Voting System Security
There are only a few short weeks left before everyone heads to their friendly neighborhood polling place to vote for the next U.S. President, a few Senators, their U.S. Representatives and a slew of state and local offices. Almost all of us will vote the old-fashioned way, with some sort of paper ballot, either with a pen checking boxes or a machine punching holes. A few people will vote with a voting computer that will also produce a verifiable paper receipt. Fewer people still will use voting computers with no paper trail.
Direct record electronic voting machines
When it comes to voting systems security, terminology is important. We’re not talking about voting machines; the devices under question here are so far advanced from what has been traditionally referred to as “voting machines” that it is more accurate and useful (at least from a security perspective) to think of them as “voting computers.” Technically they are known as Direct Record Electronic Voting machines or DREs, but when they run Windows, have touch screens and in many cases come with USB ports, they are, for all intents and purposes, computers. And just like any other computer, they are subject to crashing, freezing, and of course, malware and cyberattacks.
Despite voting computer security becoming a hot topic every two years and a very hot topic every four years, there has been very little progress in the area for almost two decades. A recent study by the Institute for Critical Infrastructure Technology (ICIT) shows just how easy it still is to breach a voting computer. In most cases, someone just needs unobserved physical access to the machines for a few minutes. But if they can get that, the systems aren’t very hard to compromise.
There is very little incentive for manufacturers to care about security
Fingers often get pointed at the manufacturers for failing to include even the most basic levels of security in voting computers, but the fingers should really be pointed at the American public for not demanding that these companies produce better products. Voting computer companies don’t sell security—they sell voting systems. And there is very little incentive for manufacturers to care about security. So far, the purchasers of voting computers—your local election boards—have not demanded much in the way of security; and even when they do, many don’t have the level of knowledge needed to evaluate if the systems actually come properly installed with their security requests. Unless this changes, we won’t see security being included in new voting computers.
Still, physical voting computers are safer than Internet-based voting systems. It is much more cost-effective for attackers to compromise voting computers remotely, either to change the vote or vote total as it is being transmitted, or to alter the results once they have been stored at the destination. As states transition to electronic online voting, security needs to be a primary concern.
What’s the answer?
There are many proposed answers to these problems, but most are technologically or financially difficult to execute. One solution is to create verification using a voter-verified paper audit trail (VVPAT), which is easy to implement and hard to dispute. Despite the extra work, VVPATs are the preferred method for people who want a verifiable audit trail. This method is already being used in some jurisdictions but it is not a required method.
Traditionally, elections in the United States have been handled at the local level, run by your own neighbors and volunteers, who staff the polling stations, tally the votes and communicate the results to the state. This idea of community, and of being able to freely cast your vote in the company of your friends and neighbors, instead of a large government bureaucracy, is part of what makes U.S. elections unique in the world. This decentralized approach also makes U.S. state and national elections very difficult to tamper with, because people will notice when their small community vote totals suddenly increase by several thousand votes from one election to the next.
In order to support the security and integrity of elections at the local level, the federal government passed the Help America Vote Act in 2002, which tasks the Election Assistance Commission (EAC), assisted by the National Institute of Standards and Technology (NIST), with issuing guidance, advisories and best practices to help officials conduct local elections. The EAC is also mandated with accrediting voting system test laboratories and certifying voting equipment. However, getting assistance from the EAC is completely voluntary, and local election boards are not required to have their voting computers audited for security issues. This means that if local boards don’t take advantage of these programs, many of these voting computers will remain insecure and susceptible to a cyberattack that could potentially compromise sensitive information, or worse, alter the election outcome.
The good news is that there is currently a two-year exemption to the Digital Millennium Copyright Act (DMCA) on voting machines. This prohibits manufacturers from suing researchers for circumventing access controls while searching for vulnerabilities in voting computers. Creating an incentive for well-intentioned researchers should encourage them to investigate the security of voting computers and is a good way to identify vulnerabilities and fix them before any damage to a U.S. election system can occur. The bad news is that this exemption is only good for two years.
Recently two new bills were introduced by Rep. Hank Johnson (D-Ga): the Election Infrastructure and Security Promotion Act of 2016 and the Election Integrity Act. The first bill will require the Department of Homeland Security (DHS) to designate voting systems as critical infrastructure. While this would probably free up some budget to help secure elections, it could also fundamentally change how elections are currently run. It also requires the National Science Foundation to create an election technology development program. We will have to replace paper ballots some day, and conducting research into new technologies now could help that process along and be secure at the same time.
The second bill prohibits voting computers from being connected to the Internet, which sounds great but in reality would have little impact. The real danger is connecting Election Management Systems (EMS) to the Internet. These systems are used to configure the ballots for the voting computers, to tabulate the votes, and for other administrative tasks of an election. EMS software in most cases runs on standard PCs and is often connected to the Internet. Compromising an EMS could allow an attacker to change the configuration files used to program voting computers, mess with the results, or carry out other nefarious deeds. Prohibiting the voting computers themselves from connecting to the Internet is fine, but doesn't go nearly far enough.
Unfortunately for both of these bills, they are unlikely to see a vote before this year's election. With interest in voting computer security quickly trailing off immediately following an election, these bills will have a tough time becoming law after November.
As we march into the future and our lives become more and more computerized, how we vote will need to move along with us. Eventually we will need to trust voting computers and, eventually, even voting over the Internet. For now, though, we really need to rely on a method we can all trust: paper. Let’s not wait another four years before we look at voting computer security again.
And most important of all, go vote.