Main point: Public officials must keep the public both safe and calm.
The danger is when reassurance, not safety, becomes the goal.
Election officials are keeping our voter registration system safe.
They are reassuring us about our vote-counting system.
“Smile, you son of a bitch.” – Martin Brody, to the shark.
Yesterday’s Wisconsin Elections Commission (WEC) meeting was packed with more cameras than I’d ever seen there. A few days earlier, the federal Department of Homeland Security announced that Russian-government backed hackers had tested the security of Wisconsin’s online voter registration system. They hadn’t gotten in. The ‘attack’ was, the computer experts say, like jiggling a locked door knob.
“I don’t get it.” I told a reporter as the meeting got under way. “Hackers are continuously testing every computer system. The Russian government is known for cybercrime. It would be news if they were not testing the security of our elections systems.”
I don’t remember his response, other than it wasn’t convincing. I fear the real answer is that his editors know which stories get the web clicks.
The facts calmed the reporters down. State officials from the WEC and the Wisconsin Division of Enterprise Technology (DET) explained their system of continuous defense against hackers’ efforts. Millions of efforts to get into the system are detected every week, from anonymous Internet addresses all over the world. All unrecognized addresses are locked out. A continuous electronic record is kept of any changes to the system, so that any unauthorized changes can be noticed and reversed. Daily backups and detailed plans are in place so that if some malicious code ever causes the system suddenly to garble or erase our voter registrations on election morning, a correct version can be quickly brought up.
They can tell you exactly how many times the doorknob was jiggled during any given hour. They can tell you the Internet addresses of the jigglers. What state officials don’t know is the jigglers’ true identity, but that doesn’t matter if they don’t get in. No crime committed, no harm done. State officials were convincingly competent and straightforward. The story that later appeared in the paper made the federal officials, not the state ones, look like the Keystone Cops.
The benefit in this whole silly dustup was that WEC and DET got a chance to explain the security of our voter registration system to the press—while the press was willing to listen. When officials are keeping us safe, reassuring the public is usually as easy and effective as just telling the truth.
The officials’ explanation about our voter registration system confirmed my trusting assumptions about its security.
But the security of our vote-counting software is a completely different story.
And the reassurances we always get should be a dead giveaway there's danger in the water.
“As you can see, it's a beautiful day, the beaches are open and people are having a wonderful time. Amity, as you know, means "friendship".” - Mayor Vaughn, to a reporter.
Like ‘baby’ in a pop song, election officials’ remarks yesterday continuously repeated “We’re talking about the voter-registration system, not the vote-counting systems.”
The reporters’ keyboards clicked along to the beat. Yeah, yeah, yeah. We won't talk about the vote-counting systems.
The reporters, on deadline, seemed oblivious to the silence about the vote-counting software.
Is that because there is no jiggling of our vote-counting system's dooknobs?
Are the state officials just too modest to give us the same impressive description of the security for the vote-counting system that they did for the voter-registration system?
Here's why we don't get convincing, impressive descriptions of that security system.
Because it doesn't exist. That's why.
"We've seen no evidence of tampering with the vote-counting system." The furor about Russian testing of our voter-registration system’s security was made possible by federal officials’ looking for it. But neither they nor state officials make any similar efforts to detect any doorknob jiggling of our vote-counting software.
In the United States, the vote-counting software is the proprietary property of the private voting-machine companies. Election officials don't own it, control it, or inspect it. Neither federal nor state officials routinely go into the offices of voting-machine companies like ES&S or Dominion. They don’t download the event record of the companies' internal computers or scan every IP address that came around jiggling their doorknobs.
"Our decentralized vote-counting system makes hacking unlikely." After the vote-counting software is produced at the companies, it's downloaded to the dozens of computers that will be used to design the ballots for each election and to tell the voting machines how to read those ballots. These are the 'election management systems' that reside at the vendor's regional offices, the voting-machine service companies like Command Central, and in the offices of county election officials.
When election officials talk about the security of the vote-counting systems, they often refer to this decentralization. They say it makes the system harder to hack.
Perhaps they imagine a hacker could not steal our Electoral College votes or to pick our next governor unless he designed a hack specifically for every type of voting machine used in Wisconsin, and altered the results in every county--not just Milwaukee. But you can see the silliness of that. (What's Russian for "Darn it, we missed Forest County. Well, maybe next year."?)
Not only does the decentralization provide little protection, it multiplies the possible entry points and places them in the physical control of an army of people with no particular IT security expertise, and often no access to any.
After the software is downloaded to the local election-management computers, it's revised for each new election and then copied onto removable drives--typically, the same sort of USB drive you can buy at the drugstore. The drives are then handed off to the municipal clerks, who load the software onto each voting machine.
On Election Day, it's in the physical control of the poll workers. At this point, we should probably be hoping that the possessors of the software have no IT expertise, rather than wishing that they did.
Between elections, the vote-counting computers are stored in very town, village, and city in the state, under conditions that the election officials themselves don't always control.
No one exercises any oversight of this disjointed system. Computer security expert Bruce Schneier told NPR's Science Friday that federal voting-system security standards were outdated long ago, and no one is now exercising any oversight even if the standards were current. Vendors can coach county clerks on how to maintain security, but they have no way of knowing whether the clerks follow their instructions. To my knowledge (and I asked when I can), no state or local official ever attempts to oversee or even ask about voting-machine company security. They wouldn't know how to evaluate it if they did, or any authority to force corrections.
Johns Hopkins University Computer Security Professor Aviel Rubin made a point of contacting the major voting-machine companies who count America's votes. He reported "I have yet to meet an American voting system manufacturer that employs even one full-time trained expert in computer security."
"Our voting machines are never connected to the Internet." This used to be true, but there's no machine on the market anymore without the capability of electronically transmitting results after the polls close. That, however, is not and never was the big risk. Connecting a voting machine to the Internet or to a cell phone tower after the polls close doesn't give a hacker any opportunity to alter a hard-copy poll tape you've already printed. Having observed more poll-closings than I can count and several canvass meetings, I can vouch for the fact that is the one hack our election officials would likely detect and could easily correct.
The vulnerability comes before the votes are counted, not after. The big risk of manipulation--in fact the one that forensic IT security experts deem the greatest--doesn't come from the Internet at all, but from insiders with authorized access to the software. Because no state or local election officials have the authority or ability to inspect the vote-tabulating software for integrity, even lightly sophisticated individuals--at the voting machine company, the service company, the local official's office, or anywhere along the chain of custody--could alter the software and not be noticed. Thousands of people have authorized access to our vote-counting software or hardware between every election. Many of them, in the testing laboratories, voting-machine companies and service companies, understand the code. Many of the others likely can be bought--they are humans.
But hackers without authorized access can get in. The vote-counting software is created, updated, and maintained not on each individual voting machine, but on computers that are almost certainly, at some time, connected to the Internet.
And local election officials have no way to tell whether and when the individual voting machines are communicating with other machines. Wireless communications capability can be installed inside any computer or voting machine--antenna and all--without their knowledge and controlled by anyone within transmission range. Local election officials never inspect the insides of the voting machines for surreptitiously installed wireless cards, and few would know what to look for if they did.
"No election has ever been hacked." Our election officials have one practical opportunity to check the system's integrity. But they don't use it. If any election ever has been hacked, it's likely no one noticed.
Yet despite the widespread concern about the security of last year’s presidential election, not a single state had routine procedures in place to verify an accurate statewide vote count. Michigan, Pennsylvania, and Florida proved unable to document accuracy even when directly challenged, unable to get a recount even started.
Wisconsin did best. Every county at least double-checked things like the handling of absentee ballots, but only half of the vote totals were checked for accuracy. The other half were just run back through the same computers, so any electronic miscounts would have just been repeated. We know that some were miscounted twice.
State officials in Wisconsin recently scored a first, when in January they detected a few miscounting computers—after the winners from the previous November were already sworn into office. To their credit, they decertified the machines. They are still are not sure what caused the miscounts—they know ink color on the ballots contributed, and that from their size and randomness, the miscounts seem unlikely to be even a trial-run hack.
What to do?
Face it: State and local election officials will never have the authority, skill, or money to maintain strong IT security for our vote-counting software. It's just not going to happen. Elections are too intermittent, the workforce too temporary, the property taxpayers too stingy to make good security possible.
Our only hope for protecting our election results from hackers--and from malfunctions, glitches, and human operator error--is to notice and correct any miscounts before results are certified.
If the polls opened and voter registrations were garbled, we would notice. Perhaps that's why those responsible for the software are so vigilant--they know any laxity will get found out.
But we cannot sit by the television on Election Night and say “Hey! That’s not how we voted!” Voters have no way to tell honest election results from false ones. And maybe that's why checking accuracy is such a low priority for our election officials. If they don't detect the miscounts, they can keep saying--honestly--"We've never known an election to be hacked."
Most states now have paper ballots, or at least paper audit trails, that could be used to check the accuracy of the computer output. National election authorities have developed, and national officials endorsed, efficient methods that don't require a full hand count.
Every other public official takes responsibility for the accuracy of their work product. It's long past time for voters to insist their election officials do the same.