August 2, 2017 | By Joel Odom
Attendees at this year's DEF CON saw the first Voting Machine Village, a room dedicated to allowing conference attendees to have hands-on access to about a dozen different electronic voting machines. Hackers were invited to explore the systems for security vulnerabilities. The goal of Voting Machine Village was to raise awareness about the vulnerable state of eVoting and to promote the need for more transparent security assessment of the systems. Matt Blaze, co-founder of Voting Machine Village, promises that an expanded Village will be on the agenda for next year's conference.
IISP Analyst Joel Odom: "Unfortunately, 'vote hacking' in recent news has been a muddled issue. The media has conflated foreign interference in elections with electronic attacks against electronic voting infrastructure. I'm not going to speak to the topic of foreign interference in elections nor to the political discussion surrounding that topic, but I am interested in electronic attacks against voting machines, which is the focus of this commentary.
One of the goals of my opening lecture for a computer security course at Georgia Tech is to help students to develop a healthy pessimism about the security of electronic systems. Security is hard because of the asymmetry between attackers and defenders. Defenders cannot envision all of the possible ways that an attack against a system could happen. Attackers can cheat, and complexity is the enemy of security. In the words of engineering hero Montgomery Scott, 'the more they overthink the plumbing, the easier it is to stop up the drain.'
A voting system is necessarily complex. It consists of thousands of polling places, each with a handful of machines, each of which must serve hundreds of voters. Different machines in different locations require different ballot configurations, and different polling places must somehow transmit their votes to tabulation centers, the data from which must be amalgamated into a final election result. Confidentiality, integrity, and availability are all of primary concern. Additionally, the election results must be open for audit, and certification of millions of votes cast in this system must take place on a reasonably short time scale. And this notional system hasn't even assumed that the election system is electronic. When we base this entire system on modern computers running complex modern operating systems, we have a system of such complexity that I would assert that it is practically impossible for it to be completely secure.
In general, I find that the computer security community is not entirely opposed to electronic voting machines, but there are two things that experts in the field tend to call for. First, the experts want systems that are open to detailed scrutiny by independent security researchers who can help to find the flaws in the systems before the flaws are exploited. This is what DEF CON's Voting Machine Village promotes. Some of my colleagues on my software assurance team attended the event, and we all agree that it's a good idea.
Secondly, security professionals typically want a human-readable paper trail for audit purposes. My ideal situation looks like this. First, I vote at my polling place using an electronic interface. After I cast my ballot, I receive a printed card that shows me how I voted. If I choose to do so, I can read this card to be sure that the machine recorded my votes correctly. I then hand this card to the election official, and the card is handled as a paper ballot. The electronic record can be used for quick tabulation of the overall vote, but the unhackable paper card (which I verified with my own eyes) serves as the official ballot of record. If there is any question about the integrity of the electronic result, a complete or statistical tabulation of the physical cards could be used as an integrity check for the election.
A democracy depends not only on the actual security of an election system, but on the perceived security of the system. An attacker who wants to undermine confidence in a democracy need only start with undermining confidence in its election system. Humans are not designed to trust bits, but we have learned to trust physical constructs, such as words on paper. It may seem antiquated, but keeping election systems simple and human-readable is important for this critical social function. Allowing transparent audit of voting system security is another important aspect in maintaining confidence in the system."
For further reading
- Wired Magazine: https://www.wired.com/story/voting-machine-hacks-defcon/
- The New York Times: https://www.nytimes.com/2017/08/02/technology/a-solution-to-hackers-more-hackers.html