Aug 5, 2020

Live From Black Hat: Stress-Testing Democracy - Election Integrity During a Global Pandemic with Matt Blaze

By Chris Kirsch

Technology and elections are heavily interrelated – but it wasn’t always that way. We started to adopt technology once we weren’t able to fit everyone into a town hall. The first piece of technology was simply a piece of paper and a ballot box. We may not think of it as technology, but the ballot box can be tampered with.  

That technology gave us ballot secrecy, something a show of hands in the town hall didn’t. This raised the bar to a level that has been expected of voting technologies ever since, which can be tougher to meet with voting machines and electronic evaluation of ballot boxes. Our confidence in the outcome of an election depends on the integrity of the methodology we use to do this.

Stress Testing Democracy at Black Hat 2020  

Matt Blaze, this year’s Black Hat keynote speaker, is a researcher in the areas of secure systems, cryptography, and trust management. He is currently the McDevitt Chair of Computer Science and Law at Georgetown University.  

Blaze has been working on election security for years. He’s never encountered a problem bigger and more complex than democratic elections. The reason for this is that the requirements are contradictory: We don’t want to be able to figure out how someone voted, but we want transparency into whether or not our vote was counted as cast and that the system is not corrupted. The paper ballot box seems to do this pretty well, and other technology solutions require you to be a lot more clever. Another snag is that you cannot recover from a bad election very easily. You can’t redo it easily before the term is up.

U.S. voting is highly decentralized due to size

The federal government has remarkably little to do with the election process; each state has its own rules and requirements. The elections are carried out by over 3,000 counties and voting takes place in precincts in these counties. It’s a very decentralized process. Even within a precinct, there may be different ballots for various local elections. The county’s budget pays for elections, so improvements in election technology compete with improvements to roads and the fire department. In the 2016 election, about 24% of votes were cast by mail and 17% were cast in person before election day. Most states allow some form of absentee voting.

Campaigns and foreign foes outspend operational election budgets 

Election campaigns vastly outspend the money that’s spent on carrying out the elections. In addition, foreign state adversaries have recently entered the game, sometimes simply with the goal of disrupting elections and undermining the legitimacy of an election. That’s actually easier than influencing a particular outcome.  

The question is: Does new voting tech enable or prevent mischief? The answer is: both.  

Voting technology has always had challenges 

Paper ballots are more effective in re-assessing a particular vote and agreeing on an outcome. If we remember the voting machines in Florida that led to the re-count in 2000, they didn’t even involve a computer. It was simply a punch card with a manual punch to vote. However, the mechanical design was flawed, and it became more difficult to vote for a popular candidate toward the end of the day because punched-out paper from previous votes was blocking the punch.

A Florida election official trying to interpret a paper ballot during the 2000 U.S. presidential elections. 

As a result, Congress passed the Help America Vote Act (HAVA). It provided funding to modernize voting and to make it more “accessible” to a wide range of voters. Most of the current equipment did not comply. However, the technology wasn't broadly available.  

The DRE voting machine was a common new form of computerized voting that works similarly to an ATM. It counts the votes in an internal computer. Looking at the entire journey, software touches each part of the vote – such as voter registration databases and software to check who’s already voted or to count and report the votes. The security of this software is critical to the legitimacy of the election. At the same time, software is designed to be replaceable and easily changed. It’s a really hard problem to solve.  

The voting system attack surface is huge  

Software security and reliability is hard, even under the best of circumstances. In practice, the attack surface is huge: county election management software, voting machine firmware, communications, procedures, physical security, and people. Attacks include anything from denial of service to forging the vote. Every piece of computerized voting technology so far has been terrible.  

The DMCA Security Research Exemption makes it legal to buy surplus voting machines, hack them, and to report on your findings. The DEFCON Voting Village does this, and everything is worse than we thought.  

Hand-counted paper ballots vs. blockchain 

We have two options: We could just hand-count all votes on paper or amp up the technology (blockchain FTW!). The size of the US election is so large that hand-counting would be extremely hard. It would be very difficult to eliminate all reliance on software for the entire election.  

On the other side, the blockchain makes us more dependent on software. Also, the blockchain is decentralized while elections have a central oversight, which is a contradiction. Just detecting election fraud is not helpful either; we need to prevent it to start with.

Two breakthroughs since 2020  

There were two breakthroughs since 2020 that help us:  

  • Ron Rivest invented software independence. A voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome.  
  • Stark et al. developed a new statistical method to sample a subset of voting machines (e.g. paper ballot optical scanners) for post-election hand audits to ensure they reported correct results. If not, the other ones can be hand-counted.

These two ideas have become the gold standard for securing elections since 2020. Progress is positive but slow, and it addresses the key concerns computer scientists were worried about in past elections. If you’d like to read up on election security, Blaze recommends the National Academy of Science “Securing the Vote” (2018) study. 
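
To make the audit idea concrete, here is an added example that is not from the talk or from Stark's own code: a ballot-polling risk-limiting audit using the BRAVO sequential test from the risk-limiting audit literature. It samples individual paper ballots rather than whole machines, assumes a two-candidate contest and sampling with replacement, and all names and ballot boxes in it are constructed for illustration.

```python
import math
import random

def bravo_audit(paper_ballots, reported_share, risk_limit=0.05,
                max_draws=5000, seed=1):
    """Ballot-polling audit of a two-candidate contest (BRAVO sequential test).

    paper_ballots: 'W'/'L' per paper ballot (what a hand inspection would show)
    reported_share: winner's vote share according to the scanners (> 0.5)
    Returns ('confirmed', draws) or ('full hand count', draws).
    """
    if not 0.5 < reported_share < 1:
        raise ValueError("reported_share must be between 0.5 and 1")
    rng = random.Random(seed)             # fixed seed so the example is reproducible
    threshold = math.log(1 / risk_limit)  # stop once the ratio reaches 1/risk_limit
    log_ratio = 0.0
    for draw in range(1, max_draws + 1):
        ballot = rng.choice(paper_ballots)  # sample with replacement
        # Likelihood ratio for this ballot: reported share vs. a tie (0.5).
        share = reported_share if ballot == "W" else 1 - reported_share
        log_ratio += math.log(share / 0.5)
        if log_ratio >= threshold:
            return "confirmed", draw
    # Evidence never became strong enough: escalate to counting all paper by hand.
    return "full hand count", max_draws

# Constructed ballot boxes (not real election data); scanners reported 60% for W.
HONEST_BOX = ["W"] * 6000 + ["L"] * 4000   # paper matches the scanner report
SWAPPED_BOX = ["W"] * 4000 + ["L"] * 6000  # software swapped the two tallies

if __name__ == "__main__":
    print("paper matches report:", bravo_audit(HONEST_BOX, 0.60))
    print("tallies swapped:     ", bravo_audit(SWAPPED_BOX, 0.60))
```

The risk limit bounds the chance that a wrong reported outcome is confirmed; it says nothing about the software itself, which is what makes the paper-plus-audit combination software-independent.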

Matt’s talk would have ended here if it wasn’t for the pandemic... 

...And then the pandemic changed everything 

The pandemic changed everything because it’s disrupting the vote.  

Generally, there are several reasons why a vote may be disrupted:  

  • Voter-level: Individual voters are unable to make it to the polls 
  • Local or regional emergencies: Earthquakes, floods, 9/11 
  • National-scale emergencies: Wars, pandemics, large-scale cyberattack 

Postponing elections is absolutely the worst-case option. There are often no rules for this. It may be preferable to hold an election that people regard as illegitimate.  

A huge logistical challenge  

Emergencies (such as a pandemic) likely require scaling up mail-in voting. Absentee voting exists in every U.S. jurisdiction, but jurisdictions often require a reason, such as being out of town, which is unlikely during the pandemic. Some places allow absentee ballots without an excuse.

The question is how we scale up absentee voting during an emergency, and this is a resource and logistics problem.  

Absentee Ballots

The voter side of an absentee ballot is reasonably easy, but the workflow on the system side is relatively complex. It’s a fairly labor-intensive process that involves checks by multiple people and can involve some technology. Exception handling, like signature mismatches, is even more labor-intensive because it requires reaching out to the voter. Simple logistics, such as the number of envelopes and ballots and the throughput of your counting machines, may impose restrictions. Ballots themselves have security features, so they can’t simply be printed at a local copy shop either.

Vote batch scanning machines are big, bulky and hard to mass-produce.   

Your local election officials need your skills – ask how you can help!  

There are reasons to be optimistic and pessimistic. We don’t know how many people need paper ballots, so we’ll have to over-produce just to be sure. Most jurisdictions don’t have the funding to do this. Time is really short – less than 100 days away. This problem is similar to some computing problems. This community is going to be needed by the local election officials. Phone them, find out how you can help.  

Chris Kirsch works on the products team at Veracode and has 20 years of experience in security, particularly in the areas of application security testing, security assessments, incident response, and cryptography. Previously, he managed Metasploit and incident response solutions at Rapid7 and held similar positions at Thales e-Security and PGP Corporation. He is the winner of the Social Engineering CTF Black Badge competition at DEF CON 25.