-
35C3 preroll music
-
Herald Angel: Mr. Halderman, professor of
computer science at the University of
-
Michigan. Famous for inventing things like
Let's Encrypt, finding the--
-
applause
-
Herald Angel: There's more.
applause
-
Herald: But wait, there's more! Logjam
-- I love buzzword bingo -- and zmap.
-
And now he's going to talk about
American elections. Thank you.
-
J. Alex Halderman: All right. Thank you so
much. It's fantastic to be back at
-
Congress this year. Two years ago I was
here with Matt Bernhard one of my Ph.D.
-
students and we gave an update about what
happened during the 2016 presidential
-
election. Today a lot has changed and a
lot remains the same. And I'm here to let
-
you know what we've learned about what
happened in the 2016 election and what we
-
still need to do to make sure elections in
the U.S. and around the world are well
-
protected. So, a quick flashback. On
November 8th, 2016 Donald Trump became
-
president of the United States by beating
some other person. Now history quickly
-
forgets the losers in presidential
elections. And it really doesn't matter
-
who Donald Trump beat, because today, for
better or for worse, he is the president.
-
But how close was the election? President
Trump likes to talk about how he won by a
-
landslide, but actually he was the fifth
person in American history to win the
-
presidency while losing the popular vote.
In fact his opponent received 3 million
-
more votes in the election than President
Trump did. How can that happen? Well we
-
have this crazy system called the
Electoral College. And in the Electoral
-
College each state has a certain number of
points, and Donald Trump ended up getting
-
more of those points. But if we want to
ask "How close was the election,
-
really?"... well that depends on the way
each state allocates its electoral votes,
-
and most are "winner-take-all". So we
might ask how many votes would, say, an
-
attacker have had to change in the
smallest number of states in order to
-
change the election result in order to,
say, make it a tie instead of a win for
-
President Trump. And it turns out that if
you look at the three closest states, they
-
could be flipped with a very very small
number of votes changing, and changing
-
just any two of these three states would
have been enough to reverse the outcome of
-
the presidential election. If we look at
the next few closest states they also have
-
very small margins, and any three of these
six states would have sufficed to change
-
the election result. In total just
changing twenty seven thousand, five
-
hundred votes from Donald Trump to Donald
Trump's opponent would have changed the
-
outcome of the U.S. presidential election.
There were 137 million votes in total.
-
That's a change of just 0.02 percent. That
is a very close electoral result by even
-
contemporary American standards. And
that's why the possibilities of computer
-
hacking, voting machine manipulation,
information warfare that actually did take
-
place, some of them in 2016, not only have
the possibility to have effected the 2016
-
election result but stand to have the
possibility to affect future election
-
results as well. And that's why election
security is so important right now. But if
-
we go back to 2016, when I was speaking
here two years ago, the main thing I was
-
talking about were recounts in three
states: Wisconsin, Michigan, and
-
Pennsylvania, that I and other election
security advocates had a big role in
-
orchestrating. Well we realized after 2016
that this was a close and unexpected
-
election result, but no one was going to
go back and check the physical evidence of
-
the votes: the actual paper ballots in any
states that really mattered to make sure
-
that the computer election results we have
been told about were right. Well, when I
-
and others pointed this out to the public
it resulted in an overwhelming show of
-
support. And one of the third party
presidential candidate Jill Stein stepped
-
in and had the legal standing to demand
recounts in states where she stood for
-
election, even though she had no chance of
winning. And she raised through small
-
donations from the public more than seven
million dollars to fund efforts to go back
-
and count and check the votes to make sure
things were right. Unfortunately, a
-
recount after an American election is a
politically fraught process, and in all
-
three states we found opposition from the
apparent winner of the election, we found
-
challenges in the courts, and only one of
those states, Wisconsin, ended up
-
recounting all of its ballots and found no
evidence of fraud. In Michigan the
-
recounts were halted after only a few days
with less than half of the votes counted
-
after a court challenge by the
Republicans. Again, no evidence of fraud
-
in the votes that were recounted. And in
Pennsylvania, unfortunately, like many
-
states most of the state had no paper
trail at all. There was nothing to
-
recount: just digital records and
machines. The courts denied the Stein
-
campaign the right to have independent
experts examine the machines, and in very
-
few of the places in the rest of the
state, the small amount that did have
-
paper actually did complete a recount. But
still there was no evidence of fraud. So
-
in all there is no evidence that hacking
of voting machines -- hacking of actual
-
vote counts -- changed the outcome of the
2016 election. But there is abundant
-
evidence that cyberattacks of other forms
had a major influence on the election,
-
certainly could have a huge influence on
future elections. And that's what I'm
-
going to talk about today. So first
looking back at 2016 in the two years
-
since I was last here we have learned a
lot more about what really took place
-
during the 2016 election. Starting just
January of 2017 when the U.S. intelligence
-
community -- the CIA, NSA, and other three
letter agencies -- who often in this
-
community we don't trust, still came out
and released a joint assessment in which
-
they rated with very high confidence the
conclusion that attackers linked to Russia
-
were ordered by Russian President Vladimir
Putin to interfere with the American
-
election in order to weaken Clinton, boost
Donald Trump, and discredit the electoral
-
process as a whole. They called it a
significant escalation of longstanding
-
Russian efforts to undermine the US-led
liberal democratic order. So where's the
-
evidence that this actually happened? And
what actually happened? According to not
-
only the intelligence reports but other
information from other sources we can use
-
to see to see whether it's credible. Well
what happened in the U.S. actually looks a
-
lot like something that happened in 2014
in Ukraine, where, according to other
-
published reports, attackers linked to
Russia engaged in a multipronged attack to
-
try to undermine the presidential election
there. They released targeted leaks of
-
e-mails linked to the presidential
campaign. They attacked the Election
-
Commission's servers in order to cause
them to initially post the wrong
-
presidential winner. And this was
apparently detected and narrowly averted
-
only hours before the winner was to be
announced. And they orchestrated DDoS
-
attacks to try to delay the election
results. In the U.S. in 2016 we saw a
-
similar multipronged attack of targeted
political leaks trolling and message
-
amplification on social media and attacks
against election infrastructure. So the
-
targeted political leaks, you've probably
heard about some of this. You have e-mails
-
stolen from the Democratic National
Committee through a hacking campaign that
-
involved two different Russian-linked
military groups hacking into the DNC
-
servers, installing customized malware and
exfiltrating thousands of e-mails that
-
were then published by WikiLeaks. Later,
John Podesta -- Clinton's campaign
-
chairman -- also had his personal email
compromised, and Podesta's emails were
-
similarly published by WikiLeaks. Whatever
you think about WikiLeaks -- and
-
government transparency, and I myself am a
huge fan of transparency -- there's
-
clearly something subversive and
manipulative about just one side being
-
targeted, and being targeted by other
foreign nations, and having its dirty
-
laundry aired for the world to see. This
is subverting the entire notion of
-
transparency, turning our need for true
information about politicians against us
-
and manipulating the entire process. John
Podesta, since his e-mails were all leaked
-
to the public, well, we can go and see the
phishing attack e-mail that got his
-
password, and here it is. So this mail
sent to John Podesta claims to be from
-
Gmail saying that someone has tried to
sign in with his password and he urgently
-
needs to change it by clicking here. Well
he did click there and Russia got his
-
password. We also see his staff talking
about this e-mail and one of his staffers
-
recognized that this was a phishing
attempt and emailed urgently telling John
-
Podesta to change his password immediately
but he typo'd. In dashing out this e-mail
-
he wrote that this is a "legitimate
e-mail". He has subsequently claimed every
-
time he's talked about it that he meant to
write "illegitimate" not "legitimate".
-
Well, the rest is history. A couple of
extra letters might have changed a lot. So
-
beyond the e-mail leaks we've seen an
orchestrated campaign on social media
-
through trolls and false identities to try
to manipulate people's opinions, to try to
-
create political divisions between people,
to try to amplify certain discordant
-
messages. That could be a whole talk in
itself, and I'm not going to go deep into
-
the trolling and message amplification,
but it's a subject that is an ongoing form
-
of attack that again turns our tools of
communication against us. People need to
-
know whether the information they're
reading is really what other people they
-
know and are like them think, or whether
it's being generated by bots, by attacks.
-
Alright this kind of artificial
amplification and manipulation of
-
messaging turns us against each other.
Finally, and the category of attacks that
-
I want to talk about most today because I
think they're the most relevant for our
-
community, are attacks against election
infrastructure itself: the increasingly
-
computerized systems that we use to run
elections, not just in the US but in
-
countries around the world. There were
attacks against voter registration systems
-
in states across the country, organized by
the same Russian groups. There were
-
attacks against companies that make
technology used in polling places. In all,
-
the intelligence assessment is that up to
21 states had their voter registration
-
systems probed. Now of course how can you
go back in time and know for sure that
-
others were not probed, were not
compromised. That's very difficult, even
-
if you are, say, the NSA and are watching
everyone's network traffic. However we
-
know that in multiple states the attackers
got in through SQL injection, through
-
other attacks, and were able to steal
hundreds of thousands of voters'
-
registration records. More information
came out later in 2017 through leaked
-
information from NSA. So this woman,
Reality Winner, an NSA contractor, leaked
-
to the Intercept a series of intelligence
assessments that showed the Russian
-
attacks went even farther, that they
executed attempts to break into the
-
computer systems of at least one election
computer software vendor, and then after
-
breaking into their systems started trying
to fish their way into the computers of
-
local election administrators, the people
who actually run the technology on
-
Election Day. For sharing this information
with us Reality Winner is currently
-
serving a five year prison sentence for
violating the Espionage Act. But the
-
information that she leaked has since been
corroborated. In July of this year
-
prosecutors in the Special Counsel's
office -- this is the Robert Mueller
-
investigation of Russian interference and
collusion -- indicted a set of GRU
-
officers, Russian military officers, in
conjunction with the voter registration
-
system attacks, the theft of email from
the Democrats, and the attempts to indict
-
local election officials. If you're
interested in this stuff I highly
-
recommend you read this indictment. It's
about 20 pages of very detailed
-
information asserting to apparently
detailing exactly who these people were
-
where they worked what they did. Step by
step.Now it's scary to think that we might
-
have such detailed information about
crimes that took place in the past. It
-
doesn't say how we learned, for instance,
that this certain officer, Anatoly
-
Kovalev, was working for unit 74455 of the
GRU at 22 Kirabo Street Building, the
-
tower, and quite how he pulled off each
step in the attack that's asserted here.
-
But as the Mueller indictments advance, as
the special prosecutor's case comes
-
together, we're likely to learn a lot more.
And what's to come in 2018 as the Mueller
-
investigation winds down, I think we're
going to learn a lot more about quite who
-
ordered what, about who in the United
States was involved, and about whether the
-
attacks went even further than we have so
far discovered. So that's 2016
-
and what we've learned about 2016,
but I'm here today to give you a
-
progress report on 2018. So what happened
during the 2018 election? Well we saw
-
several things during the November
election this year. According to
-
intelligence, once again, we have
allegations of continued social media
-
influence operations, this time allegedly
linked to not only Russia, but China and
-
Iran. Now I think it's very difficult to
independently comment and establish on
-
whether these allegations are true or even
to understand the full extent of the
-
social media involvement, because it's
just a small set of large Internet
-
companies that have the raw data that we
need to analyze. However the best reports
-
we have are these assessments from the
intelligence community that the social
-
media influence is ongoing. We also saw
sporadic breakdowns of voting machines.
-
Now patterns of breakdowns of voting
machines could be the indication of an
-
attack. But in 2018 all of them seem to
have perfectly natural explanations. In
-
New York City for instance many optical
scan machines broke down and jammed and
-
caused long lines but apparently it was
because it was raining and that causes the
-
paper to swell a little bit, these
machines to mis-feed and so on. So this is
-
probably just natural failure. We also had
unfortunate human error for not the first
-
time. An election in Florida potentially
had the result changed because of very bad
-
usability design in just the layout of the
ballot. So in Broward County, Florida
-
3.7 percent fewer voters cast a vote at all
in the U.S. Senate race than the race for
-
governor. This was potentially enough
because of the demographics of Broward to
-
change the outcome of the Florida Senate
race. Here's why: Here's the ballot. So
-
this is the race for governor, which most
voters filled out, as you would expect.
-
Right down there underneath that long
column of instructions is the U.S. senator
-
race. So you imagine this ballot. It's
much larger than a normal piece of paper.
-
At the bottom of that is hanging off your
desk as you're filling it in. I can see
-
how 3.7 percent of voters might have
completely missed that race in the first
-
column. Finally we had the old-fashioned
political fraud. In North Carolina a race
-
for the House of Representatives was
decided by only about 900 votes. But it's
-
come out since then that operatives
working for the Republican candidate
-
allegedly stole or manipulated a large
number of absentee ballots, and the
-
candidate there hasn't been certified yet,
it likely won't be seated on time. There's
-
multiple investigations going on into
exactly what happened, but it goes to show
-
you that political fraud is a reality. And
even outside the domain of computers it
-
continues to this day. Now if you can
imagine an election can be changed by just
-
a few people working on the ground, going
around collecting people's mail in ballots
-
and promising to return them for them,
well imagine what nation state attackers
-
could do to a vulnerable and highly
computerized online infrastructure. But on
-
the whole 2018 was, well, eerily quiet. But
if we go back to 2016... so the U.S. Senate
-
Intelligence Committee, a bipartisan group
controlled by Republicans in the Senate,
-
issued its report earlier this year about
2016. They pointed out that they found
-
that in a number of the states where
Russia attacked the registration systems,
-
the Russian hackers were in a position to,
at a minimum, alter or destroy the voter
-
registration data, which, if undetected,
would have caused massive chaos on
-
election day when people showed up to vote
and were told that they weren't on the
-
election rolls. But those attackers chose
not to pull the trigger. And I think
-
that's exactly what happened in 2018. It
was quiet, not because we've adequately
-
secured our election systems, but because
our adversaries this year chose not to
-
pull the trigger. They're waiting for the
bigger prize in 2020 when we're likely to
-
once again have a close and divisive
presidential contest. So what do I worry
-
about? What I worry about most is not the
last war -- registration systems, all of
-
that -- but the bigger prize: the 2020
election and the vulnerabilities in the
-
way that we cast and count votes in the
U.S. Now I testified about this in 2017 to
-
the Senate Intelligence Committee and --
that's actually not me. that's that's
-
former FBI Director Comey-- but two weeks
later I was sitting in the same chair with
-
far fewer TV cameras and testified that
the real lesson of 2016 is that the
-
threats are real and that the attackers
will be back. And this is the picture I
-
painted: so U.S. voting machines have their
own extreme set of vulnerabilities. I was
-
going to bring one of these machines,
AccuVote TSX with me here today. This
-
machine is still used in many parts of the
U.S., but my machine has been in Germany
-
for about a week and FedEx doesn't know
where it is. So if it shows up I'll have
-
it somewhere for people to play with, but
my advice is if you have to ship something
-
urgent to Germany don't send it via FedEx.
What I would have shown you though is a
-
mock election on this machine and the mock
election I always like to do to keep it
-
from getting too political is between
George Washington, the father of the
-
country, and Benedict Arnold, the traitor
of the American Revolution. And of course
-
everyone likes to vote for George
Washington. But these machines are so
-
vulnerable. So I would have shown you an
attack whereby I can compromise this
-
machine and cause it to report the wrong
election outcome without having any direct
-
physical access to the voting machines.
Instead all an attacker needs to do is be
-
able to infect these memory cards that
election officials use before every
-
election to program the machine with the
design of the ballot -- that is, the
-
races, the candidates, the rules for
counting. If an attacker can infect the
-
memory card there are a whole host of
different ways that the attacker can
-
compromise the machine and install malware
on the voting machine itself. There is an
-
unauthenticated software update mechanism
that can replace the election software.
-
There are buffer overflows in the code
that's used to read the ballot design and
-
process it. There's even an interpreted
programming language that's used to
-
generate the reports of who won. So you
can just replace the honest counting
-
software with dishonest counting software
right on the memory card, and that's what
-
will get executed and determine the
election results. Any of these ways would
-
be sufficient. So when the machine counts
the votes at the end of the election it
-
prints out a little cash register receipt
that becomes the official record of the
-
result. That's controlled by the
interpreted programming language on the
-
memory card. And on my machine, no matter
who you vote for, Benedict Arnold is going
-
to win. And that's because the malware I
install via the memory card is in complete
-
control of the election results. And there
are more problems than that. So these
-
voting machines like the AccuVote TSX have
been studied by academic researchers, by
-
independent researchers, by groups
commissioned by secretaries of state in
-
various states around the country. And
every time the same machine is studied
-
again, groups find new vulnerabilities.
This is part of the table of contents from
-
a report I helped to author ten years ago
about the AccuVote TSX, and you can see
-
just this one page of several pages of
vulnerabilities in this single machine.
-
These things are so poorly designed;
they're so complex. Each of the voting
-
systems has on the order of a million
lines of source code. And that's on top
-
of, in this case, on top of an old and
unsupported version of Windows CE. There's
-
no way that these things could possibly be
secure. But the AccuVote TSX is still used
-
in 18 states. In many of these states it's
still used with software that predates
-
that 2007 report I just showed you. We've
had known buffer overflows and other
-
problems in this firmware for more than 10
years and some states still have not
-
updated the software. That's how bad it
is. But it's not just that one machine. So
-
in the US every state gets to pick its own
election technology. There are no federal
-
rules that requires states to do any
particular kind of technology or testing,
-
and you might ask, especially from the
European perspective, why don't we just
-
count votes by hand like a civilized
country. Well here's part of the answer.
-
This is one example of a ballot from one
part of the country and it's eight pages
-
long. We insist on voting for not only the
federal races but the state and local
-
races and even city races. The joke is
even for dog catcher. And this complexity,
-
well, the counting ballots by hand scales
linearly with the number of questions and
-
our ballots by tradition are just too
complicated to efficiently count manually.
-
So we turn to computers, and about half
the country-- well, really there are two
-
different styles of voting machines that
we use. Some of them are optical scanners
-
where the voter fills in a piece of paper,
and it gets scanned in by a computer. The
-
rest are touch screen machines and others
that we call DREs -- direct recording
-
electronic. On these machines voters cast
a vote on the screen; it gets recorded in
-
electronic memory; some of them will also
generate a print out of each vote, but
-
that's relatively rare. In many cases the
only record of the vote is in a computer
-
memory. So in study after study these
machines have been examined, and in every
-
case, for both the optical scanners and
the DREs, where a machine has been tested
-
by qualified people, well, it's been found
to have vulnerabilities that would allow
-
an attacker to install vote stealing
malware and change the electronic results.
-
Every single case. So how hard would it be
to go from hacking these individual
-
machines to say changing the results of a
presidential election? Unfortunately much
-
easier than we might think. There'd be
three challenges to doing this in a way
-
that would likely be invisible. The first
challenge is that the machines are, well,
-
many different types. They're diverse;
they're decentralized. Each state's system
-
is independent, and thank goodness! Because
that means that we don't have just a
-
single place you can hack into to change
results nationwide. Unfortunately, because
-
of our electoral college system, this
diversity of technology can turn into a
-
weakness in very close elections. So
remember I said that just any three of six
-
states, for instance in 2016, would have
been sufficient to flip the outcome of the
-
presidential election. Well before an
election an attacker can scan all the
-
states, figure out which ones are most
weakly protected, and, if they can find
-
enough weakly protected ones to strike in,
that could be sufficient to change the
-
national results. So the attacker gets to
pick and choose, because our diversity of
-
technology also means a diversity of
strength and weakness. The second
-
challenge is that, as election officials
often point out, the voting machines
-
aren't connected to the Internet, or at
least they're not supposed to be. It turns
-
out that some of them are, because they
upload their results over a 4G cellular
-
modem right after election results are
complete. But let's just suppose they're
-
not connected to the Internet. All right.
It turns out that's still not enough to
-
protect us. So as I said before every
election every single voting machine in
-
the country has to be programmed with the
ballot design and that ballot programming
-
is created by election officials on a
computer workstation somewhere, usually an
-
old Windows PC. Those computer
workstations can sometimes service an
-
entire county, sometimes an entire state.
Sometimes they're controlled by
-
independent external contractors that can
perform work across multiple states. And
-
if an attacker can infiltrate one of those
systems they can spread vote stealing
-
malware on the memory cards to voting
machines across the whole region. So how
-
hard would it be to break into one of
these systems? Well in Michigan, my state,
-
in 2016, about three quarters of counties
outsourced this programming to just three
-
small businesses. These are 10-20 person
companies operating in strip malls and so
-
forth -- the same companies that the
jurisdictions buy their ballot boxes and
-
"I voted" stickers from. Here's the
website of one of them. You can see it
-
doesn't have HTTPS, has lots of nice high
resolution photos of their warehouse in
-
case you want to burglarize it, and,
probably most interestingly to an
-
attacker, they have this nice employee
directory with everyone's name,
-
photograph, job title, and email address.
So if I wanted to break into elections in
-
Michigan I might start by, say, forging an
email from Larry the president there to
-
Sue his administrative assistant and say I
urgently need you to open this file. After
-
she does, of course, it installs my malware
on their network, I'm in. I'm one step away
-
from the election programming system and
spreading malware to machines across a
-
quarter of the state. All right, there's
one more challenge. And that's that today
-
more than 70 percent of US votes are
recorded on a piece of paper. And this is
-
great! This is much more than ten years
ago because officials have been listening
-
to computer scientists and security
experts who have been warning about the
-
dangers of fully electronic voting. And
paper might seem like a step backwards,
-
but it's actually a pretty high tech way
of thinking. In any kind of critical
-
system, if we can afford to have a
physical failsafe in case of technology
-
problems it's a good idea to do that. This
is why if you fly on a commercial
-
aircraft... well, it has a very fancy
satellite-guided navigation system, but
-
also, by law, there's a magnetic compas in
the cockpit. It's also why in your
-
car...well you probably want to have a
mechanical linkage between the brake pedal
-
and the brakes just in case... well, you
know. So paper can be a very sophisticated
-
defense. It's relatively slow and
expensive to tally, but it's something
-
that's verified by the voter and that
can't be changed later in a cyberattack.
-
Meanwhile we also get an electronic record
from systems like optical scanners that's
-
fast and cheap to tally, but unverified.
As long as we make sure that these records
-
agree well then changing the election
result would require you to change the
-
electronic record through a high tech
attack. And the paper records through a
-
low tech attack and in a way that
agrees, and that would require a truly
-
extraordinary conspiracy. And to check
that the paper is right... Well we have
-
high tech approaches to that too. You
don't have to count all of it. In fact
-
over the last ten years computer
scientists and statisticians have
-
developed very sophisticated ways of just
spot checking the paper record to make
-
sure that it's right and these are called
risks limiting audits. A risk limiting
-
audit is a statistical process in which
you can count randomly selected ballots
-
until you establish with high confidence
that hand counting all of them would
-
determine the same winner. There are many
ways to do this but they all turn out to
-
be, or many of them turn out to be
incredibly efficient. In a typical state
-
with a fairly wide margin of victory just
spot checking a handful of ballots might
-
be enough to establish with high
confidence that the winner really did win
-
by a landslide. Of course if the election
result is a tie, logically you do have to
-
look at all the ballots to establish that
it is indeed a tie. So the amount of work
-
you have to do depends on how close the
election was. But in all cases you can
-
find an efficient approach to determining,
without trusting the computer systems,
-
that the paper really does reflect the
true winner. Unfortunately, well, most
-
states don't do risk limiting audits. In
fact most states don't look at enough
-
paper at all to determine that the winner
of a close election was genuine. So
-
hacking a national election would probably
be easier than most of us thought. You can
-
use pre-election polls and scanning to
determine which states to target, hack
-
into the election management systems in
the most weakly protected ones, then
-
infect voting machines with malware to
change, say, a few percent of the vote.
-
The paper records might catch the fraud,
but you can rely on the fact that most
-
states will throw it away without looking
at enough of it to determine who actually
-
won. And that's the sorry situation that
unfortunately in 2018 we are still in. So
-
since 2016, however, there has been a
change in mindset. Increasingly election
-
officials have been listening to the
scientific community when we say you need
-
a paper trail, and they're starting to
think that that is correct. Almost all
-
states that don't have paper trails today
at least have people strongly advocating
-
for replacing the equipment that's there.
And most other states, well, they at least
-
have people starting to look into the
security and testing the security of other
-
election related computer systems, like
their voter registration systems, to make
-
sure that they're shored up. Now you don't
have to take it from me that paper ballots
-
and post election audits are the way to go
to secure our election systems. Just this
-
fall the National Academies of Science
Engineering and Medicine -- the authority
-
on scientific advice to government --
released a report with their highest level
-
of advice -- a consensus report -- urging
the adoption of paper and risk limiting
-
audits, pointing out that this is a
pragmatic, robust, and necessary defense
-
for elections. This report was written in
conjunction with election officials.
-
People with experience administering
elections and it just goes to show you
-
that at least the election officials who
have taken the time to understand the
-
threat are waking up and starting to pay
attention to the path to a solution. The
-
problem is that that solution will take
time to implement. And if we look at which
-
states still don't have a paper trail, it
turns out that there are 14 where some or
-
all votes still aren't recorded on paper,
and it's going to take between 130 and 420
-
million dollars according to credible
estimates to replace all the machines
-
still in those states. Some of them like
Pennsylvania are working to do that now,
-
but in other states there still are no
plans in effect to get rid of the
-
vulnerable machines. If we look at the
national map for post-election audits
-
though the picture is a lot worse. And
this is what concerns me most. Although
-
many states in 2018 did small pilots of
risk limiting audits, the majority of
-
states still do not conduct audits that
can rigorously guarantee the electronic
-
results of an election. And many still
have no plans to do so in time for 2020.
-
Because risk limiting audits are so
efficient, the cost for auditing
-
nationwide is ridiculously small. It would
cost according to my estimates less than
-
25 million dollars a year to audit every
federal race nationally, potentially a lot
-
less than that. But it requires
organization on the ground. And
-
unfortunately in our system operations on
the ground are conducted by about 13,000
-
local jurisdictions on Election Day. We
need national leadership. We need much
-
more dispersed expertise in order to get
these protections in place, because if you
-
don't actually look at the paper you might
as well not have it in the first place. So
-
this year did see some movement in
Congress. In the spring, as part of the
-
omnibus appropriations process, Congress
gave the states 380 million dollars in
-
emergency election funding in order to
start working to secure their registration
-
systems and polling places. This was great
in that it was money available
-
immediately, and if you've been paying
attention, getting Congress to do much of
-
anything these days is pretty hard. On the
other hand the money came with very
-
limited oversight, with no standards about
how that money should be used, and isn't
-
even enough to eliminate all of the
paperless machines because of the way it's
-
spread out amongst the states. But it's an
important first step. We can look at a few
-
of the states to see how they're doing,
and I pick these as a representative
-
sample of the diversity of progress.
Maryland, for instance, which until 2016
-
used AccuVote touch-screen machines,
vulnerable to all of those problems I
-
talked about, finally replaced the
machines with paper ballots. That's a huge
-
step forward. Unfortunately Maryland,
instead of auditing them by having people
-
look at the ballots, decided it would be
more efficient to audit them by having
-
people look at digital scans of the
ballots from the voting machines. As I
-
think everyone in this room probably
realizes, but maybe some in a broader
-
audience would not, it's pretty easy to
manipulate digital photographs. In fact I
-
have work from students in an
undergraduate security class I taught this
-
term who implemented a machine learning
algorithm that can take scans of ballots
-
and just automatically change the marked
results to produce whatever outcome you
-
want, and we'll have more on that in
a publication this spring. But
-
unfortunately these audits are security
theater. They might catch human error, but
-
they're not going to catch a sophisticated
attacker who has the ability to manipulate
-
how the machines are reading the ballots,
and can be easily fooled by malware. So I
-
give Maryland on the whole maybe a "C".
Pennsylvania, another state that just two
-
years ago during the recounts was
practically a laughing stock of the
-
country for its lack of paper records of
votes and its byzantine rules about
-
recounting them, well, today is making
really good progress. The state recently
-
committed to replacing all of its
paperless machines with paper ballots in
-
time for the 2020 election, and it's
committed to implementing robust
post-election audits by 2022. Unfortunately,
election audits by 2022. Unfortunately,
2022 is going to be too late to secure the
-
2020 presidential election, and this just
emphasizes the need to get moving more
-
quickly. There were also questions about
whether the auditing regime they implement
-
will be truly statistically rigorous.
There are a lot of details to get right,
-
but on the whole, Pennsylvania has made so
much progress. I think out of sympathy I
-
can give them a "B". All right, now let's
look at a top performer. This is the state
-
of Colorado. Colorado has become a leader
in election security, because not only
-
does it have paper ballots statewide
(largely vote by mail, which has its own
-
problems, but that's a subject for later);
Colorado also was the first state in
-
the country to implement these
statistically robust risk limiting audits
-
statewide and has been doing it since
2017. They've got both of these critical
-
protections in place, and yes, they
actually do choose the random seed for
-
sampling the ballots during the risk
limiting audit by rolling a set of
-
10-sided dice. So that's a great way to do
it in a public ceremony. So Colorado gets
-
an "A". They're very well protected by
these standards. Then there's Georgia. So
-
Georgia in 2018 voted statewide with the
AccuVote TSX voting machine, the one that
-
FedEx has that I've hacked. They haven't
updated this software in their AccuVote
-
TSX machines since 2005, and they claim
that the machines and their election
-
programming systems are air gapped. But
during a court hearing about this earlier
-
this fall their head of elections
described that their system was air
-
gapped. Yes it's perfectly secure. It's
air gapped. The only way you can get into
-
it is through the bank of modems attached
to it. It's air gapped except the bank of
-
modems. Also it turns out he programs it
by moving a USB stick back and forth from
-
his personal laptop.
sigh
Georgia also of course doesn't have robust audits,
-
because, well, meaningful post election
audits would require a paper trail, and
-
none of those machines have paper. This
alone would be enough to give Georgia an
-
"F". Except there's one more thing: their
voter registration system also was shown
-
in 2018 to have some problems. So you're
not going to believe this story. One more
-
story. So in Georgia they do online voter
registrations through a Web site. And in
-
2018 just a few days before the election
the Georgia Democratic party learned from
-
one of its-- from someone working for
them, from a volunteer, about a series of
-
vulnerabilities in this voter registration
system. Well, it turned out that you could
-
read and manipulate anyone's voter
registration records just by changing a
-
sequential ID number in a particular URL.
There was another URL for viewing a sample
-
ballot, that if you just change the path
of the file it pointed to you could read
-
any file on the server's filesystem. Well
these are pretty bad problems, right? Even
-
though Georgia apparently had gone through
the process of having a security
-
assessment of its registration system
performed and didn't catch these, well...
-
So the Democrats less than five days
before the election learned of these
-
problems and disclosed them to the
Secretary of State's office which is
-
responsible for running the election
system. There is Secretary of State Brian
-
Kemp, who, also, it turned out, was a
candidate for governor in a very close
-
race. So not only was he running the
election system, but he was the candidate
-
in the most important race in the state
where the polls were projecting that the
-
election was going to be a dead heat. So
an hour after receiving the security
-
disclosure, Secretary Kemp's office put
out a press release with this headline:
-
That after a failed hacking attempt
they're launching an investigation into the
-
Georgia Democratic Party and they've
called the FBI on the Democrats. So...
-
Brian Kemp won the election and is now the
governor elect of Georgia. So this guy who
-
did so well handling the security of the
voting system while he was secretary of
-
state is now the head political officer of
the state of Georgia. I think Georgia's
-
"F" just might stick with them through
2020. So...
-
applause
Speaker: Thank you. So there is hope though. I
-
want to end on a message of hope, because
despite this, with all of these different
-
levels of rigor and of readiness across
the different states I believe we need
-
more national leadership, national
standards, and national resources thrown
-
into securing elections. And a bill to do
just these things made a lot of progress
-
in the Senate during the past term. This
is a bill called the Secure Elections Act
-
that was introduced by Senators Lankford,
Republican of Oklahoma, and Klobuchar,
-
Democrat of Minnesota. And it ended up
gathering a large number of bipartisan
-
sponsors, split evenly between Republicans
and Democrats. It would have required
-
states to adopt paper, to adopt strong
audits, and to adopt stronger information
-
sharing practices to let each other and
the federal government know if they saw
-
signs of people trying to break in. This
bill made it a long way, but unfortunately
-
got stuck in the committee after some
opposition from the White House just days
-
before it was going to be marked up and
hopefully then made its way to the
-
floor. But this shows that bipartisan
cooperation is possible even in this
-
Congress, and that there are a lot of
serious people who now realize that
-
election cybersecurity is a matter of
national security and defense. I think in
-
the next Congress there's a good
possibility that we will see effective
-
legislation to provide national standards
and leadership for elections. But it's a
-
question of threading a political needle
and getting Congress to act. So to defend
-
our elections we don't need rocket
science. We need simple steps like
-
applying security best practices and
expertise to secure registration servers,
-
adopting a paper record of every vote, and
applying simple post-election audit
-
techniques to make sure the paper record
is right. If we do these things well we'll
-
have a much more robust and evidence-based
election system that can detect and
-
recover from attack attempts.
Unfortunately today our dialogue about
-
elections isn't based on evidence. It's
largely based on faith: on faith in the
-
democratic process, on faith in the people
and the technology that's responsible. But
-
I think voters deserve better. Voters
deserve, if they're reasonably skeptical,
-
to have it proven to them that the
election result was right, and that is
-
possible with simple and practical
technology that we have today. All it's
-
going to take is national leadership to
make sure that all states, even states like
-
Georgia, adopt the necessary protections
soon. So what can you do? Well as a hacker
-
or a computer scientist you can work with
your election officials to help explain
-
the technology, the threats, and the
defenses. You can work to explain the
-
threats to the public, because we all need
to understand, just as a matter of modern
-
civics, how elections can be attacked and
defended. You can work to build better
-
ways to use technology to make voting on
paper easier and more efficient. While
-
technology can help voting in a lot of
ways, just... we shouldn't trust it as the
-
only way in which votes are counted and
results are determined. And as a citizen,
-
well, you can demand that election
authorities implement paper and risk
-
limiting audits. Get involved through
activist groups to help campaign for
-
protections like this, and especially
please urge the U.S. Congress to pass
-
legislation like the Secure Elections Act
and similar bills to make sure that
-
election systems across our country
achieve these security properties. You can
-
learn more from an online course I have
for free on Coursera called Securing
-
Digital Democracy that provides several
weeks' worth of material about the history
-
and the technology of election defenses.
But we've got to get going. It's only been
-
two years, believe it or not, since Donald
Trump became president, and it's only
-
about 22 months until the next
presidential election. It's time to get
-
moving. Thank you.
-
applause
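As an added, constructed illustration of the Colorado-style procedure the talk describes (a seed rolled on 10-sided dice in public, paper ballots sampled from that seed, and a statistical test that either confirms the reported outcome or escalates to a full hand count); this is not code from the talk, from Colorado, or from any audit software. The SHA-256 sampler, the 20-roll requirement, and the ballot manifest are assumptions made for this example.

```python
import hashlib

RISK_LIMIT = 0.05   # stop early only if the chance of confirming a wrong outcome is <= 5%

def seed_from_dice(rolls):
    """Turn publicly rolled 10-sided dice (digits 0-9) into the audit seed.
    Requiring 20 rolls is an assumption for this example; a short seed
    would leave the sample predictable and therefore attackable."""
    if len(rolls) < 20 or any(not 0 <= d <= 9 for d in rolls):
        raise ValueError("need at least 20 dice rolls, each a digit 0-9")
    return "".join(str(d) for d in rolls)

def sample_ballot(seed, draw, num_ballots):
    """Map (seed, draw number) to a position in the ballot manifest.
    Hashing seed and draw with SHA-256 is a constructed, simplified sampler:
    anyone holding the public seed can recompute exactly the same sample."""
    digest = hashlib.sha256(f"{seed}:{draw}".encode()).digest()
    return int.from_bytes(digest, "big") % num_ballots

def hand_count_winner(ballots):
    """Full manual tally: the escalation every risk-limiting audit must allow."""
    tally = {}
    for b in ballots:
        tally[b] = tally.get(b, 0) + 1
    return max(tally, key=tally.get)

def ballot_polling_audit(ballots, winner, loser, reported_share, seed,
                         risk_limit=RISK_LIMIT):
    """BRAVO-style ballot-polling risk-limiting audit for a two-candidate race.
    ballots: the paper ballots as a human reader would interpret them.
    reported_share: the winner's reported fraction of valid votes (> 1/2).
    Each sampled winner ballot multiplies the test statistic by 2*reported_share,
    each loser ballot by 2*(1 - reported_share); blanks and overvotes leave it
    unchanged. Reaching 1/risk_limit confirms the reported outcome; using up
    the draw budget escalates to a full hand count, whose winner is returned.
    Returns (status, draws_used, hand_count_winner_or_None)."""
    if not 0.5 < reported_share < 1:
        raise ValueError("reported winner share must lie in (0.5, 1)")
    n = len(ballots)
    statistic = 1.0
    for draw in range(1, n + 1):            # budget: one draw per ballot
        ballot = ballots[sample_ballot(seed, draw, n)]
        if ballot == winner:
            statistic *= 2 * reported_share
        elif ballot == loser:
            statistic *= 2 * (1 - reported_share)
        if statistic >= 1 / risk_limit:
            return ("confirmed", draw, None)
    return ("full_hand_count", n, hand_count_winner(ballots))

if __name__ == "__main__":
    # Constructed public ceremony: 20 dice rolls read out in front of observers.
    seed = seed_from_dice([3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3, 2, 3, 8, 4])
    # Constructed manifest: 10,000 paper ballots, 5,500 for A, 4,400 for B,
    # 100 blank, roughly matching a reported 55% share for A.
    ballots = ["A"] * 5500 + ["B"] * 4400 + [""] * 100
    print(ballot_polling_audit(ballots, "A", "B", 0.55, seed))
```

Because the seed is public and the sampler is deterministic, any observer can recompute which ballots were pulled, which is what makes the dice ceremony worth holding in front of cameras.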
-
Herald Angel: thank you very much. What I
got from this talk is it takes 27,400
-
people, so we have to scale up Congress.
We're going to do a Q&A. And I think we'll
-
just start with Mic number two
because I can see that one.
-
Question: Thanks for the great talk. What
if someone targets the-- Mic problems
-
Mumbling
Herald: Um, we need mic #2 live.
-
Question: Does this work? Hello?
silence
-
Angel: Try again
Question: Hello? Ok great. Thanks for the
-
great talk. What if someone targets the
randomness in your risk-limiting audit?
-
Question: Doesn't that pose a vulnerability?
Speaker: Oh yes. Definitely you need to have
-
secure randomness in whatever auditing
method you're doing if it's going to be by
-
a statistical sampling. That's one reason
why the auditing techniques that Colorado
-
practices, they actually have a public
ceremony in which officials throw dice in
-
front of TV cameras in order to pick the
random seed. But a lot of thought has to
-
go into designing that process well, so
that it's not only truly random but also
-
something that people can know and believe
is truly random. Thank you.
-
Angel: OK Mic number six
Question: Thank you so much for the talk.
-
You spoke about how in Georgia the
disclosure of vulnerabilities was
-
punished, almost. Is there any talk or
movement towards having something like bug
-
bounties for election systems?
Speaker: Yes in fact there is another bill
-
that was introduced in Congress that would
do just that, and establish a kind of bug
-
bounty program. I'm not sure that that
idea yet has a lot of legs, but I think it
-
would help. I think right now though we
don't really need all that much more
-
incentive for people to want to try to
help secure democracy. A lot of people,
-
including I'm sure a lot of people in this
room, would gladly volunteer to do so. We
-
need a way of organizing that effort and
making sure that people can discover and
-
report problems without fear of having it
turn into some political weapon to be used
-
against them.
Angel: Mic number one
-
Question: Hey thanks for the talk. Like
the case in Georgia doesn't sound that
-
terrible because like in Lithuania a couple
of years ago we had this issue where you
-
didn't even need to change the URL, you
just had to refresh the page and there
-
you go. You have the information about a
different citizen. My question is, like,
-
what if the paper trail leads to the
knowledge that the election was rigged in
-
some particular area like two years after
the election or like one year after the
-
election? What happens then? Does it
change anything?
-
Speaker: A year or so after an election
would be a great catastrophe if we only learned
-
then that the political leaders were not
legitimately elected. We don't really have
-
any precedent for that. That's why the
recommendation and what some states like
-
Colorado are starting to do, as they
implement stronger audits, is to make
-
sure the audits are completed as soon as
possible, ideally before the election
-
results are certified. I recently came out
with a paper with Philip Stark and Ron
-
Rivest that gives an audit system that you
can start doing even the moment polls
-
close on election night and perhaps have,
in a not so close election, a full complete
-
audit by the time results are announced on
election night. So it's possible to do it
-
quickly with sufficient organization.
Angel: OK. Microphone number 8
-
Question: Hi I'm curious about the
attribution of attacks. Is there possibly
-
any instance at which you would be not
sure that it was Russia that performed the
-
attacks, or maybe it was China. So how do
you know that it was exactly Russia, or
-
China or India?
Speaker: So all we have to go by really is the
-
assertions of our intelligence agencies in
the U.S. and in some cases like for the
-
Democratic National Committee breaches the
assertions of private security firms that
-
were involved in the investigations. I
agree with you, attribution in general is a
-
darn hard problem. But if you're willing
to accept the credibility of the
-
intelligence reports and read between the
lines just a little bit it looks like the
-
reason, the basis for their attribution, is
largely not technical but based on
-
intercepted communication of people who
were involved in organizing the attacks in
-
Russia. And I think more information about
that is likely to come out as the Mueller
-
investigations proceed. So I mean there's
some necessary grain of salt. You can see
-
what incentive people might have to try to
trump up, so to speak, the involvement
-
of Russia. But you can also see in the
current political climate why at least the
-
executive branch would have a reason to
try to tone down allegations of Russia's
-
involvement. So you'll have to interpret
the weight of the evidence as you will.
-
Angel: OK, the last question
from the Internet.
-
Angel: We're running out of time. Sorry.
Question: Has any organization or group
-
unveiled a voting machine designed to
address all of the security issues that
-
you have brought up here? Is there a
solution to the problem?
-
Speaker: I'm sorry could you repeat the
beginning of that question?
-
Question: Has any group or organization
unveiled a voting machine that is designed
-
to address all of those security issues
that you have brought up?
-
Speaker: OK so there are efforts to
develop voting machines that are based on open
-
source software, that are based on better
validated software. Ben Adida, a researcher
-
in this area who has done a lot of great
work is one person who's recently launched
-
an effort to do that, although there are
others. And I think that will help. But at
-
the end of the day I think however
well-designed the software in our voting
-
machines is, that can raise the bar for
attacks, but it's never going to be enough
-
to also be able to convince skeptical
voters that everything is OK, because,
-
well, among other things, how do you know
that that software is really what's
-
running in the machines that are counting
your votes? So there's a lot we can do to
-
make voting machines better. At the end of
the day they're also going to have to have
-
that paper trail and those statistical audits
so that everyone can believe the results.
-
Angel: Thank you very much.
That concludes the talk.
-
Speaker: Thank you.
applause
-
Angel: I think you'll be around for a few more
answers on the Congress, so everybody who
-
is here can ask questions in person.
Speaker: I will and hopefully tomorrow
-
there'll be a Diebold voting machine
somewhere around here for everyone
-
to hack themselves. Thank you again.
Angel: Let's hack that thing.
-
postroll music
-
subtitles created by c3subtitles.de
in the year 2018. Join, and help us!