Information
Equipo Nizkor
        Bookshop | Donate
Derechos | Equipo Nizkor       

14Sep16


Sowing Doubt Is Seen as Prime Danger in Hacking Voting System


Russian hackers would not be able to change the outcome of the United States presidential election, the nation's most senior intelligence and law enforcement officials have assured Congress and the White House in recent weeks.

But disrupting it, they acknowledge, would be far easier — causing doubts in battleground states, prompting challenges to results and creating enough chaos to make Florida's hanging chads seem like a quaint problem from the analog age. By some measures, in fact, the disruption has already begun.

And meddling around the edges of an election could sow doubts about the legitimacy of the results — especially in a year in which the Republican nominee, Donald J. Trump, has told his supporters that the only way he will lose is if the election is "rigged," and while campaign officials for his Democratic opponent, Hillary Clinton, have held a series of meetings about preparing for the possibility that the vote will be hacked.

The White House has declined to name Russia publicly as the chief suspect in a series of recent hacks, and has worded its public warnings carefully. The greatest danger, Lisa O. Monaco, President Obama's domestic security adviser, said on Wednesday, is from attempts to cause "concern or confusion" about the voting system.

The systems most vulnerable to cyberattacks are large, centralized databases, where breaking into one part of the system can often give access to all of it. That is what happened to the Office of Personnel Management, which was unaware for more than a year as Chinese hackers stole credentials to get into its system, copied the highly sensitive security-review documents for nearly 22 million federal employees and contractors, encrypted the data and transmitted it out of the country.

By contrast, the American voting system, with its hodgepodge of state and local polling places, is protected by being decentralized and disconnected. "That makes it extremely disparate, extremely diffuse and, as a consequence, extremely difficult to have an effect across the board that would result in a change in results," Ms. Monaco said.

At a meeting last week that attracted many of the nation's top intelligence leaders, the F.B.I. director, James B. Comey, described the voting system as "clunky as heck," but a blessing "because it makes it more resilient and farther away from an actor who might be looking to crawl down a fiber-optic cable."

A recent attempt to steal voter registration rolls in Arizona by what the F.B.I. told state officials were Russian hackers, and a successful theft of voter information in Illinois, raised the question of whether the lists of registered voters at polling stations could be manipulated. One fear is that newly registered voters could be struck from the rolls. They could still cast provisional ballots, but the result would be long lines and delays. Another is that nonregistered voters, foreigners or felons who have been barred from voting might be able to enter the voting booth, leading to challenges.

The attempted breach in his state led Senator John McCain, Republican of Arizona, to charge in a Senate hearing this week that the Obama administration had been far too sanguine about the dangers facing the electoral process.

"Any attempt to interfere with American elections must be treated as a threat to our vital national security interests," Mr. McCain said after questioning Adm. Michael S. Rogers, the director of the National Security Agency, at the hearing. "Yet so far, the only response from the Obama administration has been a warning from the secretary of defense."

It is unclear if Mr. Obama raised the issue with President Vladimir V. Putin of Russia when they met 10 days ago in China. If an F.B.I. investigation finds overwhelming evidence of Russian government responsibility in the hacking of the Democratic National Committee or other recent breaches, the president would have to decide whether or how to respond.

Any response may not be made public, since Mr. Putin is seen as responding better to private warnings, or demonstrations of retaliation, than to anything that openly challenges his authority.

One reason officials like Mr. Comey have expressed confidence in the security of the vote is that most states (Pennsylvania is a notable exception) keep a paper backup of votes as they are cast. Paper trails are not foolproof. But their existence means that after a lengthy audit — even one as politically paralyzing as the 2000 recount in Florida — an accurate count would probably be made.

Voting machines are not supposed to be connected to the internet (though there are some exceptions), providing some additional measure of protection. But results are reported online, and one fear that federal cyberexperts have discussed is that a sophisticated "man in the middle" attack could allow hackers to take over internet systems used to report unofficial results on election night. Such a breach might not alter the official ballot count, but it could sow deep mistrust about the numbers that are broadcast.

"If I were a bad guy, I know I could manipulate the system," said Stuart McClure, the author of "Hacking Exposed" and the chief executive of Cylance, a company that uses artificial intelligence techniques to repel attacks on networks. "But the problem here is not really about manipulation. It's about the damage you can do with disruption, so that people lose confidence in the system."

Mr. McClure likened the problem to causing a blackout that would bring down part of a power grid. Chaos ensues, but eventually power is restored. The difference is that the nation's utilities now conduct twice-yearly "stress tests" of their resilience.

But the voting system has never been designated "critical infrastructure" by the Department of Homeland Security, something it suggested recently may soon change. And only a few states have even tried to subject their voting systems to a serious test attack, called "red teaming," by the military and intelligence agencies that regularly try to replicate how the systems would hold up against a sophisticated cyberattacker.

The two states that have conducted the most comprehensive top-to-bottom reviews of their voting systems, drawing on computer scientists, are California and Ohio. But those largely involved systemic audits, and they took place in 2007 — almost another era in the world of cybersecurity. And many other states have not even gone that far.

So far, the kinds of attacks on voting machines themselves have seemed pretty unsophisticated — they would embarrass any serious hacker working for Russia's old K.G.B., now called the F.S.B. — but have sometimes been extremely effective.

In Clay County, Ky., eight local election officials were convicted in 2010 of fooling voters who used "iVotronic" election machines, which resemble A.T.M.s. After casting their ballots, the voters pressed a big red button on a screen marked "Vote." But some of the machines then required the voter to touch another button, "Confirm Vote."

The officials were accused of trying to hide this last fact from voters, having them leave the booth as soon as they touched "Vote." When they left, the officials would review and sometimes change the votes, then confirm the selection.

The fraud left no paper trail and preyed on voters unfamiliar with the machines. But it also required hands-on tinkering with the actual machines. And since the machines are offline, that could not be done en masse, or from afar.

Keeping voting machines off a network is critical, but it is hardly a guarantee against hacking. The Iranians kept their nuclear centrifuges off any network, and it did not stop the United States and Israel from putting malware in the system — but again, it was a single, central system.

And there have been some isolated cases where states discovered they had machines that were not as insulated from the networked world as they thought. Last year, Virginia decertified the use of a certain brand of voting machines that had a wireless internet capacity, said Lawrence Norden of New York University's Brennan Center for Justice. He said he was unaware of any equipment currently in use that still had that vulnerability.

"When you think about someone in Moscow hacking into the voter registration database or D.N.C. email server, they are not going to be able to do that for voting machines" because they would have to gain access to each machine, said Mr. Norden, who has written several reports about election systems as deputy director of the Brennan Center's Democracy Program.

After the initial attack on the Democratic National Committee, the Department of Homeland Security began offering states a "computer hygiene" check that would automatically scan the internet addresses of any networked servers an election agency uses. That scan would look for malware or vulnerabilities, and the department would assist in patching them. The department will also send half a dozen or so specialists to the election agency's facility to perform a risk and vulnerability assessment.

The department also intends to have specialists working on election night at its National Cybersecurity and Communications Integration Center, which serves as a clearinghouse for information about cyberattacks.

So far, at least nine states have reached out to the department for consultations, the agency said.

The issue traces back to the botched 2000 vote count in Florida. The "hanging chads" defeated electronic vote-reading machines: The tiny bit of punched-out cardboard remained, and the machines could not count them accurately. Sometimes alternative systems are just as bad. While optical scanners avoid the chad problem, they can be confused when voters fill in the oval of a preferred candidate and then circle it for emphasis.

The first versions of A.T.M.-style touch-screen machines did not produce backup printouts, and many of those machines are still in service around the country. That makes it impossible to conduct a meaningful audit. Election officials and voter integrity advocates have been studying such gaps and trying to fix them over the past decade.

Still, some states have lagged, in part because buying new machines can be costly. Several other states, including Virginia and Florida, still have a few paperless machines available to provide special access to voters with vision problems.

Until recently, said Pamela Smith, the president of Verified Voting, a San Diego-based nonprofit that advocates improvements to voting equipment and systems, a manipulated election seemed more like a theoretical problem than a real possibility.

But the hacking of the Democratic National Committee's internal emails and of voter registration databases in Arizona and Illinois has focused minds.

"It's a reality check for the whole country," Ms. Smith said.

[Source: By David E. Sanger and Charlie Savage, International New York Times, Washington, 14Sep16]

Bookshop Donate Radio Nizkor

Privacy and counterintelligence
small logoThis document has been published on 29Sep16 by the Equipo Nizkor and Derechos Human Rights. In accordance with Title 17 U.S.C. Section 107, this material is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes.