
(Written in 2007, 2008)

Some material on the (in-)security of electronic voting machines. Regarding political campaigns and eternal vigilance, it might be a good idea, in a democracy, for citizens to ensure that votes are accurately counted. What happens when the mainstream media, elections officials, and the manufacturers of electronic voting machines are clueless about computer security? This material documents my attempts to educate technologically-illiterate Americans about the facts, in a polarized political climate.

In 2007, Debra Bowen, the Calif. Secretary of State, engaged a top-notch team of computer security experts to assess the security of the state's electronic voting machines. (Full Disclosure: Matt Bishop, who led the Red Team, is a colleague, with whom I've co-authored several papers.) The 3 reports from Bowen's Sourcecode Review Team at:

http://www.sos.ca.gov/elections/elections_vsr.htm

are a damning indictment of the underlying architectures. For a brief summary, see Team member Matt Blaze's blog entry at:

http://www.crypto.com/blog/ca_voting_report/

A good takeaway message might be these excerpts:

    "We found significant, deeply-rooted security weaknesses ... 
     It should now be clear that the red teams were successful
     not because they somehow "cheated," but rather because
     the built-in security mechanisms they were up against
     simply don't work properly. Reliably protecting these systems
     under operational conditions will likely be very hard. ... 
     The root problems are architectural.  ... 
     the designs of these systems expose generously wide
     "attack surfaces" ... And the defenses are dangerously fragile --
     almost any bug, anywhere, has potential security implications. ... 
     strengthening these systems will involve more than repairing a few
     programming errors. They need to be re-engineered from the ground up."

After "sanitized" versions of the security reports were released to the public, a crescendo of controversy arose in the mainstream media. It seemed that a coordinated disinformation campaign was underway, to influence Secretary Bowen and make her reluctant to place security restrictions on the E-voting machines. To counter the disinformation, and give this elected official some "political cover" to do the right thing, I submitted written testimony (dated 8/1/07) to the Calif. Secretary of State; it is reproduced below.

Secretary Bowen decided to place restrictions on E-voting that, in my opinion (given the state's heavy dependence on terribly insecure E-voting machines), represented a reasonable compromise between security, and being able to conduct elections at all in the near future. For this, she was heavily criticized. I responded with the Op-Ed reproduced below, warning about Faith-based Security, which was rejected by the Sacramento Bee and the San Francisco Chronicle, two newspapers that ran clueless editorials claiming the Calif. Secretary of State had intentionally biased the result of the security analysis. They didn't understand the most basic aspects of electronic security, but that didn't stop them from claiming that the machines were secure, and that anyone who said otherwise must have base political motives. (A 650-word limit meant the Op-Ed had to be oversimplified, i.e., rhetoric and basic concepts had to trump complex definitions, supporting evidence, and analytical rigor. Despite such constraints on communicative bandwidth, it is dangerous to compromise high standards of intellectual honesty. To do otherwise damages the integrity of the sender, and pollutes the cultural environment of the receivers. Lowering standards allows an opponent to justify lowering their standards even more. This dynamic causes a "race to the rhetorical bottom" -- as seen in demagogic political campaign commercials -- and produces a disinformed and dysfunctional democracy.)

Perhaps some in the mainstream media downplayed the issue of security, in order to counter what they saw as "conspiracy theorists", who were claiming that E-voting security flaws had allowed certain elections to be "electronically stolen". A few in the blogosphere did seem to be pushing unwarranted conclusions, so I tried to provide more realistic context, with ideas like those in the essay reproduced below ("Expanding the Threat Matrix"), which described our inability to detect fraud, the possibility that lousy software quality could account for all apparent cases of fraud detected so far, and expanded the Threat Matrix to include entities that, to me, seemed far more plausible Opponents.

America's mainstream media punditocracy seems to feel its role is to be the gatekeeper, protecting "Conventional Wisdom" and "Social Norms" -- no matter how absurd or outmoded. Hence it tends to dismiss anyone who highlights security threats (except terrorism) as a "conspiracy theorist". In the case of E-Voting's scandalously poor security, I suppose they would dismiss Richard Clarke for this statement:

"The fact that our computer systems are not secure has meant the theft of millions of Americans' identity information by criminals. As BRAVE NEW BALLOT shows, the fact that our computerized voting machines are also not secure from hacking means that Americans could also have their elections stolen...and not even know it."

-- Richard A. Clarke, National Coordinator for Security, Infrastructure Protection, and Counterterrorism for Presidents Bill Clinton and George W. Bush, Deputy Assistant Secretary of State for Intelligence under President Reagan, and #1 New York Times bestselling author.

[ http://bravenewballot.org/praise.html ]

=============================================================================

        Electronic Voting:  Science vs. Faith-based Security

When Calif. Secretary of State Debra Bowen released scientific studies
investigating electronic voting machine security, a firestorm of
criticism flared.  Press reports were rife with misconceptions,
and editorials drew erroneous conclusions.  These misconceptions
apparently stem from a disinformation campaign, like that
denying climate change:

Step 1:  Attack the scientific studies.
         (Label them "unrealistic," "unfair," "flawed.")
Step 2:  Delay; call for new studies.
Step 3:  GOTO Step 1.  (Repeat as necessary.)

Meanwhile, laugh all the way to the bank, as election officials buy
inadequate "security upgrades" that purport to patch unpatchable
architectural design errors.

Why is CACEO (Calif. Assoc. of Clerks and Election Officials) leading
this disinformation campaign, rather than acting to check and balance
the E-voting vendors?  Clearly, the revolving door between these insider
groups causes pervasive conflicts of interest.  But CACEO disputes
scientific computer security principles for a deeper reason:
Quasi-religious faith in shiny hi-tech hype.


                Faith-based Security

"Security-Through-Obscurity" is a discredited dogma that equates
secrecy with security.  Granted, sometimes secrecy provides
one layer of security.  But often, secrecy obscures,
or actually constitutes, a security vulnerability.
E-voting vendors' "trade secrets" obscured poor quality,
and porous security.

Gullible registrars bought faith-based "Security-Through-Obscurity":
E-voting vendors are its High Priests; mystic federal standards,
its Hymnal; and corrupt certification labs, its chanting Choir.
Doubters, lacking insiders' faith, must be Luddites, conspiracy
theorists, or as Napa Registrar John Tuteur accused Secretary Bowen,
have "crass political purposes."


                Should We Trust E-voting Insiders?

In their 2005 report, "Building Confidence in U.S. Elections",
former President Jimmy Carter and former Secretary of State
James Baker emphasized,

"The greater threat ... comes ... from insiders who have direct access
to the machines. ... There is no reason to trust insiders in the
election industry any more than in other industries, such as gambling,
where sophisticated insider fraud has occurred despite extraordinary
measures to prevent it."

Yet Nevada gambling systems face more stringent security requirements
than E-voting systems.


                MISCONCEPTIONS:

CACEO and E-voting vendors attack the studies by claiming that
university scientists had too much access to the machines, and
too much knowledge of their programs.  By removing Election Day
security procedures, insiders argue, any voting system would be vulnerable.
Moreover, Calif. election officials see no evidence of fraud.

                FACTS:

A securely-designed (and implemented) voting system should NOT be
vulnerable to those scientists' specific attacks.  Yet even if integrity
were compromised (by hackers or election insiders, with lots of access
and knowledge), then system audit records should be able to detect evidence 
of that fraud.  The E-voting systems failed to meet both these criteria.


                The Blame Game

Local officials raise the spectre of election chaos.
CACEO's President seeks to blame Secretary Bowen:
"This election, if it's a failure, it's on her."

But that's shooting the messenger.  Without speculating on various
parties' motives, the fact is that Secretary Bowen documented, via a
hurried but fair public process, what computer scientists have known for
years: E-voting security is scandalous.  Yet despite repeated warnings,
E-voting vendors failed to fix many flaws.

Blame for any chaos, debacle, or loss of public confidence
lies with the E-voting vendors, and with the government officials
(federal, state, and local), who naively trusted private companies,
but failed to verify their technology was safe for democracy.


                What's Next?

No more billion dollar bailouts for faith-based failures!
Software upgrades and operational procedures cannot plug gaping
holes in system architecture; complete redesign is needed.
(Diebold patched one particular vulnerability twice;
yet each patch introduced a new vulnerability!)

"Security-Through-Obscurity" is a risky faith-based fantasy.
Today's E-voting systems are Trojan Horses in our midst.
Without transparency, and checks and balances,
that secret, unaccountable power threatens democracy.

If society chooses to pursue electronic voting, we need
"open-software, open-hardware" systems, mandatory interoperability,
and ethical firewalls.

And we must develop the cultural maturity to recognize
technological limitations; not worship technological fantasies.



(Rick Crawford has researched reality-based computer security for 18 years.)


=============================================================================





Date: Aug 1, 2007
Subject: Comments on Top-to-Bottom Review of Voting Systems
From: Rick Crawford



Dear Secretary Bowen,


BRIEF BIO:  

My background includes over 18 years as a Computer Security researcher.  
My research has been funded primarily by federal agencies, including the
Air Force Information Warfare Center, DARPA, Dept. of Energy, NIST, NSF,
and the National Security Agency.  Although some of my research
(on malicious code detection) was classified by the NSA,
I have 11 peer-reviewed publications in the open literature.  

My work encompasses the broader social context in which Information
Technologies are used:  I co-developed and taught what seems to have
been the first class on Computer Ethics in the UC system.


SITUATION ASSESSMENT:

    In the 2000 and 2004 presidential elections, this nation's
voting systems performed so poorly, that many Americans questioned
the legitimacy of the elections' outcomes.  In an attempt to
bind the nation's wounds, the Commission on Federal Election Reform,
co-chaired by former President Jimmy Carter and former Secretary of State
James Baker, issued a final report, "Building Confidence in U.S. Elections".
In it (http://www.american.edu/ia/cfer/report/CFER_section3.pdf ),
section 3.3 on "Security for Voting Systems" states,

    "The greater threat to most systems comes ... from insiders who
     have direct access to the machines. ... There is no reason to
     trust insiders in the election industry any more than in other
     industries, such as gambling, where sophisticated insider fraud
     has occurred despite extraordinary measures to prevent it."

I would add that computerized insider attacks at America's major
financial institutions involving hundreds of millions of dollars are
not unusual, despite extensive security precautions.  As another example,
insider attacks by Aldrich Ames (CIA) and Robert Hanssen (FBI) caused
considerable damage, but that harm was limited by those organizations'
underlying secure design principles (e.g., separation of privilege). 

This is why security must be designed into a system, not tacked on
as an afterthought.  And it demonstrates why we need reliable methods to
*detect* manipulations after the fact, even if we are unable to prevent
them.  Your Red Team leader's overview correctly emphasizes these points
(http://www.sos.ca.gov/elections/voting_systems/ttbr/red_overview.pdf ).
These points -- insider threats, and multi-layered security-in-depth
design -- are among *THE* most elementary aspects of computer security. 
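To make concrete what the op-ed's FACTS section and the paragraph above mean by audit records that can *detect* manipulation after the fact, here is an added example (my illustration, not code from any of the reviewed voting systems or from the TTBR reports): a hash-chained, append-only audit log in Python. Each record commits to the previous record's hash and to its own sequence number, so editing, deleting, inserting, or truncating records breaks verification. The sample precinct events and the JSON record layout are constructed for the example. The final scenario shows the caveat a practitioner should expect: an insider who can rewrite the whole file can regenerate a perfectly consistent chain, so the only thing that catches that is a head hash committed somewhere the machine cannot alter (printed on a tape signed by poll workers, posted publicly, etc.).

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Tuple

# Hash that the very first record links back to (constructed convention for this example).
GENESIS = "0" * 64

Record = Dict[str, Any]


def entry_hash(prev_hash: str, seq: int, event: Dict[str, Any]) -> str:
    """Hash of one record: binds the event to its position and to the previous record."""
    payload = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(log: List[Record], event: Dict[str, Any]) -> str:
    """Append an event and return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    h = entry_hash(prev, seq, event)
    log.append({"seq": seq, "prev": prev, "event": event, "hash": h})
    return h


def verify(log: List[Record], published_head: str) -> Tuple[bool, str]:
    """Walk the chain from GENESIS; the last hash must equal the externally committed head."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            return False, f"record {i}: sequence number {rec['seq']} (record removed or reordered)"
        if rec["prev"] != prev:
            return False, f"record {i}: back-link does not match previous record"
        if entry_hash(prev, i, rec["event"]) != rec["hash"]:
            return False, f"record {i}: contents changed after hashing"
        prev = rec["hash"]
    if prev != published_head:
        return False, "final hash differs from the published head (log truncated, extended, or rebuilt)"
    return True, "ok"


def rebuild(events: List[Dict[str, Any]]) -> List[Record]:
    """Build a chain from scratch; also what a fully privileged insider can do with altered events."""
    log: List[Record] = []
    for ev in events:
        append(log, ev)
    return log


# Constructed sample: one precinct, one contest, three ballots.
SAMPLE_EVENTS = [
    {"type": "polls_open", "precinct": "0001", "time": "07:00"},
    {"type": "ballot", "contest": "measure_A", "choice": "yes"},
    {"type": "ballot", "contest": "measure_A", "choice": "no"},
    {"type": "ballot", "contest": "measure_A", "choice": "yes"},
    {"type": "polls_close", "precinct": "0001", "time": "20:00", "totals": {"yes": 2, "no": 1}},
]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the tampering scenarios and return each verification verdict."""
    log = rebuild(SAMPLE_EVENTS)
    head = log[-1]["hash"]  # the value that must leave the machine at close of polls
    results = {"untampered": verify(log, head)}

    # 1. Flip one ballot in place without touching the stored hashes.
    t = copy.deepcopy(log)
    t[2]["event"]["choice"] = "yes"
    results["modified_record"] = verify(t, head)

    # 2. Delete a ballot record.
    t = copy.deepcopy(log)
    del t[3]
    results["deleted_record"] = verify(t, head)

    # 3. Append a ballot after the head was published.
    t = copy.deepcopy(log)
    append(t, {"type": "ballot", "contest": "measure_A", "choice": "no"})
    results["appended_record"] = verify(t, head)

    # 4. Insider with full write access alters events and regenerates every hash.
    altered = copy.deepcopy(SAMPLE_EVENTS)
    altered[2]["choice"] = "yes"
    altered[4]["totals"] = {"yes": 3, "no": 0}
    rebuilt = rebuild(altered)
    results["rebuilt_vs_published_head"] = verify(rebuilt, head)   # caught only by the external commitment
    results["rebuilt_vs_own_head"] = verify(rebuilt, rebuilt[-1]["hash"])  # internally consistent: passes
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:28s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Scenarios 1 through 3 are what the chain itself detects: any edit to a record, any gap, and any extension past the committed head. Scenario 4 is the one the essay below worries about: a team with complete control of the stored data can erase its traces from the log alone. The design choice that matters is therefore not the hash function but where the head value is committed and who else holds a copy; a log whose only copy of its own checksum lives on the same machine provides no insider detection at all.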

That is why I am absolutely appalled to read quotes from the 3
voting machine vendors disputing the conditions of the Red Team testing.
It is far worse to read similar quotes from the President of the Calif.
Association of Clerks and Elections Officials. 

As though reading from the same playbook, these parties claim that
Red Team testing was "unrealistic" because (1) the team had too much
access and knowledge, and (2) the Red Team did not face a Blue Team
(i.e., operational security procedures). 

But their claim #1 denies the threat of insider attacks, and their
claim #2 denies the need for a multi-layered security-in-depth design! 

It simply is not credible that voting machine vendors are so ignorant
of basic security.  And since the President of the Calif. Assoc. of Clerks
and Elections Officials was quoted in the San Francisco Chronicle (7/3/07)
as saying he personally administers the voting system in his county,
I would like to assume he knows a little about computer security. 

Yet either these parties are woefully ignorant about the most elementary
aspects of computer security, or they intentionally are denying that any
"realistic" security threats or flaws could exist.  Such a denial of reality
would be so blatant, as to bring to mind Saddam Hussein's Minister of
Information, who insisted to reporters that, "We have them on the run,"
even though American tanks already were roaming the streets of Baghdad. 

(Diebold certainly was aware of some of their security flaws:  
David Wagner's 3/15/07 Congressional testimony described how Diebold
had been informed privately about a flaw in 1997, yet despite recurring
public reports of this flaw, still had not fixed it 10 years later.)

Unfortunately, by denying the problem, these vendors (and apparently
also the Calif. Assoc. of Clerks and Elections Officials) have chosen
to become part of the problem, rather than part of the solution. 


SHORT-TERM RECOMMENDATIONS: 

    Democracy requires that the casting of ballots be secret,
but that the counting of votes be accurate and transparent to the
public.  All 3 tested systems revealed security flaws so egregious,
that they should be decertified.  The InkaVote system (whose manufacturer
was unwilling or unable to comply with the testing protocol) likewise
should be decertified.  These decertifications should be unconditional,
i.e., the Secretary should *not* allow County election officials to
attempt to "patch" fundamental design flaws by operational procedures.

In light of the serious design and configuration flaws found in all
systems tested so far, the Secretary should provisionally (de-)certify
any other DRE systems in use within the state, subject to the condition
that each can be used (in the near term) only if similar design flaws
are not found by similar TTBR testing.  Such short-term testing should 
*not* consider any alleged protective effects of County operational
procedures.  This is because, in the short-term, it is impractical
to assess the composite of an insecure design coupled with assorted
County procedures that are either secret or only documented informally.
Moreover, the adequacy of implementation of those security procedures
cannot be verified until the election is already underway. 

Regarding the Calif. primary election scheduled for Feb. 2008,
one option is to mandate absentee ballots.  In the Nov. 2006 election,
nearly 42 percent of voters chose absentee ballots.  A second option
is to reschedule the Feb. 2008 election.  California should lead the
nation in demonstrating, by example, that we will not tolerate a
sham election that violates the trust voters have placed in the process.
Better to have an election that is late, but reliable.  Any other state
using similar machines should be shamed into following the Calif. example.
Presidential primary candidates should demonstrate their commitment to
accurate and transparent elections by pledging to remove their name from
the ballot of any state that fails to follow California's standard.


LONGER-TERM RECOMMENDATIONS: 

    Every technology is situated in a context comprised of social,
institutional, political, and economic factors.  Unfortunately,
in the case of voting machines, none of these contextual factors
currently is favorable for election accuracy and transparency. 
Clearly the security of voting machine technology must be improved. 
But that cannot occur in isolation. 

Therefore, the Secretary should use (provisional) certification
*strategically* to transition the marketplace, so that voting
machine vendors compete to achieve open standards of security and
usability.  In conjunction with those changes in technology,
the Secretary, working with the Legislature and the Attorney General,
should alter the institutional context of use, so that Counties employ
a certain minimal level of uniform security procedures, so that election
workers are adequately trained in those procedures, so that election-day
*implementation* of security is inspected and verified, and so that
appropriate legal liability serves as an incentive for compliance.

Finally, to achieve a fair and level playing field, it is imperative
that the state also transition to a mandate of *interoperability*,
SO THAT NEVER AGAIN CAN VOTING MACHINE VENDORS DICTATE THE TERMS
OF SECURITY TO OVERLY-COMPLIANT ELECTION OFFICIALS.  



=============================================================================


Expanding the Threat Matrix, and the Alternative Explanations

Many people have outlined plausible scenarios for "election engineering" by the GOP. But in the interest of intellectual honesty, I'm going to throw some cold water on these ... and some hot water too.

The facts regarding voter caging, ballot shredding, and pressure/firings of US attorneys speak for themselves. But some are making a big leap of FAITH when they claim *intentional* election fraud via electronic voting machines. (Note: I'm NOT claiming there was no intentional electronic fraud. I AM claiming that such a "fact" has not been established.)

Granted, *intentional* fraud provides a comforting explanation for each piece of the apparent puzzle, but we shouldn't allow comfortingly-simplistic worldviews to lead us into unjustified conceptual traps.

As a computer security expert with 18 years experience, I actually read the (public versions of the) recent studies conducted by UC scientists for Calif. Sec. of State Bowen. My expert conclusion about the state of e-voting security? In layman's terms, it sucks!

Unfortunately, that's not the end of the story. Because not only does the security suck, but so also does the software quality: E-voting vendors' "trade secrets" obscured both porous security, AND poor quality. Some examples from the Sourcecode Reviews at

http://www.sos.ca.gov/elections/voting_systems/ttbr

  Hart p.43:
	"Issue 10: JBC internal version checking is broken" 

  Diebold p. 51: 
	"Issue 5.2.24: AV-TSX startup code contains blatant errors. That this code works at all seems purely accidental." 

  Sequoia p. i (Executive Summary): 
	"The software suffers from numerous programming errors" 

  Sequoia p. 39: "System Unreliability"
	"Performing normal actions would cause WinEDS to crash" 

  Sequoia p. 41: "Software Testing" 
	"Had any of these routines been tested even once ... the problem would have been discovered."


The software quality is so bad, that every instance of unlikely, unfair, or "impossible" electronic voting behavior I've seen *could* be due entirely to poor software quality -- basic bugs. But OTOH, the security engineering was so lousy, that all the above also *could* be due to intentional fraud, either by insiders or by "external" hackers. And unfortunately, the security was so lousy, that a competent professional team could erase all traces of their intentional fraud, and make the results appear to be caused by bugs.

We don't yet know. Most likely, we will never know if past elections were stolen by electronic fraud. (But we damn well better work to ensure we're not in the same position regarding future elections.)

Finally, a little hot water: I'm NOT a conspiracy theorist. However ... IF you believe there was intentional e-voting fraud in 2004, you really need to widen your conceptual horizons regarding who might have been the perpetrator(s). Look at means, motive, and opportunity, but also risk. Granted, various Republican operatives could have done it. But think of the risk if that were discovered! A major downside, not just for 1 election, but for a generation or more.

To my mind, a more plausible perpetrator is a nation-state.

For example, Russia fields a professional team; they can reward the silence of any operatives if they are discovered, and they had a very strong motive for keeping an easily-manipulable "soulmate" in the White House, and keeping the US military mired in Iraq.

Israel is another country with means (a first-class hacking corps), motive (aim the US military at Iran), and opportunity (numerous Israeli-American dual-citizens able to gain insider access to every stage of the electoral process).

I doubt we'll ever know, but it's wise to keep an open mind. The American Empire seems to be crumbling. It's only natural that others want to speed that process, and grab some of the choice pieces for their own benefit.

When the Soviet Union imploded, numerous domestic interests scrambled to grab control of any advantageous "big pieces" within reach. That's how the Russian Oligarchs came to rule the country, with Boris Yeltsin as their figurehead. Only after Yeltsin was succeeded by Vladimir Putin -- a former KGB agent -- was Russia able to gradually weaken the power of the Oligarchs.

Similar dynamics threaten our American Empire as it weakens. We should be especially vigilant against power-grabs by factions and would-be-warlords in our own Intelligence Agencies.

CIA and NSA, for example, are well-positioned to interfere with US elections -- either invisibly or blatantly. Why might they blatantly interfere? Because they can -- while maintaining plausible deniability about their actions.

In that situation, citizens would have ample evidence of election hacking, but we would not know who did it.

CIA, NSA, FBI, or other Intel. Agencies could easily "plant" evidence pointing to Russia or China, or our latest enemy-du-jour. Soon US citizens would be clamoring for CIA or NSA to certify both the E-voting machines, and the integrity of the election results!




