Tweet
Originally posted by URL1
By Miles Parks
Sep 4, 2019
A group of guys are staring into a laptop, exchanging excited giggles. Every couple minutes there's an "oooooh" that morphs into an expectant hush.
The Las Vegas scene seems more like a college dorm party than a deep dive into the democratic process.
Cans of Pabst Blue Ribbon are being tossed around. One is cracked open and spews foam all over a computer keyboard.
"That's a new vulnerability!" someone yells.
The laptop that's drawing the most attention in this moment is plugged into a voting machine that was used just last year in Virginia.
"Right now, we're trying to develop a way to remotely control the voting machine," said a hacker named Alex.
He's seated next to Ryan, and like a lot of the hackers at the Defcon conference, they didn't feel comfortable giving their full names. What they're doing — messing around with voting equipment, the innards of democracy — falls into a legal gray area.
The voting machine looks sort of like a game of Operation. The cover is off and dozens of cords are sticking out, leading to multiple keyboards and laptop computers.
No one could get that kind of access on a real Election Day, which is when most people come into contact with voting machines for a few minutes at most. Election supervisors are quick to point out that any vulnerabilities found under these conditions aren't indicative of problems that actually could be exploited during an election.
All the same, hackers like Alex and Ryan say the work they're doing is important because it's the highest profile public investigation of the equipment U.S. citizens use to vote.
And if they can exploit it, so could government-sponsored specialists working for another nation's intelligence agency.
Governments contract with private companies to provide voting equipment and other services and there are no laws requiring any sort of breach disclosure or third party security auditing. Even the governments themselves are usually barred from hiring a security firm to investigate the machines they serve to voters.
At this year's Defcon, it was Alex's first time looking at the technology that voters use to cast their ballots — and he wasn't impressed.
The machine he's investigating is a ballot-marking device used to help people with physical impairments or language barriers vote, and it's running a version of Windows that is more than 15 years old.
"These systems crash at your Wal-Mart scanning your groceries. And we're using those systems here to protect our democracy, which is a little bit unsettling," he said.
"I wouldn't even use this to control a camera at my house. Or my toaster."
The paradox
Russian cyberattacks targeted a number of voter databases, election vendors and other such systems in the 2016 presidential election. There's no evidence anyone's vote was changed, but the Russians did compromise a few key systems and extract some data.
And less than six months before voters head to the polls in early primary states for the 2020 election, American voting is stuck in a paradox: States have spent hundreds of millions of dollars on security improvements, and yet the overall system remains vulnerable in some of the same ways it was four years ago.
Cybersecurity expert Bruce Schneier, a fellow with Harvard's Berkman Center for Internet and Society and the author of more than a dozen books, was asked how much security has improved since 2016. He cut off the question.
"Oh, we have done nothing," Schneier told NPR. "We've done absolutely nothing."
He isn't being literal, but this sentiment was pervasive at Def Con.
People who spend their lives thinking about computer security said they feel the government still isn't taking the threat of a major breach seriously enough. Congress allocated $380 million towards election improvements in 2018, but even at the time, technical experts scoffed at what they called such a low number.
Because technology is constantly changing, cyber advocates say new funding needs to arrive regularly — not as a once-in-a-decade outpouring of cash. But anxiety about election security has run headlong into broader, decades-old partisan divisions about practicing democracy.
Gridlock
Republicans, led by Senate Majority Leader Mitch McConnell, have resisted calls for large amounts of new funding or legislation.
One reason is principle: McConnell and some of his colleagues argue that Congress should not "federalize" a practice in which responsibility now rests with state and local jurisdictions around the country.
Another objection is practical: The government did a good job safeguarding the 2018 midterm elections, McConnell argues, which ran comparatively smoothly. So although the door isn't completely closed to more grants or other work by Congress, the system — in this view — is working as it should.
Critics tease that the Senate majority leader is "Moscow Mitch," alluding to supposed softness on Russia. That nickname rankles McConnell, who called it "over the top" in an interview on Tuesday with Hugh Hewitt.
The parties' differences in outlook are vast.
Oregon Democrat Sen. Wyden says the federal government should take control over how the country votes, and he disagrees with the every-state-for-itself argument.
"I'll be damned if, when we're up against the Russians and all their military and all their cybersecurity might, we're going to send out the county IT guy," Wyden told a crowded conference room, in the keynote address at Defcon.
House Democrats approved a bill earlier this summer that would authorize more than $700 million in election security grants, but Republicans in the Senate have made it clear that the bill has no future.
"Why hasn't Congress fixed the problem?" Wyden asked, rhetorically. "Two words: Mitch McConnell."
The confidence issue
In addition to the money allocated by Congress, many states and localities have also put their own resources into improving their election systems.
But experts say the system is only as strong as its weakest jurisdiction, so improvements done in a piecemeal way could just make it clearer which states and counties to target for future attacks.
The Senate intelligence committee's report on Russian election interference says one of Moscow's goals may have been to "undermine confidence in the 2016 U.S. elections simply through the discovery of their activity."
In other words: one breach, even without actually affecting overall results, can give the impression that nothing anywhere can be trusted.
The other side of that coin, however, is increased awareness.
One of the largest improvements over the past four years isn't quantifiable, says Matt Olney, the director of threat intelligence and interdiction at Cisco. He says general awareness of cybersecurity as a paramount concern for election officials makes the U.S. significantly safer heading into 2020.
"There's no conversations anymore about whether or not this is a problem," said Olney.
Paper
One glaring vulnerability — which cybersecurity experts have been talking about for 20 years, and yelling about for the past decade — are paperless voting machines.
Experts agree that these machines are insecure because they record votes electronically and could either be manipulated or malfunction without detection. They can't truly be audited and they leave room for some doubt in the result.
"[We need] paper ballots 100 percent ... This isn't hard, this isn't controversial. As scientists, we know exactly what we need," Schneier said. "Getting it done is hard."
The U.S. is improving in this area, but work isn't complete.
In 2016, approximately 20 percent of voters used electronic voting equipment that didn't provide a paper trail. In 2020, that number will be around 12 percent, according a recent report from the Brennan Center for Justice.
The largest state that was exclusively using paperless electronic machines in 2016, Georgia, is slated to replace its machines with touchscreen equipment that provides a paper record before 2020.
But even after the 2020 election, it's unclear whether there will be the urgency to overhaul the rest of the systems that are in use — unless there's another election-related cyberattack.
Just last month, Politico reported that election officials in 69 counties in Texas will either be "sticking with their existing paperless machines, some of them almost 20 years old, or buying new [paperless] ones. Several counties said they wouldn't upgrade until the state legislature mandated it."
Copyright 2019 NPR. To see more, visit https://www.npr.org.9(MDAyNDY5MjM1MDEyODE2MzMyMTZmZDQwMg001))
ARI SHAPIRO, HOST:
Remember the hanging chads that caused so much confusion in the 2000 Bush vs. Gore election? Well, since then, the federal government has spent billions of dollars to modernize voting systems. But how secure are today's systems? NPR's Miles Parks has been keeping track of this as we get ready for next year's presidential election, and he is here in the studio.
Hey, Miles.
MILES PARKS, BYLINE: Hi, there.
SHAPIRO: Let's start with defining what makes voting equipment safe. How do you draw the distinction between the good and the bad?
PARKS: So the key, according to cyber experts, is something called software independence. But this is basically just a paper trail. Basically, you want something where voters can look at their ballot before they cast it, something that if there's a malfunction or if there's a hack - a lot of these machines are more than 10 years old, and some of them do malfunction - but you want something where you're not reliant on the technology to be able to spot a problem.
And this is sort of the future of election security - not only protecting the vote, but protecting our ability to then go back and double-check the results so if there is a problem, we can fix it.
SHAPIRO: To kind of do an audit. But some voting systems today don't have that ability. They don't have a paper trail. Why not?
PARKS: Right. So this goes back to that 2000 election, where America just decided we're going to overhaul this whole thing and spend a bunch of money, buy a bunch of new electronic voting machines. But people at this time weren't thinking about security at the - kind of the front of their minds. I talked to Matt Blaze, who's a cybersecurity and voting expert at Georgetown University about this.
MATT BLAZE: Even if you asked us back then what exactly should we do to build secure voting machines, we wouldn't have really been able to tell you precisely what you needed to do. Today, we can.
PARKS: That answer comes down to paper. So there's been this push really over the last decade to get these outdated paperless machines completely out of the American voting system.
SHAPIRO: And how's that push going? How many of those machines will be around in 2020?
PARKS: So it kind of depends on who you ask, really. The Brennan Center for Justice released a report this summer that said the amount of voters who are going to be voting on these sorts of machines in 2020 has basically been cut in half since the 2016 election. And a lot of that comes from Georgia, who is overhauling their entire statewide voting system before that election.
But the number is still pretty high. It was 20% in 2016. In 2020, the Brennan Center seems to think it's going to be about 12%. That's about 16 million voters. And security advocates say this is the most low-hanging fruit in the voting world, something we've been talking about for much of this decade. A foreign adversary attacked the 2016 election, and we couldn't get this thing fixed. There's frustration there.
SHAPIRO: Right, so we know that Russia tried to hack into U.S. election systems - totally separate from the misinformation campaign. Are experts expecting more of the same or even more than we saw in 2016 in 2020?
PARKS: Well, when we look at 2016, it is important to note that there is no evidence that any vote tallies were actually changed in that attack. Attackers were able to break into registration systems and were able to steal some voter data. But the Senate Intelligence Committee did release in their report this summer and they said basically there is a possibility that what Russia was doing them in breaking into those systems wasn't attacking us. Potentially, they were intelligence gathering for a future attack.
I talked to Bruce Schneier, who's a fellow at Harvard's Berkman Center for Internet and Society, about whether he thinks 2016 was kind of the worst of the worst when it comes to cyberattacks on our elections.
BRUCE SCHNEIER: So the odds that we've seen the worst in cyberattacks in any space seems small to me. I mean, this is as bad as it could possibly get for the rest of the future of humanity? That just seems implausible, right? I mean, as soon as I say it, that seems dumb.
PARKS: So it's kind of off when you hear politicians pointing at the 2018 midterms, which went really smoothly, and saying OK, the problem is behind us; everything's fixed. According to people I've talked to, cyber experts, there's still a lot of problems still there and the 2020 election and beyond.
SHAPIRO: Miles, that sounds really ominous.
PARKS: I don't know what to tell you.
SHAPIRO: (Laughter).
PARKS: I mean, you know, we're working on it.
SHAPIRO: That's NPR's Miles Parks on election security ahead of 2020.
Thank you, Miles.
PARKS: Thank you.
(SOUNDBITE OF THE BOOKS AND JOSE GONZALEZ'S "CELLO SONG") Transcript provided by NPR, Copyright NPR.
Sep 4, 2019
A group of guys are staring into a laptop, exchanging excited giggles. Every couple minutes there's an "oooooh" that morphs into an expectant hush.
The Las Vegas scene seems more like a college dorm party than a deep dive into the democratic process.
Cans of Pabst Blue Ribbon are being tossed around. One is cracked open and spews foam all over a computer keyboard.
"That's a new vulnerability!" someone yells.
The laptop that's drawing the most attention in this moment is plugged into a voting machine that was used just last year in Virginia.
"Right now, we're trying to develop a way to remotely control the voting machine," said a hacker named Alex.
He's seated next to Ryan, and like a lot of the hackers at the Defcon conference, they didn't feel comfortable giving their full names. What they're doing — messing around with voting equipment, the innards of democracy — falls into a legal gray area.
The voting machine looks sort of like a game of Operation. The cover is off and dozens of cords are sticking out, leading to multiple keyboards and laptop computers.
No one could get that kind of access on a real Election Day, which is when most people come into contact with voting machines for a few minutes at most. Election supervisors are quick to point out that any vulnerabilities found under these conditions aren't indicative of problems that actually could be exploited during an election.
All the same, hackers like Alex and Ryan say the work they're doing is important because it's the highest profile public investigation of the equipment U.S. citizens use to vote.
And if they can exploit it, so could government-sponsored specialists working for another nation's intelligence agency.
Governments contract with private companies to provide voting equipment and other services and there are no laws requiring any sort of breach disclosure or third party security auditing. Even the governments themselves are usually barred from hiring a security firm to investigate the machines they serve to voters.
At this year's Defcon, it was Alex's first time looking at the technology that voters use to cast their ballots — and he wasn't impressed.
The machine he's investigating is a ballot-marking device used to help people with physical impairments or language barriers vote, and it's running a version of Windows that is more than 15 years old.
At @defcon and I’m still concerned for our upcoming election. This voting machine was used in Williamsburg, VA in the 2018 general election. Problem is, it’s running Windows CE 5.0 — software that is 15 years old with many known vulnerabilities. pic.twitter.com/ThYLjizTVh
— Rachel Tobac (@RachelTobac) August 11, 2019
— Rachel Tobac (@RachelTobac) August 11, 2019
"These systems crash at your Wal-Mart scanning your groceries. And we're using those systems here to protect our democracy, which is a little bit unsettling," he said.
"I wouldn't even use this to control a camera at my house. Or my toaster."
The paradox
Russian cyberattacks targeted a number of voter databases, election vendors and other such systems in the 2016 presidential election. There's no evidence anyone's vote was changed, but the Russians did compromise a few key systems and extract some data.
And less than six months before voters head to the polls in early primary states for the 2020 election, American voting is stuck in a paradox: States have spent hundreds of millions of dollars on security improvements, and yet the overall system remains vulnerable in some of the same ways it was four years ago.
Cybersecurity expert Bruce Schneier, a fellow with Harvard's Berkman Center for Internet and Society and the author of more than a dozen books, was asked how much security has improved since 2016. He cut off the question.
"Oh, we have done nothing," Schneier told NPR. "We've done absolutely nothing."
He isn't being literal, but this sentiment was pervasive at Def Con.
People who spend their lives thinking about computer security said they feel the government still isn't taking the threat of a major breach seriously enough. Congress allocated $380 million towards election improvements in 2018, but even at the time, technical experts scoffed at what they called such a low number.
Because technology is constantly changing, cyber advocates say new funding needs to arrive regularly — not as a once-in-a-decade outpouring of cash. But anxiety about election security has run headlong into broader, decades-old partisan divisions about practicing democracy.
Gridlock
Republicans, led by Senate Majority Leader Mitch McConnell, have resisted calls for large amounts of new funding or legislation.
One reason is principle: McConnell and some of his colleagues argue that Congress should not "federalize" a practice in which responsibility now rests with state and local jurisdictions around the country.
Another objection is practical: The government did a good job safeguarding the 2018 midterm elections, McConnell argues, which ran comparatively smoothly. So although the door isn't completely closed to more grants or other work by Congress, the system — in this view — is working as it should.
Critics tease that the Senate majority leader is "Moscow Mitch," alluding to supposed softness on Russia. That nickname rankles McConnell, who called it "over the top" in an interview on Tuesday with Hugh Hewitt.
The parties' differences in outlook are vast.
Oregon Democrat Sen. Wyden says the federal government should take control over how the country votes, and he disagrees with the every-state-for-itself argument.
"I'll be damned if, when we're up against the Russians and all their military and all their cybersecurity might, we're going to send out the county IT guy," Wyden told a crowded conference room, in the keynote address at Defcon.
House Democrats approved a bill earlier this summer that would authorize more than $700 million in election security grants, but Republicans in the Senate have made it clear that the bill has no future.
"Why hasn't Congress fixed the problem?" Wyden asked, rhetorically. "Two words: Mitch McConnell."
The confidence issue
In addition to the money allocated by Congress, many states and localities have also put their own resources into improving their election systems.
But experts say the system is only as strong as its weakest jurisdiction, so improvements done in a piecemeal way could just make it clearer which states and counties to target for future attacks.
The Senate intelligence committee's report on Russian election interference says one of Moscow's goals may have been to "undermine confidence in the 2016 U.S. elections simply through the discovery of their activity."
In other words: one breach, even without actually affecting overall results, can give the impression that nothing anywhere can be trusted.
The other side of that coin, however, is increased awareness.
One of the largest improvements over the past four years isn't quantifiable, says Matt Olney, the director of threat intelligence and interdiction at Cisco. He says general awareness of cybersecurity as a paramount concern for election officials makes the U.S. significantly safer heading into 2020.
"There's no conversations anymore about whether or not this is a problem," said Olney.
Paper
One glaring vulnerability — which cybersecurity experts have been talking about for 20 years, and yelling about for the past decade — are paperless voting machines.
Experts agree that these machines are insecure because they record votes electronically and could either be manipulated or malfunction without detection. They can't truly be audited and they leave room for some doubt in the result.
"[We need] paper ballots 100 percent ... This isn't hard, this isn't controversial. As scientists, we know exactly what we need," Schneier said. "Getting it done is hard."
The U.S. is improving in this area, but work isn't complete.
In 2016, approximately 20 percent of voters used electronic voting equipment that didn't provide a paper trail. In 2020, that number will be around 12 percent, according a recent report from the Brennan Center for Justice.
The largest state that was exclusively using paperless electronic machines in 2016, Georgia, is slated to replace its machines with touchscreen equipment that provides a paper record before 2020.
But even after the 2020 election, it's unclear whether there will be the urgency to overhaul the rest of the systems that are in use — unless there's another election-related cyberattack.
Just last month, Politico reported that election officials in 69 counties in Texas will either be "sticking with their existing paperless machines, some of them almost 20 years old, or buying new [paperless] ones. Several counties said they wouldn't upgrade until the state legislature mandated it."
Copyright 2019 NPR. To see more, visit https://www.npr.org.
ARI SHAPIRO, HOST:
Remember the hanging chads that caused so much confusion in the 2000 Bush vs. Gore election? Well, since then, the federal government has spent billions of dollars to modernize voting systems. But how secure are today's systems? NPR's Miles Parks has been keeping track of this as we get ready for next year's presidential election, and he is here in the studio.
Hey, Miles.
MILES PARKS, BYLINE: Hi, there.
SHAPIRO: Let's start with defining what makes voting equipment safe. How do you draw the distinction between the good and the bad?
PARKS: So the key, according to cyber experts, is something called software independence. But this is basically just a paper trail. Basically, you want something where voters can look at their ballot before they cast it, something that if there's a malfunction or if there's a hack - a lot of these machines are more than 10 years old, and some of them do malfunction - but you want something where you're not reliant on the technology to be able to spot a problem.
And this is sort of the future of election security - not only protecting the vote, but protecting our ability to then go back and double-check the results so if there is a problem, we can fix it.
SHAPIRO: To kind of do an audit. But some voting systems today don't have that ability. They don't have a paper trail. Why not?
PARKS: Right. So this goes back to that 2000 election, where America just decided we're going to overhaul this whole thing and spend a bunch of money, buy a bunch of new electronic voting machines. But people at this time weren't thinking about security at the - kind of the front of their minds. I talked to Matt Blaze, who's a cybersecurity and voting expert at Georgetown University about this.
MATT BLAZE: Even if you asked us back then what exactly should we do to build secure voting machines, we wouldn't have really been able to tell you precisely what you needed to do. Today, we can.
PARKS: That answer comes down to paper. So there's been this push really over the last decade to get these outdated paperless machines completely out of the American voting system.
SHAPIRO: And how's that push going? How many of those machines will be around in 2020?
PARKS: So it kind of depends on who you ask, really. The Brennan Center for Justice released a report this summer that said the amount of voters who are going to be voting on these sorts of machines in 2020 has basically been cut in half since the 2016 election. And a lot of that comes from Georgia, who is overhauling their entire statewide voting system before that election.
But the number is still pretty high. It was 20% in 2016. In 2020, the Brennan Center seems to think it's going to be about 12%. That's about 16 million voters. And security advocates say this is the most low-hanging fruit in the voting world, something we've been talking about for much of this decade. A foreign adversary attacked the 2016 election, and we couldn't get this thing fixed. There's frustration there.
SHAPIRO: Right, so we know that Russia tried to hack into U.S. election systems - totally separate from the misinformation campaign. Are experts expecting more of the same or even more than we saw in 2016 in 2020?
PARKS: Well, when we look at 2016, it is important to note that there is no evidence that any vote tallies were actually changed in that attack. Attackers were able to break into registration systems and were able to steal some voter data. But the Senate Intelligence Committee did release in their report this summer and they said basically there is a possibility that what Russia was doing them in breaking into those systems wasn't attacking us. Potentially, they were intelligence gathering for a future attack.
I talked to Bruce Schneier, who's a fellow at Harvard's Berkman Center for Internet and Society, about whether he thinks 2016 was kind of the worst of the worst when it comes to cyberattacks on our elections.
BRUCE SCHNEIER: So the odds that we've seen the worst in cyberattacks in any space seems small to me. I mean, this is as bad as it could possibly get for the rest of the future of humanity? That just seems implausible, right? I mean, as soon as I say it, that seems dumb.
PARKS: So it's kind of off when you hear politicians pointing at the 2018 midterms, which went really smoothly, and saying OK, the problem is behind us; everything's fixed. According to people I've talked to, cyber experts, there's still a lot of problems still there and the 2020 election and beyond.
SHAPIRO: Miles, that sounds really ominous.
PARKS: I don't know what to tell you.
SHAPIRO: (Laughter).
PARKS: I mean, you know, we're working on it.
SHAPIRO: That's NPR's Miles Parks on election security ahead of 2020.
Thank you, Miles.
PARKS: Thank you.
(SOUNDBITE OF THE BOOKS AND JOSE GONZALEZ'S "CELLO SONG") Transcript provided by NPR, Copyright NPR.