[VVSG-post-election] Separating Issues and Avoiding Ghost Stories - RE: [VVSG-interoperability] By November,
Stephen Berger
There is an attack vector that could be focused on the internet connected portion of an election system. The ultimately objective wouldn?t even need to be to successfully change votes. Just creating confusion or uncertainty might achieve the objectives of some actor.
Let?s first separate what is under the control of an election official from what is not. What just happened with the DNC E-Mails is not under their control but it might well impact the election. There are a host of social engineering attacks that could impact elections but those are beyond the control of election officials.
Perhaps the boundaries are not set where they need to be. It is worth thinking about.
But with our current boundaries what might be done is to get into the internet connected portion of the system and make mischief there. While we think about that we also want to consider the potential safeguards that being internet connected offers. If the information is available on where every vote came from, meaning precincts, then every party and public interest group can run its own audit. Multiple independent audits might be a good thing. We might be overall more secure although there is a new risk to consider.
I also agree with Arthur that auditability and audits are very different. I have the view that logs should be always forwarded with results and various checks made to highlight problems quickly and prominently. Separate from security, every set of election logs I have looked at that had any significant number of machines clearly showed that a few were not functioning correctly. You can see a few that have many more paper jams, misreads or blank ballots than others. In my view it would be good if the voting system alerted election officials even, perhaps especially, during election day so that they can check those machines and take appropriate steps if they are not functioning correctly.
Along the security line when I found a log showing that a voting machine had opened the polls at 1 AM, why was I the first to learn this several months after the election? Shouldn?t the county election official have known at 7 AM that someone at one precinct had opened the polls at 1 AM? With today?s technology that is trivial.
I have to disagree with bringing in the 2000 election to this topic. That was a clear measurement uncertainty issue and it WILL HAPPEN AGAIN!! Every system we have has a certain number of uncertain votes. It happens in different ways with different systems. One of the most common ways is that voters don?t fill in ovals on ballots as instructed. In my research only about 20% of marks fully comply with instructions to fully fill the oval in black ink. The failure in 2000 was in not having procedures for dealing with an election that fell within the system uncertainty. Everyone always knew there were hanging chads etc just as we all know that some voters, actually most voters, don?t fill in marks as directed. ESS has a very interesting patent on how a machine can better recognize these marks. However, that very good work by ESS means that some votes counted on one system would not be counted on a different system. Same vote made by the same voter but counted differently depending on the scanner you put it through. Important but different problem.
Arthur, thanks for bringing this up. I am all for separating out the issues and tackling those that fall into our area of control. We can leave it up to the theologians to deal with the real problem, which would be how you get people to be honest and deal fairly.
Best Regards,
Stephen Berger
TEM Consulting, LP
Web Site - <http://www.temconsulting.com> www.temconsulting.com
E-MAIL - <mailto:stephen.berger at ieee.org> stephen.berger at ieee.org
Phone - (512) 864-3365
Mobile - (512) 466-0833
FAX - (512) 869-8709
From: vvsg-interoperability-bounces at nist.gov [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
Sent: Thursday, July 28, 2016 8:23 AM
To: Deutsch, Herb <hdeutsch at essvote.com>
Cc: vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <vvsg-pre-election at nist.gov>; vvsg-post-election <vvsg-post...@list.nist.gov>; vvsg-interoperability <vvsg-interoperability at nist.gov>
Subject: Re: [VVSG-interoperability] By November, Russian hackers could target voting machines
But vote tabulation and especially roll up is often connected to the Internet. And with the lack of effective audits in more jurisdictions, hacking the Internet-connected vote tabulation systems would do the trick.
In particular, if the vote tabulation system is connected to the web reporting system, then that's an avenue for attack.
There's a difference between auditable and actually audited. If the results are sufficiently skewed on election night, post election audits may not matter anyway. They didn't even matter in Florida in 2000 where the election was close.
Could the programming of electronic voting machines be hacked in a Stuxnet type attack while they are loaded with the election data file?
If China can hack Google, do we really believe there's no way Russia can't hack enough counties or states to change the outcome of the presidential election?
Best regards,
Arthur
On Jul 28, 2016, at 6:07 AM, Deutsch, Herb <hdeutsch at essvote.com <mailto:hdeutsch at essvote.com> > wrote:
Voting machines are not attached to the internet. You can?t hack them without physical control and that is auditable.
From: vvsg-interoperability-bounces at nist.gov <mailto:vvsg-interoperability-bounces at nist.gov> [mailto:vvsg-interoperability-bounces at nist.gov] On Behalf Of Arthur Keller
Sent: Thursday, July 28, 2016 12:30 AM
To: John Wack
Cc: vvsg-election; vvsg-pre-election; vvsg-post-election; vvsg-interoperability
Subject: [VVSG-interoperability] By November, Russian hackers could target voting machines
What should the election community do about this threat?
Best regards,
Arthur
By November, Russian hackers could target voting machines
If Russia really is responsible, there's no reason political interference would end with the DNC emails.
By Bruce Schneier July 27 at 3:10 PM
Bruce Schneier <https://www.schneier.com> is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is <https://www.schneier.com/book-dg.html> Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.
Russia was behind the hacks into the Democratic National Committee?s computer network that led to the release of thousands of internal emails just before the party?s convention began, U.S. intelligence agencies have reportedly <http://www.nytimes.com/2016/07/27/world/europe/russia-dnc-hack-emails.html> concluded.
The FBI is investigating. WikiLeaks promises <http://www.cnn.com/2016/07/26/politics/julian-assange-dnc-email-leak-hack/> there is more data to come. The political nature <http://www.defenseone.com/technology/2016/07/how-putin-weaponized-wikileaks-influence-election-american-president/130163/> of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation?s computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November ? that our election systems and our voting machines could be vulnerable to a similar attack.
If the intelligence community has indeed ascertained that Russia is to blame, our government needs to decide what to do in response. This is difficult because the attacks are politically partisan, but it is <http://arstechnica.com/security/2016/06/guest-editorial-the-dnc-hack-and-dump-is-what-cyberwar-looks-like/> essential <https://www.balloon-juice.com/2016/07/26/we-are-at-cyber-war-so-what-exactly-do-we-do-about-it/> . If foreign governments learn that they can influence our elections with impunity, this opens the door for future <http://www.huffingtonpost.com/michael-gregg/top-six-ways-hackers-coul_b_7832730.html> manipulations, both document thefts and dumps like this one that we see and more subtle manipulations that we don?t see.
Retaliation is politically fraught and could have serious consequences, but this is an attack against our democracy. We need to confront Russian President Vladimir Putin in some way ? politically, economically or in cyberspace ? and make it clear that we will not tolerate this kind of interference by any government. Regardless of your political leanings this time, there?s no guarantee the next country that tries to manipulate our elections will share your preferred candidates.
Even more important, we need to secure our election systems before autumn. If Putin?s government has already used a cyberattack to attempt to help <http://talkingpointsmemo.com/edblog/trump-putin-yes-it-s-really-a-thing> Trump win, there?s no reason to believe he won?t do it again ? especially now that Trump is inviting the ?help.? <https://www.washingtonpost.com/politics/democratic-national-convention-obama-biden-kaine-set-to-tout-clinton-as-commander-in-chief/2016/07/27/afc57884-53e8-11e6-bbf5-957ad17b4385_story.html?hpid=hp_hp-top-table-main_trump-1230pm%3Ahomepage%2Fstory>
Over the years, more and more states have moved to electronic voting machines and have flirted with Internet voting. These systems are <http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/> insecure <https://www.statslife.org.uk/significance/politics/2288-how-trustworthy-are-electronic-voting-systems-in-the-us> and <https://www.salon.com/2011/09/27/votinghack/> vulnerable <https://www.theguardian.com/us-news/2015/apr/15/virginia-hacking-voting-machines-security> to <http://whowhatwhy.org/2015/08/31/foreigners-could-hack-us-elections-experts-say/> attack <http://www.popsci.com/gadgets/article/2012-11/how-i-hacked-electronic-voting-machine> .
[Your iPhone just got less secure. Blame the FBI. <https://www.washingtonpost.com/posteverything/wp/2016/03/29/your-iphone-just-got-a-lot-less-secure-and-the-fbi-is-to-blame/> ]
But while computer security experts like <https://www.schneier.com/blog/archives/2004/11/the_problem_wit.html> me have sounded <https://www.giac.org/paper/gsec/3687/inherent-problems-electronic-voting-systems/105962> the <http://homepage.cs.uiowa.edu/%7Ejones/voting/congress.html> alarm <https://cs.stanford.edu/people/eroberts/cs181/projects/2006-07/electronic-voting/index_files/page0004.html> for <https://citp.princeton.edu/research/voting/> many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified.
We no <https://scontent.xx.fbcdn.net/hphotos-xlp1/v/t1.0-9/12115815_699872940152206_2266030088084252627_n.png?oh=2a4e5e944a5feadb7e133dd8c57be376&oe=57AD8C92> longer have time <https://xkcd.com/463/> for that. We must ignore the machine manufacturers? spurious <https://www.salon.com/2006/09/13/diebold_3/> claims of security, create tiger teams to test the machines? and systems? resistance to attack, drastically increase their cyber-defenses and take them offline if we can?t guarantee their security online.
Longer term, we need to return to election systems that are secure from manipulation. This means voting machines with voter-verified <http://votingmachines.procon.org/view.answers.php?questionID=000291> paper audit trails, and no <http://engineering.jhu.edu/magazine/2016/06/internet-voting-nonstarter/> Internet <https://www.verifiedvoting.org/resources/internet-voting/vote-online/> voting <http://www.scientificamerican.com/article.cfm?id=2012-presidential-election-electronic-voting> . I know it?s slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great.
There are other ways to attack our election system on the Internet besides hacking voting machines or changing vote tallies: deleting <http://thehill.com/policy/cybersecurity/278231-election-fraud-feared-as-hackers-target-voter-records> voter records, hijacking candidate or party websites, targeting and intimidating campaign workers or donors. There have already been multiple instances of political <https://www.schneier.com/blog/archives/2015/11/the_rise_of_pol.html> doxing ? publishing personal information and documents about a person or organization ? and we could easily see more of it in this election cycle. We need to take these risks much more seriously than before.
Government interference with foreign elections isn?t new, and in fact, that?s something the United States itself has repeatedly <https://www.lawfareblog.com/what-old-and-new-and-scary-russias-probable-dnc-hack> done in recent history. Using cyberattacks to influence elections is newer but has been done before, too ? most notably in Latin <http://www.bloomberg.com/features/2016-how-to-hack-an-election/> America. Hacking of voting machines isn?t new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.
[Why would Russia try to hack the U.S. election? Because it might work. <https://www.washingtonpost.com/posteverything/wp/2016/07/26/why-would-russia-interfere-in-the-u-s-election-because-it-usually-works/> ]
Last April, the Obama administration issued <https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know> an <https://www.whitehouse.gov/blog/2015/04/01/expanding-our-ability-combat-cyber-threats> executive <https://medium.com/the-white-house/a-new-tool-against-cyber-threats-1a30c188bc4#.jgbalohyi> order <https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m> outlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they?re a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.
Election security is now a national security issue; federal officials need to take the lead, and they need to do it quickly.
Susan Eustis
1. How to make fraud detectable, the code base in any electronics is
vulnerable where-ever it is, Code can be changed without detection and this
needs to be addressed.
2. The problem goes back to paper ballots and there is a mountain of court
cases arguing over whether a mark counts or not. I believe that we are
talking about hand counting all the ballots, maybe in every state, maybe
only swing states depending on whether there appears to be an issue, say a
safe state went for the other party. With an audit trail you have a
recount. The only difference technology brings is that the candidate
representatives can each mark a stack of ballots that get counted
automatically on the candidate's own scanner. And we need to make the
recount automatic the very next day to allay the argument that it is too
disruptive to have uncertainty and a recount. To handle votes that come in
after the election, yo still do the recount the very next day and continue
the counting until all the ballots come in.
One of the problems becomes resolving differences in counts.
Susan
> *TEM Consulting, LP*
>
> Web Site - *www.temconsulting.com <http://www.temconsulting.com>*
> E-MAIL - stephen.berger at ieee.org
> Phone - (512) 864-3365
> Mobile - (512) 466-0833
> FAX - (512) 869-8709
>
>
>
> *From:* vvsg-interoperability-bounces at nist.gov [mailto:
> vvsg-interoperability-bounces at nist.gov] *On Behalf Of *Arthur Keller
> *Sent:* Thursday, July 28, 2016 8:23 AM
> *To:* Deutsch, Herb <hdeutsch at essvote.com>
> *Cc:* vvsg-election <vvsg-election at nist.gov>; vvsg-pre-election <
> vvsg-pre-election at nist.gov>; vvsg-post-election <
> vvsg-post...@list.nist.gov>; vvsg-interoperability <
> vvsg-interoperability at nist.gov>
> *Subject:* Re: [VVSG-interoperability] By November, Russian hackers could
> target voting machines
>
>
>
> But vote tabulation and especially roll up is often connected to the
> Internet. And with the lack of effective audits in more jurisdictions,
> hacking the Internet-connected vote tabulation systems would do the trick.
>
>
>
> In particular, if the vote tabulation system is connected to the web
> reporting system, then that's an avenue for attack.
>
>
>
> There's a difference between auditable and actually audited. If the
> results are sufficiently skewed on election night, post election audits may
> not matter anyway. They didn't even matter in Florida in 2000 where the
> election was close.
>
>
>
> Could the programming of electronic voting machines be hacked in a Stuxnet
> type attack while they are loaded with the election data file?
>
>
>
> If China can hack Google, do we really believe there's no way Russia can't
> hack enough counties or states to change the outcome of the presidential
> election?
>
>
>
> Best regards,
>
> Arthur
>
>
> On Jul 28, 2016, at 6:07 AM, Deutsch, Herb <hdeutsch at essvote.com> wrote:
>
> Voting machines are not attached to the internet. You can?t hack them
> without physical control and that is auditable.
>
>
>
> *From:* vvsg-interoperability-bounces at nist.gov [
> mailto:vvsg-interoperability-bounces at nist.gov
> <vvsg-interoperability-bounces at nist.gov>] *On Behalf Of *Arthur Keller
> *Sent:* Thursday, July 28, 2016 12:30 AM
> *To:* John Wack
> *Cc:* vvsg-election; vvsg-pre-election; vvsg-post-election;
> vvsg-interoperability
> *Subject:* [VVSG-interoperability] By November, Russian hackers could
> target voting machines
>
>
>
> What should the election community do about this threat?
>
>
>
> Best regards,
>
> Arthur
>
>
>
>
> https://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/
>
>
> By November, Russian hackers could target voting machines
> If Russia really is responsible, there's no reason political interference
> would end with the DNC emails.
>
> By Bruce Schneier July 27 at 3:10 PM
>
> Bruce Schneier <https://www.schneier.com> is a security technologist and
> a lecturer at the Kennedy School of Government at Harvard University. His
> latest book is *Data and Goliath: The Hidden Battles to Collect Your Data
> and Control Your World* <https://www.schneier.com/book-dg.html>.
>
> Russia was behind the hacks into the Democratic National Committee?s
> computer network that led to the release of thousands of internal emails
> just before the party?s convention began, U.S. intelligence agencies have
> reportedly
> <http://www.nytimes.com/2016/07/27/world/europe/russia-dnc-hack-emails.html>
> concluded.
>
> The FBI is investigating. WikiLeaks promises
> <http://www.cnn.com/2016/07/26/politics/julian-assange-dnc-email-leak-hack/> there
> is more data to come. The political nature
> <http://www.defenseone.com/technology/2016/07/how-putin-weaponized-wikileaks-influence-election-american-president/130163/>
> of this cyberattack means that Democrats and Republicans are trying to spin
> this as much as possible. Even so, we have to accept that someone is
> attacking our nation?s computer systems in an apparent attempt to influence
> a presidential election. This kind of cyberattack targets the very core of
> our democratic process. And it points to the possibility of an even worse
> problem in November ? that our election systems and our voting machines
> could be vulnerable to a similar attack.
>
> If the intelligence community has indeed ascertained that Russia is to
> blame, our government needs to decide what to do in response. This is
> difficult because the attacks are politically partisan, but it is
> <http://arstechnica.com/security/2016/06/guest-editorial-the-dnc-hack-and-dump-is-what-cyberwar-looks-like/>
> essential
> <https://www.balloon-juice.com/2016/07/26/we-are-at-cyber-war-so-what-exactly-do-we-do-about-it/>. If
> foreign governments learn that they can influence our elections with
> impunity, this opens the door for future manipulations
> <http://www.huffingtonpost.com/michael-gregg/top-six-ways-hackers-coul_b_7832730.html>,
> both document thefts and dumps like this one that we see and more subtle
> manipulations that we don?t see.
>
> Retaliation is politically fraught and could have serious consequences,
> but this is an attack against our democracy. We need to confront Russian
> President Vladimir Putin in some way ? politically, economically or in
> cyberspace ? and make it clear that we will not tolerate this kind of
> interference by any government. Regardless of your political leanings this
> time, there?s no guarantee the next country that tries to manipulate our
> elections will share your preferred candidates.
>
> Even more important, we need to secure our election systems before autumn.
> If Putin?s government has already used a cyberattack to attempt to help Trump
> win
> <http://talkingpointsmemo.com/edblog/trump-putin-yes-it-s-really-a-thing>,
> there?s no reason to believe he won?t do it again ? especially now that Trump
> is inviting the ?help.?
> <https://www.washingtonpost.com/politics/democratic-national-convention-obama-biden-kaine-set-to-tout-clinton-as-commander-in-chief/2016/07/27/afc57884-53e8-11e6-bbf5-957ad17b4385_story.html?hpid=hp_hp-top-table-main_trump-1230pm%3Ahomepage%2Fstory>
>
> Over the years, more and more states have moved to electronic voting
> machines and have flirted with Internet voting. These systems are
> <http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/>
> insecure
> <https://www.statslife.org.uk/significance/politics/2288-how-trustworthy-are-electronic-voting-systems-in-the-us>
> and <https://www.salon.com/2011/09/27/votinghack/> vulnerable
> <https://www.theguardian.com/us-news/2015/apr/15/virginia-hacking-voting-machines-security>
> to
> <http://whowhatwhy.org/2015/08/31/foreigners-could-hack-us-elections-experts-say/>
> attack
> <http://www.popsci.com/gadgets/article/2012-11/how-i-hacked-electronic-voting-machine>
> .
>
> *[Your iPhone just got less secure. Blame the FBI.
> <https://www.washingtonpost.com/posteverything/wp/2016/03/29/your-iphone-just-got-a-lot-less-secure-and-the-fbi-is-to-blame/>]
> *
>
> But while computer security experts like me
> <https://www.schneier.com/blog/archives/2004/11/the_problem_wit.html>
> have sounded
> <https://www.giac.org/paper/gsec/3687/inherent-problems-electronic-voting-systems/105962>
> the <http://homepage.cs.uiowa.edu/%7Ejones/voting/congress.html> alarm
> <https://cs.stanford.edu/people/eroberts/cs181/projects/2006-07/electronic-voting/index_files/page0004.html>
> for <https://citp.princeton.edu/research/voting/> many years, states
> have largely ignored the threat, and the machine manufacturers have thrown
> up enough obfuscating babble that election officials are largely mollified.
>
> We no longer
> <https://scontent.xx.fbcdn.net/hphotos-xlp1/v/t1.0-9/12115815_699872940152206_2266030088084252627_n.png?oh=2a4e5e944a5feadb7e133dd8c57be376&oe=57AD8C92>
> have time <https://xkcd.com/463/> for that. We must ignore the machine
> manufacturers? spurious claims
> <https://www.salon.com/2006/09/13/diebold_3/> of security, create tiger
> teams to test the machines? and systems? resistance to attack, drastically
> increase their cyber-defenses and take them offline if we can?t guarantee
> their security online.
>
> Longer term, we need to return to election systems that are secure from
> manipulation. This means voting machines with voter-verified paper audit
> trails
> <http://votingmachines.procon.org/view.answers.php?questionID=000291>,
> and no
> <http://engineering.jhu.edu/magazine/2016/06/internet-voting-nonstarter/>
> Internet
> <https://www.verifiedvoting.org/resources/internet-voting/vote-online/>
> voting
> <http://www.scientificamerican.com/article.cfm?id=2012-presidential-election-electronic-voting>. I
> know it?s slower and less convenient to stick to the old-fashioned way, but
> the security risks are simply too great.
>
> There are other ways to attack our election system on the Internet besides
> hacking voting machines or changing vote tallies: deleting voter records
> <http://thehill.com/policy/cybersecurity/278231-election-fraud-feared-as-hackers-target-voter-records>,
> hijacking candidate or party websites, targeting and intimidating campaign
> workers or donors. There have already been multiple instances of
> political doxing
> <https://www.schneier.com/blog/archives/2015/11/the_rise_of_pol.html> ?
> publishing personal information and documents about a person or
> organization ? and we could easily see more of it in this election cycle.
> We need to take these risks much more seriously than before.
>
> Government interference with foreign elections isn?t new, and in fact,
> that?s something the United States itself has repeatedly done
> <https://www.lawfareblog.com/what-old-and-new-and-scary-russias-probable-dnc-hack> in
> recent history. Using cyberattacks to influence elections is newer but has
> been done before, too ? most notably in Latin America
> <http://www.bloomberg.com/features/2016-how-to-hack-an-election/>.
> Hacking of voting machines isn?t new, either. But what is new is a foreign
> government interfering with a U.S. national election on a large scale. Our
> democracy cannot tolerate it, and we as citizens cannot accept it.
>
> *[Why would Russia try to hack the U.S. election? Because it might work.
> <https://www.washingtonpost.com/posteverything/wp/2016/07/26/why-would-russia-interfere-in-the-u-s-election-because-it-usually-works/>]
> *
>
> Last April, the Obama administration issued
> <https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know>
> an
> <https://www.whitehouse.gov/blog/2015/04/01/expanding-our-ability-combat-cyber-threats>
> executive
> <https://medium.com/the-white-house/a-new-tool-against-cyber-threats-1a30c188bc4#.jgbalohyi>
> order
> <https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m> outlining
> how we as a nation respond to cyberattacks against our critical
> infrastructure. While our election technology was not explicitly mentioned,
> our political process is certainly critical. And while they?re a hodgepodge
> of separate state-run systems, together their security affects every one of
> us. After everyone has voted, it is essential that both sides believe the
> election was fair and the results accurate. Otherwise, the election has no
> legitimacy.
>
> Election security is now a national security issue; federal officials need
> to take the lead, and they need to do it quickly.
>
>
>
>
>
>
--
--
Susan Eustis
President
WinterGreen Research
6 Raymond Street
Lexington, Massachusetts
phone 781 863 5078
cell 617 852 7876
Joseph Kiniry
> On Jul 28, 2016, at 07:12, Susan Eustis <susan at wintergreenresearch.com> wrote:
>
> I believe the problems are 2:
> 1. How to make fraud detectable, the code base in any electronics is vulnerable where-ever it is, Code can be changed without detection and this needs to be addressed.
I keep hearing this statement made in many forums and continue to bring up the fact that there is some excellent R&D going on wrt this topic which has been seeing practical application in the DOD space for a few years.
It is now the case that you can prove that the application (and operating system &c) you have is exactly what you think it is an moreover that a running system is executing exactly that software.
This is hard. Few people know how to do it. No existing/traditional elections vendor does it or knows how to do it. But it is a solved problem now.
I?m happy to go into deep technical detail with anyone who is interested and point to the relevant peer-reviewed work, but this is not the forum for such.
Joe
livingston, dale
I also believe that one of the main reasons there is so much distrust by the general public is because they are not aware or educated about elections or the voting systems put in place for them. We are trying to educate generations of people who don't even know who their County Executive or in some cases even the Vice President of the United States. Seriously, not even our politicians are interested in what we do, but rather spend 90% of their time campaigning for their next election. If someone wants to HACK into a system, any system, they are going to try. It is how we address such a situation, both prior to purchasing a system and if someone does make an attempt to HACK it, that the public is going to look at. Their perception must be that we as election officials are doing everything in our power to give them fair, safe, and accurate elections. And in my shop, we do just that.
Dale Livingston
Dale E. Livingston
Deputy Director
Harford County Board of Elections
410-809-6002 (Direct Line)
443-417-0156 (Cell)
410-638-3565 (General Office)
410-638-4413 (fax)
From: vvsg-pre-election-bounces at nist.gov [mailto:vvsg-pre-election-bounces at nist.gov] On Behalf Of Wayne Williams
Sent: Thursday, July 28, 2016 11:57 PM
To: Susan Eustis; Joseph Kiniry
Cc: vvsg-pre-election; Arthur Keller; vvsg-election; Deutsch, Herb; Stephen Berger; vvsg-post-election; vvsg-interoperability
Subject: Re: [VVSG-pre-election] [VVSG-interoperability] Separating Issues and Avoiding Ghost Stories - RE: By November, Russian hackers could target voting machines
The voting machines used in Colorado are not connected to the Internet. Colorado has vigorous voting-systems standards that require all voting systems to operate on a closed network that cannot be accessed through the Internet.
In addition, counties must use a voting system that has been certified by the Colorado Secretary of State as meeting all security requirements.
Wayne Williams
________________________________
From: vvsg-pre-election-bounces at nist.gov<mailto:vvsg-pre-election-bounces at nist.gov> <vvsg-pre-election-bounces at nist.gov<mailto:vvsg-pre-election-bounces at nist.gov>> on behalf of Susan Eustis <susan at wintergreenresearch.com<mailto:susan at wintergreenresearch.com>>
Sent: Thursday, July 28, 2016 5:41 PM
To: Joseph Kiniry
Cc: vvsg-pre-election; Arthur Keller; vvsg-election; Deutsch, Herb; Stephen Berger; vvsg-post-election; vvsg-interoperability
Subject: Re: [VVSG-pre-election] [VVSG-interoperability] Separating Issues and Avoiding Ghost Stories - RE: By November, Russian hackers could target voting machines
Joe, I do get to write about this, so I know it exists, but in the real world election of Novenber not have that, and we have a not so veiled threat to hack the systems so I believe that is the issue we need to address. How do we leverage the audit trail the systems tout and do it in a manner that is timely and relevant to what can be a disastrous unraveling of our political core. Do you have any suggestions about the audit trail use ?
On Thu, Jul 28, 2016 at 6:21 PM, Joseph Kiniry <kiniry at galois.com<mailto:kiniry at galois.com>> wrote:
Susan et al.,
> On Jul 28, 2016, at 07:12, Susan Eustis <susan at wintergreenresearch.com<mailto:susan at wintergreenresearch.com>> wrote:
>
> I believe the problems are 2:
> 1. How to make fraud detectable, the code base in any electronics is vulnerable where-ever it is, Code can be changed without detection and this needs to be addressed.
I keep hearing this statement made in many forums and continue to bring up the fact that there is some excellent R&D going on wrt this topic which has been seeing practical application in the DOD space for a few years.
It is now the case that you can prove that the application (and operating system &c) you have is exactly what you think it is an moreover that a running system is executing exactly that software.
This is hard. Few people know how to do it. No existing/traditional elections vendor does it or knows how to do it. But it is a solved problem now.
I'm happy to go into deep technical detail with anyone who is interested and point to the relevant peer-reviewed work, but this is not the forum for such.
Joe
--
Arthur Keller
Best regards,
Arthur
> On Jul 29, 2016, at 5:34 AM, Susan Greenhalgh <segreenhalgh at gmail.com> wrote:
>
> Susan, That's a good point but I think it's necessary to separate the types of attacks. While there are plenty of examples of non-internet based attacks (stuxnet), such attacks require some physical access to the system. The DNC hack drove home the very real possibility of foreign actors interfering with US networks with the intention of impacting elections. These attacks could take place off of US soil and out of reach of US law enforcement making them so dangerous.
Arthur Keller
While it is true that an Internet attack doesn?t even need physical access, the attack can jump from an Internet connected system to an isolated one. Stuxnet showed that.
Best regards,
Arthur
> On Jul 29, 2016, at 6:05 AM, Susan Greenhalgh <segreenhalgh at gmail.com> wrote:
>
> Hi Arthur,
> I understand, but with Stuxnet someone had to get the USB drives into the hands of the workers (I understand some were dropped in the parking lot) so they could be physically inserted into the system. An Internet attack doesn't even need that.
>
> On Fri, Jul 29, 2016 at 8:55 AM, Arthur Keller <ark at soe.ucsc.edu <mailto:ark at soe.ucsc.edu>> wrote:
> Susan, the Stuxnet attack did not require physical access to the system by the attackers. Personnel who ordinarily access the systems infected them using portable USB drives (i.e., thumb drives). A similar vector could infect non-Internet connected ballot tabulation systems.
>
> Best regards,
> Arthur
livingston, dale
I was in no way making any allegations that anyone is alleging complicity on behalf of any election official. My apologies if that is what came across from my comments.
My concern is the general mistrust the public has toward Elections overall. And quite honestly, I seriously doubt that the majority of the public cares or thinks about vendor lock in, secret corporately owned software issues, or general vendor control. The public sees the end result of all this ? the polling place and the machines or paper or whatever they are given to vote on and how they can easily maneuver through the voting process. They also want to know that their vote counted accurately.
Most of the fear the public has about a voting system is based on what they are hearing from the media, or seeing on the web, YouTube or Facebook. And usually it is an uneducated opinion or an isolated incident that is blown out of all proportion, because fear sells.
All voting systems should be vetted in a very methodical way. And the system should be transparent. There are so many components of a voting system and it?s procurement to consider, but I will leave that to the subject matter experts. And I?m sure that there are ?cozy relationships? and lots of politics involved in procuring voting systems. Personally and professionally I think the politics should be taken out of this process. There is no room for politics in Elections as Elections should be and only be about the voters and making sure their vote counts. In my opinion it is a conflict of interest to allow politics in a conversation about a voting system. But I digress.
The ?back-stage? work that is done, and the part that the public never sees, is what we are tasked to do to in order to secure the voting system and their vote. That is why I believe that public education about elections is a very important component to securing the public trust. Public Education is also an important component in making sure Elections and their systems and processes are transparent. And when everything is transparent that is when the public trust will soar.
Dale
Dale E. Livingston
Deputy Director
Harford County Board of Elections
410-809-6002 (Direct Line)
443-417-0156 (Cell)
410-638-3565 (General Office)
410-638-4413 (fax)
From: Brent Turner [mailto:turnerbrentm at gmail.com]
Sent: Friday, July 29, 2016 11:27 AM
To: livingston, dale
Cc: Wayne Williams; Susan Eustis; Joseph Kiniry; vvsg-pre-election; Arthur Keller; vvsg-election; Stephen Berger; vvsg-post-election; vvsg-interoperability; CAVO; Alan Dechert; Brigette Hunley; Brian Fox
Subject: Re: [VVSG-election] [VVSG-pre-election] [VVSG-interoperability] Separating Issues and Avoiding Ghost Stories - RE: By November, Russian hackers could target voting machines
Dale-- No one is alleging complicity on behalf of the election officials.. more an act of negligence in not pushing for publicly owned / more secure voting systems. The distrust of the current systems starts with the " secret " corporate owned software issue.. and the general vendor control of the event. This is exacerbated by the vendor lock-in and the overly cozy relationship between the vendors and some clerks cemented by business leagues ( parties and junkets etc ) i.e CACEO in California..
Once publicly owned / open source ( GPL ) systems are in place the public confidence will soar. The public still craves paper ballots as well which the CAVO advocated precinct system prints perfectly.
The certification system .. per Roy Saltman and a host of others .. needs a complete overhaul from the Fed to the States .. and that is the plan for open source certifications. Ryan Macias stated he did not believe there to be much difference in that process .. but we are available for assisting that effort-
Brent
California Association of Voting Officials
On Fri, Jul 29, 2016 at 4:20 AM, livingston, dale <delivingston at harfordcountymd.gov<mailto:delivingston at harfordcountymd.gov>> wrote:
We had a similar system in Maryland, prior to going back to a paper system this past Primary Election. We also had and have numerous checks and balances and care and custody in place to assure that when the polls opened in the morning our equipment was secure and working properly. And as in Colorado, our system has to be State certified.
I also believe that one of the main reasons there is so much distrust by the general public is because they are not aware or educated about elections or the voting systems put in place for them. We are trying to educate generations of people who don?t even know who their County Executive or in some cases even the Vice President of the United States. Seriously, not even our politicians are interested in what we do, but rather spend 90% of their time campaigning for their next election. If someone wants to HACK into a system, any system, they are going to try. It is how we address such a situation, both prior to purchasing a system and if someone does make an attempt to HACK it, that the public is going to look at. Their perception must be that we as election officials are doing everything in our power to give them fair, safe, and accurate elections. And in my shop, we do just that.
Dale Livingston
Dale E. Livingston
Deputy Director
Harford County Board of Elections
410-809-6002<tel:410-809-6002> (Direct Line)
443-417-0156<tel:443-417-0156> (Cell)
410-638-3565<tel:410-638-3565> (General Office)
410-638-4413<tel:410-638-4413> (fax)
From: vvsg-pre-election-bounces at nist.gov<mailto:vvsg-pre-election-bounces at nist.gov> [mailto:vvsg-pre-election-bounces at nist.gov<mailto:vvsg-pre-election-bounces at nist.gov>] On Behalf Of Wayne Williams
Sent: Thursday, July 28, 2016 11:57 PM
To: Susan Eustis; Joseph Kiniry
Cc: vvsg-pre-election; Arthur Keller; vvsg-election; Deutsch, Herb; Stephen Berger; vvsg-post-election; vvsg-interoperability
Subject: Re: [VVSG-pre-election] [VVSG-interoperability] Separating Issues and Avoiding Ghost Stories - RE: By November, Russian hackers could target voting machines
The voting machines used in Colorado are not connected to the Internet. Colorado has vigorous voting-systems standards that require all voting systems to operate on a closed network that cannot be accessed through the Internet.
In addition, counties must use a voting system that has been certified by the Colorado Secretary of State as meeting all security requirements.
Wayne Williams
________________________________
From: vvsg-pre-election-bounces at nist.gov<mailto:vvsg-pre-election-bounces at nist.gov> <vvsg-pre-election-bounces at nist.gov<mailto:vvsg-pre-election-bounces at nist.gov>> on behalf of Susan Eustis <susan at wintergreenresearch.com<mailto:susan at wintergreenresearch.com>>
Sent: Thursday, July 28, 2016 5:41 PM
To: Joseph Kiniry
Cc: vvsg-pre-election; Arthur Keller; vvsg-election; Deutsch, Herb; Stephen Berger; vvsg-post-election; vvsg-interoperability
Subject: Re: [VVSG-pre-election] [VVSG-interoperability] Separating Issues and Avoiding Ghost Stories - RE: By November, Russian hackers could target voting machines
Joe, I do get to write about this, so I know it exists, but in the real world election of Novenber not have that, and we have a not so veiled threat to hack the systems so I believe that is the issue we need to address. How do we leverage the audit trail the systems tout and do it in a manner that is timely and relevant to what can be a disastrous unraveling of our political core. Do you have any suggestions about the audit trail use ?
On Thu, Jul 28, 2016 at 6:21 PM, Joseph Kiniry <kiniry at galois.com<mailto:kiniry at galois.com>> wrote:
Susan et al.,
> On Jul 28, 2016, at 07:12, Susan Eustis <susan at wintergreenresearch.com<mailto:susan at wintergreenresearch.com>> wrote:
>
> I believe the problems are 2:
> 1. How to make fraud detectable, the code base in any electronics is vulnerable where-ever it is, Code can be changed without detection and this needs to be addressed.
I keep hearing this statement made in many forums and continue to bring up the fact that there is some excellent R&D going on wrt this topic which has been seeing practical application in the DOD space for a few years.
It is now the case that you can prove that the application (and operating system &c) you have is exactly what you think it is an moreover that a running system is executing exactly that software.
This is hard. Few people know how to do it. No existing/traditional elections vendor does it or knows how to do it. But it is a solved problem now.
I?m happy to go into deep technical detail with anyone who is interested and point to the relevant peer-reviewed work, but this is not the forum for such.
Joe
--
--
Susan Eustis
President
WinterGreen Research
6 Raymond Street
Lexington, Massachusetts
phone 781 863 5078<tel:781%20863%205078>
cell 617 852 7876<tel:617%20852%207876>
Arthur Keller
Best regards,
Arthur