tampering on a massive scale, we could end up in a crisis far worse than Florida after the Bush/Gore election of 2000. If we do nothing until after we find problems, every proposed solution will be tinted with its partisan impact, making it difficult to reach any sort of procedural consensus. Nobody wants to imagine a case where our electronic voting systems have been utterly compromised, but if we establish processes and procedures, in advance, for dealing with these contingencies, such as commissioning paper ballots and rerunning the elections in impacted areas, we will disincentivize foreign election adversaries and preserve the integrity of our democracy.

(Addendum: contingency planning was exactly the topic of discussion after Hurricane Sandy disrupted elections across the Northeast in November 2012. It would be useful to revisit whatever changes were made then, in light of the new threat landscape we have today.)

Related reading:

Increasing Civic Engagement Requires Understanding Why People Have Chosen Not to Participate

Last month, I was a poll watcher for the mayoral primary in Washington, DC. My duties were to monitor several polling places to confirm that each Precinct Captain was ensuring that the City’s election laws were being followed on site; in particular, that everyone who believed that they were qualified to vote was able to do so, even if through a provisional ballot. While, thankfully, I did not witness any violations of DC law, I also did not see many voters. The turnout for the election was the lowest since 1974, the beginning of home rule in the District of Columbia. Only 27% of registered voters cast ballots.

Between conversations with friends and neighbors and reading post-mortems on the election, anecdotal evidence abounds as to why turnout was so low.

Information Facilitating Participation in Elections Must Be Readily Available – Principle #10 for Fostering Civic Engagement Through Digital Technologies

For the final installment of my series of blog posts outlining ten principles that governments and local communities should consider when evaluating whether they are using digital technology effectively to facilitate civic engagement, I will discuss the issue that goes to the core of democracy in our country – the public having access to information about elections. The information that facilitates participation in elections comes from a variety of sources, including local governments ensuring that people are easily able to register to vote, politicians using technology for conversations with the public during campaigns, and members of the public using e-mail, blogs and social media to discuss the candidates’ promises.

Technology as a tool for civic engagement has become an increasingly critical aspect of politics, particularly in urban areas. That’s because one of the factors that has affected political discourse, especially in urban areas – race – is diminishing in salience with the public. In a recent NY Times Op-ed, Thomas Edsall asked the question, “What if Race No Longer Matters in City Politics?” He noted the absence of race as a divisive factor in recent elections in Boston, New York, and Los Angeles. Instead, he argued that income and class shaped the mayoral contests in Boston and New York.

As cities move away from racial politics, the vacuum is being filled, at least in part, by both citizens and politicians focusing on lifestyle issues. Right now, arguably there is nothing that reflects people’s lifestyles more than the wireless devices they carry and the content they choose to consume and share through those devices. And some of that content relates to civic engagement. For example, according to a 2013 Pew study, 67% of all 18-24 year olds engaged in some social network-related political activity in the 12 months preceding the survey. Overall, 39% of adults use social media sites for political or civic activities.

Given that citizens are moving their political activities on-line, it is important that state governments make it easier for people to participate in the political process by making on-line voter registration available. Approximately 15 states currently allow on-line voter registration, while approximately 5 more have passed legislation permitting on-line registration. In addition to added convenience, according to the state of Arizona, paper registration costs 83 cents per registration while each on-line registration costs only 3 cents. To be beneficial for the public, though, on-line registration must be secure. CITP Fellow J. Alex Halderman, in an interview with the National Conference of State Legislatures earlier in 2013, recommended “ensuring that security experts are consulted during design [of an on-line registration system], adequate security testing is undertaken before the system goes live, and ongoing monitoring for threat detection efforts [takes place] while the system is being operated.”

In a recent article in Politico, Columbia University Law School professor Tim Wu suggests that voter participation in Congressional primary elections is so low because of the “convenience gap” between voting and many other modern tasks and proposes increasing participation by moving voting on-line. I disagree with Mr. Wu’s solution partially because I think technology can close the “convenience gap” that makes voting seem burdensome by keeping people connected regularly to the civic and political decision-making process. Since people have the ability through digital technology to be extremely selective about the information they choose to consume, governments and political candidates need to use more targeted methods to reach each constituent with information that’s uniquely important to that person. For example, a person who is registered for Capital Bikeshare – the bike sharing service in the Washington, DC metro area – could register to receive text message alerts about community meetings on bike lanes and transportation policy generally. If a particular series of issues is closely tied to a person’s lifestyle and interests, I think that will drive participation. There will be no need to move to on-line voting now, before the security concerns can be addressed.

People who are invested in their local communities need to continue to experiment with ways to boost civic engagement. In advance of a special election for the City Council in Washington, DC this Spring, three popular local bloggers partnered on the “Let’s Choose DC” website, which posed one question per week to all of the eligible candidates. Candidates provided longer-than-a-sound-bite answers to questions about topics such as education, crime, and affordable housing. Readers had the opportunity to vote on the responses. While turnout in the special election was disappointingly low – only 11.32% – participation still improved compared to a 2011 special election that came in at 10.30%. The more that journalists, local businesses, civic activists and government officials recognize the economic and social value of assisting citizens in using technology as a tool for building communities that reflect their members’ needs and aspirations, the stronger local communities will become.