(Image: Getty)In February, the 2020 RSA security conference quickly settled on a cohesive narrative: America had, more or less, figured out how to do secure elections.
Fears of hacked voting machines were fading away and new challenges—protecting electronic voting rolls and mass disinformation campaigns from foreign powers—were emerging.
Voting machines are now "more of a reluctant ally" than a villain, Tod Beardsley, Rapid7’s Director of Research, said at RSA.
Instead, Beardsley voiced concern about ransomware locking up critical voter data and creating chaos on Election Day.
Indeed, the coming election will almost certainly face a host of threats, from foreign-sponsored disinformation campaigns to the logistics of counting the inevitable surge in COVID-driven mail-in ballots.
How can Americans be sure their votes are secure and accurately counted? The nation’s top security experts have been working on that.
New Doesn't Mean Secure
The embarrassing confusion of the 2000 US Presidential election led to some reforms in 2002 with the Help America Vote Act, which pushed states to adopt more modern methods of voting and did away with hanging chads and other grim reminders of the past.
Newer voting equipment, however, doesn’t always mean more secure equipment.
When security researcher Carsten Schuermann examined WinVote voting machines, which were used in the commonwealth of Virginia from 2004 to 2014, he found a security disaster.
They ran on an unpatched version of Windows XP; their wireless password was "abcde"; and, curiously, they contained audio-ripping software and a Chinese MP3.
Up close with WinVote at Black Hat 2018, allegedly the worst voting machine in the world. Even so, security problems with US elections remained largely theoretical until 2016, when we experienced a massive influence campaign that would eventually be traced back to Russia.
Hackers purloined emails from the Democratic National Committee and leaked them slowly for weeks via WikiLeaks, adding fuel to an already contentious election.
Other Russian elements engaged in a massive campaign primarily through social media that fed bogus information to voters and widened societal rifts.
Less well-known was an effort by Russia to attack election infrastructure.
The Senate’s Select Committee on Intelligence determined that, “The Russian government directed extensive activity, beginning in at least 2014 and carrying into at least 2017, against US election infrastructure at the state and local level.”
Senate Intelligence Committee ranking member Sen.
Mark Warner and Chairman Richard Burr (Photo By Tom Williams/CQ Roll Call) The Senate report defines the attacked infrastructure as more than just voting machines: "storage facilities, polling places, and centralized vote tabulation locations used to support the election process, and information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf of state and local governments.”
Attacks are suspected to have happened against all 50 states, although the consensus is that no votes were changed.
The Senate report speculated that Russia may have been probing for vulnerabilities to exploit later—but also may have aimed to undermine confidence in the election results.
Whether an effort at fraud was defeated or it was simply meant as a shot across the bow, our democracy was cut open and laid bare.
In 2018, Congress appropriated $380 million in grant money for the states to bolster cybersecurity and replace voting machines that were believed vulnerable to manipulation.
But armed with a Congressional mandate and solid solutions to secure elections, getting those changes implemented would have been a daunting task—even without a global pandemic.
Can Paper Ballots Save the Election?
(Image: Shutterstock) The solution to secure elections has two parts, according to Matt Blaze, the McDevitt Chair in Computer Science and Law at Georgetown University.
The first half is software independence, which means an undetected change or error in the software of a voting machine shouldn't cause an undetectable change or outcome in the final vote cast.
In practice, this means paper ballots or some kind of auditable trail.
How widespread paper ballots will be in 2020 is complicated by the fact that individual jurisdictions within the same state can have different voting systems.
According to Verified Voting, 65.5 percent of registered voters will hand-mark a paper ballot, and only 14 percent of voters will use a voting machine that's entirely electronic, although some may produce paper trails.
And 20.5 percent of voters will use a digital machine to mark a paper ballot.
Judge Robert Rosenberg examines a dimpled chad, November 2000.
(Photo by Robert King/Newsmakers) At this year's virtual Black Hat security conference, Blaze pointed to Florida’s hand recount and hanging chads in the 2000 Presidential election.
At the time, it was embarrassing, but Blaze said those notorious ballots could at least be examined by humans who could better discern something about the voter's intent than an optical machine.
It might be easy to dismiss any computerized presence in voting as too dangerous, but doing so isn't helpful.
For instance, electronic voting machines can make it much easier for disabled and elderly voters to cast their ballots.
While there are many issues with digital election security, the benefits cannot be ignored.
The Easiest Way to Detect Irregularities
(Photo by Bonnie Jo Mount/The Washington Post via Getty Images) The second critical improvement to elections that Blaze described at Black Hat is the risk-limiting audit, originally developed by Philip Stark.
This builds from the idea of software independence and paper ballots.
Once you have that paper trail, you need an effective means of confirming the outcome of an election.
Stark's risk-limiting audit allows for the outcome of the election to be verified without the labor-intensive process of counting every single ballot.
Instead, a subset of the votes are sampled using a statistical method and then compared to the final outcome.
"If they're the same, and if you do this enough, you can have very high confidence—that can be mathematically quantified—that your reported election results are the same results as you get hand-counting all the ballots," said Blaze.
Because risk-limiting audits don't require the Herculean effort of a total recount, they can be used to detect irregularities in the final count.
Every voting jurisdiction could run a risk-limiting audit as standard procedure to double-check the vote count.
If the audit matches the outcome, people can be assured that the results are sound.
If the audit doesn't match, a recount on the comparably small portion of the ballots can be initiated.
Securing voting machines is important, but using risk-limiting audits is a critical (if less exciting) endeavor.
"We are supportive of any kind of post-election audit," said Geoff Hale, Director of the Election Security Initiative at the Cybersecurity and Infrastructure Security Agency (CISA).
The agency, perhaps best known for its US-CERT alerts, is organized under the Department of Homeland Security and is charged with understanding and managing cyber and physical risk to critical infrastructure.
It released an open-source, risk-limiting audit tool and is seeking to make audits more efficient over the next decade.
"The first step is to get the stakeholders bought in on the idea of audits," Hale said.
"Any of them are better than none, and we’ll look to continue to improve on that."
The Cyber Risks in US Voting Infrastructure
In the world of election cybersecurity, voting machines have sucked up a lot of the oxygen for several years.
But the voting machine is just a small part of any election.
To Hale and CISA, the riskiest elements of a US election are the bits that connect to the internet.
This includes voter-registration databases, websites with important information on how and where to vote, as well as election-night reporting systems.
CISA has been pushing for investment in intrusion detection but also for offline backups, Hale said.
J.J.
Thompson, senior director of managed threat response at cybersecurity company Sophos, emphasized the wide range of potential targets for attack.
"The opportunity to strike with ransomware touches everything," he said, highlighting malicious software that encrypts victims' data and holds it hostage for ransom.
"The registration systems; the networks of contractors involved; the people building the voting systems, shipping them, and managing the e-poll books locally; associated cloud infrastructures; vendor infrastructures; associated mobile devices; each candidate’s campaign; and countless other independently managed systems."
Ransomware can tie up systems and has an obvious profit motive that could hide even more sinister intentions.
In 2017, the NotPetya ransomware seized control of computers across the globe, demanding cash in return for freeing the machines.
This was eventually linked to the Russian military, with the apparent target being Ukrainian industrial and government systems.
"NotPetya in 2017 was made to look like a standard ransomware attack, when in fact its objective was an attempt to disrupt the political environment in Ukraine," said Thompson.
"These attacks have significant nuance and layers, but we cannot forget our priority—mitigating any and all potential threats."
Attacks on these systems wouldn't necessarily have to change votes directly to swing an election.
A denial of service (DoS) attack against reporting systems could delay results.
Attacks against poll-book systems could create massive delays, perhaps convincing people it would be better just to head home.
Defacing official websites and sending bogus tweets can trick some voters into thinking the day or place of the election has changed or that they can vote by text (they can't).
These attacks could cause chaos, and if strategically targeted districts see enough depressed turnout, that could have an outsize effect on America's increasingly close elections.
Sam Curry, CSO of cybersecurity company Cybereason, spends a lot of time thinking strategically.
He and his team have carried out several election tabletop wargames: One team takes on the role of aggressors and attacks a hypothetical local election with the goal of casting doubt on its outcome.
The other team plays as defenders who must think fast to outwit the attack.
These games cover enormous ground—attackers wage online influence campaigns but also take action against the less obvious supporting infrastructure of elections.
Causing a traffic jam, for example, can depress turnout just as effectively as a direct attack on election systems.
Curry has overseen attack after attack on US democracy—safely simulated, of course.
He's observed numerous strategies and has advice on how best to protect an election.
The people playing the role of defenders, usually given the role of law enforcement, “must create open lines of communication between government departments and also media sources and social media companies," said Curry.
Knowing who to call and when to call them and having a reliable back-up system in case one fails (or is intentionally sabotaged) are all critical.
Voting by Snail Mail
Before COVID-19 hit, the use of paper ballots was already becoming more widespread as part of the effort to secure American elections.
The coronavirus outbreak means even more voters will probably use paper ballots—roughly 80 million, according to the New York Times—but they'll be delivered through the mail.
Every state allows for mail-in ballots for absentee voting, but how that works varies.
Five states rely primarily on voting by mail (Colorado, Hawaii, Oregon, Utah, and Washington).
Some states allow voters to request an absentee ballot for any reason.
Others require voters explain why they need an absentee ballot, such as illness or travel outside the country.
A mail-in ballot has most of the security advantages of a paper ballot cast in person.
It can be counted by machine but verified by hand.
There are also unique security features to mail ballots—for one, some mail ballots may use ultraviolet inks, making them harder to counterfeit.
But the sheer volume of mail-in ballots cast this year will present new challenges.
Mail ballots require greater investment to ensure they are handled correctly on every step of their journey.
The logistics of paper and envelopes could also pose a major hurdle, as states scale up their mail-in voting operations to meet demand.
It's also an open question as to whether the US Postal Service can guarantee that ballots will be delivered and received in time to be counted.
The issue recently became a political hot potato, but even when ballots are sent and received on time, there are challenges to getting them counted.
(Photo by Lane Turner/The Boston Globe via Getty Images) Some regions may not have enough ballots, enough machines to count those ballots (a critical point, as the machines for counting absentee ballots are generally not the same as those that count in-person ballots), or even enough envelopes for mailing in the ballots.
"It's likely that most jurisdictions will not have the funding to do this," according to Blaze.
Thankfully, the work to secure elections from 2016 to today hasn't been wasted.
"When we assess risk [for] the sector, we think it’s quite similar between in-person voting and mail-in voting," said Hale.
"All that effort before COVID is still reaping rewards."
While no one can know for certain what Election Day 2020 will look like, an increase in mail-in voting will almost certainly mean that Americans will wake up on Nov.
4 and not know who won the election—not because of chicanery but simply because voting by mail is an entirely different process from voting in person.
When a mail-in ballot is received from a voter, it's generally in two envelopes.
The outer envelope contains information about the voter as well as a signature.
That signature is usually compared to one on file, and if it's a match, the outer envelope is discarded and the ballot is sent to be batch-scanned by machines.
If the signature on the outer envelope is not a match, it's set aside for "curing." That means reaching out to the voter and verifying that the ballot is legitimate.
On top of all that, some states require that votes received by mail may not be allowed to count mail-in ballots before Election Day, preventing them from getting a head start.
Combine that with the need to cure ballots and the fact that many states will likely be counting more mail-in votes than ever before, and complete election-night results may not be available.
A representative from a technology company with knowledge of election infrastructure told us that...
(Image: Getty)In February, the 2020 RSA security conference quickly settled on a cohesive narrative: America had, more or less, figured out how to do secure elections.
Fears of hacked voting machines were fading away and new challenges—protecting electronic voting rolls and mass disinformation campaigns from foreign powers—were emerging.
Voting machines are now "more of a reluctant ally" than a villain, Tod Beardsley, Rapid7’s Director of Research, said at RSA.
Instead, Beardsley voiced concern about ransomware locking up critical voter data and creating chaos on Election Day.
Indeed, the coming election will almost certainly face a host of threats, from foreign-sponsored disinformation campaigns to the logistics of counting the inevitable surge in COVID-driven mail-in ballots.
How can Americans be sure their votes are secure and accurately counted? The nation’s top security experts have been working on that.
New Doesn't Mean Secure
The embarrassing confusion of the 2000 US Presidential election led to some reforms in 2002 with the Help America Vote Act, which pushed states to adopt more modern methods of voting and did away with hanging chads and other grim reminders of the past.
Newer voting equipment, however, doesn’t always mean more secure equipment.
When security researcher Carsten Schuermann examined WinVote voting machines, which were used in the commonwealth of Virginia from 2004 to 2014, he found a security disaster.
They ran on an unpatched version of Windows XP; their wireless password was "abcde"; and, curiously, they contained audio-ripping software and a Chinese MP3.
Up close with WinVote at Black Hat 2018, allegedly the worst voting machine in the world. Even so, security problems with US elections remained largely theoretical until 2016, when we experienced a massive influence campaign that would eventually be traced back to Russia.
Hackers purloined emails from the Democratic National Committee and leaked them slowly for weeks via WikiLeaks, adding fuel to an already contentious election.
Other Russian elements engaged in a massive campaign primarily through social media that fed bogus information to voters and widened societal rifts.
Less well-known was an effort by Russia to attack election infrastructure.
The Senate’s Select Committee on Intelligence determined that, “The Russian government directed extensive activity, beginning in at least 2014 and carrying into at least 2017, against US election infrastructure at the state and local level.”
Senate Intelligence Committee ranking member Sen.
Mark Warner and Chairman Richard Burr (Photo By Tom Williams/CQ Roll Call) The Senate report defines the attacked infrastructure as more than just voting machines: "storage facilities, polling places, and centralized vote tabulation locations used to support the election process, and information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf of state and local governments.”
Attacks are suspected to have happened against all 50 states, although the consensus is that no votes were changed.
The Senate report speculated that Russia may have been probing for vulnerabilities to exploit later—but also may have aimed to undermine confidence in the election results.
Whether an effort at fraud was defeated or it was simply meant as a shot across the bow, our democracy was cut open and laid bare.
In 2018, Congress appropriated $380 million in grant money for the states to bolster cybersecurity and replace voting machines that were believed vulnerable to manipulation.
But armed with a Congressional mandate and solid solutions to secure elections, getting those changes implemented would have been a daunting task—even without a global pandemic.
Can Paper Ballots Save the Election?
(Image: Shutterstock) The solution to secure elections has two parts, according to Matt Blaze, the McDevitt Chair in Computer Science and Law at Georgetown University.
The first half is software independence, which means an undetected change or error in the software of a voting machine shouldn't cause an undetectable change or outcome in the final vote cast.
In practice, this means paper ballots or some kind of auditable trail.
How widespread paper ballots will be in 2020 is complicated by the fact that individual jurisdictions within the same state can have different voting systems.
According to Verified Voting, 65.5 percent of registered voters will hand-mark a paper ballot, and only 14 percent of voters will use a voting machine that's entirely electronic, although some may produce paper trails.
And 20.5 percent of voters will use a digital machine to mark a paper ballot.
Judge Robert Rosenberg examines a dimpled chad, November 2000.
(Photo by Robert King/Newsmakers) At this year's virtual Black Hat security conference, Blaze pointed to Florida’s hand recount and hanging chads in the 2000 Presidential election.
At the time, it was embarrassing, but Blaze said those notorious ballots could at least be examined by humans who could better discern something about the voter's intent than an optical machine.
It might be easy to dismiss any computerized presence in voting as too dangerous, but doing so isn't helpful.
For instance, electronic voting machines can make it much easier for disabled and elderly voters to cast their ballots.
While there are many issues with digital election security, the benefits cannot be ignored.
The Easiest Way to Detect Irregularities
(Photo by Bonnie Jo Mount/The Washington Post via Getty Images) The second critical improvement to elections that Blaze described at Black Hat is the risk-limiting audit, originally developed by Philip Stark.
This builds from the idea of software independence and paper ballots.
Once you have that paper trail, you need an effective means of confirming the outcome of an election.
Stark's risk-limiting audit allows for the outcome of the election to be verified without the labor-intensive process of counting every single ballot.
Instead, a subset of the votes are sampled using a statistical method and then compared to the final outcome.
"If they're the same, and if you do this enough, you can have very high confidence—that can be mathematically quantified—that your reported election results are the same results as you get hand-counting all the ballots," said Blaze.
Because risk-limiting audits don't require the Herculean effort of a total recount, they can be used to detect irregularities in the final count.
Every voting jurisdiction could run a risk-limiting audit as standard procedure to double-check the vote count.
If the audit matches the outcome, people can be assured that the results are sound.
If the audit doesn't match, a recount on the comparably small portion of the ballots can be initiated.
Securing voting machines is important, but using risk-limiting audits is a critical (if less exciting) endeavor.
"We are supportive of any kind of post-election audit," said Geoff Hale, Director of the Election Security Initiative at the Cybersecurity and Infrastructure Security Agency (CISA).
The agency, perhaps best known for its US-CERT alerts, is organized under the Department of Homeland Security and is charged with understanding and managing cyber and physical risk to critical infrastructure.
It released an open-source, risk-limiting audit tool and is seeking to make audits more efficient over the next decade.
"The first step is to get the stakeholders bought in on the idea of audits," Hale said.
"Any of them are better than none, and we’ll look to continue to improve on that."
The Cyber Risks in US Voting Infrastructure
In the world of election cybersecurity, voting machines have sucked up a lot of the oxygen for several years.
But the voting machine is just a small part of any election.
To Hale and CISA, the riskiest elements of a US election are the bits that connect to the internet.
This includes voter-registration databases, websites with important information on how and where to vote, as well as election-night reporting systems.
CISA has been pushing for investment in intrusion detection but also for offline backups, Hale said.
J.J.
Thompson, senior director of managed threat response at cybersecurity company Sophos, emphasized the wide range of potential targets for attack.
"The opportunity to strike with ransomware touches everything," he said, highlighting malicious software that encrypts victims' data and holds it hostage for ransom.
"The registration systems; the networks of contractors involved; the people building the voting systems, shipping them, and managing the e-poll books locally; associated cloud infrastructures; vendor infrastructures; associated mobile devices; each candidate’s campaign; and countless other independently managed systems."
Ransomware can tie up systems and has an obvious profit motive that could hide even more sinister intentions.
In 2017, the NotPetya ransomware seized control of computers across the globe, demanding cash in return for freeing the machines.
This was eventually linked to the Russian military, with the apparent target being Ukrainian industrial and government systems.
"NotPetya in 2017 was made to look like a standard ransomware attack, when in fact its objective was an attempt to disrupt the political environment in Ukraine," said Thompson.
"These attacks have significant nuance and layers, but we cannot forget our priority—mitigating any and all potential threats."
Attacks on these systems wouldn't necessarily have to change votes directly to swing an election.
A denial of service (DoS) attack against reporting systems could delay results.
Attacks against poll-book systems could create massive delays, perhaps convincing people it would be better just to head home.
Defacing official websites and sending bogus tweets can trick some voters into thinking the day or place of the election has changed or that they can vote by text (they can't).
These attacks could cause chaos, and if strategically targeted districts see enough depressed turnout, that could have an outsize effect on America's increasingly close elections.
Sam Curry, CSO of cybersecurity company Cybereason, spends a lot of time thinking strategically.
He and his team have carried out several election tabletop wargames: One team takes on the role of aggressors and attacks a hypothetical local election with the goal of casting doubt on its outcome.
The other team plays as defenders who must think fast to outwit the attack.
These games cover enormous ground—attackers wage online influence campaigns but also take action against the less obvious supporting infrastructure of elections.
Causing a traffic jam, for example, can depress turnout just as effectively as a direct attack on election systems.
Curry has overseen attack after attack on US democracy—safely simulated, of course.
He's observed numerous strategies and has advice on how best to protect an election.
The people playing the role of defenders, usually given the role of law enforcement, “must create open lines of communication between government departments and also media sources and social media companies," said Curry.
Knowing who to call and when to call them and having a reliable back-up system in case one fails (or is intentionally sabotaged) are all critical.
Voting by Snail Mail
Before COVID-19 hit, the use of paper ballots was already becoming more widespread as part of the effort to secure American elections.
The coronavirus outbreak means even more voters will probably use paper ballots—roughly 80 million, according to the New York Times—but they'll be delivered through the mail.
Every state allows for mail-in ballots for absentee voting, but how that works varies.
Five states rely primarily on voting by mail (Colorado, Hawaii, Oregon, Utah, and Washington).
Some states allow voters to request an absentee ballot for any reason.
Others require voters explain why they need an absentee ballot, such as illness or travel outside the country.
A mail-in ballot has most of the security advantages of a paper ballot cast in person.
It can be counted by machine but verified by hand.
There are also unique security features to mail ballots—for one, some mail ballots may use ultraviolet inks, making them harder to counterfeit.
But the sheer volume of mail-in ballots cast this year will present new challenges.
Mail ballots require greater investment to ensure they are handled correctly on every step of their journey.
The logistics of paper and envelopes could also pose a major hurdle, as states scale up their mail-in voting operations to meet demand.
It's also an open question as to whether the US Postal Service can guarantee that ballots will be delivered and received in time to be counted.
The issue recently became a political hot potato, but even when ballots are sent and received on time, there are challenges to getting them counted.
(Photo by Lane Turner/The Boston Globe via Getty Images) Some regions may not have enough ballots, enough machines to count those ballots (a critical point, as the machines for counting absentee ballots are generally not the same as those that count in-person ballots), or even enough envelopes for mailing in the ballots.
"It's likely that most jurisdictions will not have the funding to do this," according to Blaze.
Thankfully, the work to secure elections from 2016 to today hasn't been wasted.
"When we assess risk [for] the sector, we think it’s quite similar between in-person voting and mail-in voting," said Hale.
"All that effort before COVID is still reaping rewards."
While no one can know for certain what Election Day 2020 will look like, an increase in mail-in voting will almost certainly mean that Americans will wake up on Nov.
4 and not know who won the election—not because of chicanery but simply because voting by mail is an entirely different process from voting in person.
When a mail-in ballot is received from a voter, it's generally in two envelopes.
The outer envelope contains information about the voter as well as a signature.
That signature is usually compared to one on file, and if it's a match, the outer envelope is discarded and the ballot is sent to be batch-scanned by machines.
If the signature on the outer envelope is not a match, it's set aside for "curing." That means reaching out to the voter and verifying that the ballot is legitimate.
On top of all that, some states require that votes received by mail may not be allowed to count mail-in ballots before Election Day, preventing them from getting a head start.
Combine that with the need to cure ballots and the fact that many states will likely be counting more mail-in votes than ever before, and complete election-night results may not be available.
A representative from a technology company with knowledge of election infrastructure told us that...
