[CAVO] Fwd: [VVSG-election] [VVSG-interoperability] By November, Russian hackers could target voting machines
turnerbrentm at gmail.com
Thu Jul 28 14:11:19 UTC 2016
---------- Forwarded message ----------
From: Brent Turner <turnerbrentm at gmail.com>
Date: Thu, Jul 28, 2016 at 7:09 AM
Subject: Re: [VVSG-election] [VVSG-interoperability] By November, Russian
hackers could target voting machines
To: Arthur Keller <ark at soe.ucsc.edu>
Cc: Susan Eustis <susan at wintergreenresearch.com>, vvsg-election <
vvsg-election at nist.gov>, vvsg-pre-election <vvsg-pre-election at nist.gov>,
vvsg-post-election <vvsg-post-election at nist.gov>, vvsg-interoperability <
vvsg-interoperability at nist.gov>
The key to facilitating smooth transitions of power is to ensure voter
confidence, and that relates directly to a secure "first count" rather than
audit procedures. I endorse audits, but history shows us that is when
the village becomes restless, and audits are no substitute for a
confidence-inspiring, transparent initial count. Currently the "secret
software" systems coupled with VVPATs are condemned as insecure by
government study, so we don't have to consider the internet to sound those
alarms. Ed Felten from OSTP confirms.
Over-focus on audits seems to be an affectation of the fundraising groups
with motivations unclear. Though the open source election reform advocates
100% immediate audit at the precinct level, we recognize the key is to
capture a precise and secure count previous to transportation of the
ballots. The media must stand down until the task is completed.
If technology like smartphone voting is available (with short codes /
blockchain etc.), at least the voter will be able to verify their vote was
counted as cast.
California Association of Voting Officials
On Thu, Jul 28, 2016 at 6:43 AM, Arthur Keller <ark at soe.ucsc.edu> wrote:
> But that's made harder with vote by mail ballots that aren't counted until
> later if received on Election Day. And California now has a law allowing
> ballots to be received on Friday if postmarked on Election Day.
> Fortunately, California is not a swing state!
> And with HAVA requiring a provisional vote process, audits don't occur
> until after the tabulation is complete. Yet it's election night results
> that make the difference in the press and in the public's mind. Practically
> no one pays attention to the detailed results weeks later when the results
> are certified.
> Best regards,
> On Jul 28, 2016, at 6:30 AM, Susan Eustis <susan at wintergreenresearch.com> wrote:
> Arthur, I agree, I concur. My new book lays this scenario out in detail
> and provides suggestions for preventing the hacks, ways to protect the
> integrity of the election results. There need to be safeguards and
> automatic recounts the very next day with observers representing all
> candidates, no matter whether the election was close or not. There needs
> to be an audit trail and a way to protect the integrity of the balloting
> that occurs before election day. There needs to be a way for the observers
> to make a duplicate of the original ballots as the recount goes on and to
> run those through their own counting scanner to determine the validity of
> the election. There needs to be a way to interrupt the recount at any time
> if someone has to go to the bathroom or falls asleep so that the recount
> process has continuity and integrity. Things like this.
> On Thu, Jul 28, 2016 at 9:22 AM, Arthur Keller <ark at soe.ucsc.edu> wrote:
>> But vote tabulation and especially roll up is often connected to the
>> Internet. And with the lack of effective audits in more jurisdictions,
>> hacking the Internet-connected vote tabulation systems would do the trick.
>> In particular, if the vote tabulation system is connected to the web
>> reporting system, then that's an avenue for attack.
>> There's a difference between auditable and actually audited. If the
>> results are sufficiently skewed on election night, post election audits may
>> not matter anyway. They didn't even matter in Florida in 2000 where the
>> election was close.
>> Could the programming of electronic voting machines be hacked in a
>> Stuxnet type attack while they are loaded with the election data file?
>> If China can hack Google, do we really believe there's no way Russia
>> can't hack enough counties or states to change the outcome of the
>> presidential election?
>> Best regards,
>> On Jul 28, 2016, at 6:07 AM, Deutsch, Herb <hdeutsch at essvote.com> wrote:
>> Voting machines are not attached to the internet. You can’t hack them
>> without physical control and that is auditable.
>> *From:* vvsg-interoperability-bounces at nist.gov *On Behalf Of* Arthur Keller
>> *Sent:* Thursday, July 28, 2016 12:30 AM
>> *To:* John Wack
>> *Cc:* vvsg-election; vvsg-pre-election; vvsg-post-election;
>> *Subject:* [VVSG-interoperability] By November, Russian hackers could
>> target voting machines
>> What should the election community do about this threat?
>> Best regards,
>> By November, Russian hackers could target voting machines
>> If Russia really is responsible, there's no reason political interference
>> would end with the DNC emails.
>> By Bruce Schneier July 27 at 3:10 PM
>> Bruce Schneier <https://www.schneier.com> is a security technologist and
>> a lecturer at the Kennedy School of Government at Harvard University. His
>> latest book is *Data and Goliath: The Hidden Battles to Collect Your
>> Data and Control Your World* <https://www.schneier.com/book-dg.html>.
>> Russia was behind the hacks into the Democratic National Committee’s
>> computer network that led to the release of thousands of internal emails
>> just before the party’s convention began, U.S. intelligence agencies have
>> The FBI is investigating. WikiLeaks promises
>> <http://www.cnn.com/2016/07/26/politics/julian-assange-dnc-email-leak-hack/> there
>> is more data to come. The political nature
>> of this cyberattack means that Democrats and Republicans are trying to spin
>> this as much as possible. Even so, we have to accept that someone is
>> attacking our nation’s computer systems in an apparent attempt to influence
>> a presidential election. This kind of cyberattack targets the very core of
>> our democratic process. And it points to the possibility of an even worse
>> problem in November — that our election systems and our voting machines
>> could be vulnerable to a similar attack.
>> If the intelligence community has indeed ascertained that Russia is to
>> blame, our government needs to decide what to do in response. This is
>> difficult because the attacks are politically partisan, but it is
>> <https://www.balloon-juice.com/2016/07/26/we-are-at-cyber-war-so-what-exactly-do-we-do-about-it/>. If
>> foreign governments learn that they can influence our elections with
>> impunity, this opens the door for future manipulations,
>> both document thefts and dumps like this one that we see and more subtle
>> manipulations that we don’t see.
>> Retaliation is politically fraught and could have serious consequences,
>> but this is an attack against our democracy. We need to confront Russian
>> President Vladimir Putin in some way — politically, economically or in
>> cyberspace — and make it clear that we will not tolerate this kind of
>> interference by any government. Regardless of your political leanings this
>> time, there’s no guarantee the next country that tries to manipulate our
>> elections will share your preferred candidates.
>> Even more important, we need to secure our election systems before
>> autumn. If Putin’s government has already used a cyberattack to attempt to help Trump
>> there’s no reason to believe he won’t do it again — especially now that Trump
>> is inviting the “help.”
>> Over the years, more and more states have moved to electronic voting
>> machines and have flirted with Internet voting. These systems are
>> and <https://www.salon.com/2011/09/27/votinghack/> vulnerable
>> But while computer security experts like me
>> have sounded
>> the <http://homepage.cs.uiowa.edu/%7Ejones/voting/congress.html> alarm
>> for <https://citp.princeton.edu/research/voting/> many years, states
>> have largely ignored the threat, and the machine manufacturers have thrown
>> up enough obfuscating babble that election officials are largely mollified.
>> We no longer
>> have time <https://xkcd.com/463/> for that. We must ignore the machine
>> manufacturers’ spurious claims
>> <https://www.salon.com/2006/09/13/diebold_3/> of security, create tiger
>> teams to test the machines’ and systems’ resistance to attack, drastically
>> increase their cyber-defenses and take them offline if we can’t guarantee
>> their security online.
>> Longer term, we need to return to election systems that are secure from
>> manipulation. This means voting machines with voter-verified paper audit
>> and no
>> <http://www.scientificamerican.com/article.cfm?id=2012-presidential-election-electronic-voting>. I
>> know it’s slower and less convenient to stick to the old-fashioned way, but
>> the security risks are simply too great.
>> There are other ways to attack our election system on the Internet
>> besides hacking voting machines or changing vote tallies: deleting voter
>> hijacking candidate or party websites, targeting and intimidating campaign
>> workers or donors. There have already been multiple instances of
>> political doxing
>> <https://www.schneier.com/blog/archives/2015/11/the_rise_of_pol.html> —
>> publishing personal information and documents about a person or
>> organization — and we could easily see more of it in this election cycle.
>> We need to take these risks much more seriously than before.
>> Government interference with foreign elections isn’t new, and in fact,
>> that’s something the United States itself has repeatedly done
>> <https://www.lawfareblog.com/what-old-and-new-and-scary-russias-probable-dnc-hack> in
>> recent history. Using cyberattacks to influence elections is newer but has
>> been done before, too — most notably in Latin America.
>> Hacking of voting machines isn’t new, either. But what is new is a foreign
>> government interfering with a U.S. national election on a large scale. Our
>> democracy cannot tolerate it, and we as citizens cannot accept it.
>> Last April, the Obama administration issued
>> <https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m> outlining
>> how we as a nation respond to cyberattacks against our critical
>> infrastructure. While our election technology was not explicitly mentioned,
>> our political process is certainly critical. And while they’re a hodgepodge
>> of separate state-run systems, together their security affects every one of
>> us. After everyone has voted, it is essential that both sides believe the
>> election was fair and the results accurate. Otherwise, the election has no
>> Election security is now a national security issue; federal officials
>> need to take the lead, and they need to do it quickly.
> Susan Eustis
> WinterGreen Research
> 6 Raymond Street
> Lexington, Massachusetts
> phone 781 863 5078
> cell 617 852 7876