The past few days have revealed that the New York Times, Wall Street Journal, and Washington Post have all been hacked by Chinese government-affiliated organizations, for the purpose of spying on reporters. The Washington Post says that the attacks were detected over a year ago, and had been going on for at least a year before that. Commercial security products like anti-virus did not detect the malware, which isn’t surprising to anyone who is familiar with signature-based schemes. The attacks on major newspapers were significant enough that Krebs on Security quotes Gunnar Petersen saying it would be “more surprising would be a major newspaper outlet that wasn’t hacked by the Chinese”. (This in turn reminded me of the Nixon enemies list, where being omitted from the list was a sign that one was unimportant, and “Newsman Daniel Schorr and [actor] Paul Newman stated, separately, that inclusion on the list was their greatest accomplishment.”.)
So what does this have to do with voting? The NY Times story appeared on Jan 30. On Jan 29, I testified to the Virginia Senate Committee on Privileges and Elections hearing in opposition to SB 830 and 874. These two bills would require the Virginia State Board of Elections to allow military voters to cast their votes via the Internet. (The Patron (sponsor) of 874 said that it was not internet voting, but rather returning the ballot via electronic format, which is to say by email or web site. I fail to see the a meaningful difference between that an internet voting.)
In my testimony, I explained that internet voting is harder than almost any other kind of activity on the internet including banking – and that the only reason we can do banking and other activity online is because of cross-checks and the willingness to accept a level of fraud that’s not possible with voting.
In response to my testimony, representatives of the State Board of Elections were asked by the senators whether they were confident that the system was secure. The SBE representative assured the senators that the system was secure. Unfortunately I was not permitted to respond to that assertion, and the SBE wasn’t challenged why they believe that they can provide the necessary protection.
I continue to be amazed that elected officials can read constant articles about hacking, and yet readily accept the assurances that there will be no problems with internet voting. If the SBE is so good at stopping attacks, perhaps they should supplement their paltry budget by providing security for banks, Federal government agencies like DOD, and the nation’s leading newspapers!
[Errata 4 Feb 2013: Correct SB 984 to be SB 874.]