Election Engineering: How US Cybersecurity Experts Are Making Sure Your Vote Will Count
PC Magazine|September 2020
In 2016, we saw how foreign powers could affect US elections. Now the nation is scrambling to secure the system in the midst of a pandemic.

In February, the 2020 RSA security conference quickly settled on a cohesive narrative: America had, more or less, figured out how to do secure elections. Fears of hacked voting machines were fading away, with new challenges such as protecting electronic voting rolls and mass disinformation campaigns from foreign powers taking up far more airtime.

The problem this year will not be voting machines, at least not according to Tod Beardsley, Rapid7’s Director of Research. “They’re no longer the villain; more of a reluctant ally,” said Beardsley. “If that were the attack we had to worry about, we’d be so far ahead of the game.”

Beardsley is more concerned about the possibility of ransomware locking up critical voter data and creating chaos on Election Day. Indeed, the coming election will almost certainly face a host of threats, from foreign-sponsored disinformation campaigns to the logistics of counting the inevitable surge of pandemic-driven mail-in ballots. How can Americans be sure their votes are secure and accurately counted? The nation’s top security experts have been working on that.


The embarrassing confusion of the 2000 US Presidential election led to some reforms in 2002 with the Help America Vote Act, which pushed states to adopt more modern methods of voting and did away with hanging chads and other grim reminders of the past. Newer voting equipment, however, doesn’t always mean more secure equipment. When researcher Carsten Schuermann examined WinVote voting machines, which were used in the commonwealth of Virginia from 2004 to 2014, he found a security disaster. They ran on an unpatched version of Windows XP; the password for their wireless functionality was “abcde”; and, curiously, they contained audio-ripping software and a Chinese MP3.

Even so, security problems with US elections remained largely theoretical until 2016, when we experienced a massive influence campaign that would eventually be traced back to Russia. Hackers purloined emails from the Democratic National Committee and leaked them slowly for weeks, adding fuel to an already contentious election. Other Russian elements engaged in a massive campaign primarily through social media that fed bogus information to voters and widened societal rifts.

Less well known was an effort by Russia to attack election infrastructure. The Senate’s Select Committee on Intelligence determined that “The Russian government directed extensive activity, beginning in at least 2014 and carrying into at least 2017, against U.S. election infrastructure at the state and local level.”

The Senate report defines the attacked infrastructure as more than just voting machines: “storage facilities, polling places, and centralized vote tabulation locations used to support the election process, and information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf of state and local governments.” Attacks are suspected to have happened against all 50 states, although the consensus is that no votes were changed.

The Senate report speculated that Russia may have been probing for vulnerabilities to exploit later—but also may have aimed to undermine confidence in the election results. Whether an effort at fraud was defeated or it was simply meant as a shot across the bow, our democracy was cut open and laid bare.

In 2018, Congress appropriated $380 million in grant money for the states to bolster cybersecurity and replace voting machines they believed were vulnerable to manipulation. But even with a Congressional mandate and solid solutions to secure elections, getting those changes implemented would have been a daunting task—even without a global pandemic.


Under normal circumstances, Matt Blaze would have taken to the August 2020 Black Hat stage in Las Vegas, surrounded by lasers and fog machines, in front of a crowd of thousands. But Black Hat was held remotely this year. Blaze, the McDevitt Chair in Computer Science and Law at Georgetown University, laid out the “gold standard” for election security in his keynote address.

According to Blaze, the solution to secure elections has two parts. The first half is software independence, which means an undetected change or error in the software of a voting machine shouldn’t cause an undetectable change or outcome in the final vote cast. In practice, this means paper ballots or some kind of auditable trail.

How widespread paper ballots will be in 2020 is complicated by the fact that individual jurisdictions within the same state can have different voting systems. According to Verified Voting, 65.5 percent of registered voters will hand-mark a paper ballot, and only 14 percent of voters will use an entirely electronic voting machine, although some may produce paper trails. And 20.5 percent of voters will use a digital machine to mark a paper ballot.

In his speech, Blaze pointed to Florida’s hand recount and hanging chads in the 2000 Presidential election. At the time, it was embarrassing, but Blaze pointed out that those notorious ballots could be examined by humans who were able to discern something about the voter’s intent that the optical machine reading the ballot failed to understand.

It might be easy to dismiss any computerized presence in voting as too dangerous, but doing so isn’t helpful. For instance, electronic voting machines can make it much easier for disabled and elderly voters to cast their ballots. While there are many issues with digital election security, the benefits cannot be ignored.


The second critical improvement to elections that Blaze described at Black Hat is the risk-limiting audit, originally developed by Philip Stark. This builds from the idea of software independence and paper ballots. Once you have that paper trail, you need an effective means of confirming the outcome of an election.

