Best regards,
Arthur
> On Jul 28, 2016, at 7:02 AM, Stephen Berger <stephen.berger at suddenlink.net> wrote:
>
> Susan,
>
> Good points.
>
> Let me add to the landscape that currently we have a single point of failure that I think deserves some attention. That point is when the ballot is scanned. Typically the scan mechanism is not specified and the initial processing software is not specified. Almost all, actually to my knowledge all, of the scanners first throw away a lot of information. Modern scanner electronics is able to get excellent resolution and color differentiation. There is a lot that can be done with high quality scan images. However, the scanner software immediately throws away most of that information and makes everything black or white. This is done because it makes mark recognition easier and it saves on machine memory. However, what is a vote is determined not off the image of the ballot but the processed image. To make matters worse, neither the VVSG nor any election official decides when a pixel should be determined to be black or white or how many pixels make a valid mark. This is left to each company and even each design team at each company. Even worse, it is often decided by the scanner engine manufacturer and that software is very examined in any of our processes.
>
> It would seem worth paying some attention to what happens between the ballot being fed to the scanner and a decision being made about what votes are on that paper. It also seems reasonable that election officials should be the ones deciding how big a mark is a valid mark and how various kinds of uncertain marks should be dealt with.
>
> Best Regards,
>
>
> Stephen Berger
> TEM Consulting, LP
> Web Site - www.temconsulting.com
> E-MAIL - stephen.berger at ieee.org
> Phone - (512) 864-3365
> Mobile - (512) 466-0833
> FAX - (512) 869-8709
>
> From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Susan Eustis
> Sent: Thursday, July 28, 2016 8:31 AM
> To: Arthur Keller <ark at soe.ucsc.edu>
> Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
> Subject: Re: [VVSG-interoperability] By November, Russian hackers could target voting machines
>
> Arthur, I agree, I concur. My new book lays this scenario out in detail and provides suggestions for preventing the hacks, ways to protect the integrity of the election results. There needs to be safeguards and automatic recounts the very next day with observers representing all candidates, no matter whether the election was close or not. There needs to be an audit trail and a way to protect the integrity of the balloting that occurs before election day. There needs to be a way for the observers to make a duplicate of the original ballots as the recount goes on and to run those through their own counting scanner to determine the validity of the election. There needs to be a way to interrupt the recount at any time if someone has to go to the bathroom or falls asleep so that the recount process has continuity and integrity. Things like this.
> Susan
>
> On Thu, Jul 28, 2016 at 9:22 AM, Arthur Keller <ark at soe.ucsc.edu> wrote:
> But vote tabulation and especially roll up is often connected to the Internet. And with the lack of effective audits in more jurisdictions, hacking the Internet-connected vote tabulation systems would do the trick.
>
> In particular, if the vote tabulation system is connected to the web reporting system, then that's an avenue for attack.
>
> There's a difference between auditable and actually audited. If the results are sufficiently skewed on election night, post election audits may not matter anyway. They didn't even matter in Florida in 2000 where the election was close.
>
> Could the programming of electronic voting machines be hacked in a Stuxnet type attack while they are loaded with the election data file?
>
> If China can hack Google, do we really believe there's no way Russia can't hack enough counties or states to change the outcome of the presidential election?
>
> Best regards,
> Arthur
>
> On Jul 28, 2016, at 6:07 AM, Deutsch, Herb <hdeutsch at essvote.com> wrote:
>
> Voting machines are not attached to the internet. You can't hack them without physical control and that is auditable.
>
> From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
> Sent: Thursday, July 28, 2016 12:30 AM
> To: John Wack
> Cc: vvsg-election; vvsg-pre-election; vvsg-post-election; vvsg-interoperability
> Subject: [VVSG-interoperability] By November, Russian hackers could target voting machines
>
> What should the election community do about this threat?
>
> Best regards,
> Arthur
>
> https://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/
>
> By November, Russian hackers could target voting machines
>
> If Russia really is responsible, there's no reason political interference would end with the DNC emails.
>
>
> By Bruce Schneier July 27 at 3:10 PM
> Bruce Schneier is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.
> Russia was behind the hacks into the Democratic National Committee's computer network that led to the release of thousands of internal emails just before the party's convention began, U.S. intelligence agencies have reportedly concluded.
> The FBI is investigating. WikiLeaks promises there is more data to come. The political nature of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation's computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November - that our election systems and our voting machines could be vulnerable to a similar attack.
> If the intelligence community has indeed ascertained that Russia is to blame, our government needs to decide what to do in response. This is difficult because the attacks are politically partisan, but it is essential. If foreign governments learn that they can influence our elections with impunity, this opens the door for future manipulations, both document thefts and dumps like this one that we see and more subtle manipulations that we don't see.
> Retaliation is politically fraught and could have serious consequences, but this is an attack against our democracy. We need to confront Russian President Vladimir Putin in some way - politically, economically or in cyberspace - and make it clear that we will not tolerate this kind of interference by any government. Regardless of your political leanings this time, there's no guarantee the next country that tries to manipulate our elections will share your preferred candidates.
> Even more important, we need to secure our election systems before autumn. If Putin's government has already used a cyberattack to attempt to help Trump win, there's no reason to believe he won't do it again - especially now that Trump is inviting the "help."
> Over the years, more and more states have moved to electronic voting machines and have flirted with Internet voting. These systems are insecure and vulnerable to attack.
>
> But while computer security experts like me have sounded the alarm for many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified.
> We no longer have time for that. We must ignore the machine manufacturers' spurious claims of security, create tiger teams to test the machines' and systems' resistance to attack, drastically increase their cyber-defenses and take them offline if we can't guarantee their security online.
> Longer term, we need to return to election systems that are secure from manipulation. This means voting machines with voter-verified paper audit trails, and no Internet voting. I know it's slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great.
> There are other ways to attack our election system on the Internet besides hacking voting machines or changing vote tallies: deleting voter records, hijacking candidate or party websites, targeting and intimidating campaign workers or donors. There have already been multiple instances of political doxing - publishing personal information and documents about a person or organization - and we could easily see more of it in this election cycle. We need to take these risks much more seriously than before.
> Government interference with foreign elections isn't new, and in fact, that's something the United States itself has repeatedly done in recent history. Using cyberattacks to influence elections is newer but has been done before, too - most notably in Latin America. Hacking of voting machines isn't new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.
>
> Last April, the Obama administration issued an executive order outlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they're a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.
> Election security is now a national security issue; federal officials need to take the lead, and they need to do it quickly.
>
> --
>
> Susan Eustis
> President
> WinterGreen Research
> 6 Raymond Street
> Lexington, Massachusetts
> phone 781 863 5078
> cell 617 852 7876
Thanks for catching that error! You are correct. I meant to say that the low level scanner software is nowhere examined in our current certification processes. I think we want to understand the process from the ballot to determination of the votes on it. Further, I think we would want the same ballot counted in the same way, independent of the scanner or system used.
Of course some marks will fall into a middle ground where different scanners might evaluate them differently. That would seem to be a category where those might get additional processing and special attention in a very close election.
Best Regards,
Stephen Berger
TEM Consulting, LP
Web Site - www.temconsulting.com
E-MAIL - stephen.berger at ieee.org
Phone - (512) 864-3365
Mobile - (512) 466-0833
FAX - (512) 869-8709
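An added illustration of the scanner-threshold point in the message above (not code from the thread or from any voting system): four constructed mark images are read under two hypothetical scanner profiles. The profile names, the gray-level cutoffs and the minimum-fill fractions are assumptions chosen for the example.

```python
"""Added illustration: the same ballot marks read under two scanner profiles."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScannerProfile:
    name: str         # hypothetical label, not a real product
    black_below: int  # 8-bit gray level below which a pixel is forced to black
    min_fill: float   # fraction of black pixels in the target that counts as a mark


def binarize(gray, black_below):
    """Reduce an 8-bit grayscale target region to 1 (black) / 0 (white)."""
    return [[1 if px < black_below else 0 for px in row] for row in gray]


def fill_ratio(bits):
    """Fraction of pixels in the binarized region that are black."""
    total = sum(len(row) for row in bits)
    return sum(sum(row) for row in bits) / total


def reads_as_vote(gray, profile):
    """The decision is made on the processed image, not on the scan itself."""
    return fill_ratio(binarize(gray, profile.black_below)) >= profile.min_fill


def classify(gray, profiles):
    """Return 'vote', 'no vote', or 'marginal' when the profiles disagree."""
    readings = {p.name: reads_as_vote(gray, p) for p in profiles}
    if all(readings.values()):
        return "vote", readings
    if not any(readings.values()):
        return "no vote", readings
    return "marginal", readings


def make_target(mark_gray, inked_rows, size=10, paper=235):
    """Constructed size x size target: the first inked_rows rows carry the mark."""
    return [[mark_gray if r < inked_rows else paper for _ in range(size)]
            for r in range(size)]


# Assumed values: profile_a uses a stricter pixel cutoff but accepts small marks,
# profile_b accepts lighter ink but requires a larger filled area.
PROFILES = (
    ScannerProfile("profile_a", black_below=128, min_fill=0.15),
    ScannerProfile("profile_b", black_below=160, min_fill=0.30),
)

# Constructed sample targets (gray 0 = black ink, 235 = paper).
SAMPLES = {
    "firm_pen_fill": make_target(mark_gray=30, inked_rows=10),
    "blank": make_target(mark_gray=30, inked_rows=0),
    "light_pencil_fill": make_target(mark_gray=140, inked_rows=10),
    "small_check_mark": make_target(mark_gray=30, inked_rows=2),
}


def review_batch(samples=SAMPLES, profiles=PROFILES):
    """Verdict per target; 'marginal' ones are candidates for human review."""
    return {name: classify(gray, profiles)[0] for name, gray in samples.items()}


def counted_by(profile, samples=SAMPLES):
    """Names of the targets a single profile would count as votes."""
    return sorted(n for n, g in samples.items() if reads_as_vote(g, profile))


if __name__ == "__main__":
    for name, verdict in review_batch().items():
        print(f"{name:18s} {verdict}")
    for profile in PROFILES:
        print(profile.name, "counts", counted_by(profile))
```

Both profiles count two marks here, but not the same two, so matching totals alone would not show that the scanners read the ballots identically.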
From: Arthur Keller [mailto:ark at soe.ucsc.edu]
Sent: Thursday, July 28, 2016 9:20 AM
To: Stephen Berger <stephen.berger at suddenlink.net>
Cc: Susan Eustis <susan at wintergreenresearch.com>; vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
Subject: Re: Single Point of Failure - the Scan Head - RE: [VVSG-interoperability] By November, Russian hackers could target voting machines
Thanks, Stephen. I think you mean scanner software is NEVER examined.
Best regards,
Arthur
The CDF work can help to make that easier, common identifiers for geopolitical geography and contests can help to make it easier, and there are probably a host of other items that could help to reduce the amount of time (and software required) to get all the equipment to work together smoothly. So as I'm reading the posts, I'm thinking about future VVSG requirements to make all the equipment work together so that the overall tabulation process is more usable to the election people conducting it. Of course, giving them more time to do would help significantly.
Cheers, John
From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
Sent: Thursday, July 28, 2016 10:20 AM
To: Stephen Berger <stephen.berger at suddenlink.net>
Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
Subject: Re: [VVSG-interoperability] Single Point of Failure - the Scan Head - RE: By November, Russian hackers could target voting machines
Thanks, Stephen. I think you mean scanner software is NEVER examined.
Best regards,
Arthur
On Jul 28, 2016, at 7:02 AM, Stephen Berger <stephen.berger at suddenlink.net<mailto:stephen.berger at suddenlink.net>> wrote:
Susan,
Good points.
Let add to the landscape that currently we have a single point of failure that I think deserves some attention. That point is when the ballot is scanned. Typically the scan mechanism is not specified and the initial processing software is not specified. Almost all, actually to my knowledge all of the scanners first throw away a lot of information. Modern scanner electronics is able to get excellent resolution and color differentiation. There is a lot that can be done with high quality can images. However, the scanner software immediately throws away most of that information and make everything black or white. This is done because it makes mark recognition easier and it saves on machine memory. However, what is a vote is determined not off the image of the ballot but the processed image. To make matters worse, neither the VVSG or any election official, decides when a pixel should be determined to be black or white or how many pixels make a valid mark. This is left to each company and even each design team at each company. Even worse, it is often decided by the scanner engine manufacturer and that software is very examined in any of our processes.
It would seem worth paying some attention to what happens between the ballot being feed to the scanner and a decision being made about what votes are on that paper. It also seems reasonable that election officials should be the ones deciding how big a mark is a valid mark and how various kinds of uncertain marks should be dealt with.
Best Regards,
Stephen Berger
TEM Consulting, LP
Web Site - www.temconsulting.com<http://www.temconsulting.com>
E-MAIL - stephen.berger at ieee.org<mailto:stephen.berger at ieee.org>
Phone - (512) 864-3365
Mobile - (512) 466-0833
FAX - (512) 869-8709
From: vvsg-interoperability-bounces at nist.gov<mailto:vvsg-interoperability-bounces at nist.gov> [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Susan Eustis
Sent: Thursday, July 28, 2016 8:31 AM
To: Arthur Keller <ark at soe.ucsc.edu<mailto:ark at soe.ucsc.edu>>
Cc: vvsg-election <vvsg-election at nist.gov<mailto:vvsg-election at nist.gov>>; vvsg-pre-election <vvsg-pre-election at nist.gov<mailto:vvsg-pre-election at nist.gov>>; vvsg-post-election <vvsg-post...@list.nist.gov<mailto:vvsg-post...@list.nist.gov>>; vvsg-interoperability <vvsg-interoperability at nist.gov<mailto:vvsg-interoperability at nist.gov>>
Subject: Re: [VVSG-interoperability] By November, Russian hackers could target voting machines
Arthur, I agree, I concur. My new book lays this scenario out in detail and provides suggestions for preventing the hacks, ways to protect the integrity of the election results, there needs to be safe guards and automatic recounts the very next day with observers representing all candidates, no matter whether the election was close or not. There needs to be an audit trail and a way to protect the integrity of the balloting that occurs before election day. There needs to be a way for the observers to make a duplicate of the original ballots as the recount goes on and to run those through their own counting scanner to determine the validity of the election. There needs to be a way to interrupt the recount at any time if someone has to go to the bathroom or falls asleep so that the recount process has continuity and integrity. Things like this.
Susan
On Thu, Jul 28, 2016 at 9:22 AM, Arthur Keller <ark at soe.ucsc.edu<mailto:ark at soe.ucsc.edu>> wrote:
But vote tabulation and especially roll up is often connected to the Internet. And with the lack of effective audits in more jurisdictions, hacking the Internet-connected vote tabulation systems would do the trick.
In particular, if the vote tabulation system is connected to the web reporting system, then that's an avenue for attack.
There's a difference between auditable and actually audited. If the results are sufficiently skewed on election night, post election audits may not matter anyway. They didn't even matter in Florida in 2000 where the election was close.
Could the programming of electronic voting machines be hacked in a Stuxnet type attack while they are loaded with the election data file?
If China can hack Google, do we really believe there's no way Russia can't hack enough counties or states to change the outcome of the presidential election?
Best regards,
Arthur
On Jul 28, 2016, at 6:07 AM, Deutsch, Herb <hdeutsch at essvote.com<mailto:hdeutsch at essvote.com>> wrote:
Voting machines are not attached to the internet. You can?t hack them without physical control and that is auditable.
From: vvsg-interoperability-bounces at nist.gov<mailto:vvsg-interoperability-bounces at nist.gov> [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
Sent: Thursday, July 28, 2016 12:30 AM
To: John Wack
Cc: vvsg-election; vvsg-pre-election; vvsg-post-election; vvsg-interoperability
Subject: [VVSG-interoperability] By November, Russian hackers could target voting machines
What should the election community do about this threat?
Best regards,
Arthur
By November, Russian hackers could target voting machines
If Russia really is responsible, there's no reason political interference would end with the DNC emails.
By Bruce Schneier July 27 at 3:10 PM
Bruce Schneier<https://www.schneier.com> is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World<https://www.schneier.com/book-dg.html>.
Russia was behind the hacks into the Democratic National Committee's computer network that led to the release of thousands of internal emails just before the party's convention began, U.S. intelligence agencies have reportedly<http://www.nytimes.com/2016/07/27/world/europe/russia-dnc-hack-emails.html> concluded.
The FBI is investigating. WikiLeaks promises<http://www.cnn.com/2016/07/26/politics/julian-assange-dnc-email-leak-hack/> there is more data to come. The political nature<http://www.defenseone.com/technology/2016/07/how-putin-weaponized-wikileaks-influence-election-american-president/130163/> of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation's computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November - that our election systems and our voting machines could be vulnerable to a similar attack.
If the intelligence community has indeed ascertained that Russia is to blame, our government needs to decide what to do in response. This is difficult because the attacks are politically partisan, but it is<http://arstechnica.com/security/2016/06/guest-editorial-the-dnc-hack-and-dump-is-what-cyberwar-looks-like/> essential<https://www.balloon-juice.com/2016/07/26/we-are-at-cyber-war-so-what-exactly-do-we-do-about-it/>. If foreign governments learn that they can influence our elections with impunity, this opens the door for future manipulations<http://www.huffingtonpost.com/michael-gregg/top-six-ways-hackers-coul_b_7832730.html>, both document thefts and dumps like this one that we see and more subtle manipulations that we don't see.
Retaliation is politically fraught and could have serious consequences, but this is an attack against our democracy. We need to confront Russian President Vladimir Putin in some way - politically, economically or in cyberspace - and make it clear that we will not tolerate this kind of interference by any government. Regardless of your political leanings this time, there's no guarantee the next country that tries to manipulate our elections will share your preferred candidates.
Even more important, we need to secure our election systems before autumn. If Putin's government has already used a cyberattack to attempt to help Trump win<http://talkingpointsmemo.com/edblog/trump-putin-yes-it-s-really-a-thing>, there's no reason to believe he won't do it again - especially now that Trump is inviting the "help."<https://www.washingtonpost.com/politics/democratic-national-convention-obama-biden-kaine-set-to-tout-clinton-as-commander-in-chief/2016/07/27/afc57884-53e8-11e6-bbf5-957ad17b4385_story.html?hpid=hp_hp-top-table-main_trump-1230pm%3Ahomepage%2Fstory>
Over the years, more and more states have moved to electronic voting machines and have flirted with Internet voting. These systems are<http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/> insecure<https://www.statslife.org.uk/significance/politics/2288-how-trustworthy-are-electronic-voting-systems-in-the-us> and<https://www.salon.com/2011/09/27/votinghack/> vulnerable<https://www.theguardian.com/us-news/2015/apr/15/virginia-hacking-voting-machines-security> to<http://whowhatwhy.org/2015/08/31/foreigners-could-hack-us-elections-experts-say/> attack<http://www.popsci.com/gadgets/article/2012-11/how-i-hacked-electronic-voting-machine>.
But while computer security experts like me<https://www.schneier.com/blog/archives/2004/11/the_problem_wit.html> have sounded<https://www.giac.org/paper/gsec/3687/inherent-problems-electronic-voting-systems/105962> the<http://homepage.cs.uiowa.edu/%7Ejones/voting/congress.html> alarm<https://cs.stanford.edu/people/eroberts/cs181/projects/2006-07/electronic-voting/index_files/page0004.html> for<https://citp.princeton.edu/research/voting/> many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified.
We no longer<https://scontent.xx.fbcdn.net/hphotos-xlp1/v/t1.0-9/12115815_699872940152206_2266030088084252627_n.png?oh=2a4e5e944a5feadb7e133dd8c57be376&oe=57AD8C92> have time<https://xkcd.com/463/> for that. We must ignore the machine manufacturers' spurious claims<https://www.salon.com/2006/09/13/diebold_3/> of security, create tiger teams to test the machines' and systems' resistance to attack, drastically increase their cyber-defenses and take them offline if we can't guarantee their security online.
Longer term, we need to return to election systems that are secure from manipulation. This means voting machines with voter-verified paper audit trails<http://votingmachines.procon.org/view.answers.php?questionID=000291>, and no<http://engineering.jhu.edu/magazine/2016/06/internet-voting-nonstarter/> Internet<https://www.verifiedvoting.org/resources/internet-voting/vote-online/> voting<http://www.scientificamerican.com/article.cfm?id=2012-presidential-election-electronic-voting>. I know it's slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great.
There are other ways to attack our election system on the Internet besides hacking voting machines or changing vote tallies: deleting voter records<http://thehill.com/policy/cybersecurity/278231-election-fraud-feared-as-hackers-target-voter-records>, hijacking candidate or party websites, targeting and intimidating campaign workers or donors. There have already been multiple instances of political doxing<https://www.schneier.com/blog/archives/2015/11/the_rise_of_pol.html> - publishing personal information and documents about a person or organization - and we could easily see more of it in this election cycle. We need to take these risks much more seriously than before.
Government interference with foreign elections isn't new, and in fact, that's something the United States itself has repeatedly done<https://www.lawfareblog.com/what-old-and-new-and-scary-russias-probable-dnc-hack> in recent history. Using cyberattacks to influence elections is newer but has been done before, too - most notably in Latin America<http://www.bloomberg.com/features/2016-how-to-hack-an-election/>. Hacking of voting machines isn't new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.
Last April, the Obama administration issued<https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know> an<https://www.whitehouse.gov/blog/2015/04/01/expanding-our-ability-combat-cyber-threats> executive<https://medium.com/the-white-house/a-new-tool-against-cyber-threats-1a30c188bc4#.jgbalohyi> order<https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m> outlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they're a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.
Some people would worry that the delay in reporting would allow nefarious activities to occur.
Best regards,
Arthur
> On Jul 28, 2016, at 7:38 AM, Wack, John (Fed) <john.wack at nist.gov> wrote:
>
> I hesitate to jump in, but I do agree that it's very very important to get the election night count accurate. I tend to think that no matter what, it's a human process, a logistical nightmare for some locales, and that this needs to be recognized in technical discussions and recommendations. One of the best things to do, in my opinion, to make things more secure and more accurate, falls into the usability category for tabulation: perhaps election results shall not be released until such and such a time on the next day, say noon. Pressure to get everything correct in a very short amount of time after a long day works against security and accuracy. No matter what technology we use or how secure or whatever, it can't erase the fact that the overall process is a very demanding management issue.
>
> The CDF work can help to make that easier, common identifiers for geopolitical geography and contests can help to make it easier, and there are probably a host of other items that could help to reduce the amount of time (and software required) to get all the equipment to work together smoothly. So as I'm reading the posts, I'm thinking about future VVSG requirements to make all the equipment work together so that the overall tabulation process is more usable to the election people conducting it. Of course, giving them more time to do would help significantly.
>
> Cheers, John
>
> From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
> Sent: Thursday, July 28, 2016 10:20 AM
> To: Stephen Berger <stephen.berger at suddenlink.net>
> Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
> Subject: Re: [VVSG-interoperability] Single Point of Failure - the Scan Head - RE: By November, Russian hackers could target voting machines
>
> Thanks, Stephen. I think you mean scanner software is NEVER examined.
>
> Best regards,
> Arthur
>
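Stephen Berger's point earlier in this thread, that the cutoff for calling a pixel black and the number of pixels that make a valid mark are left to each design team, can be made concrete with a short sketch. This is an added example, not code from any list member or voting system; the sample patches, the three policy names and every threshold value are constructed assumptions.

```python
from dataclasses import dataclass

WHITE = 255  # unmarked paper; 0 is solid black


def block(r0, r1, c0, c1):
    """Cells of a rectangular mark: rows r0..r1-1, columns c0..c1-1."""
    return [(r, c) for r in range(r0, r1) for c in range(c0, c1)]


def make_patch(mark_value, cells, size=10):
    """Constructed grayscale image of one voting target (size x size pixels)."""
    patch = [[WHITE] * size for _ in range(size)]
    for r, c in cells:
        patch[r][c] = mark_value
    return patch


@dataclass(frozen=True)
class MarkPolicy:
    """Hypothetical per-design settings of the kind the thread says go unexamined."""
    name: str
    pixel_threshold: int   # gray level below which a pixel is called black
    min_fill: float        # fraction of black pixels that makes a valid mark
    review_fill: float     # fraction at which the mark is sent to human review


def binarize(patch, pixel_threshold):
    """Reduce the grayscale patch to 1 (black) / 0 (white), discarding gray levels."""
    return [[1 if value < pixel_threshold else 0 for value in row] for row in patch]


def fill_fraction(binary):
    """Share of pixels in the target area that were called black."""
    total = sum(len(row) for row in binary)
    return sum(sum(row) for row in binary) / total


def classify(patch, policy):
    """Decide the mark from the processed image only, as the scanners described do."""
    fill = fill_fraction(binarize(patch, policy.pixel_threshold))
    if fill >= policy.min_fill:
        return "vote"
    if fill >= policy.review_fill:
        return "review"
    return "no vote"


# Constructed sample marks inside a 10x10 target area.
SAMPLES = {
    "firm fill": make_patch(40, block(2, 8, 2, 8)),      # dark, 36% of area
    "faint pencil": make_patch(150, block(2, 8, 2, 8)),  # same area, light gray
    "small tick": make_patch(40, block(4, 6, 4, 7)),     # dark, 6% of area
    "blank": make_patch(WHITE, []),
}

# Hypothetical settings for three scanner designs.
POLICIES = [
    MarkPolicy("design_a", pixel_threshold=128, min_fill=0.25, review_fill=0.05),
    MarkPolicy("design_b", pixel_threshold=180, min_fill=0.25, review_fill=0.05),
    MarkPolicy("design_c", pixel_threshold=128, min_fill=0.05, review_fill=0.02),
]


def outcome_table(samples, policies):
    """Outcome of every sample mark under every policy."""
    return {
        name: {p.name: classify(patch, p) for p in policies}
        for name, patch in samples.items()
    }


def disputed(table):
    """Marks whose outcome depends on which design scanned the ballot."""
    return sorted(name for name, row in table.items() if len(set(row.values())) > 1)


if __name__ == "__main__":
    table = outcome_table(SAMPLES, POLICIES)
    for name, row in table.items():
        print(f"{name:13s}", row)
    print("settings disagree on:", disputed(table))
```

Under design_a the faint pencil mark is not even routed to review, because the gray levels that distinguish it from blank paper are gone before the fill rule runs.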
We have the first count systems in motion for build out in SF. The plan is
to utilize GPL v3 open source with COTS hardware.
The real obstacle has been the Microsoft / Intellectual Property lobbyist
stranglehold on the politicians that apparently runs through the business
leagues of the election administrators. Currently the vendors are pushing
for "one more bite of the apple" before the jurisdictions follow New
Hampshire and CA toward open source systems.
Perhaps a memo should go out to the jurisdictions mentioning the looming
open source voting system availability, and advising them to "stand in
place" regarding further purchases of proprietary systems.
Best-
Brent
Susan
> *From:* vvsg-interoperability-bounces at nist.gov [
> mailto:vvsg-interoperability-bounces at nist.gov
> <vvsg-interoperability-bounces at nist.gov>] *On Behalf Of *Arthur Keller
> *Sent:* Thursday, July 28, 2016 12:30 AM
> *To:* John Wack
> *Cc:* vvsg-election; vvsg-pre-election; vvsg-post-election;
> vvsg-interoperability
> *Subject:* [VVSG-interoperability] By November, Russian hackers could
> target voting machines
>
>
>
> What should the election community do about this threat?
>
>
>
> Best regards,
>
> Arthur
>
>
>
>
> https://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/
>
>
> By November, Russian hackers could target voting machines
> If Russia really is responsible, there's no reason political interference
> would end with the DNC emails.
>
> By Bruce Schneier July 27 at 3:10 PM
>
> Bruce Schneier <https://www.schneier.com> is a security technologist and
> a lecturer at the Kennedy School of Government at Harvard University. His
> latest book is *Data and Goliath: The Hidden Battles to Collect Your Data
> and Control Your World* <https://www.schneier.com/book-dg.html>.
>
> Russia was behind the hacks into the Democratic National Committee's
> computer network that led to the release of thousands of internal emails
> just before the party's convention began, U.S. intelligence agencies have
> reportedly
> <http://www.nytimes.com/2016/07/27/world/europe/russia-dnc-hack-emails.html>
> concluded.
>
> The FBI is investigating. WikiLeaks promises
> <http://www.cnn.com/2016/07/26/politics/julian-assange-dnc-email-leak-hack/> there
> is more data to come. The political nature
> of this cyberattack means that Democrats and Republicans are trying to spin
> this as much as possible. Even so, we have to accept that someone is
> attacking our nation's computer systems in an apparent attempt to influence
> a presidential election. This kind of cyberattack targets the very core of
> our democratic process. And it points to the possibility of an even worse
> problem in November - that our election systems and our voting machines
> could be vulnerable to a similar attack.
>
> If the intelligence community has indeed ascertained that Russia is to
> blame, our government needs to decide what to do in response. This is
> difficult because the attacks are politically partisan, but it is
> <http://arstechnica.com/security/2016/06/guest-editorial-the-dnc-hack-and-dump-is-what-cyberwar-looks-like/>
> essential
> <https://www.balloon-juice.com/2016/07/26/we-are-at-cyber-war-so-what-exactly-do-we-do-about-it/>. If
> foreign governments learn that they can influence our elections with
> impunity, this opens the door for future manipulations
> <http://www.huffingtonpost.com/michael-gregg/top-six-ways-hackers-coul_b_7832730.html>,
> both document thefts and dumps like this one that we see and more subtle
> manipulations that we don't see.
>
> Retaliation is politically fraught and could have serious consequences,
> but this is an attack against our democracy. We need to confront Russian
> President Vladimir Putin in some way - politically, economically or in
> cyberspace - and make it clear that we will not tolerate this kind of
> interference by any government. Regardless of your political leanings this
> time, there's no guarantee the next country that tries to manipulate our
> elections will share your preferred candidates.
>
> Even more important, we need to secure our election systems before autumn.
> If Putin's government has already used a cyberattack to attempt to help Trump
> win
> <http://talkingpointsmemo.com/edblog/trump-putin-yes-it-s-really-a-thing>,
> there's no reason to believe he won't do it again - especially now that Trump
> is inviting the "help."
>
> Over the years, more and more states have moved to electronic voting
> machines and have flirted with Internet voting. These systems are
> <http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/>
> insecure
> <https://www.statslife.org.uk/significance/politics/2288-how-trustworthy-are-electronic-voting-systems-in-the-us>
> and <https://www.salon.com/2011/09/27/votinghack/> vulnerable
> <https://www.theguardian.com/us-news/2015/apr/15/virginia-hacking-voting-machines-security>
> to
> <http://whowhatwhy.org/2015/08/31/foreigners-could-hack-us-elections-experts-say/>
> attack
> <http://www.popsci.com/gadgets/article/2012-11/how-i-hacked-electronic-voting-machine>
> .
>
> *[Your iPhone just got less secure. Blame the FBI.
> <https://www.washingtonpost.com/posteverything/wp/2016/03/29/your-iphone-just-got-a-lot-less-secure-and-the-fbi-is-to-blame/>]
> *
>
> But while computer security experts like me
> <https://www.schneier.com/blog/archives/2004/11/the_problem_wit.html>
> have sounded
> <https://www.giac.org/paper/gsec/3687/inherent-problems-electronic-voting-systems/105962>
> the <http://homepage.cs.uiowa.edu/%7Ejones/voting/congress.html> alarm
> <https://cs.stanford.edu/people/eroberts/cs181/projects/2006-07/electronic-voting/index_files/page0004.html>
> for <https://citp.princeton.edu/research/voting/> many years, states
> have largely ignored the threat, and the machine manufacturers have thrown
> up enough obfuscating babble that election officials are largely mollified.
>
> We no longer
> <https://scontent.xx.fbcdn.net/hphotos-xlp1/v/t1.0-9/12115815_699872940152206_2266030088084252627_n.png?oh=2a4e5e944a5feadb7e133dd8c57be376&oe=57AD8C92>
> have time <https://xkcd.com/463/> for that. We must ignore the machine
> manufacturers' spurious claims
> <https://www.salon.com/2006/09/13/diebold_3/> of security, create tiger
> teams to test the machines' and systems' resistance to attack, drastically
> increase their cyber-defenses and take them offline if we can't guarantee
> their security online.
>
> Longer term, we need to return to election systems that are secure from
> manipulation. This means voting machines with voter-verified paper audit
> trails
> <http://votingmachines.procon.org/view.answers.php?questionID=000291>,
> and no
> <http://engineering.jhu.edu/magazine/2016/06/internet-voting-nonstarter/>
> Internet
> <https://www.verifiedvoting.org/resources/internet-voting/vote-online/>
> voting
> <http://www.scientificamerican.com/article.cfm?id=2012-presidential-election-electronic-voting>. I
> know it's slower and less convenient to stick to the old-fashioned way, but
> the security risks are simply too great.
>
> There are other ways to attack our election system on the Internet besides
> hacking voting machines or changing vote tallies: deleting voter records
> <http://thehill.com/policy/cybersecurity/278231-election-fraud-feared-as-hackers-target-voter-records>,
> hijacking candidate or party websites, targeting and intimidating campaign
> workers or donors. There have already been multiple instances of
> political doxing
> <https://www.schneier.com/blog/archives/2015/11/the_rise_of_pol.html> -
> publishing personal information and documents about a person or
> organization - and we could easily see more of it in this election cycle.
> We need to take these risks much more seriously than before.
>
> Government interference with foreign elections isn't new, and in fact,
> that's something the United States itself has repeatedly done
> <https://www.lawfareblog.com/what-old-and-new-and-scary-russias-probable-dnc-hack> in
> recent history. Using cyberattacks to influence elections is newer but has
> been done before, too - most notably in Latin America
> <http://www.bloomberg.com/features/2016-how-to-hack-an-election/>.
> Hacking of voting machines isn't new, either. But what is new is a foreign
> government interfering with a U.S. national election on a large scale. Our
> democracy cannot tolerate it, and we as citizens cannot accept it.
>
> *[Why would Russia try to hack the U.S. election? Because it might work.
> <https://www.washingtonpost.com/posteverything/wp/2016/07/26/why-would-russia-interfere-in-the-u-s-election-because-it-usually-works/>]
> *
>
> Last April, the Obama administration issued
> <https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know>
> an
> <https://www.whitehouse.gov/blog/2015/04/01/expanding-our-ability-combat-cyber-threats>
> executive
> <https://medium.com/the-white-house/a-new-tool-against-cyber-threats-1a30c188bc4#.jgbalohyi>
> order
What is your alternative to open source code ? Closed / disclosed ? The
DOD / NASA / Air Force etc side with open source ...
I think the question regarding best approach open vs closed has been called
and is now long over--
Regarding audit capability.. the printed ballots themselves are the
countable record..
Best- BT
On Thu, Jul 28, 2016 at 8:31 AM, Susan Eustis <susan at wintergreenresearch.com
What security experts are reviewing the design for the SF style system?
Best regards,
Arthur
> On Jul 28, 2016, at 8:11 AM, Brent Turner <turnerbrentm at gmail.com> wrote:
>
> Thanks for the nod, John..
>
> We have the first count systems in motion for build out in SF. The plan is to utilize GPL v3 open source with COTS hardware..
>
> The real obstacle has been the Microsoft / Intellectual Property lobbyist stranglehold on the politicians that apparently runs through the business leagues of the election administrators. Currently the vendors are pushing for " one more bite of the apple " before the jurisdictions follow New Hampshire and CA toward open source systems.
>
> Perhaps a memo should go out to the jurisdictions mentioning the looming open source voting system availability .. and advising them to " stand in place " regarding further purchases of proprietary systems.
>
> Best-
>
> Brent
>
>> On Thu, Jul 28, 2016 at 7:38 AM, Wack, John (Fed) <john.wack at nist.gov> wrote:
>> I hesitate to jump in, but I do agree that it's very very important to get the election night count accurate. I tend to think that no matter what, it's a human process, a logistical nightmare for some locales, and that this needs to be recognized in technical discussions and recommendations. One of the best things to do, in my opinion, to make things more secure and more accurate, falls into the usability category for tabulation: perhaps election results shall not be released until such and such a time on the next day, say noon. Pressure to get everything correct in a very short amount of time after a long day works against security and accuracy. No matter what technology we use or how secure or whatever, it can't erase the fact that the overall process is a very demanding management issue.
>>
>>
>>
>> The CDF work can help to make that easier, common identifiers for geopolitical geography and contests can help to make it easier, and there are probably a host of other items that could help to reduce the amount of time (and software required) to get all the equipment to work together smoothly. So as I'm reading the posts, I'm thinking about future VVSG requirements to make all the equipment work together so that the overall tabulation process is more usable to the election people conducting it. Of course, giving them more time to do would help significantly.
>>
>>
>>
>> Cheers, John
>>
>>
>>
>> From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
>> Sent: Thursday, July 28, 2016 10:20 AM
>> To: Stephen Berger <stephen.berger at suddenlink.net>
>> Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
>> Subject: Re: [VVSG-interoperability] Single Point of Failure - the Scan Head - RE: By November, Russian hackers could target voting machines
>>
>>
>>
>> Thanks, Stephen. I think you mean scanner software is NEVER examined.
>>
>>
>>
>> Best regards,
>>
>> Arthur
>>
>>
>> On Jul 28, 2016, at 7:02 AM, Stephen Berger <stephen.berger at suddenlink.net> wrote:
>>
>> Susan,
>>
>>
>>
>> Good points.
>>
>>
>>
>> Let me add to the landscape that currently we have a single point of failure that I think deserves some attention. That point is when the ballot is scanned. Typically the scan mechanism is not specified and the initial processing software is not specified. Almost all, actually to my knowledge all of the scanners first throw away a lot of information. Modern scanner electronics is able to get excellent resolution and color differentiation. There is a lot that can be done with high quality scan images. However, the scanner software immediately throws away most of that information and makes everything black or white. This is done because it makes mark recognition easier and it saves on machine memory. However, what is a vote is determined not off the image of the ballot but the processed image. To make matters worse, neither the VVSG nor any election official decides when a pixel should be determined to be black or white or how many pixels make a valid mark. This is left to each company and even each design team at each company. Even worse, it is often decided by the scanner engine manufacturer and that software is very examined in any of our processes.
>>
>>
>>
>> It would seem worth paying some attention to what happens between the ballot being fed to the scanner and a decision being made about what votes are on that paper. It also seems reasonable that election officials should be the ones deciding how big a mark is a valid mark and how various kinds of uncertain marks should be dealt with.
>>
>>
>>
>> Best Regards,
>>
>>
>>
>>
>> Stephen Berger
>>
>> TEM Consulting, LP
>>
>> Web Site - www.temconsulting.com
>> E-MAIL - stephen.berger at ieee.org
>> Phone - (512) 864-3365
>> Mobile - (512) 466-0833
>> FAX - (512) 869-8709
>>
>>
>>
>> From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Susan Eustis
>> Sent: Thursday, July 28, 2016 8:31 AM
>> To: Arthur Keller <ark at soe.ucsc.edu>
>> Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
>> Subject: Re: [VVSG-interoperability] By November, Russian hackers could target voting machines
>>
>>
>>
>> Arthur, I agree, I concur. My new book lays this scenario out in detail and provides suggestions for preventing the hacks, ways to protect the integrity of the election results, there needs to be safeguards and automatic recounts the very next day with observers representing all candidates, no matter whether the election was close or not. There needs to be an audit trail and a way to protect the integrity of the balloting that occurs before election day. There needs to be a way for the observers to make a duplicate of the original ballots as the recount goes on and to run those through their own counting scanner to determine the validity of the election. There needs to be a way to interrupt the recount at any time if someone has to go to the bathroom or falls asleep so that the recount process has continuity and integrity. Things like this.
>>
>> Susan
>>
>>
>>
>> On Thu, Jul 28, 2016 at 9:22 AM, Arthur Keller <ark at soe.ucsc.edu> wrote:
>>
>> But vote tabulation and especially roll up is often connected to the Internet. And with the lack of effective audits in more jurisdictions, hacking the Internet-connected vote tabulation systems would do the trick.
>>
>>
>>
>> In particular, if the vote tabulation system is connected to the web reporting system, then that's an avenue for attack.
>>
>>
>>
>> There's a difference between auditable and actually audited. If the results are sufficiently skewed on election night, post election audits may not matter anyway. They didn't even matter in Florida in 2000 where the election was close.
>>
>>
>>
>> Could the programming of electronic voting machines be hacked in a Stuxnet type attack while they are loaded with the election data file?
>>
>>
>>
>> If China can hack Google, do we really believe there's no way Russia can't hack enough counties or states to change the outcome of the presidential election?
>>
>>
>>
>> Best regards,
>>
>> Arthur
>>
>>
>> On Jul 28, 2016, at 6:07 AM, Deutsch, Herb <hdeutsch at essvote.com> wrote:
>>
>> Voting machines are not attached to the internet. You can't hack them without physical control and that is auditable.
>>
>>
>>
>> From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
>> Sent: Thursday, July 28, 2016 12:30 AM
>> To: John Wack
>> Cc: vvsg-election; vvsg-pre-election; vvsg-post-election; vvsg-interoperability
>> Subject: [VVSG-interoperability] By November, Russian hackers could target voting machines
>>
>>
>>
>> What should the election community do about this threat?
>>
>>
>>
>> Best regards,
>>
>> Arthur
>>
>>
>>
>> https://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/
>>
>>
>>
>> By November, Russian hackers could target voting machines
>>
>> If Russia really is responsible, there's no reason political interference would end with the DNC emails.
>>
>> By Bruce Schneier July 27 at 3:10 PM
>>
>> Bruce Schneier is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.
>>
>> Russia was behind the hacks into the Democratic National Committee's computer network that led to the release of thousands of internal emails just before the party's convention began, U.S. intelligence agencies have reportedly concluded.
>>
>> The FBI is investigating. WikiLeaks promises there is more data to come. The political nature of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation's computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November - that our election systems and our voting machines could be vulnerable to a similar attack.
>>
>> If the intelligence community has indeed ascertained that Russia is to blame, our government needs to decide what to do in response. This is difficult because the attacks are politically partisan, but it is essential. If foreign governments learn that they can influence our elections with impunity, this opens the door for future manipulations, both document thefts and dumps like this one that we see and more subtle manipulations that we don't see.
>>
>> Retaliation is politically fraught and could have serious consequences, but this is an attack against our democracy. We need to confront Russian President Vladimir Putin in some way - politically, economically or in cyberspace - and make it clear that we will not tolerate this kind of interference by any government. Regardless of your political leanings this time, there's no guarantee the next country that tries to manipulate our elections will share your preferred candidates.
>>
>> Even more important, we need to secure our election systems before autumn. If Putin's government has already used a cyberattack to attempt to help Trump win, there's no reason to believe he won't do it again - especially now that Trump is inviting the "help."
>>
>> Over the years, more and more states have moved to electronic voting machines and have flirted with Internet voting. These systems are insecure and vulnerable to attack.
>>
>> [Your iPhone just got less secure. Blame the FBI.]
>>
>> But while computer security experts like me have sounded the alarm for many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified.
>>
>> We no longer have time for that. We must ignore the machine manufacturers' spurious claims of security, create tiger teams to test the machines' and systems' resistance to attack, drastically increase their cyber-defenses and take them offline if we can't guarantee their security online.
>>
>> Longer term, we need to return to election systems that are secure from manipulation. This means voting machines with voter-verified paper audit trails, and no Internet voting. I know it's slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great.
>>
>> There are other ways to attack our election system on the Internet besides hacking voting machines or changing vote tallies: deleting voter records, hijacking candidate or party websites, targeting and intimidating campaign workers or donors. There have already been multiple instances of political doxing - publishing personal information and documents about a person or organization - and we could easily see more of it in this election cycle. We need to take these risks much more seriously than before.
>>
>> Government interference with foreign elections isn't new, and in fact, that's something the United States itself has repeatedly done in recent history. Using cyberattacks to influence elections is newer but has been done before, too - most notably in Latin America. Hacking of voting machines isn't new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.
>>
>> [Why would Russia try to hack the U.S. election? Because it might work.]
>>
>> Last April, the Obama administration issued an executive order outlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they're a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.
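Added example, not part of the thread and not any vendor's code: a sketch of the scan-head issue Stephen Berger describes in the message quoted above, where the black/white pixel cutoff and the pixel count for a valid mark are set by each design team. The two policies, their numbers and the sample mark regions are constructed assumptions, chosen only to show the same paper marks being decided differently once the grayscale image is discarded.

```python
"""Same ballot targets, two hypothetical scanner policies, different votes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MarkPolicy:
    name: str
    black_below: int      # grayscale 0 (black) .. 255 (white); below this a pixel becomes black
    min_fill: float       # fraction of black pixels that counts as a valid mark
    marginal_fill: float  # fraction at which an unclear mark is sent to human review


def binarize(region, black_below):
    """Reduce a grayscale target region to 1-bit pixels, as the scanner software does."""
    return [[1 if px < black_below else 0 for px in row] for row in region]


def fill_ratio(bits):
    """Fraction of pixels in the target region that ended up black."""
    total = sum(len(row) for row in bits)
    return sum(sum(row) for row in bits) / total


def classify(region, policy):
    """Return (decision, fill ratio) for one target region under one policy."""
    ratio = fill_ratio(binarize(region, policy.black_below))
    if ratio >= policy.min_fill:
        return "VOTE", ratio
    if ratio >= policy.marginal_fill:
        return "MARGINAL", ratio
    return "NO_VOTE", ratio


def make_region(n_marked, value, size=10, background=240):
    """Constructed test data: size*size region with n_marked pixels at `value`."""
    flat = [value] * n_marked + [background] * (size * size - n_marked)
    return [flat[i * size:(i + 1) * size] for i in range(size)]


# Hypothetical parameter sets; neither is taken from a real product.
VENDOR_A = MarkPolicy("vendor_a", black_below=128, min_fill=0.25, marginal_fill=0.10)
VENDOR_B = MarkPolicy("vendor_b", black_below=180, min_fill=0.10, marginal_fill=0.05)

# Constructed samples of what a voter might leave in one oval.
SAMPLES = {
    "filled_oval": make_region(70, 40),    # firmly filled, dark ink
    "light_pencil": make_region(60, 150),  # large but faint gray mark
    "checkmark": make_region(12, 30),      # small dark tick
    "blank": make_region(2, 100),          # print noise only
}


def disagreements(samples, policies):
    """Names of samples on which the policies do not all reach the same decision."""
    out = []
    for name, region in samples.items():
        decisions = {classify(region, p)[0] for p in policies}
        if len(decisions) > 1:
            out.append(name)
    return out


if __name__ == "__main__":
    for name, region in SAMPLES.items():
        row = ", ".join(
            f"{p.name}={classify(region, p)[0]} ({classify(region, p)[1]:.2f})"
            for p in (VENDOR_A, VENDOR_B)
        )
        print(f"{name:13s} {row}")
    print("policies disagree on:", disagreements(SAMPLES, [VENDOR_A, VENDOR_B]))
```

Keeping the grayscale region alongside the decision is what lets an election official, rather than the scanner engine, re-run the marginal cases under a published rule.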
One problem with published source is if someone finds a serious flaw too soon before the election to get the flaw fixed for recertification and deployment. Even without Federal certification, there still needs to be an acceptance process that takes time. But that's a risk better than secrecy's risks.
Best regards,
Arthur
> On Jul 28, 2016, at 8:38 AM, Brent Turner <turnerbrentm at gmail.com> wrote:
>
> Susan--
>
> What is your alternative to open source code ? Closed / disclosed ? The DOD / NASA / Air Force etc side with open source ...
>
> I think the question regarding best approach open vs closed has been called and is now long over--
>
> Regarding audit capability.. the printed ballots themselves are the countable record..
>
> Best- BT
>
>
>> On Thu, Jul 28, 2016 at 8:31 AM, Susan Eustis <susan at wintergreenresearch.com> wrote:
>> I agree this is attractive, and should be done, but what about a usable audit trail? GPL v3 open source with COTS hardware has enormous potential for buried hack handles in the code and the COTS has BIOS vulnerability. I contend with that in my business all the time, the coders in foreign countries leave hooks in the open source code that is not detectable and that may not be activated for years.
>> Susan
>>
>>
>>> On Thu, Jul 28, 2016 at 11:20 AM, Susan Eustis <susan at wintergreenresearch.com> wrote:
>>> There is plenty of precedent in the court cases in Massachusetts where that did happen.
>>>
>>> Susan
>>>
>>>> On Thu, Jul 28, 2016 at 10:43 AM, Arthur Keller <ark at soe.ucsc.edu> wrote:
>>>> Thanks, John.
>>>>
>>>> Some people would worry that the delay in reporting would allow nefarious activities to occur.
>>>>
>>>> Best regards,
>>>> Arthur
>>>>
>>>>
>>>>> On Jul 28, 2016, at 7:38 AM, Wack, John (Fed) <john.wack at nist.gov> wrote:
>>>>>
>>>>> I hesitate to jump in, but I do agree that it?s very very important to get the election night count accurate. I tend to think that no matter what, it?s a human process, a logistical nightmare for some locales, and that this needs to be recognized in technical discussions and recommendations. One of the best things to do, in my opinion, to make things more secure and more accurate, falls into the usability category for tabulation: perhaps election results shall not be released until such and such a time on the next day, say noon. Pressure to get everything correct in a very short amount of time after a long day works against security and accuracy. No matter what technology we use or how secure or whatever, it can?t erase the fact that the overall process is a very demanding management issue.
>>>>>
>>>>>
>>>>>
>>>>> The CDF work can help to make that easier, common identifiers for geopolitical geography and contests can help to make it easier, and there are probably a host of other items that could help to reduce the amount of time (and software required) to get all the equipment to work together smoothly. So as I?m reading the posts, I?m thinking about future VVSG requirements to make all the equipment work together so that the overall tabulation process is more usable to the election people conducting it. Of course, giving them more time to do would help significantly.
>>>>>
>>>>>
>>>>>
>>>>> Cheers, John
>>>>>
>>>>>
>>>>>
>>>>> From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
>>>>> Sent: Thursday, July 28, 2016 10:20 AM
>>>>> To: Stephen Berger <stephen.berger at suddenlink.net>
>>>>> Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
>>>>> Subject: Re: [VVSG-interoperability] Single Point of Failure - the Scan Head - RE: By November, Russian hackers could target voting machines
>>>>>
>>>>>
>>>>>
>>>>> Thanks, Stephen. I think you mean scanner software is NEVER examined.
>>>>>
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Arthur
>>>>>
>>>>>
>>>>> On Jul 28, 2016, at 7:02 AM, Stephen Berger <stephen.berger at suddenlink.net> wrote:
>>>>>
>>>>> Susan,
>>>>>
>>>>>
>>>>>
>>>>> Good points.
>>>>>
>>>>>
>>>>>
>>>>> Let add to the landscape that currently we have a single point of failure that I think deserves some attention. That point is when the ballot is scanned. Typically the scan mechanism is not specified and the initial processing software is not specified. Almost all, actually to my knowledge all of the scanners first throw away a lot of information. Modern scanner electronics is able to get excellent resolution and color differentiation. There is a lot that can be done with high quality can images. However, the scanner software immediately throws away most of that information and make everything black or white. This is done because it makes mark recognition easier and it saves on machine memory. However, what is a vote is determined not off the image of the ballot but the processed image. To make matters worse, neither the VVSG or any election official, decides when a pixel should be determined to be black or white or how many pixels make a valid mark. This is left to each company and even each design team at each company. Even worse, it is often decided by the scanner engine manufacturer and that software is very examined in any of our processes.
>>>>>
>>>>>
>>>>>
>>>>> It would seem worth paying some attention to what happens between the ballot being feed to the scanner and a decision being made about what votes are on that paper. It also seems reasonable that election officials should be the ones deciding how big a mark is a valid mark and how various kinds of uncertain marks should be dealt with.
>>>>>
>>>>>
>>>>>
>>>>> Best Regards,
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Stephen Berger
>>>>>
>>>>> TEM Consulting, LP
>>>>>
>>>>> Web Site - www.temconsulting.com
>>>>> E-MAIL - stephen.berger at ieee.org
>>>>> Phone - (512) 864-3365
>>>>> Mobile - (512) 466-0833
>>>>> FAX - (512) 869-8709
>>>>>
>>>>>
>>>>>
>>>>> From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Susan Eustis
>>>>> Sent: Thursday, July 28, 2016 8:31 AM
>>>>> To: Arthur Keller <ark at soe.ucsc.edu>
>>>>> Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
>>>>> Subject: Re: [VVSG-interoperability] By November, Russian hackers could target voting machines
>>>>>
>>>>>
>>>>>
>>>>> Arthur, I agree, I concur. My new book lays this scenario out in detail and provides suggestions for preventing the hacks, ways to protect the integrity of the election results, there needs to be safe guards and automatic recounts the very next day with observers representing all candidates, no matter whether the election was close or not. There needs to be an audit trail and a way to protect the integrity of the balloting that occurs before election day. There needs to be a way for the observers to make a duplicate of the original ballots as the recount goes on and to run those through their own counting scanner to determine the validity of the election. There needs to be a way to interrupt the recount at any time if someone has to go to the bathroom or falls asleep so that the recount process has continuity and integrity. Things like this.
>>>>>
>>>>> Susan
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Jul 28, 2016 at 9:22 AM, Arthur Keller <ark at soe.ucsc.edu> wrote:
>>>>>
>>>>> But vote tabulation and especially roll up is often connected to the Internet. And with the lack of effective audits in more jurisdictions, hacking the Internet-connected vote tabulation systems would do the trick.
>>>>>
>>>>>
>>>>>
>>>>> In particular, if the vote tabulation system is connected to the web reporting system, then that's an avenue for attack.
>>>>>
>>>>>
>>>>>
>>>>> There's a difference between auditable and actually audited. If the results are sufficiently skewed on election night, post election audits may not matter anyway. They didn't even matter in Florida in 2000 where the election was close.
>>>>>
>>>>>
>>>>>
>>>>> Could the programming of electronic voting machines be hacked in a Stuxnet type attack while they are loaded with the election data file?
>>>>>
>>>>>
>>>>>
>>>>> If China can hack Google, do we really believe there's no way Russia can't hack enough counties or states to change the outcome of the presidential election?
>>>>>
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Arthur
>>>>>
>>>>>
>>>>> On Jul 28, 2016, at 6:07 AM, Deutsch, Herb <hdeutsch at essvote.com> wrote:
>>>>>
>>>>> Voting machines are not attached to the internet. You can?t hack them without physical control and that is auditable.
>>>>>
>>>>>
>>>>>
>>>>> From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
>>>>> Sent: Thursday, July 28, 2016 12:30 AM
>>>>> To: John Wack
>>>>> Cc: vvsg-election; vvsg-pre-election; vvsg-post-election; vvsg-interoperability
>>>>> Subject: [VVSG-interoperability] By November, Russian hackers could target voting machines
>>>>>
>>>>>
>>>>>
>>>>> What should the election community do about this threat?
>>>>>
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Arthur
>>>>>
>>>>>
>>>>>
>>>>> https://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/
>>>>>
>>>>>
>>>>>
>>>>> By November, Russian hackers could target voting machines
>>>>>
>>>>> If Russia really is responsible, there's no reason political interference would end with the DNC emails.
>>>>>
>>>>> <image001.jpg>
>>>>>
>>>>> By Bruce Schneier July 27 at 3:10 PM
>>>>>
>>>>> Bruce Schneier is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.
>>>>>
>>>>> Russia was behind the hacks into the Democratic National Committee?s computer network that led to the release of thousands of internal emails just before the party?s convention began, U.S. intelligence agencies have reportedly concluded.
>>>>>
>>>>> The FBI is investigating. WikiLeaks promises there is more data to come. The political nature of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation?s computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November ? that our election systems and our voting machines could be vulnerable to a similar attack.
>>>>>
>>>>> If the intelligence community has indeed ascertained that Russia is to blame, our government needs to decide what to do in response. This is difficult because the attacks are politically partisan, but it is essential. If foreign governments learn that they can influence our elections with impunity, this opens the door for future manipulations, both document thefts and dumps like this one that we see and more subtle manipulations that we don?t see.
>>>>>
>>>>> Retaliation is politically fraught and could have serious consequences, but this is an attack against our democracy. We need to confront Russian President Vladimir Putin in some way ? politically, economically or in cyberspace ? and make it clear that we will not tolerate this kind of interference by any government. Regardless of your political leanings this time, there?s no guarantee the next country that tries to manipulate our elections will share your preferred candidates.
>>>>>
>>>>> Even more important, we need to secure our election systems before autumn. If Putin?s government has already used a cyberattack to attempt to help Trump win, there?s no reason to believe he won?t do it again ? especially now that Trump is inviting the ?help.?
>>>>>
>>>>> Over the years, more and more states have moved to electronic voting machines and have flirted with Internet voting. These systems are insecure and vulnerable to attack.
>>>>>
>>>>> [Your iPhone just got less secure. Blame the FBI.]
>>>>>
>>>>> But while computer security experts like me have sounded the alarm for many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified.
>>>>>
>>>>> We no longer have time for that. We must ignore the machine manufacturers? spurious claims of security, create tiger teams to test the machines? and systems? resistance to attack, drastically increase their cyber-defenses and take them offline if we can?t guarantee their security online.
>>>>>
>>>>> Longer term, we need to return to election systems that are secure from manipulation. This means voting machines with voter-verified paper audit trails, and no Internet voting. I know it?s slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great.
>>>>>
>>>>> There are other ways to attack our election system on the Internet besides hacking voting machines or changing vote tallies: deleting voter records, hijacking candidate or party websites, targeting and intimidating campaign workers or donors. There have already been multiple instances of political doxing ? publishing personal information and documents about a person or organization ? and we could easily see more of it in this election cycle. We need to take these risks much more seriously than before.
>>>>>
>>>>> Government interference with foreign elections isn?t new, and in fact, that?s something the United States itself has repeatedly done in recent history. Using cyberattacks to influence elections is newer but has been done before, too ? most notably in Latin America. Hacking of voting machines isn?t new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.
>>>>>
>>>>> Last April, the Obama administration issued an executive order outlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they're a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.
Best regards,
Arthur
> On Jul 28, 2016, at 8:43 AM, David RR Webber (XML) <david at drrw.info> wrote:
>
> The bigger sweeter honey pot is the Early Voting machines.
>
> They are sat there for a week and change - in designated locations.
>
> I raised this concern 5+ years to the EAC when they first began that - but it was brushed aside.
>
> Even just pulling count data off the early vote machines - not even changing data - could compromise an election in so many ways - allowing informed decisions for those privy to that information - to take actions to their advantage.
>
> David
No one I have ever heard has EVER posed open source as a "panacea" -
that would be silly talk.. so to refute a statement that has never been
made is an interesting statement indeed.
San Francisco is in its infancy stage.. so hopefully the OS community --
with Dr. Gilbert / Brian Fox and others will be available for the task..
CAVO's role will remain to watch the watchers.. If anyone pulls up in a
new Rolls Royce with plates that read DIE BOLD I will sound appropriate
alarms.. ha ha
I defer to experts whether or not it is realistic to think a master gamer
could plant all the COTS of the world.. seems unlikely.. to a layperson..
but please enlighten..
Best- BT
>> *From:* vvsg-interoperability-bounces at nist.gov [mailto:
>> vvsg-interoperability-bounces at nist.gov] *On Behalf Of *Arthur Keller
>> *Sent:* Thursday, July 28, 2016 10:20 AM
>> *To:* Stephen Berger <stephen.berger at suddenlink.net>
>> *Cc:* vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <
>> vvsg-pre-election at nist.gov>; vvsg-post-election <
>> vvsg-post...@list.nist.gov>; vvsg-interoperability <
>> vvsg-interoperability at nist.gov>
>> *Subject:* Re: [VVSG-interoperability] Single Point of Failure - the
>> *TEM Consulting, LP*
>>
>> Web Site - *www.temconsulting.com <http://www.temconsulting.com>*
>> E-MAIL - stephen.berger at ieee.org
>> Phone - (512) 864-3365
>> Mobile - (512) 466-0833
>> FAX - (512) 869-8709
>>
>>
>>
>> *From:* vvsg-interoperability-bounces at nist.gov [
>> mailto:vvsg-interoperability-bounces at nist.gov
>> <vvsg-interoperability-bounces at nist.gov>] *On Behalf Of *Susan Eustis
>> *Sent:* Thursday, July 28, 2016 8:31 AM
>> *To:* Arthur Keller <ark at soe.ucsc.edu>
>> *Cc:* vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <
>> vvsg-pre-election at nist.gov>; vvsg-post-election <
>> vvsg-post...@list.nist.gov>; vvsg-interoperability <
>> vvsg-interoperability at nist.gov>
>> *Subject:* Re: [VVSG-interoperability] By November, Russian hackers
>> *From:* vvsg-interoperability-bounces at nist.gov [
>> mailto:vvsg-interoperability-bounces at nist.gov
>> <vvsg-interoperability-bounces at nist.gov>] *On Behalf Of *Arthur Keller
>> *Sent:* Thursday, July 28, 2016 12:30 AM
>> *To:* John Wack
>> *Cc:* vvsg-election; vvsg-pre-election; vvsg-post-election;
>> vvsg-interoperability
>> *Subject:* [VVSG-interoperability] By November, Russian hackers could
>> target voting machines
>>
>>
>>
>> What should the election community do about this threat?
>>
>>
>>
>> Best regards,
>>
>> Arthur
>>
>>
>>
>>
>> https://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/
>>
>>
>> By November, Russian hackers could target voting machines
>> If Russia really is responsible, there's no reason political interference
>> would end with the DNC emails.
>>
>> By Bruce Schneier July 27 at 3:10 PM
>>
>> Bruce Schneier <https://www.schneier.com> is a security technologist and
>> a lecturer at the Kennedy School of Government at Harvard University. His
>> latest book is *Data and Goliath: The Hidden Battles to Collect Your
>> Data and Control Your World* <https://www.schneier.com/book-dg.html>.
>>
>> Russia was behind the hacks into the Democratic National Committee's
>> computer network that led to the release of thousands of internal emails
>> just before the party's convention began, U.S. intelligence agencies have
>> reportedly
>> <http://www.nytimes.com/2016/07/27/world/europe/russia-dnc-hack-emails.html>
>> concluded.
>>
>> The FBI is investigating. WikiLeaks promises
>> <http://www.cnn.com/2016/07/26/politics/julian-assange-dnc-email-leak-hack/> there
>> is more data to come. The political nature
>> of this cyberattack means that Democrats and Republicans are trying to spin
>> this as much as possible. Even so, we have to accept that someone is
>> attacking our nation's computer systems in an apparent attempt to influence
>> a presidential election. This kind of cyberattack targets the very core of
>> our democratic process. And it points to the possibility of an even worse
>> problem in November - that our election systems and our voting machines
>> could be vulnerable to a similar attack.
>>
>> If the intelligence community has indeed ascertained that Russia is to
>> blame, our government needs to decide what to do in response. This is
>> difficult because the attacks are politically partisan, but it is
>> <http://arstechnica.com/security/2016/06/guest-editorial-the-dnc-hack-and-dump-is-what-cyberwar-looks-like/>
>> essential
>> <https://www.balloon-juice.com/2016/07/26/we-are-at-cyber-war-so-what-exactly-do-we-do-about-it/>. If
>> foreign governments learn that they can influence our elections with
>> impunity, this opens the door for future manipulations
>> <http://www.huffingtonpost.com/michael-gregg/top-six-ways-hackers-coul_b_7832730.html>,
>> both document thefts and dumps like this one that we see and more subtle
>> manipulations that we don't see.
>>
>> Retaliation is politically fraught and could have serious consequences,
>> but this is an attack against our democracy. We need to confront Russian
>> President Vladimir Putin in some way - politically, economically or in
>> cyberspace - and make it clear that we will not tolerate this kind of
>> interference by any government. Regardless of your political leanings this
>> time, there's no guarantee the next country that tries to manipulate our
>> elections will share your preferred candidates.
>>
>> Even more important, we need to secure our election systems before
>> autumn. If Putin's government has already used a cyberattack to attempt to help Trump
>> win
>> <http://talkingpointsmemo.com/edblog/trump-putin-yes-it-s-really-a-thing>,
>> there's no reason to believe he won't do it again - especially now that Trump
>> is inviting the "help."
>>
>> Over the years, more and more states have moved to electronic voting
>> machines and have flirted with Internet voting. These systems are
>> <http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/>
>> insecure
>> <https://www.statslife.org.uk/significance/politics/2288-how-trustworthy-are-electronic-voting-systems-in-the-us>
>> and <https://www.salon.com/2011/09/27/votinghack/> vulnerable
>> <https://www.theguardian.com/us-news/2015/apr/15/virginia-hacking-voting-machines-security>
>> to
>> <http://whowhatwhy.org/2015/08/31/foreigners-could-hack-us-elections-experts-say/>
>> attack
>> <http://www.popsci.com/gadgets/article/2012-11/how-i-hacked-electronic-voting-machine>
>> .
>>
>> But while computer security experts like me
>> <https://www.schneier.com/blog/archives/2004/11/the_problem_wit.html>
>> have sounded
>> <https://www.giac.org/paper/gsec/3687/inherent-problems-electronic-voting-systems/105962>
>> the <http://homepage.cs.uiowa.edu/%7Ejones/voting/congress.html> alarm
>> <https://cs.stanford.edu/people/eroberts/cs181/projects/2006-07/electronic-voting/index_files/page0004.html>
>> for <https://citp.princeton.edu/research/voting/> many years, states
>> have largely ignored the threat, and the machine manufacturers have thrown
>> up enough obfuscating babble that election officials are largely mollified.
>>
>> We no longer
>> <https://scontent.xx.fbcdn.net/hphotos-xlp1/v/t1.0-9/12115815_699872940152206_2266030088084252627_n.png?oh=2a4e5e944a5feadb7e133dd8c57be376&oe=57AD8C92>
>> have time <https://xkcd.com/463/> for that. We must ignore the machine
>> manufacturers' spurious claims
>> <https://www.salon.com/2006/09/13/diebold_3/> of security, create tiger
>> teams to test the machines' and systems' resistance to attack, drastically
>> increase their cyber-defenses and take them offline if we can't guarantee
>> their security online.
>>
>> Longer term, we need to return to election systems that are secure from
>> manipulation. This means voting machines with voter-verified paper audit
>> trails
>> <http://votingmachines.procon.org/view.answers.php?questionID=000291>,
>> and no
>> <http://engineering.jhu.edu/magazine/2016/06/internet-voting-nonstarter/>
>> Internet
>> <https://www.verifiedvoting.org/resources/internet-voting/vote-online/>
>> voting
>> <http://www.scientificamerican.com/article.cfm?id=2012-presidential-election-electronic-voting>. I
>> know it's slower and less convenient to stick to the old-fashioned way, but
>> the security risks are simply too great.
>>
>> There are other ways to attack our election system on the Internet
>> besides hacking voting machines or changing vote tallies: deleting voter
>> records
>> <http://thehill.com/policy/cybersecurity/278231-election-fraud-feared-as-hackers-target-voter-records>,
>> hijacking candidate or party websites, targeting and intimidating campaign
>> workers or donors. There have already been multiple instances of
>> political doxing
>> <https://www.schneier.com/blog/archives/2015/11/the_rise_of_pol.html> -
>> publishing personal information and documents about a person or
>> organization - and we could easily see more of it in this election cycle.
>> We need to take these risks much more seriously than before.
>>
>> Government interference with foreign elections isn't new, and in fact,
>> that's something the United States itself has repeatedly done
>> <https://www.lawfareblog.com/what-old-and-new-and-scary-russias-probable-dnc-hack> in
>> recent history. Using cyberattacks to influence elections is newer but has
>> been done before, too - most notably in Latin America
>> <http://www.bloomberg.com/features/2016-how-to-hack-an-election/>.
>> Hacking of voting machines isn't new, either. But what is new is a foreign
>> government interfering with a U.S. national election on a large scale. Our
>> democracy cannot tolerate it, and we as citizens cannot accept it.
>>
>> Last April, the Obama administration issued
>> <https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know>
>> an
>> <https://www.whitehouse.gov/blog/2015/04/01/expanding-our-ability-combat-cyber-threats>
>> executive
>> <https://medium.com/the-white-house/a-new-tool-against-cyber-threats-1a30c188bc4#.jgbalohyi>
>> order
>> <https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m> outlining
This is a great discussion. We truly welcome the hearty exchange - thanks for generating it!
Since there are so many topics of interest that are occurring here, we thought it would be good to take these discussions to the public Voting TWiki and to capture them there. We've set up a page for that purpose:
http://collaborate.nist.gov/voting/bin/view/Voting/TopicalDiscussions
We'd like to encourage you to comment upon topics in that forum and to also, as you comment, strive to identify ways in which these comments can tie directly to Future VVSG developments - such as by way of what Future VVSG requirements they might suggest, related principles, best practices, etc.
Thank you very much for helping us capture this conversation and catalyze this work.
Best wishes,
Benjamin Long
Voting Team
NIST
________________________________________
From: vvsg-pre-election-bounces at nist.gov <vvsg-pre-election-bounces at nist.gov> on behalf of Arthur Keller <ark at soe.ucsc.edu>
Sent: Thursday, July 28, 2016 11:55:00 AM
To: Brent Turner
Cc: vvsg-pre-election; vvsg-election; Wack, John (Fed); Susan Eustis; vvsg-post-election; vvsg-interoperability
Subject: Re: [VVSG-pre-election] [VVSG-election] [VVSG-interoperability] Single Point of Failure - the Scan Head - RE: By November, Russian hackers could target voting machines
Open source does not necessarily mean contributed source. There's the aspect of published source, for transparency issues. And the ability to experiment with the source code. Those are the important issues.
One problem with published source is if someone finds a serious flaw too soon before the election to get the flaw fixed for recertification and deployment. Even without Federal certification, there still needs to be an acceptance process that takes time. But that's a risk better than secrecy's risks.
Best regards,
Arthur
On Jul 28, 2016, at 8:38 AM, Brent Turner <turnerbrentm at gmail.com> wrote:
Susan--
What is your alternative to open source code ? Closed / disclosed ? The DOD / NASA / Air Force etc side with open source ...
I think the question regarding best approach open vs closed has been called and is now long over--
Regarding audit capability.. the printed ballots themselves are the countable record..
Best- BT
On Thu, Jul 28, 2016 at 8:31 AM, Susan Eustis <susan at wintergreenresearch.com> wrote:
I agree this is attractive, and should be done, but what about a usable audit trail? GPL v3 open source with COTS hardware has enormous potential for buried hack handles in the code and the COTS has BIOS vulnerability. I contend with that in my business all the time, the coders in foreign countries leave hooks in the open source code that is not detectable and that may not be activated for years.
Susan
On Thu, Jul 28, 2016 at 11:20 AM, Susan Eustis <susan at wintergreenresearch.com> wrote:
There is plenty of precedent in the court cases in Massachusetts where that did happen.
Susan
On Thu, Jul 28, 2016 at 10:43 AM, Arthur Keller <ark at soe.ucsc.edu> wrote:
Thanks, John.
Some people would worry that the delay in reporting would allow nefarious activities to occur.
Best regards,
Arthur
On Jul 28, 2016, at 7:38 AM, Wack, John (Fed) <john.wack at nist.gov> wrote:
I hesitate to jump in, but I do agree that it's very very important to get the election night count accurate. I tend to think that no matter what, it's a human process, a logistical nightmare for some locales, and that this needs to be recognized in technical discussions and recommendations. One of the best things to do, in my opinion, to make things more secure and more accurate, falls into the usability category for tabulation: perhaps election results shall not be released until such and such a time on the next day, say noon. Pressure to get everything correct in a very short amount of time after a long day works against security and accuracy. No matter what technology we use or how secure or whatever, it can't erase the fact that the overall process is a very demanding management issue.
The CDF work can help to make that easier, common identifiers for geopolitical geography and contests can help to make it easier, and there are probably a host of other items that could help to reduce the amount of time (and software required) to get all the equipment to work together smoothly. So as I'm reading the posts, I'm thinking about future VVSG requirements to make all the equipment work together so that the overall tabulation process is more usable to the election people conducting it. Of course, giving them more time to do would help significantly.
Cheers, John
From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
Sent: Thursday, July 28, 2016 10:20 AM
To: Stephen Berger <stephen.berger at suddenlink.net>
Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
Subject: Re: [VVSG-interoperability] Single Point of Failure - the Scan Head - RE: By November, Russian hackers could target voting machines
Thanks, Stephen. I think you mean scanner software is NEVER examined.
Best regards,
Arthur
On Jul 28, 2016, at 7:02 AM, Stephen Berger <stephen.berger at suddenlink.net> wrote:
Susan,
Good points.
Let me add to the landscape that currently we have a single point of failure that I think deserves some attention. That point is when the ballot is scanned. Typically the scan mechanism is not specified and the initial processing software is not specified. Almost all, actually to my knowledge all of the scanners first throw away a lot of information. Modern scanner electronics is able to get excellent resolution and color differentiation. There is a lot that can be done with high quality scan images. However, the scanner software immediately throws away most of that information and makes everything black or white. This is done because it makes mark recognition easier and it saves on machine memory. However, what is a vote is determined not off the image of the ballot but the processed image. To make matters worse, neither the VVSG nor any election official decides when a pixel should be determined to be black or white or how many pixels make a valid mark. This is left to each company and even each design team at each company. Even worse, it is often decided by the scanner engine manufacturer and that software is very examined in any of our processes.
It would seem worth paying some attention to what happens between the ballot being fed to the scanner and a decision being made about what votes are on that paper. It also seems reasonable that election officials should be the ones deciding how big a mark is a valid mark and how various kinds of uncertain marks should be dealt with.
Best Regards,
Stephen Berger
TEM Consulting, LP
Web Site - www.temconsulting.com
E-MAIL - stephen.berger at ieee.org
Phone - (512) 864-3365
Mobile - (512) 466-0833
FAX - (512) 869-8709
From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Susan Eustis
Sent: Thursday, July 28, 2016 8:31 AM
To: Arthur Keller <ark at soe.ucsc.edu>
Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
Subject: Re: [VVSG-interoperability] By November, Russian hackers could target voting machines
Arthur, I agree, I concur. My new book lays this scenario out in detail and provides suggestions for preventing the hacks, ways to protect the integrity of the election results, there needs to be safeguards and automatic recounts the very next day with observers representing all candidates, no matter whether the election was close or not. There needs to be an audit trail and a way to protect the integrity of the balloting that occurs before election day. There needs to be a way for the observers to make a duplicate of the original ballots as the recount goes on and to run those through their own counting scanner to determine the validity of the election. There needs to be a way to interrupt the recount at any time if someone has to go to the bathroom or falls asleep so that the recount process has continuity and integrity. Things like this.
Susan
On Thu, Jul 28, 2016 at 9:22 AM, Arthur Keller <ark at soe.ucsc.edu> wrote:
But vote tabulation and especially roll up is often connected to the Internet. And with the lack of effective audits in more jurisdictions, hacking the Internet-connected vote tabulation systems would do the trick.
In particular, if the vote tabulation system is connected to the web reporting system, then that's an avenue for attack.
There's a difference between auditable and actually audited. If the results are sufficiently skewed on election night, post election audits may not matter anyway. They didn't even matter in Florida in 2000 where the election was close.
Could the programming of electronic voting machines be hacked in a Stuxnet type attack while they are loaded with the election data file?
If China can hack Google, do we really believe there's no way Russia can't hack enough counties or states to change the outcome of the presidential election?
Best regards,
Arthur
On Jul 28, 2016, at 6:07 AM, Deutsch, Herb <hdeutsch at essvote.com> wrote:
Voting machines are not attached to the internet. You can't hack them without physical control and that is auditable.
From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
Sent: Thursday, July 28, 2016 12:30 AM
To: John Wack
Cc: vvsg-election; vvsg-pre-election; vvsg-post-election; vvsg-interoperability
Subject: [VVSG-interoperability] By November, Russian hackers could target voting machines
What should the election community do about this threat?
Best regards,
Arthur
By November, Russian hackers could target voting machines
If Russia really is responsible, there's no reason political interference would end with the DNC emails.
By Bruce Schneier July 27 at 3:10 PM
Bruce Schneier<https://www.schneier.com> is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World<https://www.schneier.com/book-dg.html>.
Russia was behind the hacks into the Democratic National Committee's computer network that led to the release of thousands of internal emails just before the party's convention began, U.S. intelligence agencies have reportedly<http://www.nytimes.com/2016/07/27/world/europe/russia-dnc-hack-emails.html> concluded.
The FBI is investigating. WikiLeaks promises<http://www.cnn.com/2016/07/26/politics/julian-assange-dnc-email-leak-hack/> there is more data to come. The political nature<http://www.defenseone.com/technology/2016/07/how-putin-weaponized-wikileaks-influence-election-american-president/130163/> of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation's computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November - that our election systems and our voting machines could be vulnerable to a similar attack.
If the intelligence community has indeed ascertained that Russia is to blame, our government needs to decide what to do in response. This is difficult because the attacks are politically partisan, but it is<http://arstechnica.com/security/2016/06/guest-editorial-the-dnc-hack-and-dump-is-what-cyberwar-looks-like/> essential<https://www.balloon-juice.com/2016/07/26/we-are-at-cyber-war-so-what-exactly-do-we-do-about-it/>. If foreign governments learn that they can influence our elections with impunity, this opens the door for future manipulations<http://www.huffingtonpost.com/michael-gregg/top-six-ways-hackers-coul_b_7832730.html>, both document thefts and dumps like this one that we see and more subtle manipulations that we don't see.
Retaliation is politically fraught and could have serious consequences, but this is an attack against our democracy. We need to confront Russian President Vladimir Putin in some way - politically, economically or in cyberspace - and make it clear that we will not tolerate this kind of interference by any government. Regardless of your political leanings this time, there's no guarantee the next country that tries to manipulate our elections will share your preferred candidates.
Even more important, we need to secure our election systems before autumn. If Putin's government has already used a cyberattack to attempt to help Trump win<http://talkingpointsmemo.com/edblog/trump-putin-yes-it-s-really-a-thing>, there's no reason to believe he won't do it again - especially now that Trump is inviting the "help."<https://www.washingtonpost.com/politics/democratic-national-convention-obama-biden-kaine-set-to-tout-clinton-as-commander-in-chief/2016/07/27/afc57884-53e8-11e6-bbf5-957ad17b4385_story.html?hpid=hp_hp-top-table-main_trump-1230pm%3Ahomepage%2Fstory>
Over the years, more and more states have moved to electronic voting machines and have flirted with Internet voting. These systems are<http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/> insecure<https://www.statslife.org.uk/significance/politics/2288-how-trustworthy-are-electronic-voting-systems-in-the-us> and<https://www.salon.com/2011/09/27/votinghack/> vulnerable<https://www.theguardian.com/us-news/2015/apr/15/virginia-hacking-voting-machines-security> to<http://whowhatwhy.org/2015/08/31/foreigners-could-hack-us-elections-experts-say/> attack<http://www.popsci.com/gadgets/article/2012-11/how-i-hacked-electronic-voting-machine>.
But while computer security experts like me<https://www.schneier.com/blog/archives/2004/11/the_problem_wit.html> have sounded<https://www.giac.org/paper/gsec/3687/inherent-problems-electronic-voting-systems/105962> the<http://homepage.cs.uiowa.edu/%7Ejones/voting/congress.html> alarm<https://cs.stanford.edu/people/eroberts/cs181/projects/2006-07/electronic-voting/index_files/page0004.html> for<https://citp.princeton.edu/research/voting/> many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified.
We no longer<https://scontent.xx.fbcdn.net/hphotos-xlp1/v/t1.0-9/12115815_699872940152206_2266030088084252627_n.png?oh=2a4e5e944a5feadb7e133dd8c57be376&oe=57AD8C92> have time<https://xkcd.com/463/> for that. We must ignore the machine manufacturers' spurious claims<https://www.salon.com/2006/09/13/diebold_3/> of security, create tiger teams to test the machines' and systems' resistance to attack, drastically increase their cyber-defenses and take them offline if we can't guarantee their security online.
Longer term, we need to return to election systems that are secure from manipulation. This means voting machines with voter-verified paper audit trails<http://votingmachines.procon.org/view.answers.php?questionID=000291>, and no<http://engineering.jhu.edu/magazine/2016/06/internet-voting-nonstarter/> Internet<https://www.verifiedvoting.org/resources/internet-voting/vote-online/> voting<http://www.scientificamerican.com/article.cfm?id=2012-presidential-election-electronic-voting>. I know it's slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great.
There are other ways to attack our election system on the Internet besides hacking voting machines or changing vote tallies: deleting voter records<http://thehill.com/policy/cybersecurity/278231-election-fraud-feared-as-hackers-target-voter-records>, hijacking candidate or party websites, targeting and intimidating campaign workers or donors. There have already been multiple instances of political doxing<https://www.schneier.com/blog/archives/2015/11/the_rise_of_pol.html> - publishing personal information and documents about a person or organization - and we could easily see more of it in this election cycle. We need to take these risks much more seriously than before.
Government interference with foreign elections isn't new, and in fact, that's something the United States itself has repeatedly done<https://www.lawfareblog.com/what-old-and-new-and-scary-russias-probable-dnc-hack> in recent history. Using cyberattacks to influence elections is newer but has been done before, too - most notably in Latin America<http://www.bloomberg.com/features/2016-how-to-hack-an-election/>. Hacking of voting machines isn't new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.
Last April, the Obama administration issued<https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know> an<https://www.whitehouse.gov/blog/2015/04/01/expanding-our-ability-combat-cyber-threats> executive<https://medium.com/the-white-house/a-new-tool-against-cyber-threats-1a30c188bc4#.jgbalohyi> order<https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m> outlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they're a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.
Election security is now a national security issue; federal officials need to take the lead, and they need to do it quickly.
--
--
Susan Eustis
President
WinterGreen Research
6 Raymond Street
Lexington, Massachusetts
phone 781 863 5078
cell 617 852 7876
While some question the work by Los Angeles and Travis County, they are involving qualified and recognized security folks early. And security is the discussion we're having.
Best regards,
Arthur
>>>> TEM Consulting, LP
>>>>
>>>> Web Site - www.temconsulting.com
>>>> E-MAIL - stephen.berger at ieee.org
>>>> Phone - (512) 864-3365
>>>> Mobile - (512) 466-0833
>>>> FAX - (512) 869-8709
>>>>
>>>>
>>>>
>>>> From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Susan Eustis
>>>> Sent: Thursday, July 28, 2016 8:31 AM
>>>> To: Arthur Keller <ark at soe.ucsc.edu>
>>>> Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
>>>> Subject: Re: [VVSG-interoperability] By November, Russian hackers could target voting machines
>>>>
>>>>
>>>>
>>>> Arthur, I agree, I concur. My new book lays this scenario out in detail and provides suggestions for preventing the hacks, ways to protect the integrity of the election results, there needs to be safeguards and automatic recounts the very next day with observers representing all candidates, no matter whether the election was close or not. There needs to be an audit trail and a way to protect the integrity of the balloting that occurs before election day. There needs to be a way for the observers to make a duplicate of the original ballots as the recount goes on and to run those through their own counting scanner to determine the validity of the election. There needs to be a way to interrupt the recount at any time if someone has to go to the bathroom or falls asleep so that the recount process has continuity and integrity. Things like this.
>>>>
>>>> Susan
>>>>
>>>>
>>>>
>>>> On Thu, Jul 28, 2016 at 9:22 AM, Arthur Keller <ark at soe.ucsc.edu> wrote:
>>>>
>>>> But vote tabulation and especially roll up is often connected to the Internet. And with the lack of effective audits in more jurisdictions, hacking the Internet-connected vote tabulation systems would do the trick.
>>>>
>>>>
>>>>
>>>> In particular, if the vote tabulation system is connected to the web reporting system, then that's an avenue for attack.
>>>>
>>>>
>>>>
>>>> There's a difference between auditable and actually audited. If the results are sufficiently skewed on election night, post election audits may not matter anyway. They didn't even matter in Florida in 2000 where the election was close.
>>>>
>>>>
>>>>
>>>> Could the programming of electronic voting machines be hacked in a Stuxnet type attack while they are loaded with the election data file?
>>>>
>>>>
>>>>
>>>> If China can hack Google, do we really believe there's no way Russia can't hack enough counties or states to change the outcome of the presidential election?
>>>>
>>>>
>>>>
>>>> Best regards,
>>>>
>>>> Arthur
>>>>
>>>>
>>>> On Jul 28, 2016, at 6:07 AM, Deutsch, Herb <hdeutsch at essvote.com> wrote:
>>>>
>>>> Voting machines are not attached to the internet. You can't hack them without physical control and that is auditable.
>>>>
>>>>
>>>>
>>>> From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
>>>> Sent: Thursday, July 28, 2016 12:30 AM
>>>> To: John Wack
>>>> Cc: vvsg-election; vvsg-pre-election; vvsg-post-election; vvsg-interoperability
>>>> Subject: [VVSG-interoperability] By November, Russian hackers could target voting machines
>>>>
>>>>
>>>>
>>>> What should the election community do about this threat?
>>>>
>>>>
>>>>
>>>> Best regards,
>>>>
>>>> Arthur
>>>>
>>>>
>>>>
>>>> https://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/
>>>>
>>>>
>>>>
>>>> By November, Russian hackers could target voting machines
>>>>
>>>> If Russia really is responsible, there's no reason political interference would end with the DNC emails.
>>>>
>>>> By Bruce Schneier July 27 at 3:10 PM
>>>>
>>>> Bruce Schneier is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.
>>>>
>>>> Russia was behind the hacks into the Democratic National Committee's computer network that led to the release of thousands of internal emails just before the party's convention began, U.S. intelligence agencies have reportedly concluded.
>>>>
>>>> The FBI is investigating. WikiLeaks promises there is more data to come. The political nature of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation's computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November - that our election systems and our voting machines could be vulnerable to a similar attack.
>>>>
>>>> If the intelligence community has indeed ascertained that Russia is to blame, our government needs to decide what to do in response. This is difficult because the attacks are politically partisan, but it is essential. If foreign governments learn that they can influence our elections with impunity, this opens the door for future manipulations, both document thefts and dumps like this one that we see and more subtle manipulations that we don't see.
>>>>
>>>> Retaliation is politically fraught and could have serious consequences, but this is an attack against our democracy. We need to confront Russian President Vladimir Putin in some way - politically, economically or in cyberspace - and make it clear that we will not tolerate this kind of interference by any government. Regardless of your political leanings this time, there's no guarantee the next country that tries to manipulate our elections will share your preferred candidates.
>>>>
>>>> Even more important, we need to secure our election systems before autumn. If Putin's government has already used a cyberattack to attempt to help Trump win, there's no reason to believe he won't do it again - especially now that Trump is inviting the "help."
>>>>
>>>> Over the years, more and more states have moved to electronic voting machines and have flirted with Internet voting. These systems are insecure and vulnerable to attack.
>>>>
>>>> [Your iPhone just got less secure. Blame the FBI.]
>>>>
>>>> But while computer security experts like me have sounded the alarm for many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified.
>>>>
>>>> We no longer have time for that. We must ignore the machine manufacturers' spurious claims of security, create tiger teams to test the machines' and systems' resistance to attack, drastically increase their cyber-defenses and take them offline if we can't guarantee their security online.
>>>>
>>>> Longer term, we need to return to election systems that are secure from manipulation. This means voting machines with voter-verified paper audit trails, and no Internet voting. I know it's slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great.
>>>>
>>>> There are other ways to attack our election system on the Internet besides hacking voting machines or changing vote tallies: deleting voter records, hijacking candidate or party websites, targeting and intimidating campaign workers or donors. There have already been multiple instances of political doxing - publishing personal information and documents about a person or organization - and we could easily see more of it in this election cycle. We need to take these risks much more seriously than before.
>>>>
>>>> Government interference with foreign elections isn't new, and in fact, that's something the United States itself has repeatedly done in recent history. Using cyberattacks to influence elections is newer but has been done before, too - most notably in Latin America. Hacking of voting machines isn't new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.
>>>>
>>>> [Why would Russia try to hack the U.S. election? Because it might work.]
>>>>
>>>> Last April, the Obama administration issued an executive order outlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they're a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.
Not releasing election results until the next day is not feasible. At times it happens and the outcome is never good. The bottom line is the election night returns are UNOFFICIAL. No one likes to hear that or pays any attention to that caveat; however, when during the canvass results shift on the way to becoming official it is good to have clearly labeled election night as unofficial.
From: vvsg-post-election-bounces at nist.gov [mailto:vvsg-post-election-bounces at nist.gov] On Behalf Of Wack, John (Fed)
Sent: Thursday, July 28, 2016 10:38 AM
To: Arthur Keller; Stephen Berger
Cc: vvsg-election; vvsg-pre-election; vvsg-post-election; vvsg-interoperability
Subject: Re: [VVSG-post-election] [VVSG-interoperability] Single Point of Failure - the Scan Head - RE: By November, Russian hackers could target voting machines
I hesitate to jump in, but I do agree that it's very very important to get the election night count accurate. I tend to think that no matter what, it's a human process, a logistical nightmare for some locales, and that this needs to be recognized in technical discussions and recommendations. One of the best things to do, in my opinion, to make things more secure and more accurate, falls into the usability category for tabulation: perhaps election results shall not be released until such and such a time on the next day, say noon. Pressure to get everything correct in a very short amount of time after a long day works against security and accuracy. No matter what technology we use or how secure or whatever, it can't erase the fact that the overall process is a very demanding management issue.
The CDF work can help to make that easier, common identifiers for geopolitical geography and contests can help to make it easier, and there are probably a host of other items that could help to reduce the amount of time (and software required) to get all the equipment to work together smoothly. So as I'm reading the posts, I'm thinking about future VVSG requirements to make all the equipment work together so that the overall tabulation process is more usable to the election people conducting it. Of course, giving them more time to do would help significantly.
Cheers, John
Thank you Benjamin, for helping us keep a better, more transparent and
public record of these very important concerns.
I've edited the twiki
http://collaborate.nist.gov/voting/bin/view/Voting/TopicalDiscussions page
to add this text. It is just a start. Jump in and help improve it!
Evidence-Based Elections
In late July of 2016, it became evident to a much broader segment of the
public and the VVSG lists that the integrity of our elections is at risk.
See e.g. By November, Russian hackers could target voting machines
<https://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/>
by security guru Bruce Schneier
A discussion ensued on a variety of VVSG lists. Points emphasized included:
- We should require Evidence-Based Elections
  <https://people.eecs.berkeley.edu/~daw/papers/evidence-spm12.pdf>,
  rather than relying on certification alone, as elucidated by Stark and
  Wagner. This requires:
  - Voter-Verifiable Paper ballots and pervasive, effective and
    transparent manual audits of the paper ballots (at least until other
    Software Independent voting methods are well-vetted and easy-to-use)
  - Two-person chain-of-custody rules, tamper-evident seals, ballot
    accounting, and other procedural controls, along with compliance
    audits of these processes
- Casting votes over the Internet is insecure, as is currently allowed
  in a variety of states under a variety of circumstances
- We need better secure voter registration information, including
  sending postal mail to the previous address-of-record when voter
  registration information is changed, in case the change was unintentional
  or fraudulent.
Ben
________________________________________
From: Neal McBurnett <neal at bcn.boulder.co.us>
Sent: Friday, July 29, 2016 12:20:11 PM
To: Long, Benjamin (Fed)
Cc: vvsg-pre-election; vvsg-election; vvsg-post-election; vvsg-interoperability; vvsg-cybersecurity
Subject: Re: [VVSG-pre-election] [VVSG-election] [VVSG-interoperability] RE: By November, Russian hackers could target voting machines
(Note: I've added vvsg-cybersecurity at nist.gov to the list, since it is the natural place for the security issues to be well-vetted!)
Thank you Benjamin, for helping us keep a better, more transparent and public record of these very important concerns.
I've edited the twiki http://collaborate.nist.gov/voting/bin/view/Voting/TopicalDiscussions page to add this text. It is just a start. Jump in and help improve it!
Evidence-Based Elections
In late July of 2016, it became evident to a much broader segment of the public and the VVSG lists that the integrity of our elections is at risk. See e.g. By November, Russian hackers could target voting machines <https://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/> by security guru Bruce Schneier
A discussion ensued on a variety of VVSG lists. Points emphasized included:
* We should require Evidence-Based Elections <https://people.eecs.berkeley.edu/~daw/papers/evidence-spm12.pdf>, rather than relying on certification alone, as elucidated by Stark and Wagner. This requires:
  * Voter-Verifiable Paper ballots and pervasive, effective and transparent manual audits of the paper ballots (at least until other Software Independent voting methods are well-vetted and easy-to-use)
  * Two-person chain-of-custody rules, tamper-evident seals, ballot accounting, and other procedural controls, along with compliance audits of these processes
* Casting votes over the Internet is insecure, as is currently allowed in a variety of states under a variety of circumstances
* We need better secure voter registration information, including sending postal mail to the previous address-of-record when voter registration information is changed, in case the change was unintentional or fraudulent.
On Fri, Jul 29, 2016 at 10:13 AM Long, Benjamin (Fed) <benjamin.long at nist.gov> wrote:
Good Morning, Everyone.
This is a great discussion. We truly welcome the hearty exchange - thanks for generating it!
Since there are so many topics of interest that are occurring here, we thought it would be good to take these discussions to the public Voting TWiki and to capture them there. We've setup a page for that purpose:
http://collaborate.nist.gov/voting/bin/view/Voting/TopicalDiscussions
We'd like to encourage you to comment upon topics in that forum and to also, as you comment, strive to identify ways in which these comments can tie directly to Future VVSG developments - such as by way of what Future VVSG requirements they might suggest, related principles, best practices, etc.
Thank you very much for helping us capture this conversation and catalyze this work.
Best wishes,
Benjamin Long
Voting Team
NIST
________________________________________
From: vvsg-pre-election-bounces at nist.gov on behalf of Arthur Keller <ark at soe.ucsc.edu>
Sent: Thursday, July 28, 2016 11:55:00 AM
To: Brent Turner
Cc: vvsg-pre-election; vvsg-election; Wack, John (Fed); Susan Eustis; vvsg-post-election; vvsg-interoperability
Subject: Re: [VVSG-pre-election] [VVSG-election] [VVSG-interoperability] Single Point of Failure - the Scan Head - RE: By November, Russian hackers could target voting machines
Open source does not necessarily mean contributed source. There's the aspect of published source, for transparency issues. And the ability to experiment with the source code. Those are the important issues.
One problem with published source is if someone finds a serious flaw too soon before the election to get the flaw fixed for recertification and deployment. Even without Federal certification, there still needs to be an acceptance process that takes time. But that's a risk better than secrecy's risks.
Best regards,
Arthur
On Jul 28, 2016, at 8:38 AM, Brent Turner <turnerbrentm at gmail.com> wrote:
Susan--
What is your alternative to open source code ? Closed / disclosed ? The DOD / NASA / Air Force etc side with open source ...
I think the question regarding best approach open vs closed has been called and is now long over--
Regarding audit capability.. the printed ballots themselves are the countable record..
Best- BT
On Thu, Jul 28, 2016 at 8:31 AM, Susan Eustis <susan at wintergreenresearch.com> wrote:
I agree this is attractive, and should be done, but what about a usable audit trail? GPL v3 open source with COTS hardware has enormous potential for buried hack handles in the code and the COTS has BIOS vulnerability. I contend with that in my business all the time, the coders in foreign countries leave hooks in the open source code that is not detectable and that may not be activated for years.
Susan
On Thu, Jul 28, 2016 at 11:20 AM, Susan Eustis <susan at wintergreenresearch.com> wrote:
There is plenty of precedent in the court cases in Massachusetts where that did happen.
Susan
On Thu, Jul 28, 2016 at 10:43 AM, Arthur Keller <ark at soe.ucsc.edu> wrote:
Thanks, John.
Some people would worry that the delay in reporting would allow nefarious activities to occur.
Best regards,
Arthur
On Jul 28, 2016, at 7:38 AM, Wack, John (Fed) <john.wack at nist.gov> wrote:
I hesitate to jump in, but I do agree that it's very very important to get the election night count accurate. I tend to think that no matter what, it's a human process, a logistical nightmare for some locales, and that this needs to be recognized in technical discussions and recommendations. One of the best things to do, in my opinion, to make things more secure and more accurate, falls into the usability category for tabulation: perhaps election results shall not be released until such and such a time on the next day, say noon. Pressure to get everything correct in a very short amount of time after a long day works against security and accuracy. No matter what technology we use or how secure or whatever, it can't erase the fact that the overall process is a very demanding management issue.
The CDF work can help to make that easier, common identifiers for geopolitical geography and contests can help to make it easier, and there are probably a host of other items that could help to reduce the amount of time (and software required) to get all the equipment to work together smoothly. So as I'm reading the posts, I'm thinking about future VVSG requirements to make all the equipment work together so that the overall tabulation process is more usable to the election people conducting it. Of course, giving them more time to do would help significantly.
Cheers, John
From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
Sent: Thursday, July 28, 2016 10:20 AM
To: Stephen Berger <stephen.berger at suddenlink.net>
Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
Subject: Re: [VVSG-interoperability] Single Point of Failure - the Scan Head - RE: By November, Russian hackers could target voting machines
Thanks, Stephen. I think you mean scanner software is NEVER examined.
Best regards,
Arthur
On Jul 28, 2016, at 7:02 AM, Stephen Berger <stephen.berger at suddenlink.net> wrote:
Susan,
Good points.
Let me add to the landscape that currently we have a single point of failure that I think deserves some attention. That point is when the ballot is scanned. Typically the scan mechanism is not specified and the initial processing software is not specified. Almost all, actually to my knowledge all of the scanners first throw away a lot of information. Modern scanner electronics is able to get excellent resolution and color differentiation. There is a lot that can be done with high quality scan images. However, the scanner software immediately throws away most of that information and makes everything black or white. This is done because it makes mark recognition easier and it saves on machine memory. However, what is a vote is determined not off the image of the ballot but the processed image. To make matters worse, neither the VVSG nor any election official decides when a pixel should be determined to be black or white or how many pixels make a valid mark. This is left to each company and even each design team at each company. Even worse, it is often decided by the scanner engine manufacturer and that software is very examined in any of our processes.
It would seem worth paying some attention to what happens between the ballot being fed to the scanner and a decision being made about what votes are on that paper. It also seems reasonable that election officials should be the ones deciding how big a mark is a valid mark and how various kinds of uncertain marks should be dealt with.
Best Regards,
Stephen Berger
TEM Consulting, LP
Web Site - www.temconsulting.com
E-MAIL - stephen.berger at ieee.org
Phone - (512) 864-3365
Mobile - (512) 466-0833
FAX - (512) 869-8709
From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Susan Eustis
Sent: Thursday, July 28, 2016 8:31 AM
To: Arthur Keller <ark at soe.ucsc.edu>
Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
Subject: Re: [VVSG-interoperability] By November, Russian hackers could target voting machines
Arthur, I agree, I concur. My new book lays this scenario out in detail and provides suggestions for preventing the hacks, ways to protect the integrity of the election results, there needs to be safeguards and automatic recounts the very next day with observers representing all candidates, no matter whether the election was close or not. There needs to be an audit trail and a way to protect the integrity of the balloting that occurs before election day. There needs to be a way for the observers to make a duplicate of the original ballots as the recount goes on and to run those through their own counting scanner to determine the validity of the election. There needs to be a way to interrupt the recount at any time if someone has to go to the bathroom or falls asleep so that the recount process has continuity and integrity. Things like this.
Susan
On Thu, Jul 28, 2016 at 9:22 AM, Arthur Keller <ark at soe.ucsc.edu> wrote:
But vote tabulation and especially roll up is often connected to the Internet. And with the lack of effective audits in more jurisdictions, hacking the Internet-connected vote tabulation systems would do the trick.
In particular, if the vote tabulation system is connected to the web reporting system, then that's an avenue for attack.
There's a difference between auditable and actually audited. If the results are sufficiently skewed on election night, post election audits may not matter anyway. They didn't even matter in Florida in 2000 where the election was close.
Could the programming of electronic voting machines be hacked in a Stuxnet type attack while they are loaded with the election data file?
If China can hack Google, do we really believe there's no way Russia can't hack enough counties or states to change the outcome of the presidential election?
Best regards,
Arthur
On Jul 28, 2016, at 6:07 AM, Deutsch, Herb <hdeutsch at essvote.com> wrote:
Voting machines are not attached to the internet. You can't hack them without physical control and that is auditable.
It's great to see the conversation...following up on Neal's e-mail, this topic belongs in the vvsg-cybersecurity group. I would encourage all of you to participate in crafting a set of issues and proposed solutions within the Cybersecurity Group. We want to be sure that we are capturing your thoughts and working proactively as a community to move them forward. As your work progresses, we'll share the information with both the election groups and the other constituency groups. Please refrain from cross-posting, as a number of folks are having a difficult time keeping up with the volume and their everyday e-mail!
Again, thanks for all of your efforts...it's exactly this type of exchange that we'd like to see within the groups.
--Mary
Mary Brady
NIST, Voting Program Manager
mbrady at nist.gov
Thanks, Neal. Much appreciated!
Ben
From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
Sent: Thursday, July 28, 2016 12:30 AM
To: John Wack
Cc: vvsg-election; vvsg-pre-election; vvsg-post-election; vvsg-interoperability
Subject: [VVSG-interoperability] By November, Russian hackers could target voting machines
What should the election community do about this threat?
Best regards,
Arthur
By November, Russian hackers could target voting machines
If Russia really is responsible, there's no reason political interference would end with the DNC emails.
By Bruce Schneier July 27 at 3:10 PM
Bruce Schneier<https://www.schneier.com> is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World<https://www.schneier.com/book-dg.html>.
Russia was behind the hacks into the Democratic National Committee's computer network that led to the release of thousands of internal emails just before the party's convention began, U.S. intelligence agencies have reportedly<http://www.nytimes.com/2016/07/27/world/europe/russia-dnc-hack-emails.html> concluded.
The FBI is investigating. WikiLeaks promises<http://www.cnn.com/2016/07/26/politics/julian-assange-dnc-email-leak-hack/> there is more data to come. The political nature<http://www.defenseone.com/technology/2016/07/how-putin-weaponized-wikileaks-influence-election-american-president/130163/> of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation's computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November - that our election systems and our voting machines could be vulnerable to a similar attack.
If the intelligence community has indeed ascertained that Russia is to blame, our government needs to decide what to do in response. This is difficult because the attacks are politically partisan, but it is<http://arstechnica.com/security/2016/06/guest-editorial-the-dnc-hack-and-dump-is-what-cyberwar-looks-like/> essential<https://www.balloon-juice.com/2016/07/26/we-are-at-cyber-war-so-what-exactly-do-we-do-about-it/>. If foreign governments learn that they can influence our elections with impunity, this opens the door for future manipulations<http://www.huffingtonpost.com/michael-gregg/top-six-ways-hackers-coul_b_7832730.html>, both document thefts and dumps like this one that we see and more subtle manipulations that we don't see.
Retaliation is politically fraught and could have serious consequences, but this is an attack against our democracy. We need to confront Russian President Vladimir Putin in some way - politically, economically or in cyberspace - and make it clear that we will not tolerate this kind of interference by any government. Regardless of your political leanings this time, there's no guarantee the next country that tries to manipulate our elections will share your preferred candidates.
Even more important, we need to secure our election systems before autumn. If Putin's government has already used a cyberattack to attempt to help Trump win<http://talkingpointsmemo.com/edblog/trump-putin-yes-it-s-really-a-thing>, there's no reason to believe he won't do it again - especially now that Trump is inviting the "help."<https://www.washingtonpost.com/politics/democratic-national-convention-obama-biden-kaine-set-to-tout-clinton-as-commander-in-chief/2016/07/27/afc57884-53e8-11e6-bbf5-957ad17b4385_story.html?hpid=hp_hp-top-table-main_trump-1230pm%3Ahomepage%2Fstory>
Over the years, more and more states have moved to electronic voting machines and have flirted with Internet voting. These systems are<http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/> insecure<https://www.statslife.org.uk/significance/politics/2288-how-trustworthy-are-electronic-voting-systems-in-the-us> and<https://www.salon.com/2011/09/27/votinghack/> vulnerable<https://www.theguardian.com/us-news/2015/apr/15/virginia-hacking-voting-machines-security> to<http://whowhatwhy.org/2015/08/31/foreigners-could-hack-us-elections-experts-say/> attack<http://www.popsci.com/gadgets/article/2012-11/how-i-hacked-electronic-voting-machine>.
But while computer security experts like me<https://www.schneier.com/blog/archives/2004/11/the_problem_wit.html> have sounded<https://www.giac.org/paper/gsec/3687/inherent-problems-electronic-voting-systems/105962> the<http://homepage.cs.uiowa.edu/%7Ejones/voting/congress.html> alarm<https://cs.stanford.edu/people/eroberts/cs181/projects/2006-07/electronic-voting/index_files/page0004.html> for<https://citp.princeton.edu/research/voting/> many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified.
We no longer<https://scontent.xx.fbcdn.net/hphotos-xlp1/v/t1.0-9/12115815_699872940152206_2266030088084252627_n.png?oh=2a4e5e944a5feadb7e133dd8c57be376&oe=57AD8C92> have time<https://xkcd.com/463/> for that. We must ignore the machine manufacturers' spurious claims<https://www.salon.com/2006/09/13/diebold_3/> of security, create tiger teams to test the machines' and systems' resistance to attack, drastically increase their cyber-defenses and take them offline if we can't guarantee their security online.
Longer term, we need to return to election systems that are secure from manipulation. This means voting machines with voter-verified paper audit trails<http://votingmachines.procon.org/view.answers.php?questionID=000291>, and no<http://engineering.jhu.edu/magazine/2016/06/internet-voting-nonstarter/> Internet<https://www.verifiedvoting.org/resources/internet-voting/vote-online/> voting<http://www.scientificamerican.com/article.cfm?id=2012-presidential-election-electronic-voting>. I know it's slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great.
There are other ways to attack our election system on the Internet besides hacking voting machines or changing vote tallies: deleting voter records<http://thehill.com/policy/cybersecurity/278231-election-fraud-feared-as-hackers-target-voter-records>, hijacking candidate or party websites, targeting and intimidating campaign workers or donors. There have already been multiple instances of political doxing<https://www.schneier.com/blog/archives/2015/11/the_rise_of_pol.html> - publishing personal information and documents about a person or organization - and we could easily see more of it in this election cycle. We need to take these risks much more seriously than before.
Government interference with foreign elections isn't new, and in fact, that's something the United States itself has repeatedly done<https://www.lawfareblog.com/what-old-and-new-and-scary-russias-probable-dnc-hack> in recent history. Using cyberattacks to influence elections is newer but has been done before, too - most notably in Latin America<http://www.bloomberg.com/features/2016-how-to-hack-an-election/>. Hacking of voting machines isn't new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.
Last April, the Obama administration issued<https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know> an<https://www.whitehouse.gov/blog/2015/04/01/expanding-our-ability-combat-cyber-threats> executive<https://medium.com/the-white-house/a-new-tool-against-cyber-threats-1a30c188bc4#.jgbalohyi> order<https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m> outlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they're a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.