The stakes are always high when it comes to software security, which is why the ongoing debate over open-source vs. proprietary tends to be passionate.
But the stakes rise to a new level when it comes to the security (and integrity) of a nation’s voting systems. Which makes a recent, relatively civil, squabble over the topic – 15 months out from the next national US election – both passionate and significant.
There isn’t much debate that something needs to be done to make voting systems – more than 8,000 jurisdictions in the 50 states – more secure.
While the US intelligence community concluded that Russian hackers were “probably unsuccessful” in tampering with votes in last year’s presidential election, that doesn’t mean they didn’t try, or that their chances of future success are low.
Richard Clarke, White House senior cybersecurity policy adviser for Presidents Bill Clinton and George W Bush, wrote before last year’s election that “the ways to hack the election are straightforward and are only slight variants of computer system attacks that we see every day in the private sector and on government networks in the US and elsewhere around the world”.
And to the argument that a jumble of thousands of different systems would make it difficult, he noted that it wouldn’t require a widespread attack. “In America’s often close elections, a little manipulation could go a long way,” he wrote.
Bloomberg reported two months ago that federal investigators found “incursions into voter databases and software systems” in 39 states – more than twice the number previously reported. The news agency said a classified National Security Agency (NSA) document reported “potentially deep vulnerabilities in the US’s patchwork of voting technologies …” and cited former FBI director James Comey warning that the Russians are “coming after America. They will be back.”
So, what to do? That’s where the argument begins. According to former CIA director R James Woolsey and Brian J Fox, original author of the GNU Bash shell and longtime free software advocate, the “obvious solution” is to run US voting systems with open-source software.
In an op-ed in the New York Times, the two noted that the National Association of Voting Officials, a California nonprofit, is leading the campaign to “begin to use software based on open-source systems that can guard our votes against manipulation”.
They cited the standard arguments in its favor:
Despite its name, open-source software is less vulnerable to hacking than the secret, black box systems like those being used in polling places now. That’s because anyone can see how open-source systems operate. Bugs can be spotted and remedied, deterring those who would attempt attacks. This makes them much more secure than closed-source models like Microsoft’s, which only Microsoft employees can get into to fix.
But that prompted a rejoinder on the Lawfare blog from Matt Bishop of the University of California, Davis, with contributions from seven other experts at institutions ranging from MIT to the Center for Democracy and Technology, reminding us all of the uncomfortable reality that so far there is no such thing as bulletproof security, no matter what software is being used. As Bishop put it:
Making source code available to everyone for inspection makes it available to the attackers for inspection. And the attackers are often highly motivated to find vulnerabilities. Complicating this is the relative ease of identifying one vulnerability and the difficulty of finding them all. Attackers need to find just a single flaw in order to exploit a system.
Even perfect software doesn’t guarantee perfect security. “Consider a system that uses a difficult-to-guess password, but that password can be found on a website. No amount of scrutiny of the system will reveal this flaw,” Bishop wrote.
The group doesn’t object in principle to open source. “We believe there are excellent reasons to move to open-source voting systems,” Bishop wrote, including:
- Allowing vendor claims to be verified.
- Such software, running on commercial, off-the-shelf hardware, “could be far cheaper to acquire and maintain than proprietary voting systems”.
- Promoting a “competitive market for technical support for local election officials”.
- Making it easier to “audit against the paper trail more efficiently than commercial systems permit”.
“But adopting open-source systems would not by itself provide any assurance that computers used in voting are doing what they are supposed to do,” Bishop wrote.
Clarke provided a short list for what he called “minimal election security standards”:
- Don’t connect any vote-recording machine to any network — including LANs and VPNs.
- Create a paper copy of each vote recorded, and keep them secured for at least a year.
- Conduct a verification audit within 90 days on a statistically significant level.
It is probably also useful to keep in mind that voting systems are designed, run, secured and overseen by humans. Which creates its own challenges that can confound the best technology.
One of them is the clueless worker. The late Kevin McAleavey, cofounder and chief architect of the KNOS Project and a malware analyst, said last fall that most of the recent breaches of campaigns, voter roll lists and other confidential information were “done with malware planted by an unsuspecting, authorized user of the systems who got phished and clicked on the bait”.
And then there is the challenge of those who are not clueless, but malicious. As one of the world’s most lethal dictators, Joseph Stalin, put it: “I consider it completely unimportant who in the party will vote, or how; but what is extraordinarily important is this – who will count the votes, and how.”
Pankhurst
What is lost by returning to paper ballots being put in sealed boxes which are then accompanied to counting centres and opened in front of party agents and counted?
Mahhn
The ability to recount and ensure integrity of votes, plausible deniability by the winner of cheating, exposing corruption in voting process.
Pankhurst
Sorry, but with a manual “public” count of real ballot papers you have a level of transparency that is very hard to replicate in an electronic system.
As a party nominated election agent you watch (from behind a barrier so that you cannot physically touch the ballots)
– the sealed boxes being opened
– the total ballots counted and verified against the number of ballots issued at that polling station and the number of voters marked in the rolls as having voted at that station
– the ballot papers being sorted into piles according to candidate voted for and bundled into 100s (or whatever agreed unit)
– the piles “pile up” on the results table
Dubious, potentially spoilt and “write-in” ballots are examined by returning officers in front of party agents and their disposition agreed.
Recounts can be either:
– verification that bundles are in the right pile, or where the result is very close
– checking that every ballot in every bundle is for the particular candidate.
In the UK, if there are concerns of major interference, each ballot paper has a number and *if necessary* the election court can order these to be traced back to the number recorded against the electoral roll and the ballot paper issued. This is virtually unknown – but is a protection against ballot-stuffing.
Counts tend to be non-contentious and actually relatively friendly (if tense) events – because the system is transparent and trusted. In most constituencies they take place (for Parliamentary elections) overnight. You can’t get a result by pressing a button when the polls close, but you do get this “event” when the parties come together and observe (and accept) the result. In the UK we usually know who the new Governing Party (and Prime Minister) is within 12 hours of the close of polls.
Even in parts of the UK advanced enough to have preference voting (and a ballot may move between a voter’s preferences), a paper based system can be counted in less than a day.
Wilbur
One big thing that is lost is time – election officials are under enormous pressure from the news media demanding election results before the polls even close. Result predictions on US national elections have been announced before some west coast residents have voted. The other thing that is lost is profits for the high-tech industry.
Pankhurst
Which to me all sound like very good reasons for it taking a bit of time!
– News media should not drive the process (especially not demanding results before polls close)
– You could argue that announcing East Coast results before West Coast voters have voted may influence whether West Coast voters even bother to vote
– the involvement of high-tech in the voting process should be potentially worrying – especially if those companies are partisan
In the UK the News Media love the “all-nighter” of election night with hours of speculation and discussion as the results start to come in. I think they would be disappointed if all was revealed at the press of a counting button a few minutes after polls had closed. It is also fun watching partisan pundits and politicians on these overnight results shows trying to adjust their positions as the results come in and they get more and more tired! Hubris!
Many still remember the water-cooler discussions “Were you still up and watching when Portillo lost his seat?” (which I think was 1997)!
DaveC
Time is of the essence. That said, every system can be hacked. No exceptions. Both automated and manual. Accept this as a given and proceed from there. Tech teams on proprietary systems are as competent as those on ‘open source’. But workers on proprietary systems are bound by non-disclosure clauses limiting their ability to ‘out’ a malicious player. Take to heart Stalin’s observation and don’t be fooled. The more (competent and interested) eyes looking at a problem the better chance there is of finding a flaw. But the intelligence behind those eyes must be at liberty to disclose what they find without fear of repercussions.