Senators act to SAVE voting machines

Looks like it’s at least a possibility that DefCon won’t be the only place hackers can compete for prizes by exposing flaws in US voting systems.

Proposed legislation with bipartisan sponsorship – US senators Martin Heinrich (D-NM) and Susan Collins (R-Maine) – would empower the Department of Homeland Security (DHS) to sponsor a competition similar to DefCon’s “Voting Machine Hacking Village” this past summer that – not surprisingly – resulted in white-hat hackers finding numerous vulnerabilities in voting machine software.

Not that it’s even close to a done deal. The bill [PDF], with the title as usual crafted to yield an easy-to-remember acronym – the Securing America’s Voting Equipment Act (SAVE) of 2017 – hasn’t even been assigned a number. The space for which committee will be assigned to consider it is blank.

Still, the fact that such a bill has even been drafted is a declaration from the sponsors that, protests in some states notwithstanding, it is time for a national effort to ensure that electoral results are credible – which means giving voters good reason to believe the systems are secure from tampering.

“Until we set up a stronger set of protections for our election systems and take the necessary steps to prevent future foreign influence campaigns, our nation’s democratic institutions will remain vulnerable,” Heinrich told reporters.

The bill calls for the “Cooperative Hack the Election Program,” to be in place one year after the bill is enacted. Its purpose is:

… to strengthen electoral systems from outside interference by encouraging entrants to work cooperatively with election system vendors to penetrate inactive voting and voter registration systems to discover vulnerabilities of, and develop defenses for, such systems.

The program would offer awards for finding the most significant vulnerabilities, but doesn’t specify how much they would pay.

It also gives hackers a pass from the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA), which is in the middle of a three-year waiver for researchers, as long as they don’t exploit the flaws for their own purposes or reveal them publicly before providing the information to the DHS.

Beyond the hacking competition, the bill would also:

• Formally designate voting systems as “critical infrastructure” – something DHS did last January.
• Provide grants to help states improve the security of their voting systems.
• Require voting system integrity audits, beginning in 2019 and continuing every four years after that. Only systems that passed the audit criteria could be used in future elections.
• Improve classified information sharing from the federal government to the states regarding security threats to voting systems. This would be accomplished by Director of National Intelligence (DNI) providing security clearances up to the “top-secret” level to each “chief eligible state election official” plus one more designee of that official, who would then be able to receive the information.

The bill gets a reasonably good review from Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, who calls it, “a pretty strange-looking bug bounty program,” but adds that given that it is, “brand-new territory for both legislators and election officials, it’s understandable it might need some tweaking.”

He applauds the exemptions from the CFAA and DMCA, but says some of the restrictions – on exploiting vulnerabilities and public reporting, “could use some attention.”

It’s often necessary to exploit a vulnerability in order to adequately evaluate the security system in the face of that flaw. I think the most important question here is what would this do above and beyond what we can do with things like the DefCon Voting Village or non-federal bug bounty programs from state or local election officials.

Still, even given that, selling it in Congress might seem to be a layup, even in the current contentious political environment – who doesn’t want secure, credible election results? But not all states have welcomed federal involvement, even if well intentioned.

When former DHS secretary Jeh Johnson offered last August to inspect state voting systems for online vulnerabilities, several states rejected the overture. Georgia Secretary of State Brian Kemp branded it a “vast federal overreach,” declaring in an email to Nextgov that, “the question remains whether the federal government will subvert the Constitution to achieve the goal of federalizing elections under the guise of security.”

Even though it seemed pretty obvious they needed the help. Zeynep Tufekci, a University of North Carolina information and library science professor, had recently told National Public Radio that Georgia’s electronic voter machines, which provided no paper trail:

… are more than a decade old, so the hardware is falling apart. And the operating system they’re using is Windows 2000, which hasn’t been updated for security for years, which means it’s a sitting duck.

Ironically enough, Kemp is now the lead defendant in a lawsuit, Curling v. Kemp, that seeks to annul the results of a 20 June 2017 special election in Georgia for Congress in which Republican Karen Handel beat Democrat Jon Ossoff. The plaintiffs allege that the voting systems used were out of date and insecure, and provided no paper backups.

The latest news in that case is that even electronic information may have gone missing – a server and its backups that were said to be key evidence in the case were deleted. But Kemp’s office contends there was nothing nefarious going on, since the data still exist elsewhere. Ars Technica reported that according to Ryan Germany of the Secretary of State’s office:

Current indication is that the FBI retained an image of the data on those servers as part of their investigation and that it will be available for use in the ongoing litigation.

Still, that is yet another reminder that until (or if) electronic voting systems become more secure through the SAVE Act or other initiatives, a lot of headaches and legal expenses could be avoided simply by using paper.

As we reported a few weeks ago, Lawrence Norden, co-author of a September 2015 report for the Brennan Center for Justice titled “America’s Voting Machines at Risk,” called it the most effective security measure at the moment:

The most important technology for enhancing security has been around for millennia: paper. Specifically, every new voting machine in the United States should have a paper record that the voter reviews, and that can be used later to check the electronic totals that are reported.