June 21, 2017
One key bit from the Senate hearing on Russian Interference in U.S. Elections
Senator Richard Burr:
When you and your colleagues hacked election systems, did the administrators see your intrusion into their systems?
"The one instance when I was invited to hack a real voting system while people were watching was in Washington, DC, in 2010. In that instance, it took less than 48 hours for us to change all the votes and we were not caught."
— Computer Security Researcher, J. Alex Halderman
For the Video clip of the above: www.c-span.org/...
If a group of college hackers can get in and change votes, with no one noticing (even with prior warning given) — what’s to say that America’s enemies (who provide no warnings) cannot exploit those same weaknesses — and get away with it, undetected …?
No one apparently can say, except for Colorado and New Mexico, who currently have robust enough “audit routines” to actually detect such a cyber-intrusion … were one to occur, merely by chance of course — since “we all know” that Russia was “simply probing” our Voting Infrastructure in 2016, doing “reconnaissance” (aka ‘casing the joint’). They had “no intention” of actually changing any Votes … because?
… Because Vlad said as much to Donald at their first G20 meeting. Scout’s honor.
… Because we would have “seen them” change actual Votes, if they had.
Oh really?
This cyber-security expert however, dares to differ with those ‘see-nothing’ assessments. First hand experience, tells him exactly what’s possible for determined hackers … and what’s “detectable” too — once officials are actually informed and enabled to do the necessary Quality Control audits ...
J. Alex Halderman, opening Testimony:
I am a professor of computer science and have spent the last 10 years studying the electronic voting systems are nation relies on. My conclusion from that work is that our highly computerized election infrastructure is vulnerable to sabotage and even to cyber attacks that could change votes.
These realities risk making our election results more difficult for the American people to trust. I know America's voting machines are vulnerable because my colleagues and I have hacked to them repeatedly as part of a decade of research stating that technology that operates in elections. We have created attacks that can spread from machine like a computer virus, and silently change outcomes.
We have studied touch-screen and optical scan systems. In every single case, we found ways for attackers to sabotage machines and to steal votes. These capabilities are certainly within reach for America's enemies.
As you know, states use their own voting technology, and while some states are doing well, others are alarmingly vulnerable. This puts the entire nation at risk. In close elections, an attacker can probe the most important swing states or swing counties, find areas with the weakest protection, and strike there. In a close election year, changing a few votes in a few localities could tip national results.
The key lesson from 2016 is that these threats are real. We have heard that Russian efforts to target voter registration systems struck 21 States, and have seen reports detailing efforts to spread an attack from an election technology vendor to local offices. Attacking vendors and municipalities could put Russia in the position to sabotage equipment on election day, causing voting machines or electronic poll books to fail, and causing long lines or disruption. They could have engineered this chaos to have a partisan affected by striking places that lean heavily towards one candidate.
Some say the fact that voting machines aren't directly connected to the internet makes them secure. Unfortunately, this is not true. Voting machines are not as distant from the internet as they seem. Before every election, they have to be programmed with races and candidates. That programming is created on a desktop computer then transferred to voting machines. If Russia infiltrated these Election Management computers, it could spread an attack to vast numbers of machines.
I don't know how far Russia got or whether they managed to interfere with equipment on election day, but there is no doubt that Russia has the technical ability to commit widespread attacks against our voting system, as do other hostile nations. I agree with James Comey when he warned here two weeks ago, “We know they are coming after America, and they will be back.” We must start preparing now.
Fortunately there is a broad consensus among cyber security experts about measures that would make America's election infrastructure much harder to attack. I have cosigned a letter that I entered into the record from over 100 leading computer scientists, security experts, and election officials, that recommends three essential steps:
• First, we need to upgrade obsolete and vulnerable machines and replace them with optical scanners that count paper ballots. This is a technology that 36 states already use. Paper provides a physical record of the vote that simply can't be hacked. President Trump made this point well on Fox News the morning of the election. He said, “There is something really nice about the old paper ballot system. You don't worry about hacking.”
• Second, we need to use the paper to make sure the computer results are right. This is a common sense quality control. It should be routine. Using what’s known as a risk-limiting audit, officials can check a small random sample of the ballots, to quickly and affordably provide high assurance that the election outcome was correct. Only two states, Colorado and New Mexico, currently conduct audits that are robust enough, to reliably detect cyber attacks.
• Lastly, we need to harden our systems against sabotage and raise the bar for attacks of all sorts, by conducting comprehensive threat assessments and applying cyber security best practices to the design of voting equipment and to the management of elections.
These are affordable fixes. Replacing insecure paperless voting machines nationwide, would cost $130 million to $400 million dollars. Running risk-limiting audits nationally for Federal elections would cost less than $20 million a year. These amounts are vanishingly small compared to the national security improvement they buy.
State and local officials have been extremely difficult job, even without having to worry about cyber-attacks by hostile governments. But the federal government can make prudent investments to help them secure elections and uphold voter confidence. We all want election results we can trust.
If Congress works closely with the States, we can upgrade our election infrastructure, in time for 2018 and 2020. But if we fail to act, I think it’s only a matter of time, until a major election is disrupted or stolen in a cyber-attack.
Thank you for the opportunity to testify today, and for you leadership on this critical matter. I look forward to answering any questions.
That was a corrected and annotated version of the C-Span auto-generated (error-laden) transcript [with emphasis added].
For the Video clip of the above: www.c-span.org/…
For a more substantive written-version, with footnotes, of that Testimony: verifiedvoting.org
Question 1) Why aren’t all states, doing these “risk-limiting audits” to detect Cyber-Vote-Theft?
Question 2) Why aren’t all states, using paper ballots, which minimize the risk, and enable robust enough Auditing, to detect Vote-flipping?
These common-sense precautions may not have been needed in the “good old days” of “who would do such a thing” — violate the sanctity of our Votes?
But guess what, those “theft protection” precautions are sure the hell needed now, in this cyber-age where demographic Voter manipulation, and foreign hackers “casing the joint” for vulnerabilities — seem to have become a routine matter of course.
Also from VerifiedVoting.org here a helpful list for developing “robust audit trails”, and less hackable Voting systems. It would be nice if Congress could implement some of this, before another Putin-like character can put their big-fat thumbs, on our “scales” of Democracy:
Any new voting system should conform to the following principles:
1. It should use human-readable marks on paper as the official record of voter preferences and as the official medium to store votes.1
2. It should be usable by all voters; accessible to all voters, including those with disabilities; and available in all mandated languages.2
3. It should provide voters the means and opportunity to verify that the human-readable marks correctly represent their intended selections, before casting the ballot.3
4. It should preserve vote anonymity: it should not be possible to link any voter to his or her selections, when the system is used appropriately. It should be difficult or impossible to compromise or waive voter anonymity accidentally or deliberately.4 No voter should be able to prove how he or she voted.5
5. It should export contest results in a standard, open, machine-readable format.6
6. It should be easily and transparently auditable at the ballot level. It should:
export a cast vote record (CVR) for every ballot,
in a standard, open, machine-readable format,
in a way that the original paper ballot corresponding to any CVR can be quickly and unambiguously identified, and vice versa.7
7. It should use commercial off-the-shelf (COTS) hardware components and open-source software (OSS) in preference to proprietary hardware and proprietary software, especially when doing so will reduce costs, facilitate maintenance and customization, facilitate replacing failed or obsolete equipment, improve security or reliability, or facilitate adopting technological improvements quickly and affordably.8
8. It should be able to create CVRs from ballots designed for currently deployed systems9 and it should be readily configurable to create CVRs for new ballot designs.10
9. It should be sufficiently open11 to allow a competitive market for support, including configuration, maintenance, integration, and customization.
10. It should be usable by election officials: they should be able to configure, operate, and maintain the system, create ballots, tabulate votes, and audit the accuracy of the results without relying on external expertise or labor, even in small jurisdictions with limited staff.
Download Voting System Principles in PDF Format
Free and Open Elections matter.
Preventing hostile cyber-forces from altering those Elections SHOULD matter too.
Hey Republicans, those geeks, and hackers, and cyber-criminals, and international spies, may choose to “help” the “other side” the next time around … the next time they find “the opportunity” — that back-door left open (to the voting infrastructure), with nobody home.
Or maybe that “next time” they actually decide to ‘wreck the joint’ instead … you know, just for “fun”.
Something like that, could ruin your whole Quadrennial. And they’d probably “get away with it” too — a certain professor, who has just testified to the Senate, has. Gotten away with it.
What’s to stop them — the black-hat hackers? The underwhelming murmur of congressional-crickets?
With the foot-dragging going on at the DHS, it could be another decade, before our Voting Defenses catches up with the Cyber-times, in which we live. SAD. So very sad.
It can happen here. It already has.