August 27, 2016

Security against Election Hacking – Part 2: Cyberoffense is not the best cyberdefense!

State and county election officials across the country employ thousands of computers in election administration, most of which are connected (from time to time) to the internet (or exchange data cartridges with machines that are).  In my previous post I explained how we must audit elections independently of the computers, so we can trust the results even if the computers are hacked.

Still, if state and county election computers were hacked, it would be an enormous headache and it would certainly cast a shadow on the legitimacy of the election.  So, should the DHS designate election computers as “critical cyber infrastructure?”

This question betrays a fundamental misunderstanding of how computer security really works.  You as an individual buy your computers and operating systems from reputable vendors (Apple, Microsoft, IBM, Google/Samsung, HP, Dell, etc.).  Businesses and banks (and the Democratic National Committee, and the Republican National Committee) buy their computers and software from the same vendors.  Your security, and the security of all the businesses you deal with, is improved when these hardware and software vendors build products without security bugs in them.   Election administrators use computers that run Windows (or MacOS, or Linux) bought from the same vendors.

Parts of the U.S. government, particularly inside the NSA, have “cyberdefense” teams that analyze widely used software for security vulnerabilities.  The best thing they could do to enhance our security is notify the vendors immediately about vulnerabilities, so the vendors can fix the bugs (and learn their lessons).   Unfortunately, the NSA also has “cyberoffense” teams that like to save up these vulnerabilities, keep them secret, and use them as weak points to break into their adversaries’ computers.  They think they’re so smart that the Russkies, or the Chinese, will never be able to figure out the same vulnerabilities and use them to break into the computers of American businesses, individuals, the DNC or RNC, or American election administrators.  There’s even an acronym for this fallacy: NOBUS.  “NObody But US” will be able to figure out this attack.

Vulnerability lists accumulated by the NSA and DHS probably don’t include a lot of vote-counting software: those lists (probably) focus on widely used operating systems, office and word-processing software, network routers, phone apps, and so on.  But vote-counting software typically runs on widely used operating systems, uses PDF-handling software for ballot printing, and relies on network routers for vote aggregation.  Improvements in these components would improve election security.

So, the “cyberdefense” experts in the U.S. Government could improve everyone’s security, including election administrators, by promptly warning Microsoft, Apple, IBM, and so on about security bugs.  But their hands are often tied by the “cyberoffense” hackers who want to keep the bugs secret—and unfixed.  For years, independent cybersecurity experts have advocated that the NSA’s cyberdefense and cyberoffense teams be split up into two separate organizations, so that the offense hackers can’t deliberately keep us all insecure.   Unfortunately, in February 2016 the NSA did just the opposite: it merged its offense and defense teams together.

Some in the government talk as if “national cyberdefense” is some kind of “national guard” that they can send in to protect a selected set of computers.  But it doesn’t work that way.  Our computers are secure because of the software we purchase and install; we can choose vendors such as Apple, IBM, Microsoft, HP, or others based on their track record or based on their use of open-source software that we can inspect.  The DHS’s cybersecurity squad is not really in that process, except as they help the vendors improve the security of their products.  (See also:  “The vulnerabilities equities process.”)

Yes, it’s certainly helpful that the Secretary of Homeland Security has offered “assistance in helping state officials manage risks to voting systems in each state’s jurisdiction.”  But it’s too close to the election to be fiddling with the election software—election officials (understandably) don’t want to break anything.

But really we should ask: Should the FBI and the NSA be hacking us or defending us?  To defend us, they must stop hoarding secret vulnerabilities, and instead get those bugs fixed by the vendors.

Security against Election Hacking – Part 1: Software Independence

There’s been a lot of discussion of whether the November 2016 U.S. election can be hacked.  Should the U.S. Government designate all the states’ and counties’ election computers as “critical cyber infrastructure” and prioritize the “cyberdefense” of these systems?  Will it make any difference to activate those buzzwords with less than 3 months until the election?

First, let me explain what can and can’t be hacked.  Election administrators use computers in (at least) three ways:

  1. To maintain voter registration databases and to prepare the “pollbooks” used at every polling place to list who’s a registered voter (for that precinct); to prepare the “ballot definitions” telling the voting machines who are the candidates in each race.
  2. Inside the voting machines themselves, the optical-scan counters or touch-screen machines that the voter interacts with directly.
  3. When the polls close, the vote totals from all the different precincts are gathered (this is called “canvassing”) and aggregated together to make statewide totals for each candidate (or district-wide totals for congressional candidates).

Any of these computers could be hacked.  What defenses do we have?  Could we seal off the internet so the Russians can’t hack us?  Clearly not; and anyway, maybe the hacker isn’t the Russians—what if it’s someone in your opponent’s political party?  What if it’s a rogue election administrator?

The best defenses are ways to audit the election and count the votes outside of, independent of the hackable computers.  For example,

[Read more…]

Election security as a national security issue

We recently learned that Russian state actors may have been responsible for the DNC emails leaked to Wikileaks. Earlier this spring, once it became aware of the hack, the DNC hired Crowdstrike, an incident response firm. The New York Times reports:

Preliminary conclusions were discussed last week at a weekly cyberintelligence meeting for senior officials. The Crowdstrike report, supported by several other firms that have examined the same bits of code and telltale “metadata” left on documents that were released before WikiLeaks’ publication of the larger trove, concludes that the Federal Security Service, known as the F.S.B., entered the committee’s networks last summer.

President Obama added that “on a regular basis, [the Russians] try to influence elections in Europe.” For the sake of this blog piece, and it’s not really a stretch, let’s take it as a given that foreign nation-state actors including Russia have a large interest in the outcome of U.S. elections and are willing to take all sorts of unseemly steps to influence what happens here. Let’s take it as a given that this is undesirable and talk about how we might stop it.

It’s bad enough to see foreign actors leaking emails with partisan intent. To make matters worse, Bruce Schneier, in a Washington Post op-ed, and many other security experts before him have worried about our voting systems themselves being hacked. How bad could this get? Several companies are now offering Internet-based voting systems alongside apparently unfounded claims as to their security. In one example, Washington D.C. looked at using one such system for its local elections and had a “pilot” in 2010, wherein the University of Michigan’s Alex Halderman and his students found and exploited significant security vulnerabilities. Had this system been used in a real election, any foreign nation-state actor could have done the same. Luckily, these systems aren’t widely used.

How vulnerable are our nation’s election systems, as they’ll be used this November 2016, to being manipulated by foreign nation-state actors? The answer depends on how close the election will be. Consider Bush v. Gore in 2000. If an attacker, knowing it would be a very close election, had found a way to specifically manipulate the outcome in Florida, then their attack could well have had a decisive impact. Of course, predicting election outcomes is as much an art as a science, so an attacker would need to hedge their bets and go after the voting systems in multiple “battleground” states. Conversely, there’s no point in going after highly polarized states, where small changes will have no decisive impact. As an attacker, you want to leave a minimal footprint.

How good are we at defending ourselves? Will cyber attacks on current voting systems leave evidence that can be detected prior to our elections? Let’s consider the possible attacks and how our defenses might respond.

Voter de-registration: The purpose of many attacks is simply to break things. Applied with partisan intent, you’d want to break things for one party more than the other. The easiest attack would be to hack a voter registration system, deleting voters who you believe are likely to support the candidate you don’t like. For voters who have registered for a political party, you know everything you need to know for who to delete. For independent voters you can probabilistically infer their political opinions based on how their local precinct votes and on other demographic variables. (Political scientists do this sort of thing all the time.) Selectively destroying voter registration databases is likely to be recoverable. Such voters could demand to vote “provisional ballots” and those ballots would get counted as normal, once the voter registration databases were restored.

Vote flipping: A nastier attack would require an attacker to access the computers inside DRE voting systems. (“Direct recording electronic” systems are typically touch-screen computers with no voter-verifiable paper trail. The only record of a voter’s ballot is stored electronically, inside the computer.) These voting systems are typically not connected to the Internet, although they do connect to election management computers, and those sometimes use modems to gather data from remote precincts. (Details vary from state to state and even county to county.) From the perspective of a nation-state cyber attacker, a modem might as well be a direct connection to the Internet. Once you can get malware into one of these election management computers, you can delete or flip votes. If you’re especially clever, you can use the occasional connections from these election management computers to the voting machines and corrupt the voting machines themselves. (We showed how to do this sort of viral attack as part of the California Top to Bottom Review in 2007.)

With paperless DRE systems, attacked by a competent nation-state actor, there will be no reason to believe any of the electronic records are intact, and a competent attacker would presumably also be good enough to clean up on their way out, so there wouldn’t necessarily even be any evidence of the attack.

The good news is that paperless DRE systems are losing market share and being replaced slowly-but-surely with several varieties of paper-ballot systems (some hand-marked and electronically scanned, others machine-marked). A foreign nation-state adversary can’t reach across the Internet and change what’s printed on a piece of paper, which means that a post-election auditing strategy to compare the electronic results to the paper results can efficiently detect (and thus deter) electronic tampering.
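As an added illustration of this audit strategy (example code written for this page, not from the original post or from any real election system): a toy ballot-comparison audit in which the electronic cast vote records are checked against a random sample of the paper ballots, so that any tampered electronic record that lands in the sample shows up as a discrepancy. The candidate names, ballot count and number of altered records are all constructed; `sample_size_to_detect` assumes sampling with replacement, while `miss_probability` gives the exact without-replacement figure.

```python
"""
Ballot-comparison audit toy model (added example, not from the original post).

Software independence in practice: the electronic tally (cast vote records,
CVRs) is checked against a random sample of the paper ballots it claims to
describe.  An attacker who alters the electronic records cannot alter the
paper, so any altered record that lands in the sample is a discrepancy.
All election data below is constructed for illustration.
"""
import math
import random
from collections import Counter

# Hypothetical names: two candidates in a single constructed contest.
CANDIDATES = ("Alice", "Bob")


def sample_size_to_detect(altered_fraction: float, confidence: float) -> int:
    """Smallest sample size such that, sampling with replacement, the chance
    of drawing at least one altered record is >= confidence.
    Solves 1 - (1 - p)^n >= confidence for n."""
    if not 0 < altered_fraction < 1 or not 0 < confidence < 1:
        raise ValueError("fractions must lie strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - altered_fraction))


def miss_probability(total: int, altered: int, sample: int) -> float:
    """Exact probability (sampling without replacement) that a random sample
    of `sample` ballots contains none of the `altered` records."""
    if sample > total - altered:
        return 0.0  # pigeonhole: the sample must contain an altered record
    prob = 1.0
    for i in range(sample):
        prob *= (total - altered - i) / (total - i)
    return prob


def comparison_audit(cvrs, paper, indices):
    """Compare the electronic record to the paper ballot for each sampled
    index.  Returns a list of (ballot_index, electronic, paper) discrepancies."""
    return [(i, cvrs[i], paper[i]) for i in indices if cvrs[i] != paper[i]]


def simulate(total=10_000, altered=300, confidence=0.999, seed=2016):
    """Constructed election: paper ballots are ground truth; the electronic
    CVRs are then tampered with by flipping `altered` Alice votes to Bob."""
    rng = random.Random(seed)
    paper = [rng.choice(CANDIDATES) for _ in range(total)]
    cvrs = list(paper)
    alice_ballots = [i for i, v in enumerate(paper) if v == "Alice"]
    for i in rng.sample(alice_ballots, altered):
        cvrs[i] = "Bob"  # the attacker edits the electronic record only

    n = sample_size_to_detect(altered / total, confidence)
    sample = rng.sample(range(total), n)
    found = comparison_audit(cvrs, paper, sample)
    return {
        "reported": Counter(cvrs),
        "sample_size": n,
        "miss_probability": miss_probability(total, altered, n),
        "discrepancies": len(found),
    }


if __name__ == "__main__":
    result = simulate()
    print(f"Reported electronic tally: {dict(result['reported'])}")
    print(f"Audited {result['sample_size']} paper ballots; chance of missing "
          f"every altered record: {result['miss_probability']:.4f}")
    print(f"Discrepancies found: {result['discrepancies']}")
```

Note that the audit needs no knowledge of which records were altered: a 3% alteration is caught with 95% confidence by inspecting about 99 paper ballots out of 10,000, which is why random paper audits deter electronic tampering so cheaply.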

Where would an adversary attack? The most bang-for-the-buck for a foreign nation-state bent on corrupting our election would be to find a way to tamper with paperless DRE voting systems in a battleground state. So where then? Check out the NYT’s interactive “paths to the White House” page, wherein you can play “what-if” games on which states might have what impact in the Electoral College. The top battleground state is Florida, but thanks in part to the disastrous 2006 election in Florida’s 13th Congressional district, Florida dumped its DRE voting systems for optically scanned paper ballots; it would be much harder for an adversarial cyber attack to go undetected. What about other battleground states? Following the data in the Verified Voting website, Pennsylvania continues to use paperless DREs as does Georgia. Much of Ohio uses DRE systems with “toilet paper roll” printers, where voters are largely unable to detect if anything is printed incorrectly, so we’ll lump them in with the paperless states. North Carolina uses a mix of technologies, some of which are more vulnerable than others. So let’s say the Russians want to rig the election for Trump. If they could guarantee a Trump win in Pennsylvania, Georgia, Ohio, and North Carolina, then a Florida victory could put Trump over the top. Even without conspiracy theories, Florida will still be an intensely fought battleground state, but we don’t need a foreign government making it any worse.

So what should these sensitive states do in the short term? At this point, it’s far too late to require non-trivial changes in election technologies or even most procedures. They’re committed to what they’ve got and how they’ll use it. We could imagine requiring some essential improvements (security patches and updates installed, intrusion detection and monitoring equipment installed, etc.) and even some sophisticated analyses (e.g., pulling voting machines off the line and conducting detailed / destructive analyses of their internal state, going beyond the weak tamper-protection mechanisms presently in place). Despite all of this, we could well end up in a scenario where we conclude that we have unreliable or tampered election data and cannot use it to produce a meaningful vote tally.

Consider also that all an adversary needs to do is raise enough doubt that the loser has seemingly legitimate grounds to dispute the result. Trump is already suggesting that this November’s election might be rigged, without any particular evidence to support this conjecture. This makes it all the more essential that we have procedures that all parties can agree to for recounts, for audits, and for what to do when those indicate discrepancies.

In case of emergency, break glass. If we’re facing a situation where we see tampering on a massive scale, we could end up in a crisis far worse than Florida after the Bush/Gore election of 2000. If we do nothing until after we find problems, every proposed solution will be tinted with its partisan impact, making it difficult to reach any sort of procedural consensus. Nobody wants to imagine a case where our electronic voting systems have been utterly compromised, but if we establish processes and procedures, in advance, for dealing with these contingencies, such as commissioning paper ballots and rerunning the elections in impacted areas, we will disincentivize foreign election adversaries and preserve the integrity of our democracy.

(Addendum: contingency planning was exactly the topic of discussion after Hurricane Sandy disrupted elections across the Northeast in November 2012. It would be useful to revisit whatever changes were made then, in light of the new threat landscape we have today.)

Increasing Civic Engagement Requires Understanding Why People Have Chosen Not to Participate

Last month, I was a poll watcher for the mayoral primary in Washington, DC. My duties were to monitor several polling places to confirm that each Precinct Captain was ensuring that the City’s election laws were being followed on site; in particular, that everyone who believed that they were qualified to vote was able to do so, even if through a provisional ballot. While, thankfully, I did not witness any violations of DC law, I also did not see many voters. The turnout for the election was the lowest since 1974, the beginning of home rule in the District of Columbia. Only 27% of registered voters cast ballots.

Between conversations with friends and neighbors and reading post-mortems on the election, anecdotal evidence abounds as to why turnout was so low. [Read more…]

Information Facilitating Participation in Elections Must Be Readily Available – Principle #10 for Fostering Civic Engagement Through Digital Technologies

For the final installment of my series of blog posts outlining ten principles that governments and local communities should consider when evaluating whether they are using digital technology effectively to facilitate civic engagement, I will discuss the issue that goes to the core of democracy in our country – the public having access to information about elections. The information that facilitates participation in elections comes from a variety of sources, including local governments ensuring that people are easily able to register to vote, politicians using technology for conversations with the public during campaigns, and members of the public using e-mail, blogs and social media to discuss the candidates’ promises.

Technology as a tool for civic engagement has become an increasingly critical aspect of politics, particularly in urban areas. That’s because one of the factors that has affected political discourse, especially in urban areas – race – is diminishing in salience with the public. In a recent NY Times Op-ed, Thomas Edsall asked the question, “What if Race No Longer Matters in City Politics?” He noted the absence of race as a divisive factor in recent elections in Boston, New York, and Los Angeles. Instead, he argued that income and class shaped the mayoral contests in Boston and New York.

As cities move away from racial politics, the vacuum is being filled, at least in part, by both citizens and politicians focusing on lifestyle issues. Right now, arguably there is nothing that reflects people’s lifestyles more than the wireless devices they carry and the content they choose to consume and share through those devices. And some of that content relates to civic engagement. For example, according to a 2013 Pew study, 67% of all 18-24 year olds engaged in some social network-related political activity in the 12 months preceding the survey. Overall, 39% of adults use social media sites for political or civic activities.

Given that citizens are moving their political activities on-line, it is important that state governments make it easier for people to participate in the political process by making on-line voter registration available. Approximately 15 states currently allow on-line voter registration, while approximately 5 more have passed legislation permitting on-line registration. In addition to added convenience, according to the state of Arizona, paper registration costs 83 cents per registration while each on-line registration costs only 3 cents. To be beneficial for the public though, on-line registration must be secure. CITP Fellow J. Alex Halderman, in an interview with the National Conference of State Legislatures earlier in 2013 recommended, “ensuring that security experts are consulted during design [of an on-line registration system], adequate security testing is undertaken before the system goes live, and ongoing monitoring for threat detection efforts [takes place] while the system is being operated.”

In a recent article in Politico, Columbia University Law School professor Tim Wu suggests that voter participation in Congressional primary elections is so low because of the “convenience gap” between voting and many other modern tasks and proposes increasing participation by moving voting on-line. I disagree with Mr. Wu’s solution partially because I think technology can close the “convenience gap” that makes voting seem burdensome by keeping people connected regularly to the civic and political decision-making process. Since people have the ability through digital technology to be extremely selective about the information they choose to consume, governments and political candidates need to use more targeted methods to reach each constituent with information that’s uniquely important to that person. For example, a person who is registered for Capital Bikeshare – the bike sharing service in the Washington, DC metro area – could register to receive text message alerts about community meetings on bike lanes and transportation policy generally. If a particular series of issues is closely tied to a person’s lifestyle and interests, I think that will drive participation. There will be no need to move to on-line voting now, before the security concerns can be addressed.

People who are invested in their local communities need to continue to experiment with ways to boost civic engagement. In advance of a special election for the City Council in Washington, DC this spring, three popular local bloggers partnered on the “Let’s Choose DC” website, which posed one question per week to all of the eligible candidates. Candidates provided longer-than-a-sound-bite answers to questions about topics such as education, crime, and affordable housing. Readers had the opportunity to vote on the responses. While turnout in the special election was disappointingly low – only 11.32% – participation still improved compared to a 2011 special election that came in at 10.30%. The more that journalists, local businesses, civic activists and government officials recognize the economic and social value of assisting citizens in using technology as a tool for building communities that reflect their members’ needs and aspirations, the stronger local communities will become.

Internet Voting Snafu at USRowing

USRowing, the governing body for the sport of rowing in the U.S., recently announced the discovery of likely fraud in one of its leadership elections.

Further investigation into this region’s voting resulted in the determination that fraudulent ballots were cast in the Mid-Atlantic election that directly affected the outcome of the Mid-Atlantic Regional Director of the Board of Directors election only. Those responsible for the fraudulent ballots have not yet been identified.

[Read more…]

Internet Voting Security: Wishful Thinking Doesn’t Make It True

[The following is a post written at my invitation by Professor Duncan Buell from the University of South Carolina. Curiously, the poll Professor Buell mentions below is no longer listed in the list of past & present polls on the Courier-Journal site, but is available if you kept the link.]

On Thursday, March 21, in the midst of Kentucky’s deliberation over allowing votes to be cast over the Internet, the daily poll of the Louisville Courier-Journal asked the readers, “Should overseas military personnel be allowed to vote via the Internet?” This happened the day before their editorial rightly argued against Internet voting at this time.

One of the multiple choice answers was “Yes, it can be made just as secure as any balloting system.” This brings up the old adage, “we are all entitled to our own opinions, but we are not entitled to our own facts.” The simple fact is that Internet voting is possible – but it is definitely NOT as secure as some other balloting systems. This is not a matter of opinion, but a matter of fact. Votes cast over the Internet are easily subject to corruption in a number of different ways.

To illustrate this point, two colleagues, both former students, wrote simple software scripts that allowed us to vote multiple times in the paper’s opinion poll. We could have done this with repeated mouse clicks on the website, but the scripts allowed us to do it automatically, and by night’s end we had voted 60,000 times. The poll vendor’s website claims that it blocks repeated voting, but that claim is clearly not entirely true. We did not break in to change the totals. We did not breach the security of the Courier-Journal’s computers. We simply used programs instead of mouse clicks to vote on the poll website itself.
[Read more…]

White House Statement on Cell Phone Unlocking: A First Step Toward DMCA Reform?

Yesterday, the White House officially responded to the online petition to “Make Unlocking Cell Phones Legal,” which garnered more than 100,000 signatures in under 30 days. The Administration’s headline was emphatic: “It’s Time to Legalize Cell Phone Unlocking.” The tech press heralded this significant but symbolic first step in addressing some of the most egregious shortcomings of the Digital Millennium Copyright Act (DMCA). I hope the White House’s response signals a new chapter in the struggle to regain the freedom to innovate, research, create, and tinker. Last week, I discussed the petition and its context with Derek Khanna, who has been a champion of the cause. You can watch the video here:

As Derek pointed out, this battle is connected to a much larger policy problem: the DMCA bans many practices that are good for society–and without clear counterbalancing benefits. Reading the White House statement, it is hard to tell whether the Administration appreciates this fact.
[Read more…]

How much does a botnet cost, and the impact on internet voting

A brief article on how much botnets cost to rent (more detail here) shows differing prices depending on whether you want US machines, European machines, etc. Interestingly, the highest prices go to botnets composed of US machines, presumably because the owners of those machines have more purchasing power and hence stealing credentials from those machines is more valuable. Even so, the value of each machine is quite low – $1000 for 10,000 infected US machines vs. $200 for 10,000 random machines around the world. [Reminds me of my youth where stamp collectors could get packets of random canceled stamps at different prices for “world” vs. specific countries – and most of the stuff in the world packets was trash.]

So what does this have to do with voting? Well, at $1000 for 10,000 infected American machines, the cost is $0.10/machine, and less as the quantity goes up. If I can “buy” (i.e., steal) votes in an internet voting scheme for $0.10 each, that’s far cheaper than any form of advertising. In a hard-fought election I’ll get a dozen fliers for each candidate on the ballot, each of which probably costs close to $1 when considering printing, postage, etc. So stealing votes is arguably 100 times cheaper (assuming that a large fraction of the populace were to vote by internet), even when considering the cost of developing the software that runs in the botnet.

Granted, not every machine in a botnet would be used for voting, even under the assumption that everyone voted by internet. But even if only 10% of them are, the cost per vote is still very “reasonable” under this scenario.

And as John Sebes responded to an earlier draft of this posting:

“You compared digital vote stealing costs to the costs of mere persuasion. What about the costs of analog vote stealing? It’s all anecdotal of course but I do hear that the going rate is about $35 from an absentee vote fraudster to a voter willing to sell a pre-signed absentee ballot kit. Even if the bad guys have to spend 100 of those dimes to get a 1-in-a-hundred machine that’s used for i-voting, that $10 is pretty good because $10 is cheaper than $35 and it saves the trouble of paying the gatherers who are at risk for a felony.”

My NYT Op-Ed: “Beware the Smart Campaign”

I just published a new opinion piece in the New York Times, entitled “Beware the Smart Campaign”. I react to the Obama campaign’s successful use of highly quantitative voter targeting that is inspired by “big data” commercial marketing techniques and implemented through state-of-the-art social science knowledge and randomized field experiments.  In the op-ed, I wonder whether the “persuasion score” strategy championed by Jim Messina, Obama’s campaign manager, is on balance good for democracy in the long run.

Mr. Messina is understandably proud of his team, which included an unprecedented number of data analysts and social scientists. As a social scientist and a former computer programmer, I enjoy the recognition my kind are getting. But I am nervous about what these powerful tools may mean for the health of our democracy, especially since we know so little about it all.

For all the bragging on the winning side — and an explicit coveting of these methods on the losing side — there are many unanswered questions. What data, exactly, do campaigns have on voters? How exactly do they use it? What rights, if any, do voters have over this data, which may detail their online browsing habits, consumer purchases and social media footprints?

You can read the full article here.

The argument in an op-ed is necessarily concise and leaves out much of the nuance but I think this is an important question facing democracies.  The key to my argument is that big data analytics + better social science isn’t just the same old, same old but poses novel threats to healthy public discourse.  I welcome feedback and comments as we are just starting to grapple with these new developments!