Live From Black Hat: Stress-Testing Democracy – Election Integrity During a Global Pandemic with Matt Blaze

Technology and elections are heavily interrelated – but it wasn't always that way. We started to adopt technology once we weren't able to fit everyone into a town hall. The first piece of technology was simply a piece of paper and a ballot box. We may not think of it as technology, but the ballot box can be tampered with.

That technology gave us ballot secrecy, a property that a raised hand in the town hall didn't provide. This raised the bar to a level that has been expected from other voting technologies since then, which can be tougher with voting machines and electronic evaluation of ballot boxes. Our confidence in the outcome of an election depends on the integrity of the methodology we use to do this.

Matt Blaze, this year's Black Hat keynote speaker, is a researcher in the areas of secure systems, cryptography, and trust management. He is currently the McDevitt Chair of Computer Science and Law at Georgetown University.

Blaze has been working on election security for years. He's never encountered a problem bigger and more complex than democratic elections. The reason for this is that the requirements are contradictory: we don't want to be able to figure out how someone voted, but we want transparency into whether or not our vote was counted as cast and assurance that the system is not corrupted. The paper ballot box seems to do this pretty well, and other technology solutions require you to be a lot more clever. Another snag is that you cannot recover from a bad election very easily. You can't redo it easily before the term is up.

U.S. voting is highly decentralized due to size

The federal government has remarkably little to do with the election process; each state has its own rules and requirements. The elections are carried out by over 3,000 counties, and voting takes place in precincts in these counties. It's a very decentralized process. Even within a precinct, there may be different ballots for various local elections. The county's budget pays for elections, so improvements in election technology compete with improvements to roads and the fire department. In the 2016 election, about 24% of votes were cast by mail and 17% were cast in person before election day. Most states allow some form of absentee voting.

Campaigns and foreign foes outspend operational election budgets

Election campaigns vastly outspend the money that's spent on carrying out the elections. In addition, foreign state adversaries have recently entered the game, sometimes simply with the goal of disrupting elections and undermining the legitimacy of an election. That's actually easier than influencing a particular outcome.

The question is: Does new voting tech enable or prevent mischief? The answer is: both.

Voting technology has always had challenges

Paper ballots are more effective in re-assessing a particular vote and agreeing on an outcome. If we remember the voting machines in Florida that led to the recount in 2000, they didn't even involve a computer. It was simply a punch card with a manual punch to vote. However, the mechanical design was flawed, and it became more difficult to vote for a popular candidate toward the end of the day because punched-out paper from previous votes was blocking the punch.

A Florida election official trying to interpret a paper ballot during the 2000 U.S. presidential elections.

As a result, Congress passed the Help America Vote Act (HAVA). It provided funding to modernize voting and to make it more "accessible" to a wide range of voters. Most of the current equipment did not comply. However, the technology wasn't broadly available.

The DRE voting machine was a common new form of computerized voting that works similarly to an ATM. It counts the votes in an internal computer. Looking at the entire journey, software touches each part of the vote – such as voter registration databases and software to check who's already voted or to count and report the votes. The security of this software is critical to the legitimacy of the election. At the same time, software is designed to be replaceable and easily changed. It's a really hard problem to solve.

The voting system attack surface is huge

Software security and reliability are hard, even under the best of circumstances. In practice, the attack surface is huge: county election management software, voting machine firmware, communications, procedures, physical security, and people. Attacks include anything from denial of service to forging the vote. Every piece of computerized voting technology so far has been terrible.

The DMCA Security Research Exemption makes it legal to buy surplus voting machines, hack them, and report on your findings. The DEF CON Voting Village does this, and everything is worse than we thought.

Hand-counted paper ballots vs. blockchain

We have two options: we could just hand-count all votes on paper or amp up the technology (blockchain FTW!). The size of the US election is so large that hand-counting would be extremely hard. It would be very difficult to eliminate all reliance on software for the entire election.

On the other side, the blockchain makes us more dependent on software. Also, the blockchain is decentralized while elections have a central oversight, which is a contradiction. Just detecting election fraud is not helpful either; we need to prevent it to start with.

Two breakthroughs since 2020

There were two breakthroughs since 2020 that help us:

  • Ron Rivest invented software independence. A voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome.
  • Stark et al. developed a new statistical method to sample a subset of voting machines (e.g. paper ballot optical scanners) for post-election hand audits to ensure they reported correct results. If not, the other ones can be hand-counted.
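
As an added illustration (not from Blaze's talk or the original post), the code below shows the kind of statistical check a risk-limiting audit performs. It uses a BRAVO-style ballot-polling test, which samples individual paper ballots rather than whole machines as described above; the function name, vote labels and ballot piles are constructed for the example.

```python
import random

def ballot_polling_audit(sample, winner, loser, reported_share, risk_limit=0.05):
    """Sequential ballot-polling audit of a two-candidate contest.

    sample: hand-read votes from randomly drawn paper ballots, in draw order.
    reported_share: winner's reported share of the winner+loser votes (> 0.5).
    Returns (decision, ballots_examined).
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported winner share must be between 0.5 and 1")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be between 0 and 1")
    threshold = 1.0 / risk_limit   # evidence needed to stop the audit
    t = 1.0                        # likelihood ratio: reported result vs. a tie
    examined = 0
    for vote in sample:
        examined += 1
        if vote == winner:
            t *= reported_share / 0.5
        elif vote == loser:
            t *= (1.0 - reported_share) / 0.5
        # blank or invalid ballots leave the statistic unchanged
        if t >= threshold:
            return "outcome confirmed", examined
    return "escalate to full hand count", examined

if __name__ == "__main__":
    rng = random.Random(2020)  # fixed seed so the constructed demo is repeatable
    # Constructed paper trails: scanners reported 55% for "A" in both contests.
    honest_paper = ["A"] * 5500 + ["B"] * 4500   # paper agrees with the report
    altered_paper = ["A"] * 4800 + ["B"] * 5200  # paper says "B" actually won
    for label, paper in (("honest", honest_paper), ("altered", altered_paper)):
        drawn = rng.sample(paper, 1500)
        print(label, ballot_polling_audit(drawn, "A", "B", 0.55))
```

A risk limit of 0.05 means that if the paper actually shows a tie or a different winner, the audit stops short of a full hand count with probability at most 5%.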

These two ideas have become the gold standard for securing elections since 2020. Progress is positive but slow, and it addresses the key concerns computer scientists were worried about in past elections. If you'd like to read up on election security, Blaze recommends the National Academy of Science "Securing the Vote" (2018) study.

Matt's talk would have ended here if it wasn't for the pandemic…

…And then the pandemic changed everything

The pandemic changed everything because it's disrupting the vote.

Generally, there are several reasons why a vote may be disrupted:

  • Voter-level: Individual voters are unable to make it to the polls
  • Local or regional emergencies: Earthquakes, floods, 9/11
  • National-scale emergencies: Wars, pandemics, large-scale cyberattacks

Postponing elections is absolutely the worst-case option. There are often no rules for this. It may be preferable to hold an election that people regard as illegitimate.

A huge logistical challenge

Emergencies (such as a pandemic) likely require scaling up mail-in voting. Absentee voting exists in every U.S. jurisdiction, but jurisdictions often require a reason, such as being out of town – unlikely during the pandemic. Some places allow absentee ballots without an excuse.

The question is how we scale up absentee voting during an emergency, and this is a resource and logistics problem.

The voter side of an absentee ballot is reasonably easy, but the workflow on the system side is relatively complex. It's a fairly labor-intensive process that involves checks by multiple people and can involve some technology. Exception handling, like signature mismatches, is even more labor-intensive because it requires reaching out to the voter. Simple logistics, such as the number of envelopes and ballots and the throughput of your counting machines, may impose restrictions. Ballots themselves have security features, so they can't simply be printed at a local copy shop either.

Vote batch scanning machines are big, bulky and hard to mass-produce.

Your local election officials need your skills – ask how you can help!

There are reasons to be optimistic and pessimistic. We don't know how many people need paper ballots, so we'll have to over-produce just to be sure. Most jurisdictions don't have the funding to do this. Time is really short – less than 100 days away. This problem is similar to some computing problems. This community is going to be needed by the local election officials. Phone them, find out how you can help.

*** This is a Security Bloggers Network syndicated blog from Application Security Research, News, and Education Blog authored by ckirsch@veracode.com (ckirsch). Read the original post at: https://www.veracode.com/blog/security-news/live-black-hat-stress-testing-democracy-election-integrity-during-global