Posted by Taylor Armerding on November 9, 2018
Election security requires that voters trust the results. But many U.S. electronic voting systems are demonstrably insecure, and therefore untrustworthy. What are we doing about it?
The original version of this article was published in Forbes.
Surely you’ve heard of “Rock the Vote.” Maybe you should be hearing about “Secure the Vote” as well. Not as catchy, but it could be more important.
Because next week's midterm elections will be crucial, and not only because they will determine which party controls the House and the Senate and who holds gubernatorial seats around the country.
Something else makes them crucial—credibility. If elections are to settle anything, voters have to trust the results. It’s not just a matter of convincing winners that they won—that’s easy. It’s also convincing losers, and their supporters, that they lost, fair and square.
And there are escalating concerns about that, because many U.S. electronic voting systems are demonstrably insecure.
Yes, there have always been occasional charges of electoral meddling. There is no way, in any human endeavor, to guarantee an airtight, bulletproof system of anything. But overall, the large majority of American voters have trusted that election results were credible.
That is no longer a given. And it’s not just because of efforts in 2016, allegedly by Russia, to manipulate public opinion on social media or to hack the Democratic National Committee and steal a trove of internal communications. It’s also the credibility of the digital equipment that records and tallies the votes.
So far, government officials have repeatedly said there is “no evidence” of any malicious tampering with vote counts in previous elections. But as Matt Blaze, computer science professor at the University of Pennsylvania and a voting machine security expert, told the New York Times just a week ago, that lack of evidence is “less comforting than it might sound at first glance, because we haven’t looked very hard.”
And even if experts did look very hard, “It’s possible to do a pretty good job of erasing all the forensic evidence,” he said.
Beyond that, as the Associated Press noted earlier this week, the top three vendors of electronic voting systems—ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver, Colorado; and Hart InterCivic of Austin, Texas, which collectively control more than 80% of the market—tenaciously resist transparency. They won’t allow open-ended vulnerability testing by independent, white hat hackers, and won’t make public the results of any testing they have commissioned themselves. Two of the three won’t even say who’s doing the testing.
But various “freelance” testing has revealed ominous vulnerabilities. Brian Varner, a security researcher with Symantec, wrote just this past week that he bought a couple of voting machines used in the 2016 election, and found that “tamper-proof screws didn’t work, all the computing equipment was still intact, and the hard drives had not been wiped.”
“The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, was not encrypted,” he wrote.
Varner said an attacker would need physical access to a machine to exploit it, and noted that there are now internal policies to inspect machines for evidence of tampering. Still, he said his team had been able to compromise a machine’s smart chip card, allowing them to vote multiple times.
“In most parts of the public and private sector, it would be unthinkable that such a sensitive process would be so insecure,” he wrote.
And government, at least so far, hasn’t forced the matter.
The Election Assistance Commission, an independent federal agency of about 30 employees that runs the voluntary testing and certification program for voting equipment, has multiple lists of recommended best practices, but compliance is voluntary, not mandatory. It has no oversight power and can’t sanction manufacturers for any failures.
This in spite of the fact that election systems were declared in January 2017 to be part of the nation’s critical infrastructure.
Add to that the reality that the U.S. election system is not a single entity—there are more than 10,000 voting jurisdictions. Conducting rigorous oversight of all of them calls to mind herding cats.
Also, in recent years there have been numerous reports of dysfunctions in electronic voting systems, among them the exposure by ES&S on an Amazon server of the sensitive personal data of about 1.8 million Chicago voters.
And this week brought word that 81.5 million voter records from 20 states were for sale on the dark web.
These exposures, and others, are likely due in significant measure to what experts tell the AP is “abundant evidence of sloppy software development.”
Some of that evidence comes from participants in The Voting Village at the past couple of DEF CONs in Las Vegas, who have had little trouble breaking into current electronic voting systems.
Indeed, here’s a list of just some of the things that experts told both AP and the New York Times that malicious or hostile actors could do:
Given all that, should voters trust that their votes will be counted, and counted accurately?
For Cory Doctorow, journalist, blogger, author, activist, and Internet of Things expert, the answer is an emphatic no. In a comment on Varner’s post, he wrote on his Boing Boing blog, “Voting machines are terrible in every way: the companies that make them lie like crazy about their security, insist on insecure designs, and produce machines that are so insecure that it’s easier to hack a voting machine than it is to use it to vote.”
Others are more nuanced in their criticism, but acknowledge that the problems are serious.
Thomas Richards, associate principal consultant at Synopsys, said he has two primary concerns. “First, there is no standard, either at the federal or state levels, defining what a secure voting system should be,” he said. “There are no secure coding guidelines and the system hardening guidelines are very scarce.”
And second: “From my time in the DEF CON Voting Village, to our knowledge the voting systems have not undergone a holistic security test. Individual pieces have been tested, but not all at once.
“Vendors should be required to have their entire systems, including back-end systems, undergo a thorough penetration test and security review before they can be used for capturing live votes,” he said.
And Mark Hughes, CEO of BT Security, who was a keynote speaker at Wednesday’s Securing the Enterprise conference at MIT in Cambridge, Massachusetts, agreed that there should be requirements, not voluntary “recommendations,” for third parties that are providing critical services to government.
“With any system, you have to be aware of the risk,” he said in an interview. “From that should flow a set of requirements.
“It isn’t just about technology either,” he added. “It’s people, processes, and technology that gives you your risk environment.”
Travis Biehn, technical strategist at Synopsys, cites the reality that no human system can be trusted completely. To have such a system “would involve an association of every natural person with a cryptographic identity, and relying on recording the outcomes of those,” he said, adding that a lack of certainty about the results is “nothing new.”
Still, the credibility of electronic voting systems ought to be, and could be, a lot better. “You’ve got an incumbent vendor who spent enough lobbying to stay incumbent, with no visibility,” he said.