Protecting Our Voting Infrastructure - The Critical Weaknesses

by Mark G. Graff, BlackRidge Senior Technical Advisor and CEO of Tellagraff.com

I don't know about you, but I have been worried sick for years about our elections getting hacked. And it's clear to me that the Russians, in 2016, made a serious effort to influence the presidential election. While I don't think they changed any vote totals this time [1], we had damn well better fix the problems we know about before the next presidential election. If we don’t, cyber vulnerabilities in our election systems could end up destroying what’s left of our trust in government, with dire consequences.

U.S. elections today are a composite of three separate systems: voter registration, vote casting, and vote canvassing (counting and reporting). Each has one or more serious vulnerabilities. It’s the third one -- vote canvassing -- that has me the most worried, so I’ll quickly sketch the problems and solutions I see in the first two, then show you the issues with the third.

Centralized Voter Registration
Before you can vote, you must register. One of the few aspects of America's voting system that actually entails national standards is the voter registration process. The Help America Vote Act of 2002 (HAVA), enacted after the fiasco of the presidential election in 2000, requires a “single, uniform, official, centralized, interactive computerized statewide voter registration list defined, maintained, and administered at the State level.”

These “Centralized Voter Registration” (CVR) systems make great targets for attackers, and the Feds tell us that the Russians attacked and penetrated the CVRs of several states in the run-up to the 2016 election [2, 3]. I mean, if you wanted to disrupt voting, what better way than to reach around the world and mess up giant computerized lists of who can vote? That’s scary as hell, all right, and we’re sure to see a lot of disruption — denial of service, as it were — from it. But I don’t think these attacks can bring us down, for the simple reason that so long as we retain separate, independent lists of eligible voters at the local level, we can always reconstruct after the fact what the right list should have been.

Brain-Dead Voting Machine Technology
The best source I have found for facts about how America votes is the nonprofit organization Verified Voting. Their website, http://www.verifiedvoting.org, allows you to look up, precinct by precinct, exactly what sort of machines are in use, and where [4].

It’s an astounding tale: Vast numbers of our voting machines are poorly designed, out of date, and out of maintenance. For a bone-chilling read about the state of our voting machines nationwide, check out the 2016 report from the Brennan Center for Justice called “Our Voting Machines at Risk” [5]. Or, if you just want to cut to the chase, acquaint yourself with the vote-hack doings at DefCon 2017, the hacker conference in Las Vegas this summer. Voting reformers assembled an ad hoc laboratory full of real voting machines, and let computer security expert attackers (“white hats”) have at them for several days. Well, I say "several days", but not many machines lasted that long before collapsing in a heap of unsecured bits, levers, and gears. [6]

The saving grace of this part of the catastrophe, though, is that generally you need physical access to tamper with actual voting machines, and it's fairly hard to screw with more than one at a time. So local elections and key precincts might be vulnerable — and, just maybe, whole states that use Direct Recording Electronic (DRE) voting machines with no paper audit trail, like Pennsylvania — but once again, sheer numbers and the mere fact that we have such a crazy quilt of voting machine types make a national-scale machine-based swindle pretty hard to pull off. Appropriate investments of time and money can substantially reduce this set of risks.

Remember, I said the first two classes of problems — voter registration and vote casting — were relatively easy to address. Ready for the worst one?

The Vote Counting Hierarchy
Votes are cast in hundreds of different ways in this country, but generally voting booths are arrayed in a polling room, inside a polling place somewhere within a precinct. Once the votes are cast, how are they counted and reported?

Commonly, a preliminary vote aggregation from voting machines and paper ballots is compiled at the precinct, and then communicated to a canvassing center. Usually, this center is operated by a county. Counties (or, in Louisiana, “parishes”) report their totals up to the official at the state level responsible for reporting the vote, usually the Secretary of State. In national elections, it is ultimately Congress that receives and certifies vote counts from the states.

Now if you were going to try to tamper with vote totals in a swing state, where would you concentrate your efforts? If, as discussed earlier, you were to concentrate on the voting machines in the polling places, you’d have a hard time changing hundreds of thousands or millions of votes. If, on the other hand, you managed to break into the systems of the Secretary of State, you might be able to change the vote totals — but then they would not match the numbers reported up from the counties. Similarly, tampering with county systems might find you disagreeing with the totals reported up from the precincts or canvassing centers. It is precisely at the point in the aggregation of votes where they are first summed up that you could change vote totals with a prospect of affecting a great many votes at a relatively low risk of detection.

It is the systems in the canvassing centers, at the first level of aggregation, that must be protected at all costs. Today, incredibly, many of the computer systems across the nation that comprise our voting infrastructure — our “electoral enclaves” — are connected directly to the Internet, and are thus susceptible to attack across the Internet.
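The detection side of the argument above is a reconciliation audit that recomputes every aggregate from the level below it. The following is an added example, not code from the article or from BlackRidge; the precinct, county and candidate figures are constructed sample data, and the hierarchy (precincts report to a county canvassing center, counties report to the state) follows the description in the text.

```python
"""Cross-level reconciliation of vote totals (added example, constructed data).

Each aggregate is recomputed from the records one level beneath it, so a total
altered at the county or state level no longer agrees with the records below
it. The audit can only reach as deep as the independent records it is given:
without retained precinct-level reports, a change made at the first point of
aggregation has nothing to be checked against, which is the article's point.
"""
from collections import Counter

# Constructed sample: tallies as reported by each precinct, grouped by county.
PRECINCT_REPORTS = {
    "CountyA": {
        "A-01": {"Smith": 412, "Jones": 388},
        "A-02": {"Smith": 150, "Jones": 201},
    },
    "CountyB": {
        "B-01": {"Smith": 900, "Jones": 875},
    },
}


def sum_tallies(tallies):
    """Add up per-candidate totals across an iterable of tally dicts."""
    total = Counter()
    for tally in tallies:
        total.update(tally)
    return dict(total)


def expected_county_totals(precinct_reports):
    """Recompute what every county should be reporting from its precincts."""
    return {
        county: sum_tallies(precincts.values())
        for county, precincts in precinct_reports.items()
    }


def reconcile(precinct_reports, county_reports, state_report):
    """Return a list of discrepancies; an empty list means all levels agree.

    county_reports: {county: {candidate: votes}} as sent up to the state
    state_report:   {candidate: votes} as published by the state
    """
    findings = []
    for county, expected in expected_county_totals(precinct_reports).items():
        reported = county_reports.get(county)
        if reported != expected:
            findings.append(
                f"{county}: reported {reported} != precinct sum {expected}"
            )
    expected_state = sum_tallies(county_reports.values())
    if state_report != expected_state:
        findings.append(
            f"state: reported {state_report} != county sum {expected_state}"
        )
    return findings


if __name__ == "__main__":
    counties = expected_county_totals(PRECINCT_REPORTS)
    state = sum_tallies(counties.values())
    print("honest chain:", reconcile(PRECINCT_REPORTS, counties, state))
    # An altered CountyA figure still sums correctly into the state total,
    # so only the precinct records expose it.
    altered = dict(counties, CountyA={"Smith": 662, "Jones": 489})
    print("altered county:", reconcile(PRECINCT_REPORTS, altered,
                                       sum_tallies(altered.values())))
```

Two things worth noticing when running it: a state-level alteration is caught by the county reports alone, while a county-level alteration passes the state check and is caught only because the precinct reports were retained and compared. The first aggregation point has no such independent record beneath it unless the precinct-level results (paper tapes, signed poll-closing reports) are preserved and fed into the audit.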

We can protect this critical part of our voting infrastructure with the following steps:

  1. Ensure that canvassing and aggregation systems are not connected directly to the Internet.
  2. Ensure that all computers involved in amalgamating vote totals perform only election-related functions (not email, not accounting, not serving Web pages).
  3. Perform integrity checking and change detection on every file and piece of software on all systems in the electoral enclave.
  4. Ensure that canvassing and aggregation systems can connect only with systems that are part of the electoral enclave, and are rendered invisible to any machine not positively identified as part of that enclave.
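Step 3 is the one that can be shown concretely without any particular product. The following is an added example, not code from the article or from BlackRidge: it builds a baseline manifest of SHA-256 digests for every file under a directory, then compares a later scan against that baseline and reports files that were added, removed or modified. The directory and file names in the demonstration are placeholders created in a temporary folder.

```python
"""File integrity baseline and change detection (added example).

Usage on a real system would be: build_manifest() on a known-good enclave host,
store the manifest off the host (and ideally sign it), then re-scan on a
schedule and alert on any non-empty difference from compare_manifests().
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            manifest[path.relative_to(root).as_posix()] = file_digest(path)
    return manifest


def compare_manifests(baseline, current):
    """Report what changed between a stored baseline and a fresh scan."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(
            p for p in base_paths & cur_paths if baseline[p] != current[p]
        ),
    }


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a folder, alter it, detect the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "enclave"          # placeholder directory name
        (root / "config").mkdir(parents=True)
        (root / "tally.db").write_bytes(b"precinct totals v1")
        (root / "config" / "app.cfg").write_text("upload=disabled\n")

        baseline = build_manifest(root)
        manifest_file = Path(tmp) / "baseline.json"   # keep this off-host
        save_manifest(baseline, manifest_file)

        # Simulated unauthorised changes on the host after the baseline.
        (root / "tally.db").write_bytes(b"precinct totals v1 + edits")
        (root / "new.cfg").write_text("unexpected file\n")

        return compare_manifests(load_manifest(manifest_file), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must live somewhere the monitored host cannot rewrite, otherwise an attacker who modifies a file can rebaseline it in the same step; comparing against a copy held on a separate audit machine is the minimum, and a signed manifest is better.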

On that last point: the best solution I’m aware of today to ensure that a system only “talks to” the computers it’s supposed to is from BlackRidge Technology, where I am a senior member of the technical advisory board. BlackRidge First Packet Authentication™ [7] conceals systems from network scanning and discovery and would allow only identified, authorized systems in the voting enclave to talk to each other.

Wrapping Up
U.S. elections today are a composite of three separate systems: voter registration, vote casting, and vote canvassing (counting and reporting). Each has one or more serious vulnerabilities. But we have had legal disputes over voter registration and vote-casting methodologies since Day 1 of the Republic, and have a well-established legal framework to handle such disputes.

The assault scenario that keeps me up at night is where a determined nation-state adversary attacks, across several battleground states, those election systems where raw canvasses are first aggregated. Changing totals at this stage, before they can easily be cross checked, is the sweet spot I see for hard-to-detect, large-scale vote tampering. (It would introduce legal novelties, too, cutting across state boundaries in an unfamiliar way. Can Nevada share the details of its cast ballots with Missouri?)

We should protect this critical part of our voting infrastructure by making sure that these systems are not connected to the Internet, but rather connect only to and from other parts of the electoral enclave, and are rendered invisible to any machine not positively identified as part of that enclave.

Our Constitution assigns to the individual states and commonwealths the duty of conducting and securing elections. The federal role in this process is limited by design, and I am not here advocating a national standard, or national legislation. I do strongly urge the nation’s election officials to acquaint themselves with the technical risks I have discussed here, and take immediate steps to secure our voting infrastructure.

Resources for Further Reading

  1. “How Many Votes Do the Russians Get?”, speech by Mark Graff at the 2016 NYIT Cyber Conference, September 22, 2016. http://cybermattersradio.com/election2016/
  2. “Election Hackers Altered Voter Rolls, Stole Private Data, Officials Say”. Time, June 22, 2017. http://time.com/4828306/russian-hacking-election-widespread-private-data/
  3. “Top Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election”. The Intercept, June 5, 2017. https://theintercept.com/2017/06/05/top-secret-nsa-report-details-russi…
  4. “The Machinery of Democracy”. Analysis by Verified Voting, 2017. https://www.verifiedvoting.org/
  5. “America's Voting Machines at Risk”. Brennan Center for Justice, 2016.
  6. “To Fix Voting Machines, Hackers Tear Them Apart”. WIRED magazine, August 1, 2017. https://www.wired.com/story/voting-machine-hacks-defcon/
  7. “BlackRidge First Packet Authentication”. BlackRidge Technology International, Inc., 201 https://www.blackridge.us/products/technologies