Video With too many electronic voting systems buggy, insecure and vulnerable to attacks, US election officials would be well advised to keep paper trails handy.
This is according to Dr Matt Blaze, a University of Pennsylvania computer science professor and top cryptographer, who spoke to Congress this week about cyber-threats facing voting machines and election infrastructure.
Among Blaze's recommendations is that rather than rely on purely electronic voting machines to log votes, officials use optical scan machines that retain a paper copy of each voter's ballot that can be consulted if anyone grows concerned about counting errors or tampering. In other words, due to the fact that everything has bugs and flaws, truly paperless voting systems should be a no-no.
"In many electronic voting systems in use today, a successful attack that exploits a software flaw might leave behind little or no forensic evidence. This can make it effectively impossible to determine the true outcome of an election or even that a compromise has occurred," Blaze told [PDF] the House Committee on Oversight and Government Reform.
"Unfortunately, these risks are not merely hypothetical or speculative. Many of the software and hardware technologies that support US elections today have been shown to suffer from serious and easily exploitable security vulnerabilities that could be used by an adversary to alter vote tallies or cast doubt on the integrity of election results."
It took DEF CON hackers minutes to pwn these US voting machinesREAD MORE
The recommendation was one of several Blaze made to Congress to address what he says is a problem compounded by both the increasing sophistication of cyber attacks and the inherent complexity of managing voting systems in multiple jurisdictions over long areas, as is the case with US elections.
Blaze also believes regular audits need to be performed on election systems, including after every election. Those audits would be able to help spot potential software failures in voting machines as well as spot possible attacks on voting machines and networks.
Finally, Blaze said, the training and resources afforded to both local and state voting officials needs to improve. In particular, training on how to spot and avoid sophisticated cyber attacks that would seek to sway an election either by manipulating the vote tally itself or with more subtle tactics.
"Electronic voting machines and vote tallies are not the only potential targets for such attacks. Of particular concern are the back end systems that manage voter registration, ballot definition, and other election management tasks," Blaze told Congress.
"Compromising any of these systems (which are often connected, directly or indirectly, to the Internet and therefore potentially remotely accessible) can be sufficient to disrupt an election while the polls are open or cast doubt on the legitimacy of the reported result."
He also appealed on Twitter to fellow computer security experts to help shore up tabulation system defenses, cautioning them, though, to understand the tricky rules and red-tape involved in the administration of American elections:
Plea for infosec folks interested in voting system security: Your expertise is valuable and welcome, but will likely be ignored if you don't take the time to learn something about the (complex and highly constrained) problems and existing work in the field.— matt blaze (@mattblaze) November 30, 2017
Or as one election clerk summarized: please help, but please don't assume officials are morons...
Acid etch this tweet on the copper plate of your memory, people. Most of the folks on my side(elex admin) genuinely love talking shop with tech people. We just don't want to be told we're incompetent. https://t.co/ayeNtS4kkB— Clerk of Election (@ElectionBabe) November 30, 2017
You can catch the committee hearing in the video below, and read written statements from panel chairman Will Hurd (R-TX) here; Homeland Security official Chris Krebs, here; Secretary of State of Louisiana Tom Schedler, here; Virginia Department of Elections Commissioner Edgardo Cortés, here; and Brookings Institution national security law expert Susan Hennessey, here. ®