Today's news brought a tale of a new security breach, this one at Anthem, a health insurance company that manages terabytes of health and financial data and has annual revenue of $73.9 billion--yes, billion with a b. Just imagine the cyber-security resources available to Anthem and the likes of Sony, Staples, Home Depot, JP Morgan Chase, Michaels, and Target--all real-world victims of hacking.
If none of these companies were able to prevent malicious interference, what chance do our shoestring-funded elections officials and their vendors have? How can we possibly expect them to protect our election results, with their voting-machine keys earnestly locked in the clerk's desk and their tamper-evident plastic seals carefully placed on every voting machine stored in the courthouse basement?
We cannot. The only prudent course of action is to assume that unauthorized programmers can get into our voting-machine software any time they want. We don't stand a chance of marshaling the IT resources needed to keep them at bay.
That might sound defeatist, but it's actually empowering. Once we realize we don't have to sink our resources into an unaffordable, unwinnable technology war with hackers, we can turn our attention to the fight we can win.
The Machinery of Democracy: Protecting Elections in an Electronic World, by the Brennan Center Task Force on Voting Security, Lawrence D. Norden, and Eric L. Lazarus, is a layperson's summary of a report by a national task force on voting-system security convened by the Brennan Center in 2007. Electronic elections technology has evolved at a snail's pace over the past decade, so the eight-year-old material is still current.
A group of "internationally renowned government, academic, and security professionals" came together to perform a NIST-approved methodical, systematic threat analysis of the three most common types of voting systems used in the US--direct-recording electronic machines (DREs) with and without paper trails and precinct-count optical scan systems (PCOs).
In threat analysis, experts pool information about the known strengths and weaknesses of each system and the possible skills, resources, opportunities and actions of those who have reason to tamper with the system. This task force identified 120 different types of attacks that might successfully alter the outcome of a statewide election. With this information, they identified which of these attacks would be the least difficult. They then identified and assessed possible countermeasures that elections officials might take to increase the difficulty of each threat, its likelihood of detection, or both.
As the book talks its way through the most likely of these threats--how many informed participants would be needed? What sorts of skills and access would be needed?--the reader almost feels as if he or she is eavesdropping on the planning of a crime. Few of us--thankfully--have much practice in thinking like a criminal, and it gives the reader a little guilty thrill to be taken down that mental pathway.
But my purpose in writing this blog isn't to sell books, so--spoiler alert!--here's the conclusion to this crime thriller. The most likely attack on our voting machines is the insertion of corrupt software into the machines before Election Day, likely through some pathway involving the vendor. The attack is most likely to involve only one programmer--and the person who hires him or her, if it's a contract job. That single programmer is likely to have worked at some time for a voting-machine vendor, independent testing authority, or government certification agency. The hacker would not need access to even one voting machine; he or she would insert the malicious software into a system that at some point communicates with or reprograms voting machine software through patches, updates, or set-up for each new election. The hack itself would switch no more than 7.5% of the votes; would not operate in every precinct; and would activate only on Election Day during voting hours.
State and local election authorities don't have the authority, time, money, or expertise to inspect every piece of software active on Election Day in every precinct. But that's not a problem because the best countermeasure against this most-likely attack (and against many of the less likely attacks) doesn't involve IT skills at all.
The number-one most effective security measure against the number-one most likely attack is to conduct routine audits comparing the voter-marked paper ballots against the electronically tabulated record on the day after every election. Conducting the audits promptly allows little time or opportunity for ballot-tampering and gives election officials the opportunity to correct the manipulated results before they are declared final. In addition, routine audits serve as a powerful deterrent: subverting the audit in addition to hacking the software dramatically increases the difficulty of the attack, because additional people need to be involved and paper records--not just electronic bits and bytes--need to be manipulated.
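The comparison described above, worked through on constructed data, as an added example that is not taken from the book or the task force's report: the paper hand count is checked against the machine record precinct by precinct, and the outcome is recomputed from the paper. The precinct names, vote counts, function names and the `tolerance` parameter are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Precinct:
    name: str
    paper: dict    # hand count of voter-marked paper ballots: candidate -> votes
    machine: dict  # electronically tabulated record: candidate -> votes

def audit(precincts, tolerance=0):
    """Return (precinct, per-candidate machine-minus-paper differences) for
    every precinct whose two records disagree by more than `tolerance` votes."""
    flagged = []
    for p in precincts:
        candidates = set(p.paper) | set(p.machine)
        diffs = {c: p.machine.get(c, 0) - p.paper.get(c, 0) for c in candidates}
        if any(abs(d) > tolerance for d in diffs.values()):
            flagged.append((p.name, diffs))
    return flagged

def totals(precincts, source):
    """Sum one record ('paper' or 'machine') across all precincts."""
    out = {}
    for p in precincts:
        for candidate, votes in getattr(p, source).items():
            out[candidate] = out.get(candidate, 0) + votes
    return out

def winner(tally):
    return max(tally, key=tally.get)

# Constructed sample data: the paper ballots favour A, but the machine record
# in P1 and P3 (not every precinct) has 7.5% of the ballots moved from A to B.
PRECINCTS = [
    Precinct("P1", {"A": 520, "B": 480}, {"A": 445, "B": 555}),
    Precinct("P2", {"A": 510, "B": 490}, {"A": 510, "B": 490}),
    Precinct("P3", {"A": 400, "B": 400}, {"A": 340, "B": 460}),
    Precinct("P4", {"A": 505, "B": 495}, {"A": 505, "B": 495}),
]

if __name__ == "__main__":
    print("machine winner:", winner(totals(PRECINCTS, "machine")))
    for name, diffs in audit(PRECINCTS):
        print("discrepancy in", name, diffs)
    print("paper winner:  ", winner(totals(PRECINCTS, "paper")))
```

In this constructed case the machine record names the wrong winner, the audit flags exactly the two altered precincts, and the paper count restores the correct result before it is declared final.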