September 27, 2017 —
Main point: Public officials must keep the public both safe and calm.
The danger is when election officials’ goal is reassurance, not safety.
Yesterday’s Wisconsin Elections Commission (WEC) meeting was packed with more cameras than I’d ever seen there. A few days earlier, the federal Department of Homeland Security announced that Russian-government backed hackers had tested the security of Wisconsin’s online voter registration system. They hadn’t gotten in. The ‘attack’ was, the computer experts say, like jiggling a locked door knob.
What voters get: “As you can see, it’s a beautiful day, the beaches are open and people are having a wonderful time.” – Mayor Vaughn, to a reporter.
“I don’t get it.” I told a reporter as the meeting got under way. “What’s the news here? Hackers are continuously testing every computer system. The Russian government is known for cybercrime. It would be news if they were not testing the security of our elections systems.”
I don’t remember his response, other than it wasn’t convincing. I fear the real answer is that his editors know which stories get the web clicks.
The facts that WEC shared were as I expected. State officials from the WEC and the Wisconsin Division of Enterprise Technology (DET) explained their system of continuous defense against hacking of our voter registration system (which is separate from the tabulation system, also known as the voting machines). Millions of efforts to get into the registration system are detected every week, from anonymous Internet addresses all over the world. Unrecognized addresses are locked out and if that fails, any unauthorized changes will be promptly noticed and reversed. If that fails, daily backups are made so that if some malicious code ever causes the system suddenly to garble or erase our voter registrations on election morning, a correct version can be quickly brought up. If that fails, paper backups are printed immediately before each Election Day.
State officials were convincingly competent and straightforward. The story that later appeared in the paper made the federal officials, not the state ones, look like the Keystone Cops.
WEC and DET took the opportunity to explain the security of our voter registration system to the press—while the press was willing to listen. When officials are keeping us safe, reassuring the public is usually as easy and effective as just telling the truth.
The officials’ explanation about our voter registration system confirmed my trusting assumptions about its security.
But the security of our vote-counting software is a completely different story.
Our election officials’ silence about security for that system should be a dead giveaway there’s a shark in the water.
Like ‘baby’ in a pop song, election officials’ yesterday continuously repeated “We’re talking about the voter-registration system, not the vote-counting systems.” The reporters’ keyboards clicked along to the beat. Yeah, yeah, yeah. None seemed to notice the story within that silence on the vote-counting software.
Here’s why we don’t get convincing, impressive descriptions of the security system for our voting machines: Because it doesn’t exist. At least when sharks are eating tourists, someone notices. But if anyone is hacking our voting machines, their crimes would go undetected as we swear their chosen victors into office.
Reassuring spin: “We’ve seen no evidence of tampering with the vote-counting system.” The furor about Russian testing of our voter-registration system’s security was made possible by federal officials’ looking for it. No one–local, state, or federal–reviews Wisconsin’s election results to make sure they are accurate. None of them make any efforts to detect any doorknob jiggling of our vote-counting software, which is proprietary and controlled by the voting-machine companies.
Reassuring spin: “Our decentralized vote-counting system makes hacking unlikely.” After the vote-counting software is produced at the companies, it’s downloaded to the dozens of computers that will be used to design the ballots for each election and to tell the voting machines how to read those ballots. These are the ‘election management systems’ that reside at the vendor’s regional offices, the voting-machine service companies like Command Central, and in the offices of county election officials.
When election officials talk about the security of the vote-counting systems, they often refer to this decentralization. They say it makes the system harder to hack.
But they cannot possible imagine that, to tip a statewide race, a hacker would need to design a hack specifically for every type of voting machine used in Wisconsin and alter the results in every county. You can see the silliness of that–What’s Russian for “Darn it, we missed Forest County. Well, maybe next year.”? There are enough votes in Milwaukee County alone, or a few other counties, to control the outcome of most statewide races.
Not only does the decentralization provide little protection, it multiplies the possible entry points and places them in the physical control of an army of people with no particular IT security expertise, and often no access to any.
After the software is downloaded to the local election-management computers, it’s revised for each new election and then copied onto removable drives–typically, the same sort of USB drive you can buy at the drugstore. The drives are then handed off to the municipal clerks, who load the software onto each voting machine.
On Election Day, it’s in the physical control of the poll workers. At this point, we should probably be hoping that the possessors of the software have no IT expertise, rather than wishing that they did.
Between elections, the vote-counting computers are stored in very town, village, and city in the state, under conditions that the election officials themselves don’t always control.
No one exercises any oversight of this disjointed system. Computer security expert Bruce Schneier told NPR’s Science Friday that federal voting-system security standards were outdated long ago, and no one is now exercising any oversight even if the standards were current. Vendors can coach county clerks on how to maintain security, but they have no way of knowing whether the clerks follow their instructions. To my knowledge (and I asked when I can), no state or local official ever attempts to oversee or even ask about voting-machine company security. They wouldn’t know how to evaluate it if they did, or any authority to force corrections.
Johns Hopkins University Computer Security Professor Aviel Rubin made a point of contacting the major voting-machine companies who count America’s votes. He reported “I have yet to meet an American voting system manufacturer that employs even one full-time trained expert in computer security.”
Reassuring spin: “Our voting machines are never connected to the Internet.” This used to be true, but there’s no machine on the market anymore without the capability of electronically transmitting results after the polls close. That, however, is not and never was the big risk. Connecting a voting machine to the Internet or to a cell phone tower after the polls close doesn’t give a hacker any opportunity to alter a hard-copy poll tape you’ve already printed. Having observed more poll-closings than I can count and several canvass meetings, I can vouch for the fact that is the one hack our election officials would likely detect and could easily correct.
The vulnerability comes before the votes are counted, not after. The big risk of manipulation–in fact the one that forensic IT security experts deem the greatest–doesn’t come from the Internet at all, but from insiders with authorized access to the software. Because no state or local election officials have the authority or ability to inspect the vote-tabulating software for integrity, even lightly sophisticated individuals–at the voting machine company, the service company, the local official’s office, or anywhere along the chain of custody–could alter the software and not be noticed. Thousands of people have authorized access to our vote-counting software or hardware between every election. Many of them, in the testing laboratories, voting-machine companies and service companies, understand the code. Many of the others likely can be bought–they are humans.
But hackers without authorized access can get in. The vote-counting software is created, updated, and maintained not on each individual voting machine, but on computers that are almost certainly, at some time, connected to the Internet.
And local election officials have no way to tell whether and when the individual voting machines are communicating with other machines. Wireless communications capability can be installed inside any computer or voting machine–antenna and all–without their knowledge and controlled by anyone within transmission range. Local election officials never inspect the insides of the voting machines for surreptitiously installed wireless cards, and few would know what to look for if they did.
Reassuring spin: “No election has ever been hacked.” The truth is, our election officials wouldn’t know if one had. They don’t use the one practical opportunity–checking the results against the paper ballots–to check the system’s integrity. If any election ever has been hacked, it’s likely no one noticed.
What voters need: “Smile, you son of a bitch.” – Martin Brody, to the shark.
Yet despite the widespread concern about the security of last year’s presidential election, not a single state had routine procedures in place to verify an accurate statewide vote count. Michigan, Pennsylvania, and Florida proved unable to document accuracy even when directly challenged, unable to get a recount even started.
Wisconsin did best. Every county at least double-checked things like the handling of absentee ballots, but only half of the vote totals were checked for accuracy. The other half were just run back through the same computers, so any electronic miscounts would have just been repeated. We know that some were miscounted twice.
State officials in Wisconsin recently scored a first, when in January they detected a few miscounting computers—after the winners from the previous November were already sworn into office. To their credit, they decertified the machines. They are still are not sure what caused the miscounts—they know ink color on the ballots contributed, and that from their size and randomness, the miscounts seem unlikely to be even a trial-run hack.
What to do?
Face it: State and local election officials will never have the authority, skill, or money to maintain strong IT security for our vote-counting software. It’s just not going to happen. Elections are too intermittent, the workforce too temporary, the property taxpayers too stingy to make good security possible.
Our only hope for protecting our election results from hackers–and from malfunctions, glitches, and human operator error–is to notice and correct any miscounts before results are certified.
If the polls opened and voter registrations were garbled, we would notice. Perhaps that’s why those responsible for the software are so vigilant–they know any laxity will get found out.
But we cannot sit by the television on Election Night and say “Hey! That’s not how we voted!” Voters have no way to tell honest election results from false ones. And maybe that’s why checking accuracy is such a low priority for our election officials. If they don’t detect the miscounts, they can keep saying–honestly–“We’ve never known an election to be hacked.”
Most states now have paper ballots, or at least paper audit trails, that could be used to check the accuracy of the computer output. National election authorities have developed, and national officials endorsed, efficient methods that don’t require a full hand count.
Every other public official takes responsibility for the accuracy of their work product. It’s long past time for voters to insist their election officials do the same.