In this special new blog section, “Election Security”, we will be reporting on the biggest security-related issues and challenges facing our election systems today. Stay tuned for regular coverage, insights and perspectives on election security in the coming weeks.
In 2006, Hugh Thompson was featured in the HBO documentary film called “Hacking Democracy.” The film, which was nominated for an Emmy, focused on the technology powering e-voting machines. How did the systems work? How did the votes get tallied? What were the strengths and weaknesses?
Unfortunately, most of the problems that Thompson and his colleagues spotlighted still plague electronic voting systems today. As fall beckons, so do the much-anticipated off-year elections. But is the system ready to withstand attacks from groups seeking to tamper with the vote count?
Thompson, who became Symantec’s Chief Technology Officer a couple of years ago, sat down recently with CNBC to talk about election security. The following is an edited transcript from that conversation.
Q: What’s your biggest disappointment about the way election security has been treated?
I’d say that national attention to election security has been very episodic. That’s the nature of the problem. The majority of people only think about voting security just before an election, and after it’s over, they don’t. The security community has found a whole bunch of big problems but no sustained energy and attention to get them fixed. There are a lot of problems today that are the same problems we had in previous years’ elections.
Q: Before the last election, Samir Kapuria demonstrated how a machine could be tampered with and could potentially create some distrust. What’s changed since then?
Not much. Maybe nothing. There’s little education around that aspect of security - both for poll workers and for officials in charge of elections. If you asked me what’s changed between now and 10 years ago, I’d say that the problems are pretty similar - similar systems with similar challenges, and our voting systems haven’t made a lot of progress.
Q: Before the last election, there was an attempt to hack the voter roll. How are the secretaries of states and boards doing?
Recently there’s been a lot more attention. I think it’s great that attention is being drawn to the end-to-end processes around voting integrity and security. Also, the Department of Homeland Security has stood up resources and offered to help states defend their voting infrastructure. So, in that respect, there’s been progress. But, more than ever, these systems are being connected in ways where it’s unclear what risks those connections introducing into the process. Many of these systems weren’t initially designed with the idea that they may one day be connected to untrusted networks or potentially to the Internet. As connectivity has grown over time, there’s more risk that a person with malicious intent can gain access.
Q: How are we doing in terms of securing the infrastructure?
There’s an assumption that paper will cure all ills. A problem we face in some of these voting systems is not just attacks against electronic machines that don’t have a paper trail. One of the hacks shown in Hacking Democracy involved manipulating the memory cards on optical scan machines. You can actually scan in a massive stack of paper ballots, but what’s happening behind the scenes is that the votes are being subtly altered by the scanning machine itself. The weak link stems from the connection between the integrity of the vote that was captured in those paper ballots and what vote totals ultimately got delivered to the county office. We need mechanisms we can audit.
Q: Last election, Symantec did a security test called “Hack the Vote.” What are you doing this time?
We have folks looking at infrastructure and they’re also looking at new techniques used by attackers.
Q: Are the people working at the polls adequately educated about cyber security risks?
Most poll workers are well-intentioned people that are volunteering their time, but many of these volunteers aren’t digital natives. They can’t naturally spot the symptoms of suspiciousness. If someone walked in with a trench coat, pulled out a bunch of pieces of paper and stuffed a ballot box, that’s suspicious. But if someone lingers on an electronic voting system or inserts something into a port on the machine, how would poll workers really process that? Is that just as alarming as the person with the trench coat full of ballots? Poll worker education on security is really important, but we haven’t seen that happen at scale.
Q: What’s been done to handle issues with scanning machines?
Some of those vulnerabilities still exist. Even if they fixed the issues we talked about in Hacking Democracy, think about securing the end-to-end process. A bunch of pieces of paper scanned into one of the machines, the results get put on a card and then the card gets transported to another place. People are in charge of moving that memory card, but in most cases those people don’t innately understand the technology or how a bad actor might attempt to tamper with it and therefore don’t apply the appropriate duty of care.
Q: Final thoughts?
It is good to see increased scrutiny around election security. Hopefully this will lead to a sustainable process where we are constantly improving security practices.