Sign In

Communications of the ACM

ACM News

­.S. Election System Security Still Vexing

Some election observers believe the best way to guarantee election security is to use paper ballots, audits, and other procedural safeguards.

Technical defenses will not guarantee election security, says Douglas Jones, a professor of computer science at the University of Iowa, so "We need administrative and procedural defenses."


Recent news reports that electronic voting systems could be or had been hacked by people as disparate as 11-year-old conference attendees and Russian intelligence operators do not signal anything new to experienced observers of the machines. E-voting security, or the lack of it, has been a hot topic since the mid-2000s.

Douglas Jones, professor of computer science at the University of Iowa and one of the leading researchers into the topic in the U.S., said he agreed with an observer's recent comments that a lot of the vexing questions about voting systems' security and transparency were still largely unanswered more than 10 years after they first caused concern.

"I agree," Jones said. "We really haven't moved."

Fear and doubt about the security of the nation's voting systems were prominent enough when attacks were largely theoretical and those who launched them unknown. However, overwhelming evidence that Russian intelligence agents had attempted to penetrate voter registration databases before the 2016 presidential elections have moved those doubts front and center.

How those threats are being met in this year's Congressional mid-term elections, however, is not completely clear. The complicated organizational framework of elections, which are run by each state and administered at county and local levels with federal input regarding security vulnerabilities, has resulted in a hodgepodge of policies about how much information to release.

Open government advocates have expressed frustration with the combination of an election systems market dominated by a small number of vendors with proprietary technology and a conflict of philosophies over how secure platforms can best be maintained. For Jones, the tension is an example of the disconnect between the bureaucratic understanding of how to assure secure technology and that of computer scientists, particularly academic researchers.

"Basically, the bureaucratic understanding of security is to minimize the number of people who have contact with this material, make sure they've passed the highest standards of security clearance, and do everything behind closed doors," Jones said. "And this understanding of security, that security means minimizing observation and minimizing transparency and maximizing secrecy, is exactly wrong for elections, and yet it is exactly what the instincts of every bureaucrat lead to."

Jigsaw puzzles and road maps

Minnesota secretary of state Steve Simon, one of 20 state election officials granted "secret" level security clearance by the federal government, said he does not have a well-defined "red line" of detail he will not disclose. Instead, he said, the amount of detail he is comfortable releasing is akin to former U.S Supreme Court Justice Potter Stewart's observation about obscenity, that "I know it when I see it."

"I don't want to give a road map to the bad guys," Simon said.

Information on some of the details behind security testing—such as U.S. Department of Homeland Security (DHS) penetration testing methodology and voter registration database monitoring—is available online, and can be put together like a jigsaw puzzle for a more-complete picture of voting systems security.

For example, at the 2018 RSA Conference, Rob Karas, director of the National Cybersecurity Assessments and Technical Services (NCATS) program at DHS, outlined some of the most common vectors antagonists use to try to penetrate a network, and how his team simulates those actions. Through phishing tests, Karas said, the DHS testers get an average response rate of 12% (one phishing email that enticed readers to click on a link to reveal the identities of those with accounts on the Ashley Madison extramarital affairs database got a click rate of more than 90%, almost crashing the testing unit's servers).

Karas also said the NCATS team offers its clients aggregated statistics to help drive home the speed with which a phony email can circulate. He said on average it takes just 13 minutes from the time a phishing email is sent for a target to click on it, while it takes nearly three hours for security operations centers to become aware of it.

"These are the kind of data-driven scenarios and information we are gathering, so we can see and identify trends and start putting out guidance," he said.

At the state level, mandated reports such as one Simon's office sent to chairs and ranking minority members of the Minnesota Legislature's committees with primary jurisdictions over elections in December 2017, also offer insight into specific steps taken to protect elements of the election system, particularly voter registration databases and absentee ballot platforms, that could be most vulnerable to remote hacking attempts.

For example, the report includes procedures used to check legitimacy of online registrations:

"The office maintains a log of each Internet Protocol address used to submit an online voter registration and online absentee ballot application, and reviews those logs for suspicious activity. The office also reviews applications that failed verification against a government database for indicators of suspicious activity. This review includes, but is not limited to, reviewing those applications for suspicious activities such as fictitious-looking names (e.g., "Mickey Mouse"), same name numerous times, and multiple applications at the same address."

The report also classifies information that is considered confidential, such as "database designs," while stipulating that certain elements of the databases, such as operating systems and transactional or reporting data structure design approach, may be disclosed.

For Jones, however, the almost total jurisdiction of states in running elections signals, by and large, a lack of technical expertise and spotty coordination of best practices. In Iowa, for instance, he said a three-person board is charged with inspecting new voting machines.

"Two are elected county auditors and one is required by law to have some expertise in computers and/or auditing," Jones said. "So it's nothing like the kind of staff you would hope to have to oversee any significant software-driven venture."

Technical solutions sputter

There has been no shortage of efforts to address voting systems security from a technical standpoint. Even so, some initiatives, such as common data formats for various components of election systems, have made slow progress, while others, such as a drive to make election systems open source and freely available for inspection, have virtually sputtered out.

"I was actually involved with founding the Open Voting Consortium (OVC)," Jones said. "I was one of the founders. And I gave up on them over a decade ago."

Jones said he had hoped "to build a framework for an open source marketplace for ideas for how to run elections, and instead, what quickly emerged was one strong personality who had the OVC model of how to run elections, and his personal thing became the approved OVC development path; in effect, the Open Voting Consortium began to evolve toward becoming a vendor, though it never really became one. There are also some other open voting groups competing with it that are also behaving like vendors. The thing is that unlike the vendors in the private marketplace, these open-voting vendors don't have the depth or capital to explore anything sensible, and they are just as dumb as the other vendors."

"I would be really happy with a genuinely disclosed source," Jones said, "where you keep the source code under copyright, you keep the source code under strict intellectual property control but your disclose it completely, so anyone can look at it."

The Common Data Format (CDF) collaborative effort begun by the IEEE and now under the aegis of the U.S. National Institute of Standards and Technology (NIST) represents one ongoing prong of a more transparent and interoperable elections ecosystem, according to Katy Owens Hubler, founder of policy consultancy Democracy Research and former senior policy specialist at the National Conference of State Legislators.

Of six digital election subsystems undergoing CDF development, election results reporting is the most complete (Version 1 is complete and work is ongoing for Version 2). Hubler noted in commentary in electionlineWeekly that Virginia elections officials were able to leverage connections to Google because the state had adopted the CDF standard: "One advantage that Virginia saw in forming this partnership was the amount of Web traffic absorbed by Google, reducing direct Web hits on the Department of Elections page," Hubler wrote. "Reducing the traffic load on the state's site can save money on Web hosting, and also decrease the risk of the Website failing on election night."

Blockchain enters, paper prevails

In keeping with the groundswell of startups attempting to establish themselves in blockchain deployment, Cleveland, OH-based Votem, founded in 2016 on the premise of delivering an end-to-end verified election system, recently published its Proof of Vote protocol, which the company said will serve as both its platform and an open-source specification for blockchain-based voting. Votem operations manager Jeffrey Stern said the company is currently trying to figure out how to introduce the blockchain concept to parties with vested interests, be they partisan or observational.

"To foster transparency, many states include representation from all political parties during tabulation and some even open it to the public and electoral monitoring groups," Stern said in addressing concerns that Votem-controlled servers could not be independently verified. "We are building a system whereby those organizations have the opportunity to be more directly involved in securing elections in a more structured way. We're working through the difficulties of having these third parties who may are not be technologically capable of running validation nodes, how to facilitate this onboarding process, and we are in the process of understanding the threat model to make sure that deployments are verifiably secure."

Eventually, the Votem platform is intended to enable authenticated voting from mobile devices, ideally eliminating disenfranchisement of remote voters who may be service members stationed overseas, first responders on the scene of an emergency, or even residents of rural areas far from traditional polling places.

For the foreseeable future, however, Hubler, Jones, and other veteran election observers believe paper ballots (used by a preponderance of states, and which may be counted by devices such as optical scan readers), audits, and procedural safeguards such as same-day registration and provisional voting are the best guarantors of secure elections. The great variable, however, is human lapse of judgment, on the part of both election officials (who may open a phishing email without noticing it came from a domain not connected with its purported business, for example, and voters, who may fall victim to a "Hey, you can text to vote" scam).

"I don't rely on technical defenses," Jones said. "Technical defenses aren't going to get us there. We need administrative and procedural defenses. People seem to be all too willing to accept glib assurances from their favored technology people."

In Minnesota, Simon said his office has started training election officials at the state and local levels to make them more aware of the typical routes hackers use to try to gain access to systems. "One of our hopes ongoing is that with new federal election security money, we will be able to sustain some kind of partnership between us and our partners at counties, cities, and townships that will enable us to teach those best practices and make sure they are baked in to election administrators' actions," he said.

"The biggest worry, and I think anybody who does this kind of work will tell you this, is voters won't come out because they are worried there will be something wrong," Hubler said. "There is really a balance here of acknowledging there are threats to the system, and I think elections officials are doing what they can to mitigate those threats. But if voters don't come out and vote, if they don't believe we are doing all we can, if they don't have confidence their votes will count, that's what keeps people up at night."

Gregory Goth is an Oakville, CT-based writer who specializes in science and technology.


No entries found