CSO Online’s discussion of election security issues focuses less on ballot systems themselves and more on the security of local governments. This is a widespread problem that has gone unaddressed for far too long. Many local and state government bodies, and even federal agencies, are still running Windows XP on outdated legacy hardware that there is no budget to replace or update.
Such government systems, as CSO Online calls out, often fall victim to ransomware attacks – frequently because they are unpatched against known vulnerabilities and are used by people who don’t really understand the systems they are using and don’t recognize when something is not behaving as it should or is not what it pretends to be.
This is only part of the problem of election security, though. While we cannot afford to ignore vulnerabilities in the infrastructure that counts the votes, we also cannot afford to ignore vulnerabilities in the systems that record the votes in the first place. In this regard, DRE (Direct Recording Electronic) voting systems have over and over again proven to be shockingly easy to compromise. The manufacturers typically refuse to allow outside audits of their code, and their response to vulnerabilities found by election security researchers has all too often been to try to suppress disclosure of the vulnerabilities rather than to fix them.
In the event that a DRE system is compromised, all votes recorded by that system must be considered lost: with no record of the vote other than the electronic one, there is no trustworthy way to reconstruct the votes as cast, and no paper trail to go back to.
Election researchers have designed and proposed electronic voting systems that allow any voter to verify that their vote was recorded and counted exactly as they cast it, while still having deniability (which is to say, voters cannot be later forced to disclose which way they voted). However, no such systems have yet been put into use. When elections are performed using existing DRE voting machines, we are left in the position of simply trusting whatever the voting machine recorded; there is no way to check its counts against the actual ballots, because there is no physical ballot.
Ultimately, we have no way to verify that the votes counted are the same as the votes cast, whether the compromise occurs in the machines that record the votes, or in the government systems that count them. Without that guarantee, we have no way to verify that we can trust our own elections. That, in this day and age, is a very bad place to be.
We can never guarantee that we will prevent all attacks. But at the very least, we need to be able to know when an attack has happened.
- Phil Stracchino, Principal Architect