Securing the 2020 Election Process (Part 1)

“Did the Russians hack the 2016 U.S. election?”

On the face, that is a seemingly simple question. But it turns out to be a very difficult question to answer. You can see this problem play out in two Passcode opinion pieces by Niloofar Razi Howe (“No, Russia didn’t hack the election”), followed by Anup Ghosh (“Russia did hack the US election”), where the two commenters make similar foundational observations and strong conclusory calls to action.

The difficulty stems from the use of two extremely vague terms: “hack” and “the election.” What does it mean to “hack?” What exactly is “the election?” More importantly, what needs to be done to mitigate the threat in future elections? (Spoiler alert: I will be presenting my own proposal for addressing a gap that I have observed in the other proposals cited in this article.)

Elections in the United States are complicated, and a Presidential election is the most complicated of all due to the intermediary role played by the Electoral College. The writers of the Constitution purposefully created a complicated system with numerous checks and balances, though they never envisioned the Internet, social media, or the kind of vulnerable information and communication technology (ICT) systems we use today. (The legal rules for Presidential elections are codified in U.S. Code Title 3 Chapter 1, which were updated most recently in 2012.)

To more accurately describe how the 2016 election outcome was likely influenced and what needs to be done to mitigate a repeat in 2018 or 2020, I believe it is necessary to start out by taking a closer look at the stakeholders involved in an election and then map the set of threats to these stakeholders before jumping to conclusions about what needs to be done. (The stakeholder analysis methodology here follows that described in the Menlo Report and its Companion report. It divides stakeholders into key, primary, and secondary, and further divides these groups into positively inclined, or beneficent actors, and negatively inclined, or malevolent actors.)

We can divide the stakeholders into four groups: Elections Officials, The Electorate, Political Parties and Candidates, and Self-interested Parties. Each of these stakeholder groups can have positively inclined and negatively inclined members, which is important to understand and address in securing the complete system. (I should note that while this article describes law and process in terms of the United States of America, the issues of election security in general apply to other countries. Ideally, the technology and processes that will be described herein could be adapted and applied to other countries as well.)

The Elections Officials

This group comprises the Secretaries of State of the fifty United States and the thousands of County Elections Boards and district-level elections officials who are responsible for the purchase and administration of voting tabulation equipment, voter registration rolls, voter sign-in or accounting (in the case of mail-in voting), and vote recording and tabulation during an active election.

The two separate but related systems of voter registration/voter sign-in and vote recording and tabulation both may have different ICT systems and different vulnerabilities. When many people hear the phrase “hack the election,” it is the vote recording and tabulation systems they have in mind. But one thing is clear in the U.S. elections system: The final vote total is what matters, so there is not much difference at the end of the election between changing votes from Candidate A to Candidate B or preventing voters from voting for Candidate A or B. This means that the focus on only one aspect of even this one category is not enough, let alone focusing just on the voting process itself and ignoring the Electorate and the Political Parties and Candidates stakeholders groups.

The Electorate

In Menlo Report terms, the voting public are the key stakeholders. They are ones who are represented in our form of representational democracy. They chose, based on educated analysis of the candidates and issues, or by emotion and gut instinct, blind partisanship, and sometimes as a form of protest (by not voting, or voting for a specific candidate who they think will get a result they want). They can be swayed by opinions of fellow voters and by clever (or devious) political advertisements. Or, on the flip side, their votes can be suppressed by a number of means: through gerrymandering districts; “poll taxes”; voter literacy tests; requirements for difficult to obtain forms of identification; or compromise of the integrity of voter registration roles or availability of voter sign-in systems!

The Political Parties and Candidates

The candidates for election, their staff, the party volunteers who canvas the streets ringing doorbells and talking with potential voters to turn them into votes for their candidate, and paid pollsters and spokespeople try to sell the candidates’ messages and get affirmative votes at election time. Their messages, both positive and negative, weigh into voters’ opinions. When any of them are shown to be morally flawed, hypocritical, or otherwise distasteful to the electorate, voters may turn away from a candidate and seek alternatives. As pointed out by Ghosh and Howe, the electronic communications of candidates in the 2016 election cycle were targeted specifically to help color voters’ views of candidates and party officials to turn voters away from Hillary Clinton.

I will separately call out a sub-group here, namely the “dirty-tricks” wings of political parties. The Nixon era “plumbers,” for example, colluded to actively subvert their opponents (that is, they acted “in secret or illegal cooperation or conspiracy, especially in order to cheat or deceive others”). These negatively inclined stakeholders may work in concert with negatively inclined Self-interested Parties to achieve mutual objectives.

Self-interested Parties

A final stakeholder group is made up of special interest groups, political action committees (PACs), extremely wealthy individuals (a.k.a., “the donor class”), intelligence services of nation states, criminal organizations such as narcotics gangs, and even terrorist organizations. In some cases, these groups have First Amendment rights to voice their opinions about candidates or issues (even though they may be concealed behind blind PAC structures opened up by the Citizens United Supreme Court of the United States decision). In other cases, direct or indirect funding or participation by foreign entities in U.S. elections is a criminal act (e.g., see 52 U.S. Code § 30121).

How do I corrupt thee[’s votes]? Let me count the ways.

Now that the various stakeholder groups have been identified we can look at how they are targeted.

In January 2016, the Directory of National Intelligence released an unclassified report Assessing Russian Activities and Intentions in Recent US Elections describing activities attributed by the U.S. Intelligence Community to entities directly or indirectly controlled by the Russian government. Outside the Intelligence Community, other groups have been looking at similar influence operations in other countries beyond the United States.

Richard Clarke and Robert Knake echo statements of James Comey and others that the Russians are still here and will continue to be active in future elections, concluding that steps must be taken now to prepare for this eventuality. They suggest the federal government has a role to play, in both standards (they point to work in this area by the National Institute of Standards and Technology, or NIST) and in providing funding to the States. “Here, the federal government has a carrot to offer, as Senator Angus King (I-Maine) has proposed: federal funding for some aspects of administering elections, which could be tied to states adhering to new nationwide election standards.”

Combined with the influence operation is the possibility of suppression of votes in key districts resulting from the disruption of voter sign-in systems. The New York Times reported on the intrusions into voter registration roles and disruption to voter sign-in systems:

Intelligence officials in January reassured Americans that there was no indication that Russian hackers had altered the vote count on Election Day, the bottom-line outcome. But the assurances stopped there.”

Susan Greenhalgh of the Verified Voting Foundation told the Times:

“What people focus on is, ‘Did someone mess with the vote totals?’ she said. ‘What they don’t realize is that messing with the e-poll books to keep people from voting is just as effective.’”

Greenhalgh and her group raise many process-related issues that have negative effects during an election. She has also been interviewed on the Rachel Maddow show and National Public Radio.

On the Rachel Maddow show (9/1/2017, @ 09:04 in video below), she describes a number of the problems resulting from compromise of the voter sign-in systems, which caused delays and disruption in many mostly-Democratic voting precincts.

These problems cropped up when voters attempted to sign in to vote. Many were told they were not registered, were at the wrong polling location, or had votes already recorded in early voting or by an absentee ballot. So many of these discrepancies showed up that all electronic poll book systems were taken off-line, preventing everyone from voting and causing long lines to start backing up. They were not prepared to fall-back to paper registration, only having a small number of paper sign-in forms available. They had to send election workers off to find a Kinkos where they could copy more forms.

Ms. Greenhalgh suggests the way to deal with this is to have very strong contingency plans prepared ahead of time, such as backup poll books that they can use if the electronic systems are not working properly.

Commenters have identified a number of ways that an adversary can affect a national election. These include (in no particular order):

  1. Manipulating public opinion using bots to seed fake news stories, flood social network timelines and event feeds, sway opinions through positive or negative comments, and drive partisan wedges into public discourse.
  2. Breaking into email accounts (often through targeted social engineering to steal login name and password) to obtain non-public communications for the purpose of disclosing them publicly for negative effect or using them for further targeted social engineering to dig more deeply into communications channels.
  3. Breaking into county or state election commission and/or their vendors’ systems to disrupt voter sign-in operations as a means of targeted suppression of votes.
  4. Breaking into local government elections records systems to steal voter records to narrowcast fake news and target users for tasks #1, #2, and #3.
  5. Breaking into electronic election systems owned and operated by local government elections offices for the purpose of manipulating voting tallies.

According to the multiple reports cited within this article, all of the above except the last were discovered during the 2016 election cycle in the United States. There has been no public evidence of direct manipulation of vote tallies, but is doesn’t really matter if the other less direct mechanisms achieve the desired effect of suppressing votes or changing pivotal voters’ minds in key districts that affect the limited Electoral College votes.

Direct manipulation of the voting tallies by compromising electronic voting machines is the attack vector that attracts the most attention in organized public discussions to date. For example, more than two dozen pieces of voting equipment were collected in a room called the “Voting Village” at the DEFCON 25 computer security convention. The vulnerabilities identified focused primarily on the voting machines themselves, with a general acknowledgement of physical security and other broader “infrastructure” security needs (e.g., security on the networks hosting the tabulation servers and “poll book” systems).

The results were sobering. By the end of the conference, every piece of equipment in the Voting Village was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity, and availability of these systems…The DEFCON Voting Village showed that technical minds with little or no previous knowledge about voting machines, without even being provided proper documentation or tools, can still learn how to hack the machines within tens of minutes or a few hours.
DEFCON 25 Voting Machine Hacking Village: Report on Cyber Vulnerabilities in U.S. Election Equipment, Databases, and Infrastructure,” September 2017

Another 141 page report entitled “The Secret Ballot at Risk: Recommendations for Securing Democracy” focuses exclusively on voting machines.

Alex Halderman of the University of Michigan recommends the following steps be taken:

  • Bring back paper. It provides a record that can’t be compromised, Halderman said. Replace obsolete and vulnerable voting machines — such as paperless systems — with optical scanners and paper ballots. Thirty-six states already use this technology.
  • Conduct routine statistical spot-checking of the paper trail. “By manually checking a relatively small random sample of the ballots, officials can quickly and affordably provide high assurance that the election outcome was correct. Optical scan ballots paired with risk-limiting audits provide a practical way to detect and correct vote-changing cyberattacks. They may seem low-tech, but they are a reliable, cost-effective defense.”
  • Assess threats and follow cybersecurity best practices when designing voting equipment and managing elections.

A report by the Brennan Center for Justice makes similar recommendations, with one addition:

  • Replace old, paperless machines that are still used in 14 states with new, auditable systems that have backup paper records of an individual’s vote.
  • Conduct audits of paper ballots to ensure machines are accurately recording votes.
  • Regularly assess vulnerabilities in and fortify cyber defenses of computerized voter registration systems.
  • Support efforts to upgrade or replace IT infrastructure, especially at the local level where systems often run on discontinued software like Windows XP and 2000 that is more vulnerable to cyberattacks.

Going beyond just the voting machines

The National Security Agency (NSA) and NIST describe three core objectives underlying Information Assurance, which are the integrity, availability and confidentiality of information and information systems. Using this as a model, and applying it to the stakeholders previously listed, at least these four clear categories can be identified for improvement in resilience and defensibility in future election cycles: The integrity of voter perceptions, the integrity of the election results, the availability of your ballot, and the confidentiality of party communications.

The integrity of voter perceptions

The manipulation of voters’ perceptions, emotions, and opinions through targeted ads, “fake news” stories (the real fake news, not just facts that one group does not like), bots manipulating the popularity of stories by up-ranking them in news feeds, the exploitation of compromised communications, were all used to try to affect how people vote. In some cases, these are done to get someone to vote for a desired candidate, against another candidate, or even for a third party candidate to split the vote.

The integrity of the election results

The way that someone votes on an electronic voting machine, preventing alteration of those votes after cast (but before uploading), preventing insertion of fake votes, or manipulation of the aggregate vote totals (while or after uploading), all fall under this category which is focused on the vote recording and tabulation devices.

The availability of your ballot

Some actions to suppress or manipulate who can vote are arguably lawful and enacted in policy by politicians under their constitutional authorities. This includes: gerrymandering voting districts to ensure partisan victories; limitations on early voting access to minimize the amount of time when votes can be cast (often on a working Tuesday, when corporations do not allow their employees to have time off to vote); requiring a form of identification that may be difficult to obtain by voters who predominately register to one party, such as state ID cards for non-drivers, while allowing the use of identification likely to be predominantly held by voters registered to another party, such as concealed weapons permits. It also includes manipulation of voter registration roles so that voters trying to sign up to vote are turned away, being told they already voted, are not registered at the precinct where they have always voted, or disruption of the the sign-in systems prevents the voters from being identified at all. The stakeholders who must be involved in solving the latter issues are the state and county election offices (typically state, local, territorial, or tribal government entities.)

The confidentiality of party communications

WikiLeaks was mentioned prominently in hundreds of Trump campaign rallies, owing to internal communications stolen from the DNC, the DCCC, and members of the Clinton campaign that were leaked to that group. This included an opposition research report on Donald Trump, donor lists, reports, memos, briefings, and emails from people as high up as Clinton campaign chairman John Podesta. Not only were national DNC and DCCC officials targeted, but also candidates in key Congressional districts in contested electoral college states like Florida.


The New York Times goes into some depth into the latter threat category, that of political party communications. When these stolen communications are selectively leaked and amplified by bots, they can be “weaponized” to affect voter perceptions.

Social engineering — forged emails with links to a site that steals passwords, or email attachments containing malicious software that enables remote control of computers or mobile devices by a hostile actor — is perhaps the easiest and most common first-order attack mechanism that leads to deeper penetration of an organization over time. Sometimes the victim detects these intrusion attempts, but often an outside entity (another victim, or law enforcement agents) makes the victim aware they have been compromised.

Yared Tamene, the tech-support contractor at the D.N.C. who fielded the call, was no expert in cyberattacks. His first moves were to check Google for “the Dukes” and conduct a cursory search of the D.N.C. computer system logs to look for hints of such a cyberintrusion. By his own account, he did not look too hard even after Special Agent Hawkins called back repeatedly over the next several weeks — in part because he wasn’t certain the caller was a real F.B.I. agent and not an impostor.
“I had no way of differentiating the call I just received from a prank call,” Mr. Tamene wrote in an internal memo, obtained by The New York Times, that detailed his contact with the F.B.I.

The D.N.C.’s fumbling encounter with the F.B.I. meant the best chance to halt the Russian intrusion was lost. The failure to grasp the scope of the attacks undercut efforts to minimize their impact.

The New York Time article includes a screen shot of the March 19, 2016 email from Charles Delevan to Sarah Latham and Shane Hable that urgently advises that John Podesta’s email password be changed and “ensure that second two-factor authentication is turned on his account [sic].”

This isn’t just a problem for Democrats, however. Anyone can be the target of social engineering and vulnerability isn’t distributed based on party affiliation.

“Democrats and Republicans must work together, and across the jurisdictional lines of the Congress, to examine these recent incidents thoroughly and devise comprehensive solutions to deter and defend against further cyberattacks,” said Senators John McCain, Lindsey Graham, Chuck Schumer and Jack Reed.
“This cannot become a partisan issue,” they said. “The stakes are too high for our country.”
“Russia’s success in sowing discord perhaps makes it harder for the US to focus on and fight the cyber intrusion that officials say stole Democratic Party emails and planted false news stories about the election. The purpose of this operation was to amplify division and turmoil in US politics. Well, mission accomplished.”
Peter Grier and Jack Detsch

Twitter, Facebook, Google, and other groups, are all looking at ways to minimize this exploitation of voter perceptions (or at least ways to limit their legal liability while executing business strategies to maximize shareholder value on profit-driven content distribution platforms capable of exploiting users’ perceptions). There is little that the general public can do when it comes to being manipulated by content on social media, beyond being responsible consumers of news and open minded enough to seek corroborating or refuting evidence and changing their opinions based on evaluation of facts and truth. (This problem of potential voters being swayed by emotional appeals artificially promoted through social media is a larger social problem that is just beginning to be fully exposed and understood.)

The Secret Ballot at Risk report is exclusively focused on the balloting itself. Halderman’s recommendations are almost exclusively focused at electronic voting machines. The Brennan Center’s report includes a general description of the larger system, including registration systems and IT infrastructure.

Ben Buchanan and Michael Sulmeyer expand a bit on what Halderman and the Brennan Center cover, looking more deeply at threats to the larger election system.

First, the federal government should designate election systems as critical infrastructure, catalyzing additional federal and state attention to improving cybersecurity. Second, backed by federal funding, states should purchase and deploy voting machines that generate a voter-verifiable paper audit trail. Third, states should expand their use of pre-election security audits to identify and remediate vulnerabilities. Fourth, states should establish or improve their post-election audit procedures, applying statistically rigorous methods to increase confidence in the reported results. Lastly, the United States should outline a clear policy on the seriousness of electoral interference as a means of deterring foreign adversaries.

In their paper, Buchanan and Sulmeyer list a series of threats that is very close to the list I included at the start of this blog.

  • Making public damaging confidential information obtained via network intrusions.
  • Influencing voters by manipulating not just the confidentiality but also the integrity of information.
  • Manipulate a voting machine so that a vote for one candidate counts for someone else.
  • Target the availability of key parts of the voting infrastructure.
  • Target the verification systems used to ensure that individuals are eligible to vote, frustrating voters and forcing the use of provisional ballots.
  • Modify voting data to impact the tabulation mechanisms during an election.
  • Disrupt the distribution of timely and credible election results to undercut trust in the media or to sow false impressions about results to sway votes in districts were polls are still open.

While these authors do list two threats directed at the votes themselves (manipulation of votes cast and of tabulating results), the remainder of the threats are against the larger election system, including the communications of political parties themselves and/or the media for the manipulation of voters’ perceptions, emotions, and opinions.

“The paper’s goal is neither to catalogue every possible danger, nor to provide a technical roadmap of solutions. Instead, this paper seeks to frame this issue and elevate it as a topic of importance. The risk simply isn’t going away.”

The report produced by Buchanan and Sulmeyer goes into some depth in explaining how Russian espionage operations are carried out, including pointing out the time necessary to perform penetration and exploration of compromised networks in order to gather the necessary intelligence for use at a later time. Their recommendations include investing efforts in the areas of defense, detection, and deterrence, but as they admit themselves their recommendations are more aspirational than grounded in technology that could be implemented for use. In other words, they help guide the way towards what to do, but not how to do it.

“The standard of baseline defenses must improve, both in government networks and in privately operated critical infrastructure. Network defenders should prioritize deploying audited code — software that has been checked for vulnerabilities — and applying security updates in order to minimize the opportunities for intrusion as much as possible. Ideally, such efforts will minimize the percentage of successful intrusion attempts, enabling defenders to focus their time on more sophisticated threats, such as those potentially posed by Russia. This will likely involve replacing older so-called legacy systems that were not built with security in mind.“
Buchanan and Sulmeyer

Congressional Representatives are taking this issue seriously. In July 2017, House Democratic Leader Nancy Pelosi, Committee on Homeland Security Ranking Member Bennie G. Thompson (D-MS), and Committee on House Administration Ranking Member Robert Brady (D-PA) formed a Task Force between their respective Committees to seek input from experts in cybersecurity and election infrastructure to “identify policy recommendations […] that can help ensure the integrity of our election systems and guard against future attacks.”

Impediments to hardening our election system

Creating a more resilient and well-hardened system is not going to be easy, and some of the road-blocks are as much political or financial as they are technical. Since free and fair elections are the foundation of our 240+ year experiment in small “d” democracy and “critical infrastructure,” we had best be prepared to pay the price in whatever form it takes.

While computer security researchers have found vulnerabilities in electronic voting systems every time they look at them, disclosing these vulnerabilities and saying “these need to be replaced” does not go far enough. Making the vulnerabilities public two to three months prior to an election is not enough time to mitigate the risks, and may actually decrease public trust in the integrity of the ballot if not handled carefully. Katherine Carpenter and I examined the larger issue of replacing these systems in a paper presented at the 1st Digital Ethics Symposium, showing that the process is neither as simple nor as quick as many portray it to be. It will involve funding battles, layers of government certification and purchasing processes, and implementation (including training those who will use the new systems). We believe that two to three years is a more realistic timeframe. In other words, it is already too late to accomplish this on a nation-wide basis by the the time the 2018 (or possibly even the 2020) election takes place.

An article in Wired magazine lists many of the issues that must be addressed, some of which are more political or social than they are technical.

Elections for Representatives in the House are held at the Congressional district level within each state, with Senators being elected state-wide. These elections are physically held at the local district level, which is broken down by county, borough or parish, by city, or even by school district. Presidential elections occur within this “all votes are local” model, with the responsibility for the voting tallies taking place at the lower level of government and the Electoral College being the indirect mechanism for translating these local votes to the national level.

“Our election process is governed and administered by state and local election officials in thousands of jurisdictions across the country. These officials manage election infrastructure and ensure its security on a day-to-day basis. State and local election officials across the country have a long-standing history of working both individually and collectively to reduce risks and ensure the integrity of their elections. In partnering with these officials through both new and existing, ongoing engagements, DHS is working to enhance efforts to secure their election systems.”
Dr. Samuel Liles

As a result of this local vs. federal relationship, tensions can be high when it comes to questions of voting integrity.

I experienced this first hand during the 2004 election cycle, when I was asked by someone concerned about election integrity to look at documents obtained through a public records request and code for the voting machines used in the district. While presenting our recommendations to the elections officials, it became clear from their responses that they were positioning us as though we were the threat and firmly denying any problems with votes in the past. I was later told that county elections officials were very afraid of having the federal government hear about any potential problems with voting, as the FBI would then descend on the county officials and all political hell would break loose.

A Georgia-based computer security researcher Logan Lamb similarly found major vulnerabilities in an election system used in the State of Georgia, reported the problem to elections officials who said they would fix them. As Ars Technica reports:

Lamb disclosed the vulnerability to CES Director Merle King immediately, and King told him that the misconfigured Web server would be fixed. Nearly a year later, the security gap was still there, so Lamb went public with his findings, which had never been reported to Georgia’s secretary of state. The researcher was rewarded with a visit from the FBI, a meeting he recounted at DEFCON.

These are just two examples of the “contentious relationship over voter protection dating to the post-Civil War era, if not earlier,” raised by Clarke and Knake. “Doubtless there will be others who oppose election-security reforms out of legitimate concerns about federal interference in state responsibilities,” they point out.

As to funding, Clarke and Knake point out that the designation by DHS of the election system as a critical infrastructure can unlock some funding. But other parts of the larger election process (like operations of political parties and candidates) would likely not be included. For example, the New York Times reported:

The D.N.C. was a nonprofit group, dependent on donations, with a fraction of the security budget that a corporation its size would have.
“There was never enough money to do everything we needed to do,” Mr. Brown said.
The D.N.C. had a standard email spam-filtering service, intended to block phishing attacks and malware created to resemble legitimate email. But when Russian hackers started in on the D.N.C., the committee did not have the most advanced systems in place to track suspicious traffic, internal D.N.C. memos show.

The systemic improvements suggested by everyone cited herein (and my own proposal) will be costly. But how costly, compared with other expenditures? Using the Taxpayers for Common Sense Database of Unclassified Federal Cyber Spending, a comparison of the three agencies responsible for securing the United States (Department of Defense, Department of Homeland Security, and Department of Justice) shows a 10:1 spending ratio to DoD vs. to DHS or DoJ.

Taxpayers for Common Sense Database of Unclassified Federal Cyber Spending (amounts in thousands of US dollars)

Of course those are gross amounts that include all kinds of IT costs, but keep in mind that DoD does not have authorities under Title 10 of the U.S. Code to be securing or defending local elections or political party operations. Those responsibilities would likely fall mainly to DHS under its National Protection and Programs Directorate and/or to DoJ and the FBI to investigate criminal acts under its Title 18 U.S.C. authorities.

“[G]iven that election security has now become a pressing national security issue, [the Brennan Center’s Lawrence Norden] argues that the costs of these upgrades (one-time costs in the tens of millions of dollars, and yearly maintenance in the millions or less) are minuscule compared to other types of national security spending.”
Securing Elections Remains Surprisingly Controversial

To be continued…

We’ve examined the election stakeholders, election process vulnerabilities and threats that could leverage those vulnerabilities to affect the outcome of a federal election, and some impediments to change. In the second part of this two-part article, we will look at the proposals for ensuring these vulnerabilities and threats don’t impact future elections.


Thanks to Cere Davis, Rik Farrow, Jim Poland and others for their comments and suggestions.