The Vulnerability Of U.S. Voting Systems
Recently, Homeland Security Secretary Jeh Johnson said the government was considering classifying voting systems as part of the nation’s “critical infrastructure,” a designation currently held by systems such as the electric grid and banking networks.
The announcement comes on the heels of reports of a vast infiltration of Democratic Party servers.
“Everything we know about voting machines — electronic ones, computerized ones, is they’re not very secure,” says tech security expert Bruce Schneier. “They are not tested, they are not designed rigorously and in many cases there’s no way to detect or recover from fraud. So there really is a disaster waiting to happen.”
Aviel Rubin, a professor of computer science at the Johns Hopkins University, agrees.
“Unfortunately, I think the thing that’s improved the most in the last 10 years is the sophistication of the hackers and the number of incidents that we see that are occurring daily. If you look at the news you see that ransomware is becoming pretty common,” Rubin says. “The big change that I’ve seen has been just how sophisticated the hackers are today. And they’re sponsored by countries like Russia and China, which is a much more formidable adversary than we had in the past.”
Schneier says the validity of upcoming elections could be threatened.
“My biggest fear is that we wake up on Wednesday and there is some evidence the vote was hacked,” Schneier says. “We don’t know for sure, we don’t know how, and it’s in a state, a precinct that decides something important. And we don’t know what to do now.”
Each state in the US has different standards for how it handles voting, and what security measures are used. Rubin says uniform rules are needed.
“If we do establish standards, we have to be careful that the standards are the right standards,” Rubin says. “I think we need to take some care and bring in the experts in the security community to establish the security standards. There is something to be said for the diverse set of voting equipment in different places because it would take a different type of attack to attack each different type of voting system. But that said, it might be better to have a good standard everywhere than to have this hodgepodge of non-standard systems out there like we do today.”
Schneier says there are already good voting systems in place in some states that could be used as examples.
“In Minnesota it’s all hand-filled-in,” Schneier says. “We call them optical scan readers — I get a paper ballot, I fill in ovals, I can check it, I know it’s correct. I feed it into a machine, the machine checks to make sure I didn’t vote incorrectly — I didn’t actually vote for two people for the same office — and then that count is done by a computer, and that paper drops into a box that’s safe for recount, and that voter verifiable paper trail is what gives us our security and integrity. … It’s a really nice system. Technology exists today and it’s a lot more secure than these all-computer systems. … Things like paper — that can be reviewed if there’s a problem. It’s one of the tools we know that works.”
With the US presidential election looming, it’s too late to change much this time, but Rubin says there’s still more that can be done.
“Many of the precincts already have their equipment pretty much locked in. They’ve used them for the primaries and they’re not going to be able to change them. But we can increase the amount of auditing that we do and the amount of surveillance and care that we take,” Rubin says. “A professor from Berkeley has come up with a technique for reducing the risk of undetectable fraud by performing manual recounts in random spots against machines to make sure that statistically we know that the machines are counting the votes correctly.”
Bruce Schneier is author of Data and Goliath (Norton, 2015) and Chief Technology Officer at Resilient Systems, Inc. in Cambridge, Massachusetts.
Aviel Rubin is a professor of Computer Science at the Johns Hopkins University. He’s also Technical Director of the JHU Information Security Institute in Baltimore, Maryland.
IRA FLATOW: This week the Department of Homeland Security said that it was considering classifying voting systems as part of the nation’s critical infrastructure. A designation currently held by things like the electric grid and banking networks. That announcement comes in an unusual election season, to say the least, in which the Democratic National Committee has had its servers targeted by hackers suspected by some to have connections to Russia.
So if servers are vulnerable, what about electronic voting machines? How secure and reliable are our voting booths and our voting tallies? Bruce Schneier is a technology security expert. Author of Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. He’s chief technology officer at Resilient, that’s an IBM company. He recently blogged about his concerns over our voting systems. He joins me via Skype. Welcome back to the program, Bruce.
BRUCE SCHNEIER: Thanks again.
IRA FLATOW: Avi Rubin is a professor of computer science and technical director of the JHU Information Security Institute, that’s at Johns Hopkins University in Baltimore. He’s been following this for a while, and 10 years ago he wrote the book Brave New Ballot on voting systems.
He joins me from the studios of WYPR in Baltimore. Welcome back to Science Friday.
AVI RUBIN: Hi it’s great to be back, thank you.
IRA FLATOW: Are you both fearful about the security of our voting system? Let me begin with you Bruce.
BRUCE SCHNEIER: I am. Everything we know about voting machines, electronic ones, computerized ones is they’re not very secure. They’re not tested. They’re not designed rigorously. And in many cases there’s no way to detect or recover from fraud. So there really is a disaster waiting to happen. We don’t know when it will or if it will, but it’s not pretty.
IRA FLATOW: What’s your biggest fear?
BRUCE SCHNEIER: My biggest fear is that we wake up on Wednesday, and there is some evidence the vote was hacked. We don’t know for sure, we don’t know how. And it’s in the state and a precinct that decides something important. And we don’t know what to do now.
IRA FLATOW: Avi when we last spoke together it was 10 years ago about this topic. I can’t believe it’s been so long. Has anything gotten better?
AVI RUBIN: Well yes. Unfortunately I think the thing that’s improved the most in the last 10 years has been the sophistication of the hackers. And the number of incidents that we see that are occurring daily.
If you look at the news you see that ransomware is becoming pretty common. That’s where attackers lock up a system. So you could imagine, for example, if hackers were to launch a ransomware attack against a voter registration database, for example, right before the election. We may not be able to have a way to check who’s eligible to vote.
So I think that the voting systems in many states have improved. For example, in my home state of Maryland we’ve gone from unauditable electronic systems to paper ballots. And a lot of other states have gone in that direction, but not all states.
But I think that the big change that I’ve seen has been just how sophisticated the hackers are today. And they’re sponsored by countries like Russia and China, which is a much more formidable adversary than we had in the past.
IRA FLATOW: I’m Ira Flatow. This is Science Friday from PRI, Public Radio International. I want to go back to something that you said that was interesting. You’re not worried about the actual voting booth itself, but about the voting rolls. Explain that a bit.
AVI RUBIN: Sure. Well voting is an entire process. And so I wouldn’t say that I’m not worried about the voting machines, because in many cases I am, but the often neglected concern are the voter rolls, the registration databases, which include the lists of everyone who’s eligible to vote.
And if there were a hack, and there already is a documented case of a hack against a voter registration system, that could disenfranchise large numbers of voters. Or it could even just bring into doubt whether the election was run fairly. And so we can’t just concentrate on one aspect of the entire election process, but we need to look at the voter registration process and the way the databases are maintained and the security of that just as much as we need to look at the place where the votes are actually cast and counted.
IRA FLATOW: Bruce Schneier, your reaction?
BRUCE SCHNEIER: I think Avi is certainly correct. Voting is a whole system. And we’ve already seen attacks against the DNCC and the Clinton campaign which involved stealing data and publishing it. That can certainly happen again.
Attacks against voter registration systems, intimidations of voters. We’ve seen in the past websites go down the night before an election. We don’t know if that’s an accidental reaction. Imagine targeting the Get Out and Vote campaigns, these are all computerized now. There’s a lot of things that can be done, and we don’t know what’s fair and what’s not.
If there’s a major attack against one candidate’s get out the vote system, are they allowed to cry foul the next morning? I don’t know. We don’t know. There’s no precedent. So yes, these are all risks. There’s a lot of unknowns.
IRA FLATOW: Our number, 844-724-8255 if you’d like to call in. You can also tweet us @scifri, S-C-I-F-R-I. So the election is just a few months away, can we do anything now to help protect this vote? I’ll ask Avi and then Bruce.
AVI RUBIN: Yeah. So I think that there’s plenty that can be done now. I mean, many of the precincts already have their equipment pretty much locked in. They’ve used them for the primaries and they’re not going to be able to change them. But we can increase the amount of auditing that we do. And the amount of surveillance and care that we take.
So for example, most of the country is using paper ballots or paper verified audit trails, voter verified paper audit trails. And in places that do that they can institute random spot checks. A professor from Berkeley has come up with a technique for reducing the risk of undetectable fraud by performing manual recounts in random spots against machines to make sure that, statistically, we know that the machines are counting the votes correctly.
And also voter awareness I think is very important to increase, about what to look for at the polls and what kind of audits are going to take place.
IRA FLATOW: All right, we’re going to take a break and come back and talk lots more about this. Our number, 844-724-8255. Talking with Bruce Schneier and Avi Rubin. You can also tweet us @scifri, are you fearful. And maybe we’ll have some hints about what to look for and what are some of the problems at the voting poll, at the voting booths and the poll places. Stay with us. We’ll be right back after this break.
This is Science Friday. I’m Ira Flatow. We’re talking this hour about the security of our voting systems with my technology guru guests Bruce Schneier and Avi Rubin. Our number, 844-724-8255.
Let’s see if we can go to a phone call or two. Let’s go to Rashad in Annandale, Virginia. Hi welcome to Science Friday.
RASHAD: Hi Ira, Thank you for taking my call.
IRA FLATOW: Go ahead.
RASHAD: Yeah, so my question is are any of these voting machines under any sort of regulatory authority at all? It sounds like there’s no precedence for this in regards to hacking or breaking into those machines. I’m actually a cyber security professional myself, and I work in the field of compliance.
So I guess the second question is, if they’re not at least held accountable by any sort of assessment or regulatory body, then are there security operations that are in place that actually monitor the traffic and activity of these machines?
IRA FLATOW: Good questions. Bruce, you want to take that first?
BRUCE SCHNEIER: I’ll start. I mean there’s some regulation on machines, but mostly states are left to their own devices. And we don’t have one election here, we have the 50 plus individual elections with different rules, different standards, different systems.
There’s not a lot of security standards. And those that are largely pre-computer, and don’t really look at the new threats and new ways of attacking systems. This isn’t all states, it tends to be all over the map. I actually like the idea of establishing election as critical infrastructure, and having our own government get involved.
Because I think you’re right. We do need to see some national standards of security of these machines and we don’t have that.
IRA FLATOW: Avi?
AVI RUBIN: Yeah, I think that standards are definitely lacking. And if we do establish standards, we have to be careful that the standards are the right standards. Give you an idea of how bad it can be.
Right now the states of Kentucky and Pennsylvania have completely paperless electronic voting systems. But because of laws that were on the books long before these voting machines existed, there’s an audit requirement in those states. And that’s the standard that they have. And that audit requirement is not something that can possibly be met by the current systems that they have.
And so I think we need to take some care and bring in the experts in the security community to establish the security standards. There is something to be said for the diverse set of voting equipment in different places. Because it would take a different type of attack to attack each different type of voting system. But that said, it might be better to have a good standard everywhere than to have this hodgepodge of nonstandard systems out there like we do today.
IRA FLATOW: And we have different manufacturers using different methods in the voting?
BRUCE SCHNEIER: Absolutely, yes.
IRA FLATOW: The question that always seems to come up is, if we use a black box to get money from the bank at the ATM, why can’t we have a secure voting system just like the banking people have?
AVI RUBIN: Yeah I hear that question all the time. And people need to understand two things. One is that banking is different from voting, in that voting has an anonymity requirement. Imagine if your bank were to disassociate its customers from their transactions and wasn’t allowed to keep track of who deposited money and who withdrew it. I don’t think anybody would be very comfortable with that, and yet in voting systems there’s a requirement that there not be a linkage between a person and how they voted.
And so by its very nature banking is different. But another place that this comparison falls short. If you look at a bank, I’m personally familiar with JP Morgan, they have hundreds of full time, professional, well-trained, many of them graduates of our security program at Johns Hopkins, security professionals. And those guys are working very hard to protect the systems.
And there is nothing equivalent to that at any of the voting system manufacturers. I’ve actually yet to meet a voting system manufacturer that had even one full time trained expert in computer security. And so if we’re going to compare banking to voting we have to make sure that we’re comparing apples to apples, and that a lot of effort is going in by skilled professionals to actually secure the systems.
IRA FLATOW: You know what, it sounds like they always talk about when we’re in a new war we’re always still fighting the last war. It sounds like we’re still fighting the last battles in the voting system instead of something new.
AVI RUBIN: The conversation–
BRUCE SCHNEIER: In a lot of ways that’s true. We tend to have laws and regulations that are well behind the technology, especially now that technology’s moving fast. Think about voting, you don’t do it every day. Every couple of years we pull the machines out of their closets and set them up.
We just don’t have the same level of experience and training from the administrators, the voting officials, or even from the users, from the voters.
IRA FLATOW: Yeah.
BRUCE SCHNEIER: It’s not something we do very often. You’re not going to get that same level of intimacy that you have with your computer systems. It’s actually a very difficult problem to secure voting. That’s why the experts fall back on things like paper that can be reviewed if there’s a problem, because it’s one of the tools we know that works.
IRA FLATOW: And any change is going to cost the m-word, money. That states may not want to or have the money to change.
BRUCE SCHNEIER: And this is a problem after the 2000 election. We had the Help America Vote Act, which enabled states to buy new machines. Unfortunately the machines that they were buying were these computer machines, which look good, but end up having these insecurities.
IRA FLATOW: You know, at pretty much every election season there are proposals for internet voting, now maybe cell phone voting. From what I hear you saying, that this could be even worse if we allow that to happen. It’s open to hackers more, Avi.
AVI RUBIN: Yeah, I mean I think that we would take a bad situation and make it a lot worse if we allowed internet voting. Right now the internet is really under siege. And what happened to the DNC, where their emails got hacked, that’s happening pretty much to any organization that’s online that represents a target. And software is known to have vulnerabilities, and when a dedicated, state sponsored attacker decides to go after you, they succeed.
And so I think that we should just look at the news and see all the stories of all these major corporations– I could rattle off a bunch of names but we’ve all seen this– getting hacked and compromised and say to ourselves, is that really what we want from our voting systems? And furthermore, if we do allow for this type of internet voting, right now we have a major party candidate who’s already declared that the election is going to be rigged against him. And what we need now are systems that allow us to rebut that and to have confidence that the election worked properly, that the mechanics of the election worked fine. And going to the internet is going to do exactly the opposite of that.
IRA FLATOW: So let me ask both of you, what would be– I’ll give you my blank check question, if you could spend all the money and you could create a brand new system– what would be the ideal system? Avi, let me start with you, and get Bruce in the few minutes we have left.
AVI RUBIN: Sure. I think that a system that could be very good already exists. It’s already out there, and it actually, I think, is less expensive than many of the systems that were sold. It’s simply a machine that’s a ballot marking machine. You have a view of all the candidates and a touch screen, and you can have capabilities for sight impaired voters to have audio. And at the end of the process, the machine prints out a paper ballot.
That machine is completely disjoint from any other system, and you could even request to fill out the ballot by hand, if you like. And that paper ballot is then the ballot of record, gets fed into an optical scanner. And then you have a certain number of random spot checks of the optical scanners to make sure they’re counting correctly.
What I like about this system is if there is a controversy, if there is someone claiming the election wasn’t run fairly, you can go back and recount the ballots. And the voters got to see the ballot and got to make sure that all of their selections were made, and that at the end of the day, those elections are still on that paper ballot which is going to be the ballot of record.
IRA FLATOW: Bruce?
BRUCE SCHNEIER: So that is really the best system, we use something similar in Minnesota. It’s all hand filled in, we have an optical scan reader. I’ve got a paper ballot, I fill in ovals, I can check it, I know it’s correct. Feed it into a machine, the machine checks to make sure I didn’t vote incorrectly, I didn’t actually vote for two people for the same office.
And then that count is done by a computer, and the paper drops into a box that’s saved for recount. And that voter verifiable paper trail is what gives us our security and integrity.
Now that has problems, right, I have to go and vote. To vote absentee I get that paper ballot in the mail, I fill out the ovals, put it in an envelope in an envelope that gets sent to the election office, and then that gets counted with the other ballots. It’s a really nice system, technology exists today. And it’s a lot more secure than these old computer systems.
IRA FLATOW: And of course you can always take a photo with your cell phone of the ballot itself as a backup so you know what you actually voted.
AVI RUBIN: Well Ira, before you go there, it’s tricky. In any one of these systems even one small suggestion can lead to problems. One of the issues that’s of concern is vote selling or coercion of voters. And so if you’re going to take a picture of your ballot and show it to someone, you can get paid for how you voted, or you could keep your job if you’re being threatened. And so that’s just something to watch out for.
BRUCE SCHNEIER: Although any system that allows for voting by mail is subject to that.
IRA FLATOW: OK
BRUCE SCHNEIER: They’ll give you a ballot, always given it to somebody else.
IRA FLATOW: Still sounds scary. As you say, Avi, hasn’t gotten better in 10 years.
AVI RUBIN: Right.
IRA FLATOW: Bruce Schneier is a technology security expert, chief technology officer at Resilient at IBM. Avi Rubin, professor of computer science at Johns Hopkins, author of the book Brave New Ballot 10 years ago. Time for a new edition, Avi?
AVI RUBIN: Well if something will change, I’ll write another book.
IRA FLATOW: Fair enough. Thank you both for taking time to be with us today.