Beating up on direct record electronic (DRE) voting machines has been popular sport in security circles for more than a decade. But is it a distraction from other, more present and dangerous threats to the integrity of elections? A growing body of evidence says “yes.”
In a little more than a week, some of the world’s best hackers will gather in Las Vegas for the annual DEFCON hacking conference. And once again this year, as has been the case for many of the last 15 DEFCONs, there will be a Voting Machine Hacking Village – which is something like a petting zoo of more than 30 models of direct record electronic (DRE) and other voting hardware that attendees will have the chance to try their hand at hacking.
DEFCON and voting machines: there will be hacks
That these systems will be hacked – and in short order – is a foregone conclusion. “Hackers break into voting machines within two hours” was one headline from last year’s DEFCON. Set the Wayback Machine for 2007 instead of 2017, and you will find the same headline or one similar to it.
There are good reasons for this. First and foremost: the stock of electronic voting machine equipment out there in local school gymnasiums, libraries and other voting precincts hasn’t changed much, despite the outcry in recent years over their insecurity. Much of the hardware in question was purchased with money from the Help America Vote Act, passed in 2002 in the tumult following the 2000 Presidential Election. Fifteen years is a heck of a long time for hardware to hang around in the private sector. But it is not a long time at all in the world of public elections. Those ‘hanging chads,’ if you recall, were created by mechanical punch voting machines that were decades old.
The other explanation of why voting machine hacks are a well that never runs dry is that many electronic voting systems are essentially un-securable: built on top of outdated and no-longer supported operating systems like Windows 2000, or designed insecurely and with application code containing hidden “back door” accounts and exploitable software holes. Its not like electronic voting is impossible. I spoke with Taavi Kotka for our podcast. He spent 4 years as the Chief Information officer for the nation of Estonia where they’ve been voting online since 2005 – accurately, efficiently and without any security incidents. The problem with electronic voting in the U.S. isn’t that it’s electronic, he told me, its that the way we do electronic voting is a joke. They don’t even use the term ‘e-voting,’ he told me because the U.S. has spoiled it. Estonians prefer the term “i-voting,” as in: voting over the Internet.
“You can’t polish a turd,” as the saying goes. In most cases, the fix for vulnerable voting systems in circulation today is just to throw them all out and start over.
Voting system vendors get the jitters
There’s evidence that voting machine makers realize that and are trying to simply stave off the inevitable: threatening vendors who sell second hand voting machines on platforms like eBay (a go-to resource for security researchers). That’s not so surprising. DEFCON has become a predictable font of bad headlines for the industry for more than a decade. The heightened attention to election security following the controversial 2016 Presidential election has tipped the scales even further, prompting states like Georgia and Pennsylvania to eliminate digital voting systems and replace them with those that leave a paper trail.
The bigger question, I think, is whether the well documented security flaws in voting machines are the tip of the spear for would be election hackers, or a big, shiny distraction for researchers, regulators and municipalities.
These aren’t the election vulnerabilities you’re looking for
A growing body of evidence suggests that voting machine vulnerabilities are a distraction from more pressing and serious voting system vulnerabilities.
First, as we noted, the insecurity of voting systems is well established and more or less constant. DEFCON could just as easily host a Windows 2000 or an IE 6 hacking village – but what would be the point? States and municipalities appear to be running away from so-called DRE voting systems rather than putting their faith in vendor assurances about security improvements to them. So the hacking village ends up being light on discovery, heavy on display – like the big, inflatable rat that local industrial unions are fond of inflating outside of non-union workplaces.
Second, there is mounting evidence that would-be election hackers, including state-sponsored actors, are using other means to try to interfere with the U.S. vote. The website The Daily Beast reported last week that Senator Claire McCaskill’s re-election campaign was targeted in phishing attacks that shared similarities with those from the group Fancy Bear, which was involved in the 2016 election hacking and is believed to work on behalf of the government of Russia. Microsoft said that it had spotted and blocked Russian efforts to create look-alike phishing domains similar to those used by congressional campaigns in what it described as an effort to infiltrate political campaigns ahead of the 2018 midterms.
Third: the best and most detailed account of election interference we have is Special Counsel Robert Mueller’s indictment of 12 Russian intelligence officers for their roles in the 2016 Presidential election. But it has no evidence of direct tampering with voting systems and scant mention of DRE voting machines at all. The vast majority of Russian activity involved infiltrating campaigns, stealing and then leaking sensitive data and using social media to sway public sentiment.
Can we talk about something else?
Elections officials get this. Research that Security Ledger has done indicates that much of the money Congress is throwing at states to improve voting is going to projects other than replacing voting equipment. States are hiring coding and security talent to audit systems, shoring up voter registration processes and securing access to critical systems with technology like two-factor authentication.
To be fair to the DEFCON Voting Village and its organizers: while hacking voting machines may be the draw, much of the agenda for this year’s Voting Village tackles broader questions of election security, not the insecurity of voting equipment. Representatives from state elections offices, the Department of Homeland Security, the legal and policy community will all be on hand to talk about what’s being done and what needs to be done to secure our elections.
The problem is this: images and pictures are a great way to tell stories. And the images out of the Voting Machine Village of tattooed hackers having their way with vote recording devices is catnip for media outlets. That’s why its almost certain that – again this year – the images beamed from Las Vegas will focus on vulnerable electronic voting systems that fall to the predations of bearded, pierced, tattooed hackers. And, for all but the few uninitiated, that message will be the “story” of insecure elections: hackers attacking voting machines.
That’s a message that’s wildly out of step with what security professionals would consider the “risk profile” of U.S. elections and that’s why it’s time to change that narrative and to start talking more about what matters. To further that very worthy cause, it may be a good idea to just stop hacking voting systems altogether.