Informatics Cafe - A Taste of Informatics

Election (In)security

May 05, 2022 Informatics+, College of Informatics, Northern Kentucky University Season 2 Episode 3
Informatics Cafe - A Taste of Informatics
Election (In)security
Show Notes Transcript

Since the 2000 election, the United States has made the move to electronic balloting for elections. However, with this switch came concerns about cybersecurity and the safety of our votes. Dr. James Walden from NKU's Center for Information Security joins us to talk about election security in Kentucky, Ohio, and the rest of the United States.

Learn more about NKU’s Cybersecurity B.S. or the Cybersecurity M.S.

Visit Ballotpedia

Vist Cyber Seek

Mike Nitardy:

Welcome back to the Informatics Cafe. I'm your host, Mike Nitardy, and here with me in the cafe today, I'm pleased and proud to have Dr. James Walden. He's a professor in Computer Science here at NKU, in the College of Informatics. He's also the director of the University's Center for Information Security. Dr. Walden, thank you so much for joining us.

James Walden:

Oh, thank you for inviting me.

Mike Nitardy:

So how are you doing today?

James Walden:

Oh, pretty good. There's always exciting events happening in cybersecurity.

Mike Nitardy:

No doubt, and so it's great to have you finally join us in the cafe. Today, what we're going to be talking about specifically, is what's been going on in the world of election security, and that's just one of many areas that cybersecurity is impacting the world at large. But so let's just let's just dive right in. Why is cybersecurity so important for elections?

James Walden:

Well, mainly because we did shift to going to electronic voting machines primarily after the problems in the Florida election in 2000. Congress passed the Help America Vote Act, and provided funds for states to buy electronic voting machines. Unfortunately, it's one time funding and there were no cybersecurity standards made for the voting machines at the time.

Mike Nitardy:

So I'm going to, I'm gonna jump in and ask several questions on this topic. Because I think that what we can help is is kind of identify what we're, what the major problem is, and then also maybe get rid of maybe some some bad information that's out there. But when I think about election security, there's a couple of things that I think about. Is someone going in and changing people's votes? Or someone going in and messing with the overall process? Is that is that both what we're concerned about here?

James Walden:

Right it's both, and we need to look at the entire process from people registering to vote. So we need to protect the registration databases, that data gets transferred to electronic poll book systems, which are at the individual polling stations, then you have the actual electronic voting machines there and then the data gets passed to electronic tabulation machines after that point, and any of those points of the voting process can be interfered with.

Mike Nitardy:

And so if I'm hearing you right, that means that there needs to be a security each of those steps.

James Walden:

Right. There's got to be security at every step. Hackers always go after the weakest link, because it's easier, cheaper, takes less time. As defenders, we have to secure every point in that process to have secure elections.

Mike Nitardy:

So are you doing any, are you are the center doing any specific work in this area right now?

James Walden:

I recently wrote a book chapter in a book about Kentucky elections. I co-authored it with Professor Shauna Riley from the Political Science Department at NKU. Her research focuses on validating and such, so we collaborated to look at the past and present of Kentucky elections.

Mike Nitardy:

Okay, so let's, well tell us a little bit about that, if you will. Tell us about that chapter.

James Walden:

Yes. So um, I guess the there's good news. Right now, as of last year, Kentucky passed a new law fixing a lot of our pre existing problems. But one of the biggest problems Kentucky had prior to that law was that we had so called direct recording electronic machines, which record your votes on a flash memory stick like a flash drive or those little cards that used to go into digital cameras. And it doesn't produce any humanly readable copy of that data. So you're completely at the mercy of whatever the software does. And so, researchers have demonstrated that software can be easily changed to show that you voted for who you intended to vote for, but can flip a certain percentage of votes to ensure that the target candidate wins the election. And there's no way to audit those. And this new law in Kentucky requires a voter verifiable paper audit trail. So that we have a final paper record that is the definitive record of how people voted. As opposed to having a flash memory stick that just gives you a number like 117. Is that right or wrong? Those machines do have a recount function because they're legally required to but all it does is read the number from the flash memory and print it again.

Mike Nitardy:

Right, right. So as I understand it at the very at the very core of this, you know, we want to be able to have free and, and safe elections and fair elections, and we want to be able to instill confidence in the electorate that we're doing that, you know, not just from international enemies, protection from them, but also from, you know, the the crazies on each side of the political aisle that that are conspiracy theorists that think the other side's trying to steal something. Is is are there any myths? Or is there anything out there in in election security that that you find needs to be corrected, and maybe people are thinking that they shouldn't be thinking?

James Walden:

I think there are a lot of myths that things like vote by mail are less secure than voting in person on an electronic machine. I used to live in Oregon, so I was pretty used to vote by mail before it came up during COVID. And really, as far as the process, you know, certainly compared to a voting machine without a paper trail, it's more secure, because you can audit it and do a recount, whereas you just can't with the direct recording electronic machines.

Mike Nitardy:

So, and when you were saying earlier than there that, you know, at each step of the process, we need to have a line of protection, because I guess the at each step, that's where someone can get in and somehow mess with the system. Is that correct? Right. And so one of the things that I'm thinking about, as just a layman, when it comes to all of this is if I'm going into the to vote in a booth, and I vote here in Kentucky, and I go and I press, you know, I'm voting for candidate one. And, you know, it confirms that, that one of the ways that it can be is that somehow that changes my vote at that point to candidate, I guess, two, wouldn't somebody, so how would somebody even get in the system to do that? At that point?

James Walden:

Okay, yeah, so the good thing about voting machines is they're not directly connected to the internet, so so nobody can go in on election day, from home and hack your voting machine over the internet. But they are what we call indirectly connected machines, they have to get data from the outside. First, they need to get the ballot for that particular election, they need to know who the candidates are, what the ballot measures are, and all of that. But they also need to get security and functionality updates. And so states usually let third party companies control that process. And those companies are careful to keep them indirectly connected. And that means the company puts a server on the internet to pick up the latest security updates from Microsoft, the voting machines software vendor and so forth. And then takes that machine and puts it on a private network that isn't connected to the network but puts all the voting machines on it so they can get the updates from that machine.

Mike Nitardy:

Okay.

James Walden:

But we have seen malicious software that can get through in direct connections, most famously, the US government's Stuxnet software, which sabotaged Iran's nuclear refinement operations. The Iranians were smart enough not to be connected to the internet, but somebody did take a flash drive from a computer that was connected to the internet and was infected, took it inside the plant, and then it infected all the machines inside the plant. So that's sort of the biggest, most dramatic instance. But it's certainly not the only time that happens.

Mike Nitardy:

So so under that scenario, if I go in there, and is, from a security standpoint is, is that type of infiltration or problem is that the least of the concern, then the point where I'm voting changing from one vote to the next actually, at that machine? Is that less of a problem than down the line? Let's say.

James Walden:

It is one of the hardest points to affect, at a national level for some reasons. One, the machines are indirectly connected, different states have different policies. States like Kentucky, have different voting machines by county, not processed by states. And so if you really wanted to flip a national election, you'd have to research carefully you know, which states you want to affect, know which voting machines they use, know who contracts for them. Probably the biggest worry there are insiders, people who work for the service companies or people who work for the state. And there have been a couple of cases in Colorado where people county officials have taken voting records home. They've purged people from the voting rolls and such on their home PCs.

Mike Nitardy:

Oh, wow.

James Walden:

So that admittedly is more of the registration system than the balloting side. And in theory, there;s supposed to be physical security for the actual voting machines, but in practice, people into election security on election day, they share tweets, like here, I'm by election side, here's my photo of all these unintended voting machines.

Mike Nitardy:

Right, right. Yeah.

James Walden:

So there's good procedures, but they aren't always followed. And unfortunately, election security isn't very well funded. There's not really federal support for doing it beyond like, the federal government gives you standards, but it won't help you implement those standards.

Mike Nitardy:

That makes sense, that makes sense that the federal government will give standards but not give money.

James Walden:

Probably the most vulnerable part, the most attractive target are the registration system.

Mike Nitardy:

Okay. Okay. Tell us about that. Yeah.

James Walden:

Yeah, so these are highly connected systems. So we have the Motor Voter Laws, so the DMV has to be connected into

Mike Nitardy:

So that's definitely the gold mine. the voter registration database. There is third parties who helped tell you who has moved between states, you can move people who are no longer residents off the voter rolls and so forth. And because of all those connections, they're easier to attack than the voting machines. Also, there's only one of those databases per state, as opposed to there being many 1000s of voting machines and every state have hundreds of different types.

James Walden:

Right, and so, of course, they have been attacked. We saw in 2018, that Russia attacked every state voter registration database, two states register, that they reported that there were successful compromises of their databases, they claim they that nothing was altered. And the problem is, of course, is does that mean nothing was changed? Or does that mean you weren't able to detect,

Mike Nitardy:

Right

James Walden:

Anything was changed.

Mike Nitardy:

Right

James Walden:

And for the other 48 states, you know, my question would be, it was like, What measures did you have in place to detect compromises? So was it just two states they got compromised, that have bad security or two states have good security, so they could detect being compromised, and a lot of other states couldn't detect the fact?

Mike Nitardy:

So, so given all of this conversation, where would you say we are currently? I mean, if if are we at, we can have, you know, confidence in our election security right now, you know, on a scale of one to one to 10, one not no confidence, 10 being confidence, where would you say we are?

James Walden:

It varies a lot between states. And there's actually a website Ballotopedia, which describes all the processes for each state. And I forget if it's Ballotopedia or another site, but they actually offered security grades for different states. Before the law passed in 2021, I think Kentucky was a D, out of a traditional ABCDF scale. But after this recent law that would really put Kentucky you know, back in the b plus or a range, because it did require the voter verified paper trails. And it started to move us to more modern audits. Unfortunately, it really is actually mathematically provably impossible to make a perfect voting machine that you can ensure it's correct, as far as cyber attacks go. So you have to have an auditing system after that. And that's why the paper trail is so important, so that you can count the ballots without relying on the software that you may not be trustable. And you can either feed those ballots into a different piece of software. So you could have multiple pieces of software, you know, vote on it, or you could have humans count them. But the important thing is that this you don't just have one piece of software that you rest all your trust on. And so there's a procedure called a risk limiting audit. So it's basically an iterative statistical procedure where you take a sample of ballots, you count those, and you do a statistical hypothesis test and it tells you whether the results of the election are correct. Or whether you can't tell with that amount of ballots. And so if you can't tell you take a larger sample, and you repeat the process and the worst case, you have to recount everything. But normally you just have to recount a fairly small percentage of ballots, and it will give you like a 99% assurance that your results from the audit correspond to the results of the software report for the totals.

Mike Nitardy:

Okay, that makes sense, because that's where I was going. The next thing I was going to say is that if we're going to have to be doing all of this auditing, by by counting, you know, physical ballots, why not just go back to the straight physical ballots?

James Walden:

Yeah, there actually is sort of a, we're starting to see a transition in voting machines to the new ones being called ballot marking devices, rather than voting machines where they don't even try to count them. All they do is produce ballots for another machine to count, or a human to count. The nice thing about having computers in that role was that it helps make them accessible. So if you're blind, and it's easy for the computer to read the ballot, the computer can present the ballot in multiple different languages. I read the New York City has something like 100 different ballots for the many different languages spoken there.

Mike Nitardy:

Wow.

James Walden:

So they have to guess you know, what's the right amount to print in each of these languages and this an expensive, complicated process, and it's easy to get wrong. And the ballot marking device basically solves that for you.

Mike Nitardy:

Interesting, very interesting. So who are the primary actors, bad actors in this area that are that are really doing a lot of the work? Is it possible to point at, you know, nation states is, are they I assume they're the ones that are, are the ones that are really promulgating a lot of the attacks.

James Walden:

Right. That's who we've seen in the past is the attacks from nation states, predominantly Russia, there. And we have seen, I guess, smaller attacks from insiders, where you we have had people purge people from the voter rolls when they weren't supposed to be purged and such. And I'd say that those are really the two main ones we should worry about in the future are the insiders, and the nation state level attackers. To help with insiders, you really need to have a separate auditing function. So that you can track that the insiders are doing the right things there.

Mike Nitardy:

So give our listeners a sense of where you think we're headed and we're going on this topic. Are we are we moving in the right direction? You said obviously, Kentucky now is gone from a D to what you would say maybe an A? Are we, do you get a sense that we're doing the right things as a nation, or are there still ways to go?

James Walden:

We have a ways to go, but we are moving in the right direction. Back in 2000, for the first presidential election, after the Help America Vote Act, the majority of voting machines didn't produce paper trails. Whereas and 2020, a large majority, over three quarters of the states did produce paper trails. And we've started to see risk limiting audits start being adopted, I think only two states currently require them. But quite a few states, including Kentucky and I believe Ohio have pilot programs where they're doing it for a subset of elections in the state with a goal of you know, if it works out well to using it everywhere.

Mike Nitardy:

Very interesting. So let me throw this out here. And maybe we'll edit it completely out of the podcast. But, but if someone is doing a great job with, you know, infiltrating these systems, I mean, would we ever really even know? Like you were saying earlier for the states that, that say that that Russia tried to get in but you know, they say didn't get in...maybe they didn't have the right systems to detect that they did. I mean, is it possible that that, you know, we could be completely wrong on this and just never know?

James Walden:

Unfortunately, it is always possible in security. On the registration side, the Caltech-MIT voting project has produced software that's designed to monitor the registration databases, and they've piloted it in California. So hopefully we'll get more help there. As a personal note, I actually got removed from the voting rolls once despite voting and the previous, this wasn't the previous election, but, but at the two year election cycle before that, which according to the state I lived in at the time shouldn't have been done.

Mike Nitardy:

Oh, wow. And we hear that with every voting purge, that people who weren't supposed to be purged always seem to get purged. And so that's something we do need to work on is to ensure that people who are correctly registered, stay registered. And one way to help that would be to make that more public. One thing I like in Kentucky is I can go check whether I'm registered or not, before the end, the registration end date. And having that happened to me once, I always check that every year. That makes sense. It makes sense.

James Walden:

On the voting machine side, there is a lot of room for invisible malicious software messing with things. But as long as you have a ground truth in the paper trail, you can rely on that as opposed to trying to believe what the software tells you. Although there is one human factor there, if the person doesn't check the printed paper ballot, and verify that it says what it should say, then yeah, they just let it slip by, and there's no check that you actually voted the way you wanted to if you don't do it yourself.

Mike Nitardy:

Right no, that makes a lot of sense. It makes a lot of sense. For students that are interested in cybersecurity, what programs do we have here at the school that they can get involved in or degree programs or anything like that?

James Walden:

Right, so we have a Bachelor of Science in Cybersecurity. And we also have an online Master of Science in Cybersecurity that's designed for people who are looking to change careers and get into Cybersecurity.

Mike Nitardy:

Fantastic.

James Walden:

And at the undergraduate level, we also have two minors, Information Security and Computer Forensics. And we have a Cybersecurity track in the Bachelor of Information Technology Degree Program, too

Mike Nitardy:

I thought I keep on reading places that that the demand for workers in this area is not being met worldwide, and

James Walden:

Uh, yes, I have seen that there a map the US government maintains at cyberseek.org and you can go check on Kentucky or the Greater Cincinnati area, and you'll see how many thousands of unfilled cyber positions are currently out there.

Mike Nitardy:

So is that an area that you know, for our listeners, is that an area that will be a good career, maybe in terms of pay moving forward, then because of the the demand?

James Walden:

Um, yeah. It's a well compensated field and yeah, basically, you know, you said, the unemployment rate's essentially negative.

Mike Nitardy:

[laugter]

James Walden:

And especially if you're an American citizen who can get a security clearance, that opens, you know, just a world of job opportunities, of course in DC, but also, you know, local companies like GE and such are looking for that as well.

Mike Nitardy:

That's great information. Well, Dr. Walden, I really appreciate your time and meeting with us today in the in the cafe and going over all this. We definitely want you back to talk about other events going on in the world, and maybe the increase in attacks all over the world in terms of trying to defend against them by both nation states and also by criminal organizations. It'd be great to have you on to talk about the trends in that area as well. I'm going to give you the last thought here before we wrap up anything that you want to add that maybe we didn't talk about as it relates to election security that our listeners should know about.

James Walden:

I guess the last thing I would say is that I would really like states to be funded well for providing for election cyber security. Some states are, some states aren't, but we really need it every place.

Mike Nitardy:

Fantastic. I appreciate that. Thank you, Dr. Walden. I really appreciate your time.

James Walden:

Thank you for having me.

Mike Nitardy:

Informatics Caféis a production of Informatics+ the outreach arm of Northern Kentucky University's College of Informatics. Hosted by Mike Nitardy. Produced by Chris Brewer. Music and engineering by Aaron Zlatkin. Recorded at the Informatics Audio Studio in Griffin Hall.