CD178: Election Insecurity

Since the 2016 election, our country has been questioning whether our elections are secure, fair, and accurate. In this episode, we examine the threats to our election administration, both real and overblown.



Sound Clip Sources

Hearing: Election Security Preparedness, Senate Rules and Administration Committee, C-SPAN, June 20, 2018.

Witnesses:

  • Matthew Masterson – National Protection and Programs Directorate at the Department of Homeland Security
  • Jim Condos – Vermont Secretary of State
  • Jay Ashcroft – Missouri Secretary of State
  • Steve Simon – Minnesota Secretary of State
  • Connie Lawson – Indiana Secretary of State
  • Shane Schoeller – Clerk for Greene County, Missouri
  • Noah Praetz – Director of Elections for Cook County, Illinois
  • 2:40 Senator Roy Blunt (MO): January of 2017, the Department of Homeland Security designated our country’s election infrastructure to be critical infrastructure. This designation began the formalization of information sharing and collaboration among state, local, and federal governments through the creation of a Government Coordinating Council, some of our witnesses this day are already sitting on that newly formed council. More recently, in the 2018 omnibus, Congress appropriated right at $380 million to the U.S. Election Assistance Commission to help states enhance their election infrastructure. As of this week, 38 states have requested $250 million of that money, and about 150 million of it has already been disbursed to the states.
  • 6:45 Senator Amy Klobuchar (MN): So, we have a bill, Senator Lankford and I along with Senator Harris and Graham and Warner and Burr, Heinrich, and Collins. It’s a bipartisan bill called the Secure Elections Act, and we have been working to make changes to it along the way and introduce it as amendment, but it really does four things. First of all, improves information sharing between local election officials, cyber-security experts, and national-security personnel. Second, providing for development and maintenance of cyber-security best practices. We all know, I think there’s five states that don’t have backup paper ballots, and then there’s something like nine more that have partial backup paper ballots. And while we’re not mandating what each state does, and we do not want each state to have the exact same election equipment—we think that would be a problem and could potentially lend itself to more break-ins—we think it’s really important that we have some floor and standards that we set that given what we know, I don’t think we’d be doing our democracy any good if we didn’t share that and we didn’t put in some floors. Third, the bill will promote better auditing our election’s use of paper backup systems, which I mentioned, and finally, it’s focused on providing election officials with much-needed resources. As you all know, we were able to get $380 million to be immediately distributed to the state, not play money, money that’s going out right now to states across the country, based on populations. We didn’t have some complicated grant process that would have slowed things down. The money went directly to state election officials as long as the state legislature authorizes it to get accepted and get to work to update their systems.
  • 11:50 Jay Ashcroft: But before we move forward, we should briefly look back to the impetus of why we are all here today: allegations that outside actors threaten the integrity of our elections during the 2016 election cycle. While these are serious allegations, it is vitally important to understand that after two years of investigation, there is no credible—and I could strike “credible” and just put “evidence”—there is no evidence that these incidents caused a single vote or a single voter registration to be improperly altered during the 2016 election cycle. It was not our votes or our election systems that were hacked; it was the people’s perception of our elections.
  • 30:50 Matthew Masterson: For those voters who have questions or concerns regarding the security or integrity of the process, I implore you to get involved. Become a poll worker; watch pre-election testing of the systems, or post-election audits; check your registration information before elections; engage with your state- and local-election officials; and most importantly, go vote. The best response to those who wish to undermine faith in our democracy is to participate and to vote.
  • 1:08:00 Senator Roy Blunt (MO): Should the federal government make an audit trail, a paper audit trail, a requirement to have federal assistance? Jay Ashcroft: I don’t think so. Jim Condos: I do think so. Steve Simon: I think there is a federal interest in making sure that there’s some audit process. Sen. Blunt: Well, now, what I’m asking about is, should there be a way to recreate the actual election itself? And I don’t know quite how to do that without paper, even if you had a machine that was not accessible to the web. Jay Ashcroft: I believe states are moving to do that, without federal legislation. So that’s why I don’t think that federal legislation needs to be done to that.
  • 1:23:30 Shane Schoeller: I do want to address one area that concerns Secure Elections Act, that is on page 23, lines three, four, and five. It says, “Each election result is determined by tabulating marked ballots, hand or device.” I strongly recommend for post-election auditing purposes that a state-marked paper ballots, because I believe the opportunity for fraud in electronic ballot-casting system that does not have a paper trail’s too great.
  • 1:32:00 Shane Schoeller: Even if you do a post audit with the machine, how would you know if something’s been compromised if you can’t at least compare the results of the paper ballot. And I think that’s the assurance it gives. Clearly, the machine, when you have an accurate election, does do a better job of counting the ballots. I’m talking about in the case where clearly fraud has occurred, then the paper ballot is going to be the evidence you need in terms of if your system inside that machine is compromised.
  • 1:32:30 Senator Amy Klobuchar (MN): I think for a while people were talking about, well, why doesn’t everyone just vote from home, which is great when you can mail in a ballot, we know that, but vote from home just from your computer, and that would mean no paper records of anything. Could you comment about that? Noah Praetz: I think that’s 100% inappropriate for civil elections. Sen. Klobuchar: Got it. Shane Schoeller: I find it ironic because this is my first term, although I ran for this office in 2014, that was actually a common theme that I heard. Sen. Klobuchar: Right. I was hearing it, and I was—I kept thinking— Schoeller: Mm-hmm. Sen. Klobuchar: —about our state with, they’re not going to keep dwelling on it, with that high voter turnout. But, you know, that involved a paper ballot— voice off-mic: incredible integrity. Sen. Klobuchar: —and incredible integrity. But it involved people—they could vote by mail, and we’ve made that even easier, but they had actual paper ballots that they did, and then they were fed into this machine to count, with auditing. But you’re right. That’s what people were talking about. Why can’t you just do it from your home computer and have no backup, right? Schoeller: Right. And that was one of the things I actually had to disagree when that viewpoint was put forth, particularly in one city that I remember. And even after I became elected, I went to a conference of other elected officials, and there was a group of speakers, and they all were talking about this, and there was actually one speaker— Sen. Klobuchar: Like voting from Facebook. Schoeller: Correct. Sen. Klobuchar: Just kidding… Schoeller: But they actually disagreed, and I went up, and I think I was the only election official that day—this was prior to 2016—that didn’t think that it was a good idea. But I think we have evidence now from 2016 that clearly—that’s a convenience that we just can’t afford.
  • 1:35:05 Noah Praetz: We’ve got a piece of paper that every voter looked at. Senator Amy Klobuchar: Mm-hmm. Praetz: So worst-case scenario, a Sony-type attack with full meltdown of all systems, we can recreate an election that’s trusted and true.
Hearing: Election Security, Senate Judiciary Committee, C-SPAN, June 12, 2018.

Witnesses:

  • Adam Hickey – Deputy Assistant Attorney General for the National Security Division at the Department of Justice
  • Matthew Masterson – National Protection and Programs Directorate at the Department of Homeland Security
  • Kenneth Wainstein – Partner at Davis Polk & Wardwell, LLP
  • Prof. Ryan Goodman – New York University School of Law
  • Nina Jankowicz – Global Fellow at the Wilson Center
  • 9:00 Senator Dianne Feinstein (CA): We know that Russia orchestrated a sustained and coordinated attack that interfered in our last presidential election. And we also know that there’s a serious threat of more attacks in our future elections, including this November. As the United States Intelligence Community unanimously concluded, the Russian government’s interference in our election—and I quote—“blended covert intelligence operations, such as cyber activity, with overt efforts by the Russian government agencies, state-funded media, third-party intermediaries, and paid social-media users or trolls.” Over the course of the past year and a half, we’ve come to better understand how pernicious these attacks were. Particularly unsettling is that we were so unaware. We were unaware that Russia was sowing division through mass propaganda, cyber warfare, and working with malicious actors to tip scales of the election. Thirteen Russian nationals and three organizations, including the Russian-backed Internet Research Agency, have now been indicted for their role in Russia’s vast conspiracy to defraud the United States.
  • 39:40 Senator Mike Lee (UT): First, let’s talk a little bit about the integrity of our election infrastructure. We’ll start with you, Mr. Masterson. Were there any known breaches of our election infrastructure in the 2016 election? Matthew Masterson: Thank you, Senator. Yes, there was some publicly discussed known breaches of election infrastructure specifically involving voter-registration databases. Sen. Lee: Are there any confirmed instances of votes being changed from one candidate to another? Masterson: There are no confirmed instances of that. Sen. Lee: And were any individual voting machines hacked? Masterson: No, not that I know of.
  • 42:55 Senator Mike Lee: One approach to some of this, to the threat, the possibility of election infrastructure or voting machines being hacked from the outside is to go low-tech. Some states have gravitated toward that. For example, some states have started making moves back toward paper ballots so that they can’t be hacked. Is this something that’s helpful? Is it something that’s necessary that you think more states ought to consider? Matthew Masterson: Yeah. Senator, the auditability and having an auditable voting system, in this case, auditable paper records, is critical to the security of the systems. In those states that have moved in that direction have implemented means by which to audit the vote in order to give confidence to the public on the results of the election. In those states that have non-paper systems have indicated a desire—for instance, Pennsylvania—to move to auditable systems. And so at this point, resources are necessary to help them move that direction. Sen. Lee: By that, you mean either a paper-ballot system or a system that simultaneously creates a paper trail. Masterson: An auditable paper record. Correct, sir.
  • 1:22:08 Senator Kamala Harris (CA): Will you talk a bit about what you have seen in terms of the risk assessments you’ve been doing around the country? I believe 14 states have been completed. Is that correct, 14? Matthew Masterson: I believe it’s 17 states have been completed— Sen. Harris: Right. Masterson: —thus far, as well as 10 localities. Sen. Harris: And what generally have you seen as being the vulnerabilities— Masterson: Sure. Sen. Harris: —in those assessments? Masterson: Thank you, Senator. Generally speaking, within the election’s infrastructure sector, we’re seeing the same typical vulnerabilities you’d see across IT systems, so managing software updates, outdated equipment or hardware, as well as general upgrades that need to take place as far as what configuration management within systems to limit the damage that could be done if something were to take place. And so— Sen. Harris: Resilience. Masterson: What’s that? Sen. Harris: Their resilience. Masterson: Yeah, their resilience. Sen. Harris: Mm-hmm. Masterson: Exactly. Thank you, Senator. And so this sector is no different in what we see in the work we’re doing with them.
  • 2:15:00 Senator Sheldon Whitehouse (RI): But what I want to talk about in my time is the problem of shell corporations, because for all of the emphasis that the witnesses have put on policing and prosecuting foreign influence in our elections, you can neither police or prosecute what you cannot find. And at the moment, we have both a shell-corporation problem, which was emphasized by Mark Zuckerberg in his testimony when he said their political advertisement-authentication program would only go to the first shell corporation and not seek any information about who was actually behind it. I don’t think Putin is stupid enough to call it Boris and Natasha, LLC. It’s going to sound more like Americans for Puppies and Peace and Prosperity. But it’s a front group, and it’s got Putin or whomever else behind it, and until we can know that, we cannot enforce effectively, period, end of story. Similarly, when our election system has these colossal channels for dark money, anonymized funding, if you can’t find out what special interest is behind anonymous money, you can’t find out if there’s a foreign interest behind that money. Darkness is darkness is darkness, and it hides malign activity, both foreign and domestic. And I’d like to ask each of you to comment on that. We’re concerned about trolling. Obviously, that’s facilitated by shell corporations. You talked about general propaganda campaigns. Obviously, facilitated by shell corporations. Campaign finance laws, you’ve called out for a need for effective disclosure. You can’t have effective disclosure if the only thing you’re disclosing is a front corporation and you don’t know who’s really behind it. So, if I could ask each of you three on that, then that’ll be the end of my time. Kenneth Wainstein: Sure, I’ll go first, Senator Whitehouse. And thank you for kind words, and good to work with you again. Always is. Sen. Whitehouse: We were good adversaries. Wainstein: We were. Adversaries who were working for the same goal. Sen. Whitehouse: Yes. Wainstein: Look, as a prosecutor, former prosecutor, looking at this issue, of course you want to know more about the corporations than less. There are obviously First Amendment issues and other concerns out there in the election context, but absolutely, there’s no way to sort of resist your logic, which is we’ve seen the use of corporations in a variety of contexts, whether it’s money laundering or otherwise, but we’ve seen here in the election interference and disinformation context, and a lot of that— Sen. Whitehouse: In fact, they’re widely used in the criminal context for money-laundering purposes and to hide the proceeds of criminal activities, correct? Wainstein: Absolutely. Sen. Whitehouse: So to the extent that what Putin is running is essentially a criminal enterprise of himself and his oligarchs. Why would they not look to what criminal enterprises do as a model? Wainstein: Yeah, it’s meat-and-potatoes criminal conduct. Sen. Whitehouse: Yeah. Wainstein: No question. And all intended to hide the fact of the source of this malign activity.
Hearing: Election Security, Senate Armed Services Subcommittee on Cybersecurity, C-SPAN, February 13, 2018.

Witnesses:

  • Robert Butler – Co-Founder and Managing Director, Cyber Strategies LLC
  • Heather Conley – Director of the Europe Program, Center for Strategic and International Studies; former Dep. Asst. Sec. of State for EU & Eurasian Affairs in GWB admin, 2001-2005
  • Richard Harknett – Professor of Political Science and Head of Political Science Department, University of Cincinnati
  • Michael Sulmeyer – Director, Cyber Security Project, Belfer Center for Science and International Affairs, Harvard University
  • 7:15 Senator Ben Nelson: First, the department has cyber forces designed and trained to thwart attacks on our country through cyberspace, and that’s why we created the Cyber Command’s National Mission Teams. A member of this subcommittee, Senator Blumenthal, Senator Shaheen, we all wrote the secretary of defense last week that they, the department, ought to be assigned to identify Russian operators responsible for the hacking, stealing information, planting misinformation, and spreading it through all the botnets and fake accounts on social media. They ought to do that. That’s—the Cyber Command knows who that is. And then, we ought to use our cyber forces to disrupt this activity. We aren’t. We should also be informing the social-media companies of Russia’s fake accounts and other activities that violate those companies’ terms of service so that they can be shut down.
  • 18:20 Heather Conley: You asked us what role DOD could play to protect the U.S. elections, and I think, simply, DOD working with Congress has got to demand a whole-of-government strategy to fight against this enduring disinformation and influence operation. We don’t have a national strategy. Unfortunately, modernizing our nuclear forces will not stop a Russian influence operation. That’s where we are missing a grave threat that exists in the American people’s palm of their hand and on their computer screens.
  • 19:05 Heather Conley: As one of the most trusted institutions in the United States, the Department of Defense must leverage that trust with the American people to mitigate Russian influence. Simply put, the Department of Defense has to model the bipartisan and fact-based action, behavior, and awareness that will help reduce societal division. This is about leadership, it’s about protecting the United States, and as far as I can see, that is in the Department of Defense job description.
Hearing: Cybersecurity of Voting Machines, House Oversight Subcommittee and Government Reform Subcommittee on Intergovernmental Affairs, C-SPAN, November 29, 2017.

Witnesses:

  • Christopher Krebs – Senior Official Performing the Duties of the Under Secretary National Protection & Programs Directorate, Department of Homeland Security
  • Tom Schedler – Secretary of State of Louisiana
  • Edgardo Cortes – Commissioner of the Virginia Department of Elections
  • Matthew Blaze – Associate Professor, Computer and Information Science at the University of Pennsylvania
  • 4:24 Representative Robin Kelly (IL): In September of this year, DHS notified 21 states that hackers affiliated with the Russian government breached or attempted to breach their election infrastructure. In my home state of Illinois, the hackers illegally downloaded the personal information of 90,000 voters and attempted to change and delete data. Fortunately, they were unsuccessful.
  • 5:05 Representative Robin Kelly (IL): Earlier this year, researchers at the DEF CON conference successfully hacked five different direct-recording electronic voting machines, or DREs, in a day. The first vulnerabilities were discovered in just 90 minutes. Even voting machines not connected to the Internet still contained physical vulnerabilities like USB ports that can be used to upload malware. Alarmingly, many DREs lack the ability to allow experts to determine that they have been hacked. Despite these flaws, DREs are still commonly used. In 2016, 42 states used them. They were more than a decade old, with some running outdated software that is no longer supported by the manufacturer.
  • 20:30 Tom Schedler: In terms of voting-machine security, remember that with the passage of the Help America Vote Act in 2002, states were required to purchase at least one piece of accessible voting equipment for each polling place.
  • 23:55 Edgardo Cortes: Virginia has twice been put in the unfortunate position of having to decertify voting equipment and transition to new equipment in a condensed timeframe, based on security concerns of previously used DREs. These steps outlined in detail in my written testimony were not taken lightly. They place a financial and administrative stress on the electoral system. They were, however, essential to maintain the public’s trust and the integrity of Virginia elections. The November 2017 general election was effectively administered without any reported voting-equipment issues. Thanks to the ongoing partnership between the state, our hardworking local election officials, and our dedicated voting-equipment vendors, the transition to paper-based voting systems on a truncated time line was incredibly successful and significantly increased the security of the election.
  • 25:45 Edgardo Cortes: To ensure the use of secure voting equipment in the future, Congress should require federal certification of all voting systems used in federal elections. This is currently a voluntary process. Federal certification should also be required for electronic poll books, which currently are not subject to any federal guidelines.
  • 28:20 Matthew Blaze: Virtually every aspect of our election process, from voter registration to ballot creation to casting ballots and then to counting and reporting election results, is today controlled in some way by software. And unfortunately, software is notoriously difficult to secure, especially in large-scale systems such as those used in voting. And the software used in elections is really no exception to this. It’s difficult to overstate how vulnerable our voting infrastructure that’s in use in many states today is, particularly to compromise by a determined and well-funded adversary. For example, in 2007 our teams discovered exploitable vulnerabilities in virtually every voting-system component that we examined, including backend election-management software as well as particularly DRE voting terminals themselves. At this year’s DEF CON event, we saw that many of the weaknesses discovered in 2007, and known since then, not only are still present in these systems but can be exploited quickly and easily by non-specialists who lack access to proprietary information such as source code.
  • 38:40 Matthew Blaze: The design of DRE systems makes their security dependent not just on the software in the systems but the hardware’s ability to run that software correctly and to protect against malicious software being loaded. So an unfortunate property of the design of DRE systems is that we’ve basically given them the hardest possible security task. Any flaw in a DRE machine’s software or hardware can become an avenue of attack that potentially can be exploited. And this is a very difficult thing to protect. Representative Gary Palmer: Do we need to go to, even if we have some electronic components to back it up with paper ballots because your fallback position is always to open the machine and count the ballots? Blaze: That’s right. So, precinct-counted optical-scan systems also depend on software, but they have the particular safeguard, but there is a paper artifact of the voter’s true vote that can be used to determine the true election results. DRE, paperless DRE systems don’t have that property, and so we’re completely at the mercy of the software and hardware.
  • 47:00 Christopher Krebs: When you characterize these things as attacks, I think that is perhaps overstating what may have happened in the 21 states, as was mentioned, over the course of the summer. The majority of the activity was simple scanning. Scanning happens all the time. It’s happening right now to a number of probably your websites. Scanning is a regular activity across the web. I would not characterize that as an attack. It’s a preparatory step.
  • 58:15 Matthew Blaze: There is no fully reliable way to audit these kinds of systems. We may get lucky and detect some forensic evidence, but ultimately the design of these systems precludes our ability to do a conclusive audit of the voter’s true intent. That’s why paperless systems really need to be phased out in favor of things like optical-scan paper ballots that are counted at the precinct but backed by an artifact of the voter’s true intent.
  • 1:02:42 Tom Schedler: The system that we’re looking at, we’re not out for bid yet, would be one that would produce, even though you would vote on an electronic machine, it would produce an actual paper ballot that you could hold in your hand— Representative Paul Mitchell (MI): My concern with that— Schedler: —and then cast ballot only with that point when you put it into a secure box. Rep. Mitchell: My concern with that, and Dr. Blaze makes the point, is that if you produce a paper result after you put something into the machine, if in fact the machine is tampered with, you could in fact end up with just confirming the tampered information. Schedler: Yes, sir.
Speech: Hillary Clinton on National Security and the Islamic State, Council on Foreign Relations, November 19, 2015.
  • 12:35 Hillary Clinton: So we need to move simultaneously toward a political solution to the civil war that paves the way for a new government with new leadership and to encourage more Syrians to take on ISIS as well. To support them, we should immediately deploy the special operations force President Obama has already authorized and be prepared to deploy more as more Syrians get into the fight, and we should retool and ramp up our efforts to support and equip viable Syrian opposition units. Our increased support should go hand in hand with increased support from our Arab and European partners, including Special Forces who can contribute to the fight on the ground. We should also work with the coalition and the neighbors to impose no-fly zones that will stop Assad from slaughtering civilians and the opposition from the air.

 

Hearing: Electronic Voting Machines, House Administration Committee, C-SPAN, September 28, 2006.

Witnesses:

  • Edward Felten – Computer Science Professor at Princeton University
  • Keith Cunningham – Board of Elections Director of Allen County, Ohio
  • Barbara Simons – Association for Computing Machinery, Public Policy Committee Co-Chair
  • 19:54 Edward Felten: Two weeks ago my colleagues, Ari Feldman and Alex Halderman, and I released a detailed security analysis of this machine, the Diebold AccuVote-TS, which is used in Maryland, Georgia, and elsewhere. My written testimony summarizes the findings of our study. One main finding is that the machines are susceptible to computer viruses that spread from machine to machine and silently transfer votes from one candidate to another. Such a virus requires moderate computer-programming skills to construct. Launching it requires access to a single voting machine for as little as one minute.
  • 1:45:23 Keith Cunningham: Can they be improved? Absolutely, and I think throughout my comments I was very definite to say that these machines, as they currently sit, are not reliable. My question back to you, though, in that regard is, who’s going to pay to fix it, because one of the problems we have right now is in the last 24 months every election jurisdiction in this country has spent the $3 billion we spoke about earlier on new election equipment, and that’s what’s in place. So without somebody stepping forward to fund that enterprise, I don’t know how we’re going to improve them ourselves.
  • 1:51:00 Barbara Simons: I wanted to remind the panelists of what happened in Carteret County, North Carolina, in, I believe it was, ’04, where paperless DREs were used and over 4,000 votes were lost. I mean, there’s this concern about being able to reprint paper ballots or paper VVPATs. When you lose votes in a DRE, which has no paper, there is nothing you can do, and in fact, there was an election for—the statewide election—for agricultural commissioner, where the separation between the two candidates was such that the results could have been reversed by those missing votes. And it went to court, it went to two different courts, where they first tried to hold a recount just for the county itself. That was thrown out. Then it went for a statewide recount, and that was thrown out because we had no laws to deal with what happens when DREs fail. And finally, there were a number of people who submitted subpoenas or petitions saying they had voted for one of the candidates, and based on those submissions, it looked like the judge was going to declare that candidate the winner, and so that was how the election was decided. This is not a way to hold elections in this country.


Cover Art

Design by Only Child Imaginations


Music Presented in This Episode

Intro & Exit: Tired of Being Lied To by David Ippolito (found on Music Alley by mevio)