Election Engineering: How US Experts Are Making Sure Your Vote Will Count
In February, the 2020 RSA security conference quickly settled on a cohesive narrative: America had, more or less, figured out how to do secure elections. Fears of hacked voting machines were fading away and new challenges -protecting electronic voting rolls and mass disinformation campaigns from foreign powers-were emerging.
Voting machines are now “more of a reluctant ally” than a villain, Tod Beardsley, Rapid7’s Director of Research, said at RSA. Instead, Beardsley voiced concern about ransomware locking up critical voter data and creating chaos on Election Day.
Indeed, the coming election will almost certainly face a host of threats, from foreign-sponsored disinformation campaigns to the logistics of counting the inevitable surge in COVID-driven mail-in ballots. How can Americans be sure their votes are secure and accurately counted? The nation’s top security experts have been working on that.
New Doesn’t Mean Secure
The embarrassing confusion of the 2000 US Presidential election led to some reforms in 2002 with the Help America Vote Act, which pushed states to adopt more modern methods of voting and did away with hanging chads and other grim reminders of the past.
Newer voting equipment, however, doesn’t always mean more secure equipment. When security researcher Carsten Schuermann examined WinVote voting machines, which were used in the commonwealth of Virginia from 2004 to 2014, he found a security disaster. They ran on an unpatched version of Windows XP; their wireless password was “abcde”; and, curiously, they contained audio-ripping software and a Chinese MP3.
Even so, security problems with US elections remained largely theoretical until 2016, when we experienced a massive influence campaign that would eventually be traced back to Russia. Hackers purloined emails from the Democratic National Committee and leaked them slowly for weeks via WikiLeaks, adding fuel to an already contentious election. Other Russian elements engaged in a massive campaign primarily through social media that fed bogus information to voters and widened societal rifts.
Less well-known was an effort by Russia to attack election infrastructure. The Senate’s Select Committee on Intelligence determined that, “The Russian government directed extensive activity, beginning in at least 2014 and carrying into at least 2017, against US election infrastructure at the state and local level.”
The Senate report defines the attacked infrastructure as more than just voting machines: “storage facilities, polling places, and centralized vote tabulation locations used to support the election process, and information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf of state and local governments.”
Attacks are suspected to have happened against all 50 states, although the consensus is that no votes were changed.
The Senate report speculated that Russia may have been probing for vulnerabilities to exploit later-but also may have aimed to undermine confidence in the election results. Whether an effort at fraud was defeated or it was simply meant as a shot across the bow, our democracy was cut open and laid bare.
In 2018, Congress appropriated $380 million in grant money for the states to bolster cybersecurity and replace voting machines that were believed vulnerable to manipulation. But armed with a Congressional mandate and solid solutions to secure elections, getting those changes implemented would have been a daunting task-even without a global pandemic.
Can Paper Ballots Save the Election?
The solution to secure elections has two parts, according to Matt Blaze, the McDevitt Chair in Computer Science and Law at Georgetown University.
The first half is software independence, which means an undetected change or error in the software of a voting machine shouldn’t cause an undetectable change or outcome in the final vote cast. In practice, this means paper ballots or some kind of auditable trail.
How widespread paper ballots will be in 2020 is complicated by the fact that individual jurisdictions within the same state can have different voting systems. According to Verified Voting, 65.5 percent of registered voters will hand-mark a paper ballot, and only 14 percent of voters will use a voting machine that’s entirely electronic, although some may produce paper trails. And 20.5 percent of voters will use a digital machine to mark a paper ballot.
At this year’s virtual Black Hat security conference, Blaze pointed to Florida’s hand recount and hanging chads in the 2000 Presidential election. At the time, it was embarrassing, but Blaze said those notorious ballots could at least be examined by humans who could better discern something about the voter’s intent than an optical machine.
It might be easy to dismiss any computerized presence in voting as too dangerous, but doing so isn’t helpful. For instance, electronic voting machines can make it much easier for disabled and elderly voters to cast their ballots. While there are many issues with digital election security, the benefits cannot be ignored.
The Easiest Way to Detect Irregularities
The second critical improvement to elections that Blaze described at Black Hat is the risk-limiting audit, originally developed by Philip Stark. This builds from the idea of software independence and paper ballots. Once you have that paper trail, you need an effective means of confirming the outcome of an election.
Stark’s risk-limiting audit allows for the outcome of the election to be verified without the labor-intensive process of counting every single ballot. Instead, a subset of the votes are sampled using a statistical method and then compared to the final outcome. “If they’re the same, and if you do this enough, you can have very high confidence-that can be mathematically quantified-that your reported election results are the same results as you get hand-counting all the ballots,” said Blaze.
Because risk-limiting audits don’t require the Herculean effort of a total recount, they can be used to detect irregularities in the final count. Every voting jurisdiction could run a risk-limiting audit as standard procedure to double-check the vote count. If the audit matches the outcome, people can be assured that the results are sound. If the audit doesn’t match, a recount on the comparably small portion of the ballots can be initiated. Securing voting machines is important, but using risk-limiting audits is a critical (if less exciting) endeavor.
“We are supportive of any kind of post-election audit,” said Geoff Hale, Director of the Election Security Initiative at the Cybersecurity and Infrastructure Security Agency (CISA).
The agency, perhaps best known for its US-CERT alerts, is organized under the Department of Homeland Security and is charged with understanding and managing cyber and physical risk to critical infrastructure. It released an open-source, risk-limiting audit tool and is seeking to make audits more efficient over the next decade.
“The first step is to get the stakeholders bought in on the idea of audits,” Hale said. “Any of them are better than none, and we’ll look to continue to improve on that.”
The Cyber Risks in US Voting Infrastructure
In the world of election cybersecurity, voting machines have sucked up a lot of the oxygen for several years. But the voting machine is just a small part of any election. To Hale and CISA, the riskiest elements of a US election are the bits that connect to the internet. This includes voter-registration databases, websites with important information on how and where to vote, as well as election-night reporting systems. CISA has been pushing for investment in intrusion detection but also for offline backups, Hale said.
J.J. Thompson, senior director of managed threat response at cybersecurity company Sophos, emphasized the wide range of potential targets for attack. “The opportunity to strike with ransomware touches everything,” he said, highlighting malicious software that encrypts victims’ data and holds it hostage for ransom. “The registration systems; the networks of contractors involved; the people building the voting systems, shipping them, and managing the e-poll books locally; associated cloud infrastructures; vendor infrastructures; associated mobile devices; each candidate’s campaign; and countless other independently managed systems.”
Ransomware can tie up systems and has an obvious profit motive that could hide even more sinister intentions. In 2017, the NotPetya ransomware seized control of computers across the globe, demanding cash in return for freeing the machines. This was eventually linked to the Russian military, with the apparent target being Ukrainian industrial and government systems.
“NotPetya in 2017 was made to look like a standard ransomware attack, when in fact its objective was an attempt to disrupt the political environment in Ukraine,” said Thompson. “These attacks have significant nuance and layers, but we cannot forget our priority-mitigating any and all potential threats.”
Attacks on these systems wouldn’t necessarily have to change votes directly to swing an election. A denial of service (DoS) attack against reporting systems could delay results. Attacks against poll-book systems could create massive delays, perhaps convincing people it would be better just to head home. Defacing official websites and sending bogus tweets can trick some voters into thinking the day or place of the election has changed or that they can vote by text (they can’t). These attacks could cause chaos, and if strategically targeted districts see enough depressed turnout, that could have an outsize effect on America’s increasingly close elections.
Sam Curry, CSO of cybersecurity company Cybereason, spends a lot of time thinking strategically. He and his team have carried out several election tabletop wargames: One team takes on the role of aggressors and attacks a hypothetical local election with the goal of casting doubt on its outcome. The other team plays as defenders who must think fast to outwit the attack. These games cover enormous ground-attackers wage online influence campaigns but also take action against the less obvious supporting infrastructure of elections. Causing a traffic jam, for example, can depress turnout just as effectively as a direct attack on election systems.
Curry has overseen attack after attack on US democracy-safely simulated, of course. He’s observed numerous strategies and has advice on how best to protect an election. The people playing the role of defenders, usually given the role of law enforcement, “must create open lines of communication between government departments and also media sources and social media companies,” said Curry. Knowing who to call and when to call them and having a reliable back-up system in case one fails (or is intentionally sabotaged) are all critical.
Voting by Snail Mail
Before COVID-19 hit, the use of paper ballots was already becoming more widespread as part of the effort to secure American elections. The coronavirus outbreak means even more voters will probably use paper ballots-roughly 80 million, according to the New York Times -but they’ll be delivered through the mail.
Every state allows for mail-in ballots for absentee voting, but how that works varies. Five states rely primarily on voting by mail (Colorado, Hawaii, Oregon, Utah, and Washington). Some states allow voters to request an absentee ballot for any reason. Others require voters explain why they need an absentee ballot, such as illness or travel outside the country.
A mail-in ballot has most of the security advantages of a paper ballot cast in person. It can be counted by machine but verified by hand. There are also unique security features to mail ballots-for one, some mail ballots may use ultraviolet inks, making them harder to counterfeit.
But the sheer volume of mail-in ballots cast this year will present new challenges. Mail ballots require greater investment to ensure they are handled correctly on every step of their journey. The logistics of paper and envelopes could also pose a major hurdle, as states scale up their mail-in voting operations to meet demand. It’s also an open question as to whether the US Postal Service can guarantee that ballots will be delivered and received in time to be counted. The issue recently became a political hot potato, but even when ballots are sent and received on time, there are challenges to getting them counted.
Some regions may not have enough ballots, enough machines to count those ballots (a critical point, as the machines for counting absentee ballots are generally not the same as those that count in-person ballots), or even enough envelopes for mailing in the ballots. “It’s likely that most jurisdictions will not have the funding to do this,” according to Blaze.
Thankfully, the work to secure elections from 2016 to today hasn’t been wasted. “When we assess risk [for] the sector, we think it’s quite similar between in-person voting and mail-in voting,” said Hale. “All that effort before COVID is still reaping rewards.”
While no one can know for certain what Election Day 2020 will look like, an increase in mail-in voting will almost certainly mean that Americans will wake up on Nov. 4 and not know who won the election-not because of chicanery but simply because voting by mail is an entirely different process from voting in person. When a mail-in ballot is received from a voter, it’s generally in two envelopes. The outer envelope contains information about the voter as well as a signature. That signature is usually compared to one on file, and if it’s a match, the outer envelope is discarded and the ballot is sent to be batch-scanned by machines. If the signature on the outer envelope is not a match, it’s set aside for “curing.” That means reaching out to the voter and verifying that the ballot is legitimate.
On top of all that, some states require that votes received by mail may not be allowed to count mail-in ballots before Election Day, preventing them from getting a head start. Combine that with the need to cure ballots and the fact that many states will likely be counting more mail-in votes than ever before, and complete election-night results may not be available. A representative from a technology company with knowledge of election infrastructure told us that counting votes would probably take longer than normal. But they stressed that this is not something people should be alarmed about; it should be taken as a sign that the system is working as intended to produce results voters can trust.
Hale isn’t convinced that Americans will see massive delays in results, though. “Five states already vote primarily by mail, and we get election-night reporting from those states already.”
The Threat of Disinformation
In 2020, disinformation is the biggest wildcard. Vulnerable machines can be patched, systems backed up, and new technology deployed to better detect a cyberattack. None of that works to protect the minds of the US electorate. The task of battling false narratives across numerous platforms and potentially from several foreign actors (not just Russia) expands the election battlefield by an order of magnitude.
Some quick vocab: misinformation is information that is incorrect but by accident. It’s a mistake. Disinformation is information that is incorrect, but is constructed in spread with the intent to deceive. It’s de ception.
Unfortunately, many social media platforms work well as disinformation machines. Cybereason’s Sam Curry said, “The ad-purchasing platforms built into Facebook and other platforms are tailor-made for quickly pushing disinformation and misinformation to receptive audiences. It’s also extremely affordable.” In 2019, researchers at ZeroFOX, which specializes in social media and digital protection, used some back-of-the-napkin math and estimated that it would cost only around $77 to target enough votes to swing a tightly contested state-assuming voters all followed the disinformation.
Social networks have made some changes. Twitter has outright banned political advertising, while Facebook won’t accept new ads in the last week of the campaign. Both have also taken steps to curb disinformation. But tracking users and targeting them with specific messaging is precisely what social networks do. It is fundamental to the business model for Facebook, Google, Twitter, and others. It is the system working as designed.
How to vote is often a target of disinformation at election time, although typically it comes from domestic actors looking to swing the vote through dubious means. And this year, many voters will use a different system than they have before, creating confusion that attackers can exploit.
CISA’s approach, Hale explained, was built around putting out as much factual information as possible, as a kind of inoculation against disinformation: “If the first thing they encounter is disinformation, it’s that much harder to dissuade them.”
Despite those efforts, Curry views the US as still vulnerable to disinformation campaigns. “This notion of fake news has not been put to rest,” he said. In his election simulations, disinformation is a primary tool for those playing the aggressors, and countering it effectively is critical for the defenders.
Americans may now be more familiar with the idea of disinformation, but the average American may not know what to look for. Recall that the only difference between disinformation and misinformation is the intent behind it, and intent can’t be discerned just by looking at information.
Renée DiResta of the Stanford Internet Observatory explained the full scope of Russia’s disinformation operation in her Black Hat 2020 talk: Much of it revolved around packaging content to be consumable and even burying it among humorous memes and other content to make the groups sharing it seem more trustworthy. American voters might be able to judge the veracity of a candidate’s claims in a campaign ad, but a humorous meme could slip by.
Disinformation can also involve cyberattacks. DiResta pointed to the DNC emails leaked in 2016 and other incidents. Recall there was evidence that Russian hackers attacked election infrastructure in all 50 states. Yet since it appears that no votes were changed, and the voter information that was obtained in the attacks was sometimes already publicly available, DiResta suggested that the attack itself may have been the goal.
“Even if not a single vote is changed, releasing the information that you hacked the voting machines will cause havoc,” said DiResta.
Are We Ready?
When asked whether US elections are more secure now than in 2016, Curry pointed out that four years is a long time. “The hope isn’t to be more secure than 2016; that’s like preparing for the last war,” said Curry. “The goal is to have an election whose authenticity isn’t in doubt and where no one who wants to vote is denied the ability to do so.”
This echoed Curry’s stance before the pandemic. In late February, Curry said that the solution to election security and disinformation campaigns is simple: more voters and fewer hurdles to voting. Considering the precariousness of some swing districts, the close calls in recent elections, and a disconnect between the popular vote and the Electoral College, more voters would make it harder for small nudges from foreign powers to result in huge consequences.
Thompson is more circumspect: “From an infrastructure point of view, we’re in relatively the same position. But it’s tough to make sweeping statements because of the way elections are administered differently across each state and local district.”
Hale is another optimist, though. “I would say that this would be the most secure election in modern history,” Hale said. “At this time in 2016, [advanced hackers] were acting against our election infrastructure, against political campaigns, and conducting influence operations on social media, but the federal government was not having the conversations with those stakeholders that they are now.
“We don’t fully know the threats we’ll face in November,” said Hale. “But we’re more ready to face them in 2020 than we were in 2016.”
Originally published at https://www.pcmag.com.