You can easily secure America's e-voting systems tomorrow. Use paper – Bruce Schneier

As it emerges non-internet-connected election systems are actually connected to the internet

Black Hat: While various high-tech solutions to secure electronic voting systems are being touted this week to election officials across the United States, according to infosec guru Bruce Schneier there is only one tried-and-tested approach that should be considered: pen and paper.

It's the only way to be sure hackers and spies haven't delved in from across the web to screw with your vote.

“Paper ballots are almost 100 per cent reliable and provide a voter-verifiable paper trail,” he told your humble Reg vulture and other hacks at Black Hat in Las Vegas on Thursday. “This isn’t hard or controversial. We use them all the time in Minnesota, and you make your vote and it’s easily tabulated.”

The integrity of the election process depends on three key areas: the security of the voter databases that list who can vote; the electronic ballot boxes themselves, which Schneier opined were the hardest things to hack successfully; and the computers that tabulate votes and distribute this information.

Election security is a hot topic at the Black Hat and DEF CON hacking conferences this year, and a matter of increasing national concern. Two pieces of legislation, one requiring paper ballots be produced for every vote, and another requiring parties to inform the FBI if foreign governments quietly hit them, passed the US House of Representatives last month.

However, Senate majority leader Mitch McConnell (R-KY) has refused to table the legislation in the upper house, saying the bills were partisan. Entirely coincidentally, it has subsequently come out that "Moscow Mitch" accepted thousands of dollars in lobbying cash from election machine manufacturers.

“The problem with election security is politics,” Schneier said. “We have a party in the US that doesn’t favor voting.”

Warning signs

Schneier's comments came on the same day that investigative reporter Kim Zetter revealed that America's election management systems that are not supposed to be connected to the internet long term were, and still are, in fact connected to the internet.

We're told ten security eggheads found that dozens of back-end election systems manufactured by ES&S had been left facing the internet for ages. The systems are designed to receive preliminary voting tallies from ballot machines after the polls close, remaining online for a very short period, and yet many were still lingering around on the 'net to this day. They do not count up the final results, it must be stressed: those totals are obtained by extracting data from the memory cards in the individual voting machines and processing all that offline.

The idea is that, during election night after the polls close, these back-end internet-connected systems receive initial tallies from e-voting boxes via SFTP behind a Cisco firewall, yet they end up being left online for many months after. If someone were to hack into these back-end computers and tamper with them on a crucial election evening, the preliminary counts arriving from the e-ballot boxes – figures that are quickly handed to the media for live analysis – could be intercepted and altered so that when the official numbers come in from the memory cards, there is enough mistrust among the public that no one believes which result is real.

It is, if you'll forgive us, a bit of a stretch: you'd need to pwn the SFTP server after getting through the filters on the Cisco firewall in order to get anywhere inside. Yet, it would be lovely if officials could get on top of their IT equipment, and take offline systems that are supposed to be offline, as America gears up for the crucial 2020 White House race.

The government is here to help

Schneier also spoke of the importance of technically skilled people getting into government, a topic he has raised before.

The technical knowledge of most congresscritters is sadly lacking, Schneier said, and they need good advice. He pointed to a big improvement in the statements issued by Senator Ron Wyden (D-OR) after the ACLU’s Christopher Soghoian joined his team.

Schneier suggested that technologists can do the most good for the country by avoiding running for public office, and instead joining regulatory agencies. Legislators may enact major new laws on technology once a decade or so, but federal agencies are much more flexible and can make policy quickly and often.


He was blisteringly scathing about the Active Cyber Defense Bill, being considered by Congress. The legislation, introduced by House Representative Tom Graves (R-GA), would legalize “hacking back,” whereby if a company is pwned online, it can legally go after its attacker.

“I’m sure there are some IT managers who would love to break out the attack code but it’s a terrible idea,” he said. “There’s a good reason why we give government a monopoly on violence: vigilante mobs get it wrong.”

He was also dismissive of recent noises from the US and other Five Eyes nations to force technology companies to introduce backdoors into encryption exclusively for law enforcement to use. Such calls have been going on since the 1990s, he pointed out, and so far it had been all talk.

“We’ve seen the Australian law passed, and the UK is moving on it too,” he said. “But in the US we have a very different relationship with government. Americans just don’t trust their governments as much as the UK and Australia.” ®
