
You can easily secure America's e-voting systems tomorrow. Use paper – Bruce Schneier

As it emerges non-internet-connected election systems are actually connected to the internet


Black Hat While various high-tech solutions to secure electronic voting systems are being touted this week to election officials across the United States, according to infosec guru Bruce Schneier there is only one tried-and-tested approach that should be considered: pen and paper.

It's the only way to be sure hackers and spies haven't delved in from across the web to screw with your vote.

“Paper ballots are almost 100 per cent reliable and provide a voter-verifiable paper trail,” he told your humble Reg vulture and other hacks at Black Hat in Las Vegas on Thursday. “This isn’t hard or controversial. We use them all the time in Minnesota, and you make your vote and it’s easily tabulated.”

The integrity of the election process depends on three key areas: the security of the voter databases that list who can vote; the electronic ballot boxes themselves, which Schneier opined were the hardest things to hack successfully; and the computers that tabulate votes and distribute this information.

Election security is a hot topic at the Black Hat and DEF CON hacking conferences this year, and a matter of increasing national concern. Two pieces of legislation, one requiring paper ballots be produced for every vote, and another requiring parties to inform the FBI if foreign governments quietly hit them, passed the US House of Representatives last month.

However, Senate majority leader Mitch McConnell (R-KY) has refused to table the legislation in the upper house, saying the bills were partisan. Entirely coincidentally, it has subsequently come out that "Moscow Mitch" accepted thousands of dollars in lobbying cash from election machine manufacturers.

“The problem with election security is politics,” Schneier said. “We have a party in the US that doesn’t favor voting.”

Warning signs

Schneier's comments came on the same day that investigative reporter Kim Zetter revealed that America's election management systems that are not supposed to be connected to the internet long term were, and still are, in fact connected to the internet.

We're told ten security eggheads found that dozens of back-end election systems manufactured by ES&S had been left facing the internet for ages. The systems are designed to receive preliminary voting tallies from ballot machines after the polls close, remaining online for a very short period, and yet many were still lingering around on the 'net to this day. They do not count up the final results, it must be stressed: those totals are obtained by extracting data from the memory cards in the individual voting machines and processing all that offline.

The idea is that, during election night after the polls close, these back-end internet-connected systems receive initial tallies from e-voting boxes via SFTP behind a Cisco firewall, yet they end up being left online for many months after. If someone were to hack into these back-end computers and tamper with them on a crucial election evening, the preliminary counts arriving from the e-ballot boxes – figures that are quickly handed to the media for live analysis – could be intercepted and altered so that when the official numbers come in from the memory cards, there is enough mistrust among the public that no one believes which result is real.

It is, if you'll forgive us, a bit of a stretch: you'd need to pwn the SFTP server after getting through the filters on the Cisco firewall in order to get anywhere inside. Yet, it would be lovely if officials could get on top of their IT equipment, and take offline systems that are supposed to be offline, as America gears up for the crucial 2020 White House race.

The government is here to help

Schneier also spoke of the importance of technically skilled people getting into government, a topic he has raised before.

The technical knowledge of most congresscritters is sadly lacking, Schneier said, and they need good advice. He pointed to a big improvement in the statements issued by Senator Ron Wyden (D-OR) after the ACLU’s Christopher Soghoian joined his team.

Schneier suggested that technologists can do the most good for the country by avoiding running for public office, and instead joining regulatory agencies. Legislators may enact major new laws on technology once a decade or so, but federal agencies are much more flexible and can make policy quickly and often.

He was blisteringly scathing about the Active Cyber Defense Bill, being considered by Congress. The legislation, introduced by House Representative Tom Graves (R-GA), would legalize “hacking back,” whereby if a company is pwned online, it can legally go after its attacker.

“I’m sure there are some IT managers who would love to break out the attack code but it’s a terrible idea,” he said. “There’s a good reason why we give government a monopoly on violence: vigilante mobs get it wrong.”

He was also dismissive of recent noises from the US and other Five Eyes nations to force technology companies to introduce backdoors into encryption exclusively for law enforcement to use. Such calls have been going on since the 1990s, he pointed out, and so far it had been all talk.

“We’ve seen the Australian law passed, and the UK is moving on it too,” he said. “But in the US we have a very different relationship with government. Americans just don’t trust their governments as much as the UK and Australia.” ®
