We Don’t Need a National System, but We May Need National Standards
The director of a cybersecurity center reveals surprising information about voting — like how early voting can actually increase the risk of foul play, and how distrust of the current system may be as damaging as actual hacking.
With all the political noise about potentially rigged elections, how secure, really, is the current voting process? Professor Jonathan Katz, director of the University of Maryland Cybersecurity Center, tells WhoWhatWhy’s Jeff Schechtman that the system is rife with risks.
Katz explains how voter rolls can be manipulated; how the growing trend toward early voting increases the risk of foul play; and how the absence of national security standards can impact not only the presidential race but down-ballot contests as well.
Considering what is at stake — our democratic way of life — why do we look at this issue only once every four years?
Full Text Transcript:
Jeff Schechtman: Welcome to Radio WhoWhatWhy. I’m Jeff Schechtman. If anything has come out of the past several months, it’s an understanding of just how fragile our democracy can be. As Charles Krauthammer recently so eloquently stated: “in democracy, the electoral process is a subtle and elaborate substitute for combat, the age-old way of settling struggles for power.” But that sublimation only works if there’s a mutual agreement to accept the legitimacy of the results. In a world in which cyber threats overlay a general trumped-up suspicion about the electoral process, it’s more important than ever to understand how we count the votes.
We’re going to look at this today with a guest that has joined us before on Radio WhoWhatWhy, he is Jonathan Katz. He’s a professor in the department of computer science and the director of the Maryland Cybersecurity Center. He’s worked in numerous areas of cryptography, computer and network security and complexity theory and it is my pleasure to welcome him here to Radio WhoWhatWhy. Jonathan, thanks so much for joining us.
Jonathan Katz: Well thank you very much, it’s great to be here.
Jeff: When we look at the diversity of different processes for counting votes around the country; three thousand one hundred and something counties, different systems, different methods, are we overstating the danger of anything being hacked or controlled or in any way, broken into, from a cyber perspective first of all?
Jonathan: Well, I think you hit on one of the main points, which is that the way things are now, every county, every municipality basically gets to decide on their own; how they want to run elections and how they want to count votes and there are no standards in place. There are no national level standards in place for defining minimum levels of security for the voting that’s taking place and so the problem is that, you know from an attacker’s point of view, they may be looking and what they’ll do is they’ll try to hone in on whichever municipality is running the least secure system and perhaps try to focus their attention there. And I think that just makes the challenge that much harder because even if you had a system which were secure and which were being used by a small handful of municipalities, many of the others might not adopt that system and so all of those efforts would be, sort of wasted.
Jeff: In a national election where the result isn’t necessarily terribly close, it seems that it becomes less of a problem because even if somebody were able to break into those few municipalities, their impact, perhaps would be more limited.
Jonathan: So I think you’re right and you’re not right because I think on the one hand, in this election, the way the polls are going right now, it looks like there’s a pretty clear favorite but you have to only remember back to the 2000 election, where essentially the election results came down to one state and I don’t remember the exact statistics within the state, but it wouldn’t surprise me if there were only a small number of counties that had a huge influence on the vote totals within that state. And so if you are able, as an attacker to focus your attention on exactly those that would have the greatest influence on the vote, then that might have affected even a presidential election.
Now the other part of your question is even if we have, say the situation that we’re in today, where the vote may not end up being close, you still have the risk that attackers might be able to manipulate senate elections, congressional elections or even state level elections which can of course be very important in the long run.
Jeff: Do we have any reason to believe or any evidence that leads us to believe that elections in the past have been hacked in this way or in some way involving cybersecurity?
Jonathan: There’s certainly no smoking gun. There’s no proof that any election has been hacked, I think there are some reports of suspicious cases that people sort of don’t know exactly what happened and there may be some people who suspect that it might have been the result of malicious behavior, but in those cases it could have equally well been errors that occurred during the voting process that weren’t necessarily malicious. Now of course, the fact that there were those errors shouldn’t make us happy either because whether an election gets the wrong result because of an attacker or whether it gets the wrong result because of computer or human error is sort of equally bad in some sense. But no, there’s no smoking gun with incontrovertible proof that something happened like that.
Jeff: And yet it’s interesting if we look back historically, the elections that we think of where there was rigging or tampering, we think of 1960 and Texas, we think of Chicago. When we look historically at elections that we think people have messed with, there’s no computer or cybersecurity involved at all.
Jonathan: Well, that’s right and I think people were and should be bothered by those examples as well. It’s not only a concern about attackers with cybersecurity threats influencing elections, we really have to be concerned with the entire process, which includes things like false voter registration or voting twice or even preventing voters from getting to the polls. All those things should concern us. I think the issue really is whether the current set of electronic voting machines might provide an easier way for attackers to influence an election. The signs point to possibly yes and I think we have to remember that when you talk about influencing an election, it’s not only tampering with the vote total that’s sitting on the ballot box, it’s also these things like I’ve been talking about, for example preventing voters from voting by deleting their records from the voter registration records or adding false voters to the registration records and thereby allowing people to come in and vote, even who don’t live in that state. So all these things come into play and the question really is whether the current set of voting machines are making these attacks any easier and I think they are.
Jeff: How do we begin to turn this on its head? How do we use the technology which is available to us, and it is abundant and certainly there are so many experts that you come in contact with, I’m sure all the time? How can we turn this into an advantage? How can we use technology to prevent the kind of things we’re talking about?
Jonathan: Well, one of these things to keep in mind is that a lot of these voting systems that are insecure, it’s not just that the attacker is being super clever and that they’re able to evade the most state of the art defenses that are put into place. The problem with a lot of these systems is that they’ve been in place for 10-15 years, even at the time they didn’t follow known security practices and they’re just egregiously bad examples of how to build a secure system. So I think really it starts with having some kind of national standards in place for what security of voting should mean and I know that there’s been some pushback from the states and I know that they’re reluctant to have one voting system imposed on them from the federal level, but I don’t think that’s what we need. I think what we do need is some set of standards and then states or municipalities would have to show that they meet those minimal standards in any voting system that they employ. There is a lot of work being done in the academic community, within startups and within industry to develop more secure machines, so I think the technology is there, they just have to get put into place and one way to do that is by having the standards in place to follow.
Jeff: What do those standards begin to look like with the variety of the machines that are out there, whether it’s levers or optical scanning or touch screen, talk a little bit about how the standards might be applicable to so many different kinds of systems.
Jonathan: It’s a great question, actually. I think ultimately the standards are not going to be mandating any particular technology, and they’re not going to be mandating even any security solution. I think instead what they’re going to have to talk about is in terms of threat. What kind of threats are a concern? What kinds of threats need to be defended against? What type of attacker, how many resources are we assuming the attacker will be able to deploy and attempt to attack the system? Again, we can imagine leaving the defenses up to the individual state, but the defenses have to be addressing this set of five different threats that we’re concerned about and I think in addition to that, some kind of discussion about the process. Once votes are tabulated, where does that machine go? Who has control of them? How many people have control of them? How are those people vetted? All of these kind of questions become important and I think are things that need to be thought through.
Jeff: Do the machines, again whether they’re any of the systems out there; levers or optical scanners, what have you, do those machines have to be online in any way? They tabulate their individual results, are there things that we can do with those individual results that prevent them, that secure them from being online and therefore able to be hacked into?
Jonathan: Certainly these voting machines are not supposed to be online anyway during the election. The question really is whether they’re ever online at some point prior to the election, number one, and whether they can be attacked during that time period, but the other question is who has physical access to the machines because you can have machines that are never connected to the internet but if you can bribe an election official to upload your version of the software to that machine, that could also compromise the election. So the fact of whether or not they’re online or offline is not the key distinguishing factor as to whether they’re secure or not.
Jeff: When we think about it that way, is there such a thing as perfect security? I mean, whether it’s bribing an election official or not vetting one particular individual, is there such a thing as perfect security or are these just risks that we have to take within the context of a democratic system?
Jonathan: Yeah that’s a great question. I mean there are some systems that have been developing in academia that I would say have – I don’t want to claim that anything has perfect security – but I think they have security to the extent that it would sort of cost too much or require too many resources or just be infeasible to do without detection. There would not be any way to bias the election results without being detected after the fact. But you’re right, you know ultimately if you can bribe the right set of people, it might be possible to swing the election results and I think what you want to do is you want to change the calculus. What you want to do is you want to make it such that there’s no one person that you have to bribe in order to change the results, but maybe you’d have to bribe ten different people in order to change the results and once you’re talking about bribing ten different people, it becomes not only more expensive, but also more risky in terms of being caught because you only need one of them to be a whistleblower and the cover is blown and then an investigation can begin. So I think you just have to raise the bar and make it more difficult, maybe it requires more training of these election officials who are potential victims, but perfect security is a challenge because you’re also balancing it off with things like usability and efficiency and various other things that are maybe more important. It’s hard to say, or it’s hard to see that we’re ever going to have a perfectly secure system but we need one that’s good enough to counter the known threats.
Jeff: Of course the other side of that is the speed that people expect and the fact that they want results virtually instantaneously.
Jonathan: Yeah, that’s true also, and it’s even worse I think when they start releasing projected numbers in the middle of an election.
Jeff: To that point, what impact do you think early voting is having in terms of these security threats because we’re certainly seeing more and more of it throughout the country?
Jonathan: Yeah, it’s hard to say because I think it has become more popular only recently. But I do think certainly with absentee voting, if you look at how absentee voting has been done and is done, you can imagine it would be sort of easier to stuff ballots through an absentee ballot or to prevent ballots from reaching their intended destination or to vote multiple times or things like that, just because the controls are very different. They’re not the same level of controls that are in place for voting in person on election day and for absentee ballots. Now I don’t know, again it depends municipality by municipality how early voting is being done, but my guess is that it would be easier there too to influence the results of early voting because the controls are not the same, because the votes are sitting on the machines for a longer period of time, we don’t know who’s watching them over the 30 days or so that people are allowed to vote early and so my guess is that might be an easier attack sector for an attacker.
Jeff: If you and your colleagues in academia were to design the perfect system, what does it look like?
Jonathan: Well that’s a great question. Like I said, people have been looking at that and have been studying this and one of the things that people have talked about is having a voting system where every voter can see a full record of every vote in the system, including their vote and be assured that their vote was counted in the final tally, while simultaneously maintaining privacy of the entire process. So this sounds like it’s really unbelievable and it shouldn’t be possible, but through the magic of cryptography, we can do this, where essentially you could imagine voters posting an encryption of their vote onto some giant bulletin board or maybe throwing it on a blockchain, now that that’s become popular and then having an automatic method whereby anybody could download some software and verify that the election result was tabulated correctly without violating their own individual level of privacy. So these are the ideas that people have been talking about although to be honest, it’s not clear that those would ever scale to a national election or would ever be cost efficient enough to be implemented in a national election. In theory, those kinds of things are possible.
Jeff: Would the problem be scaling it or would the problem be costs, as you say?
Jonathan: Well, the problem might be scaling it. I mean these kind of things, they exist in theory and people have implemented them on a small scale, let’s say a hundred to a thousand to ten thousand voters but scaling that up to an entire state or the entire country would be more difficult.
Jeff: Is there, in your view given how much money is awash in the political system today and this goes to the bribery conversation and some of the other things we’ve been talking about, given how much money is awash in the system, does that create a greater potential threat?
Jonathan: Well, what I see is that the value of an election seems to have gone up. The value of winning an election, the amount of money you need to spend to win an election legitimately has increased and so that changes the calculation and makes it more worthwhile to an attacker to spend an equivalent amount of money to sway the election result. If you’re in a situation where winning an election requires an investment of tens of millions or hundreds of millions of dollars, then doing things to illegally win the election, if it costs you fifteen million dollars to do that, it might be a worthwhile investment in that case.
Jeff: Talk a little bit about the old fashioned notion, the old fashioned idea and you and I have talked a little bit about this before, paper ballots. Is that something to seriously consider?
Jonathan: Well I think when people talk about paper ballots, they’re mainly talking about using them in conjunction with another system. For example, you have the systems that will use optical scans of a voter’s vote and then tabulate the result and there is a paper ballot as a backup to that, but not as a primary method of counting. And so the advantage of these paper ballots really is that they provide you with an audit trail so in case something does go wrong, in case the power goes out during an election, in case a machine is lost, in case there’s some suspicion of bribery after the fact, you can at least in principle always go back to the paper record and use that to verify the totals that have been computed. I think that’s really the advantage of the paper ballot system, it gives you this fallback mechanism in case there’s the suspicion that something went wrong.
Jeff: Of course with respect to punch cards as a paper system, that didn’t work out too well in Florida.
Jonathan: Well, you could argue it didn’t work well, but it did work. People were able to look at those and get some result that satisfied everybody, so you’re right that it could have been done better and there was a lot of debate about that, but in the end, imagine if they weren’t there at all.
Jeff: To what extent do you theorize that some of this is going to be going on, that we are going to have some irregularities in the coming national election?
Jonathan: Well, it’s impossible to really speculate about that. What I think though is that people are now hypersensitive to the idea that things may be going wrong and it’s not just because of conversations that we’re having, it’s because of conversations that the candidates are having; speculation whether Russia is meddling in the elections or whether or not Trump will accept the results of the election and so I think people are going to be looking for irregularities in the system and they may actually be noticing irregularities that were always there, that may have been the last time around and two times ago but now they’re going to be called out and they may be investigated and they may be brought to the media’s attention and we’ll have to see how that plays out.
Jeff: Is there a danger on the other side in your view, that too much attention is being focused on this and that it undermines faith in the democratic process?
Jonathan: I think that’s a problem. I don’t want to say it’s bad to pay attention to these things, but what I do want to say is even the suspicion of an attack can be almost as damaging as an attack because if there were a suspicion among a large group of the population that the election results are incorrect, then that calls in question the whole election and what do you do at that point? At what point do you have a recount and what do you do if the recount comes out with a different result? How do you adjudicate that and how do you decide how to go forward? So I do think that you do run the risk of people being overly sensitive and finding things that they view as irregularities, which actually like I said are not irregularities, things that have happened many times in the past but because of all the debate and all the discussion going on, get blown out of proportion and again we’ll have to see how that develops and how that plays out.
Jeff: As I mentioned earlier on you and your colleagues at the University of Maryland are working on this, to what extent are we seeing anybody working on this in Silicon Valley and should we? Should there be more attention there?
Jonathan: Well I do know, like I said earlier, there are some professors who have tried to market the technologies that they have developed and they have been successful in limited ways in getting different municipalities to adopt the systems that they’ve developed and I think again, the challenge is that if you come up with a great system and you work for a year or two years to both develop it and then convince somebody to actually use it, that’s only a point in the universe because you’ve only convinced one municipality to use it, now you’ve got to go to the other 500 or so and convince them to use it as well. So there are some efforts in that direction, I think they have not been very profitable, which might discourage people from continuing to develop in this space, but people who really care about the integrity of elections are very serious about working on the next generation of solutions.
Jeff: Are you and your colleagues and some of these people you’re talking about really looking closely at this coming election to use it as a kind of example of what goes right and wrong?
Jonathan: Well I know there’s been a lot of discussion and a lot of analysis of many of the electronic voting systems that are being used. It’s always great when it’s brought to people’s attention right, so every four years we get worried about it and then for the next three and a half years we sort of forget about it. I think maybe what we’d like to do is keep the attention on the issue past this election. Let’s assume everything goes fine and we get a result and everyone is happy with it and there are no irregularities detected, that doesn’t mean that we stop worrying about what’s coming four years down the line and so I think maybe the key thing is to keep it in people’s consciousness so that we can continue to actively work on these standards and develop new systems and get people to adopt more secure systems so that we don’t have these same discussions four years from now.
Jeff: And finally, of the systems that are out there, which ones do you believe are the most secure right now? Which ones are the best systems that you can buy, that a municipality can buy off a shelf?
Jonathan: Well I don’t want to name any particular ones, but what I would say is just that the ones that have a paper ballot are better than the ones that don’t because they do allow you this fallback and the possibility of an audit trail.
Jeff: Professor Jonathan Katz, he’s the director of the University of Maryland’s Cybersecurity Center. Jonathan, I thank you so much for spending time with us today on Radio WhoWhatWhy.
Jonathan: Thank you, it was a real pleasure.
Jeff: Thank you. Thank you for listening and joining us here on Radio WhoWhatWhy. I hope you join us next week for another Radio WhoWhatWhy podcast. I’m Jeff Schechtman.