Saturday, December 3, 2016

Technology & the 2016 Election Part 2: Voting Integrity

This is my second post on how the 2016 election was defined not so much by flamboyant personalities but rather by the influence of technology on the election process. Today, I’m going to take a look at voting integrity, foreign influence and cyber threats.
At this very moment, election officials in Wisconsin are preparing to conduct an election recount requested by third-party candidate Jill Stein. The request came after a blog post appeared, written by Professor Alex Halderman, who is on the board of advisors for the Verified Voting organization. In that post, Halderman stated that while there was no obvious evidence of voter fraud in the election, there were legitimate concerns regarding voting integrity based on a number of factors that have emerged from this year’s election.
So, why should we care about those concerns? Isn’t this just politics as usual? Good question. Here are some of the elements of this year’s election which seem a bit unusual:
  • Initial claims that all of the elections (and I refer to elections here because each State manages them somewhat differently, but we’ll come back to that in a moment) were going to be rigged – this in itself was very strange and went so far as Trump stating he might not support the results if he lost. I can’t be sure of it, but I’m fairly certain that might be the first time in American history where a major candidate made such a statement.
  • Documented instances of election-related hacking by a foreign power and warnings of potential further acts from the US Intelligence Community. This accusation didn’t come from one party or another – it came from the FBI in October.
  • Potential interference by the same foreign power in other elections – There are indications that Russia may have also been involved in trying to influence the Brexit vote in the United Kingdom and this week, the head of German intelligence made an announcement that Russians may be prepared to launch attacks next year (with the aim of disrupting elections).
  • Discrepancies in exit polling and ballot results in some locations. Only one poll out of hundreds accurately predicted the national outcome, and many state-level polls turned out to be wrong as well. While this in itself may be explainable due to margin of error and last-minute shifts in sentiment, when taken in context with the rest of what’s been happening it seems at least a little bit fishy.
It is worth noting here that when we’re talking about potential election fraud, there is a somewhat bizarre disconnect in the US as to what election fraud actually represents. Let’s take a look at that for a moment…
The Question of Election Fraud – The Big Picture
One thing that has puzzled me over the years, especially since the emergence of electronic voting, is why, in the US, almost all discussion of voter fraud happens within the context of individual voter fraud. To me this is a bit like saying that the only important crime that occurs is shoplifting at convenience stores, while hacking into accounts and stealing billions of dollars isn’t troubling at all. Granted, petty theft is real and it is a problem, but one would have to ask: does it represent a threat to our financial system? Obviously, it doesn’t. And perhaps this isn’t the best analogy ever (as there is far more petty theft than documented voter fraud on the individual level), but it helps to make the point in terms of scale and impact. We can’t see the forest for the trees here – we’ve simply been having the wrong conversation. The conversation should be about how intelligent enemies of Democracy, nation-states or terrorists could use their resources to influence or disrupt our political system by manipulating the American electoral process. And we need to keep in mind that this is not a partisan contention tied to any one election – it should be of equal importance to all sides within our political spectrum and applies to all current and future election cycles.
Another key point is the pragmatic nature of effective election manipulation. How would one of these rogue nations or organizations go about interfering in the American election process? Well, it would happen in one of the following ways (or potentially through a combination of them):
  • Through infection / control of individual voting machines with malware designed to manipulate votes. (Moderately Effective)
  • Through infection / control of election ‘back office’ systems designated to aggregate vote totals. Many people may not realize it, but these systems have been around for quite some time (since the 1960s). (Most Effective)
  • Through interception of vote totals between systems (data in transit). (Moderately Effective)
  • Through manipulation of Voter Registration information systems / data. (Moderately Effective)
We could also add to these the relatively intangible types of interference like those mentioned in part one of this article where I described briefly how fake news is being used to help shift voter sentiments. All of these things are hardly new (except that the technology has simply made it easier to manipulate large numbers of votes simultaneously) and have occurred in other countries before – some of them might be considered “Black Ops” and at one time were just standard features of Cold War proxy contests in the American & Soviet spheres of influence. The thing is though, back during the Cold War, these types of things happened elsewhere, not in the United States itself.
Bottom line - If someone really wanted to influence an election, they could do it in a number of meaningful ways and all of those ways involve technology at a system rather than an individual level.
This seems less about politics and more like Cyber Security, doesn’t it? In Cyber Security, the obvious question that one starts with, regardless of the industry or context, is this: if it is reasonable to assume that a vulnerability exists that someone, sometime, somewhere eventually could exploit, will it actually be exploited? The answer to this question is almost always yes, and this has been borne out by events. While there is often a time delay between the appearance of a perceived vulnerability and the exploitation of that vulnerability, eventually the exploit does happen. Moreover, the incentive to perform an exploit is almost always directly proportional to the perceived value of the attack. What could be more valuable than changing the outcome of an American national election? Not much.
Elections and Foreign Interference
One of the most fascinating aspects of this election has been the unprecedented nature of foreign involvement or intervention in the process itself. And almost as surprising, perhaps, is the reaction or lack of reaction among the electorate in response. Until early this year, China had been the long-time headline grabber in relation to high-profile hacks in the US. This year, Russia emerged as the most publicized perpetrator of cyber incursions, but the reality is that there are a number of other nations and groups that are perhaps equally equipped to cause damage to either our political or economic systems. The identity of this moment’s headliner is much less important than the idea that we have weaknesses that any such attacker could choose to exploit. But that begs the question: what is it about our election process that makes it vulnerable? Here are a few points to consider:
  • We don’t have one election process, the reality is we have 50. Worse, we don’t have an ironclad underlying set of agreed upon technical standards which are consistent across all 50 states and there is no real authority to enforce it if we did anyway. There have been some standards developed by NIST and through a series of bills passed by Congress since 2000. But adherence to the standards (which are still somewhat inadequate) is contingent upon each State’s interpretation of them.
  • Even within a given state, from one State administration to the next, many if not most of the rules can change depending on the political agenda of whoever is in charge.
  • Conflicts of interest regarding who can own and sell electronic voting related equipment have never fully been resolved.
  • Then there is the Electoral College, which presents unique challenges to the country and one glaring vulnerability. The vulnerability boils down to this – given the way the college works, any attacker need only manipulate votes in a handful of states by a relatively small percentage to change the overall national result. Of course, this only applies to the national election, but that is our most important one. For this to work, the polls in the targeted states would have to be within the statistical margin of error (1 to 3%), but that’s not uncommon at all. As we’ve seen time and again, margins of popular votes and electoral votes aren’t always aligned, so an expected outcome can appear ‘normal.’ And this is why the current recount challenges have been targeted to Wisconsin, Michigan and Pennsylvania, as all three came in with margins of victory of 1% or less. If we added the total of the 3 states’ electoral votes it comes to 46, which conceivably, if all awarded to Clinton, would flip the outcome of the election. I’m not saying that will happen, but it presents an example of the point here, that 3 states can easily tip a national election one way or the other.
So, what can we do if we do wish to recognize this threat and not dismiss it as politics as usual? Here are a couple of suggestions:
  • Provide tougher standards which ought to be applied uniformly across all 50 states for voting system security.
  • Ensure finally that every voting machine has a paper audit (e.g. prints a paper receipt ballot).
  • Regularly audit, monitor and test voting system security before, during and after elections. Such audits must include random recounting of the paper trail (as opposed to an electronic recount) as well as examination of code at both the voting machine and back office level.
  • Give a more active role to America’s intelligence community to detect and counteract foreign threats or intrusions into our political processes. This is the real mission for which these agencies are chartered – it’s time we made election protection a national priority.  
  • Block spam / fake news sites from broadcasting into the US – specifically filtering out content originating from places where such campaigns are known to happen (Eastern Europe, etc.).
  • In situations where large scale breaches are detected, be prepared to redo elections as needed using paper ballots only (and provide funds to support these contingencies).
Ultimately, our form of government is only as strong as the processes used to run it. Of those processes, elections are perhaps the most important single component. We can lose confidence in government and still have the hope of electing a better one, but if we lose confidence in voting, where does that leave us?

Copyright 2016, Stephen Lahanas

