In the summer before the 2006 elections, when I was chief information security officer for the state of Colorado, the Secretary of State’s office asked my opinion on whether voting machines were secure. I didn’t really know much about electronic voting at the time but offered my opinion that it would be necessary to understand everything from physical security and network connectivity to how voting machine software was developed and what was the actual threat to voting. In other words, the end-to-end risk of electronic voting.
So, I tasked my staff to do some research, review and experimentation on the security of voting machines and as you might imagine, the results weren’t pretty. They identified a number of technical concerns and, not surprisingly, said that due to the vast diversity of products in use across the state, it would be impossible to affirm with any degree of confidence that voting results could not be tampered with.
In addition, while there were an incredible number of technical issues, one of the biggest concerns was around physical chain of custody. Since voting machines are used only every two to four years, when not in use, they were typically stored in warehouses at the city and county level will little physical control. So, in addition to the vast number of potential software updates and patches, it was impossible to validate whether the machines had been physically manipulated.
Of course, in 2006 the threat to electronic voting was vastly different from the environment we live in today. In a recent Lawfare article titled, How the U.S. Has Failed to Protect the 2018 Elections — and Four Ways to Protect 2020, former Facebook CISO Alex Stamos identified all the reasons for why it was critical for the United States to take the threat seriously.
According to Kim Zetter's recent article, The Myth of the Hacker-Proof Voting Machine, it would be difficult to convince anyone that the electronic voting landscape has changed much. With all of the recent media activity surrounding Russian intrusions into state government voting systems before the 2016 elections and growing concerns about possible intrusions into voter registration and voting systems heading into the 2018 elections, I think there is good reason for concern. A quote often attributed to Joseph Stalin states, "It's not the people who vote that count, it's the people who count the votes." That should be incentive enough for us to leverage all the necessary resources to ensure our nation’s voting system remains secure and trustworthy.
Most security professionals chuckle at the naïve assertion of secure electronic voting, and I'm one of them. There is significant risk, and I believe state and local governments are far too willing to accept that risk without understanding the technical complexities. At the recent DEF CON hacking conference in Las Vegas, there was an actual “Voting Village” set up to exercise participating hackers’ ability to compromise common voting machines. According to people on the ground and multiple media reports, it was “child’s play” to take advantage of flaws in the voting machines. Unfortunately, the response from both the electronic voting machine vendors and government officials was to minimize the results.
This is a common response and shows that the people responsible for ensuring safe and accurate voting still don’t understand the hacker community, most of whom are simply interested in helping discover vulnerabilities. Risk-free electronic voting will never happen, but there are two things I think would go a long way toward providing a higher level of confidence:
- Make voting machine vendors legally and financially liable for end-to-end security of the electronic voting process. Transfer complete responsibility for ensuring machines are 100 percent up-to-date on patches, that any external communications (modems, routers, firewalls, etc.) managed by the government agencies are configured securely, and make the life cycle of physical security part of the vendor’s role. There would be a significant cost for this but security isn’t meant to be cheap. Some vendors today are offering "lease" vs "buy," which is an entirely rational idea.
- Collaborate with and challenge the hacker community to discover vulnerabilities in the electronic voting process, including individual vendor machines. Third-party validation is always more realistic than internal auditing because there is an inherent perception that the vendor will cover up bad news. Nothing in life is more appealing to a real hacker than throwing down in a well-crafted challenge. DEF CON proved that in spades.
At the state level, this means that the CIO and CISO and the Secretary of State must be actively involved in the voting process. Equally important, they must be tied in closely with their state CIO and CISO and the Department of Homeland Security. Collaboration and information sharing are often overused terms with little realistic expectation of occurring, but our system of government is now highly dependent upon exactly that.
As Sen. James Lankford, R-Oklahoma, recently stated, “Election security is not a partisan issue, it is a democracy issue and we should take the security of our next election seriously, just like we take the security of our infrastructure seriously, our banking system seriously, our power and electrical grid, our water.”
