Transparency Is Solution to Shameful Lack of Security For US Voting Systems Revealed by NSA Leak

Elections belong to the public. Just as we have the right to understand our overall election process, we have a right to understand the underlying hardware and software involved in electronic voting. We have a right to understand where our votes and voter registrations go, who checks them, and which institutions have access to that information.

The NSA document allegedly leaked by Reality Leigh Winner and recently published by The Intercept suggests that the government is no longer confident about that critical information. The report details a Russian spear-phishing campaign that introduced malware into election contractors’ and officials’ machines, causing them to run “an unknown payload from malicious infrastructure.” According to the report, “It is unknown…what potential data could have been accessed” by Russian hackers. The malicious code was implanted into instructions for EViD, a piece of software that allows poll workers to verify voters’ sensitive personal information, including name, address, registration status, and voting history. The verification is done entirely over the Internet, and all data is communicated to and from EViD’s “secure website.”

After reading the report, I wanted to see for myself how EViD’s creators address information security. Enter the only EViD documentation I could find: an FAQ from EViD’s parent company, VR Systems. Here is VR Systems’ explanation: “Is the EViD system secure? During design and development of the EViD system, VR Systems implemented extensive security measures to protect the EViD system from electronic attack.”

If you’re wondering where the rest is, you’re not alone. Those are the only mentions of security. What are “extensive security measures”? Your guess is as good as mine. Great for their secure design and development, but what about maintenance? Ongoing updates and patches are just as important as the initial product. What kinds of attacks did they account for, specifically? “Electronic attack” is about as meaningless as “physical attack.” OK, maybe you have a bullet-proof vest, but what if somebody drops a piano on your head? In the same way it’s possible to prevent a malicious piece of code from being written into the system, but that doesn’t mean they’ve accounted for vulnerabilities that would allow an attacker to read data, for example. And physical attacks apply here, too—after all, the software is being run on a machine made of wires, boards, and sensors.

So how does the government vet such vital critical infrastructure? Did a security expert look at VR Systems’ hardware and software, and if so, where are the results of the audit?

A researcher named Emily Gorcenski recently compiled an evaluation of federally endorsed certification and testing practices and voting system guidelines, as well as a state-by-state breakdown of electronic voting systems regulations. The physical hardware of voting machines is subject to well-established engineering quality standards, while software is largely evaluated by automated code-checkers for style rather than substance. These surface evaluations do not account for subtle vulnerabilities like memory handling or algorithmic errors that can only be caught by expert evaluation and extensive testing. There is no mention of voter registration systems like EViD (the only state to even mention voter registration in the state-by-state breakdown is Oklahoma).

Moreover, federal regulations are voluntary—and 20 states have chosen not to adopt any of them. The decentralized nature of a patchwork system could work in our favor if each state had its own individually secured infrastructure, but most election infrastructure companies work across state borders and the flaws carry over. Centralized voter registration systems like EViD that are seemingly not subject to any regulation at the state or federal level are especially vulnerable targets. Bloomberg reports that the Russian hackers were able to penetrate poll workers’ systems in 39 states.

And even with extensive testing and review, no one—not even a team of experts—can be aware of all of the flaws in a piece of code. Developers are constantly pushing updates and it’s difficult for security teams to keep pace. Bugs can be hydras—patch one, create three more. Laws and regulations can only go so far in that respect. The software standards, NSA report, and general behavior surrounding the cyberattacks illustrates a catastrophic lack of understanding, testing, and oversight on the government’s part. This is not to say government contractors or officials are incompetent—software security is one of the trickiest beasts around. Good software security relies on transparency and frequent testing. Hiding the code under fluffy language and hoping that nothing goes wrong is the absolute least effective way to achieve security. It would be like a safe salesman telling you to put your life’s savings into a box made of unknown material with a hidden locking mechanism. Nobody really knows how it works and plenty of them have been broken into, but trust him, he took “extensive security measures.”

Voting systems are the same—no government at any level should be relying on proprietary, closed-source software for vital critical infrastructure, especially software that they do not understand themselves.

And even then, the practice of using electronic voting systems at all is questionable, especially if they are connected to the Internet. While cryptographers can provide secure electronic voting algorithms, most security flaws happen at the implementation level—and again, there is no way to anticipate every flaw. Experts emphasize the need to confirm e-voting results by checking them against paper ballots in a statistically meaningful sample of areas across the country (“statistically meaningful” just means they take enough samples in enough diverse areas so that the probability of missing suspicious activity is very low). This simple physical check on our vulnerable electronic infrastructure must be an election process requirement.

This attack was not the first. Not only have researchers hacked into machines in a controlled setting, there have been numerous cases of problems with election infrastructure in the wild:

• The 4-6 million votes lost in the 2000 presidential election.
• The Diebold ban in California preceding the 2004 presidential election, after Diebold committed fraud.
• This executive summary of the 2006 midterm election, in which there were 1,022 reported problems with e-voting equipment in 314 counties across 36 states.

All evidence, both theoretical and empirical, suggests that these electronic voting systems are vulnerable. Ignorance is not an excuse. Federal, state, and local governments know better than to put blind trust in e-voting companies, so why do they continue to do so despite all of their problems? Why do they insist on using proprietary closed-source software instead of open-source software that is vetted by a community of experts? As with most major government contracts, electronic voting has been plagued by a history of questionable policy and shady business dealings that go against expert recommendation. The Washington Post reports that in mid-August 2016, the federal government encountered a “wall of resistance” from state officials in trying to shore up election infrastructure after the Russia hacking story first broke. State officials acted like getting help from the federal government in patching the systems against the well-evidenced threat of election tampering was a political ploy and “an assault on state rights.”

Fair elections are the cornerstone of free society, not cause for political squabbling or corporate enterprise. We fight on behalf of whistleblowers because we need people who are willing to stand up and say enough is enough, now more than ever. Reality Leigh Winner didn’t breach national security, she exposed a breach in national security—one that poses a clear and present danger to us all by threatening the very foundation of our democracy.

The threat to national security posed by electronic voting systems is one perpetuated by Congress, federal, state, and local governments and covered up by the NSA. Yet whistleblowers are the ones charged with the careless handling of defense information. One could bring the same charges against these government institutions for failing to sufficiently vet and maintain the technology used in critical infrastructure, and for allowing our election officials to become sitting ducks for Russian attackers. The only difference is, the government is in control.

Instead of focusing on these real threats to our democracy, legislatures have chased phantom problems like voter impersonation with Voter ID laws, which fail to prevent fraud and overwhelmingly impact poor communities and communities of color. In 2013, the Supreme Court struck down a section of the Voting Rights Act that prevented states like Texas from making changes to voting law without permission from the federal government. In 2016, a federal appeals court ruled that the Texas voter ID law—which had been in place since 2011—violated the Voting Rights Act. This is just one example of many that the ACLU Voting Rights Project fights to address.

It is time we demand with our voices and votes that the innards of electronic voting systems and all other obscured facets of our election process become matters of public record, and that statistically significant audits occur as a matter of routine rather than exception. Hiding from expert opinions and throwing whistleblowers in jail is not the way to make our country more secure. There have always been problems with our election process, but Reality check: the flaws are real, they are exploited, and they may significantly undermine our democracy if we continue to ignore them.