In 1998, as one of a handful of people who thought the future of elections was internet voting, I was a co-founder of eBallot.net, a short-lived internet start-up. What killed eBallot.net and the other internet voting companies was, and continues to be, the report issued by the California Task Force on Internet Voting in January 2000. A close reading of the report appears to definitively kill internet voting well into the future, if not forever. Interestingly, the report called into question (directly and indirectly) many of the characteristics and security practices of all paper-based voting systems in use at that time. David Jefferson, the Technology Co-Chair of the Task Force, was responsible for many of the findings in the report. Mr Jefferson has since continued to be involved in issues regarding voting systems and maintains his strong rejection of internet voting.
Anyone who has followed the post-2000 and post-HAVA voting equipment debates knows that there has been a large polarization between election administrators and voting system advocates (of all stripes). There has not been a lot of common ground or common understanding, and there has been, at times, a lack of civility on all sides in the discourse (of which I am probably also guilty).
I recently had an exchange with Mr Jefferson in a discussion forum considering the impact of a student hacking a university on-line voting application and attempting to change the results of the election. The exchange was notable inasmuch as old rivals (me and Jefferson) began to identify some common understanding and respect for the position of the other. At his suggestion I am re-publishing parts of our exchange. It is my hope that more frequent constructive discussions will build bridges of understanding and that this discussion may be seen as the type of exchange that fosters increasing and meaningful dialogue between the election administrator community and those in the watchdog community (for lack of a better term to encompass the scientific, academic, advocacy and political aspects of the critics).
This post is rather long. Rather than edit it for length and remove something which might resonate with readers, I have kept the thread virtually intact.
The original question, “Is the San Marcos hacking incident a Bad Omen for Internet Voting?”, was posed by Bill Kelleher, a known writer and advocate of internet voting. In response to the question, David’s conclusion was:
Jefferson: “Strong, practical, remote authentication of the users of online systems, especially online voting systems, is a very difficult and unsolved security problem. And it is just one of many on the list of profound security problems that have to be solved before online voting can be made secure. That list also includes: client side malware, fake voting clients, server penetration attacks, distributed denial of service, insider attacks, automated vote buying, and numerous others.
Mr Weaver’s attack was not like those that will occur if Internet voting is used in public elections. He was thwarted because (1) he was voting from a machine controlled by university IT personnel, so that they were able to notice unusual activity in real time; (2) they were actually able to spy on him remotely in real time as he was casting phony votes; and (3) he was physically local, so a police officer could immediately be dispatched to arrest him red-handed while he was still casting phony votes, in the commission of a felony, with therefore no need for a warrant to find additional evidence in his pocket that was full of key loggers! None of these fortunate facts will apply in a real attack on an online public election.”
To Jefferson’s response, I chimed in:
Konopasek: “I believe there are some lessons to be learned from the hack which people on both sides of the electronic voting security issue should consider. First I must say that my position over the years on the topic has evolved to a neutral stance as I have been willing to learn, observe, analyze and discuss based upon a decade-long experiment with the technology. I am not so quick to dismiss Mr Jefferson’s concerns as I was 10 years ago, nor do I believe that electronic voting is without security risks, which means I am not as satisfied or optimistic as Mr Kelleher. I would hope that others might demonstrate a similar capacity to learn and a willingness to evolve.
As a military security expert for nearly two decades I learned and practiced a philosophy of security which I call the four D’s: Deter, Delay, Detect, and Deny. These four principles are fairly self-explanatory and represent a progression in degrees of security, cost and operational effectiveness. Too often when we have discussions of voting security there is an unspoken assumption that the level and standard of security being considered is Denial, the costliest and most difficult level of security to achieve. Denial means that every type of attempted fraud or penetration must be defeated immediately and completely. The gold stored at Fort Knox is the classic example of something protected with this level of security; even so, it is doubtful that Fort Knox is invulnerable. It merely uses a highly complex and hardened set of deterrent, delay and detection methodologies. The only way to completely secure Fort Knox would be to never store gold or anything of value in it.
“Deterrence, delay and detection are effective, cheaper and more efficient techniques for the security of almost everything we secure: bank accounts, facilities, computer passwords, encrypted communication, our homes, our cars and our paper ballots. It is not impossible for theft or fraud to be attempted, but with the right combination of measures, threats can be deterred from action by the probability of being caught and harsh sanctions when discovered. The history of cryptography and intelligence teaches that with enough time every code and encryption algorithm can be cracked. Encryption delays compromise. It cannot prevent or deny it.”
“Detection, the security principle at play in the “Student Hack Caper,” serves a double role in security designs. First it complements deterrence and gives deterrence credibility. If a thief knows that the odds of detection are high, the likelihood of success is low. The whole reason thieves and burglars wear dark clothing, sneakers, hoods and masks is to avoid detection (and identification). The second principle is that theft or fraud detected is fraud which can be prevented or mitigated. This is precisely what happened in this caper.”
“To assert that if this was a “real” attack on a “real” election the fraudster would have been smarter, luckier and more stealthy and therefore, by definition, would have succeeded is to assume that “real” election security is ineffective, “real” election IT personnel are not competent, and “real” election fraud could not be identified, isolated and mitigated as was the case in this caper. Any “real” election is and always has been the target of potential, attempted and sometimes actual fraud, and always will be regardless of the voting platform. That threat however does not cause us to stop having elections. Similarly, if we insisted on denial as the only acceptable level of security for elections, whether hand counted paper ballots, machine counted ballots, electronic ballots or pottery shards are used, democracy would cease to exist.”
“We must cease the insistence that denial is the only acceptable level of security for electronic voting systems. Deterrence, delay and detection are the tools we use every day to secure our most precious and valuable possessions, and that should include our votes.”
“Postscript: Modern science is empirical and based upon observation and evidence. Assertions of what “is” or “might be” absent any theory, evidence, observation or proof might be opinion, politics, superstition or religion, but it is not positivist science.”
Jefferson: “Scott — Using your 4D framework (Deter, Delay, Detect, and Deny) you point out that Denial represents the highest degree of security, cost, and operational effectiveness. You then add that Denial means that ‘every type of fraud or penetration must be defeated immediately and completely’”.
“The criterion I have always used is that not ALL attacks on elections have to be Denied. But LARGE SCALE, AUTOMATED (i.e. programmed) REMOTE ATTACKS do have to be absolutely denied. I have never tried to invent mechanisms that prevent small attacks in which only a handful of votes are at stake, so I have never gotten involved in the VoterID issue, for example, which denies at best a handful of impersonation votes per year. Nor have I spent much time worrying about postal workers opening and modifying ballots transmitted by mail, because such attacks are not automated. I do worry greatly about frauds committed by my kind of people, programmers, both those who write the voting system software and those who are motivated to attack an election remotely.”
“Remote, programmed attacks on Internet voting are the weapons of mass destruction in the elections world. Thank goodness we have had very few so far. (But I do know of a handful of cases that have been detected.) Just as with physical WMD, we have to do everything we can in a democracy to deny that possibility of electoral WMD at all costs. It is just not good enough to say that because it has never happened before in this country we can consider the risk to be low. Those of us in the security community know how to attack any current Internet voting architecture and can completely disrupt any of them or, worse, rig the results undetectably. If we know how to do it, we can be sure that criminals, foreign intelligence agencies, and our own political partisans know it also, or can pay for people who do.”
“Because we know that no one can build an Internet voting system today that is invulnerable to remote automated attacks that we know how to perpetrate, we are forced to conclude that it is just too dangerous to field Internet voting systems yet. We also know that there are a large number of profoundly difficult Internet security problems that have to be solved before anyone will be able to build a secure enough Internet voting system suitable for public elections, and we are not within a decade of solving any of them. So for the foreseeable future it is best to live without Internet voting and continue improving the systems we have, particularly absentee balloting systems and procedures.”
Konopasek: “Hi David, I want to make sure you understand that I agree with you that internet voting is best left to the future. My concern is that our attitudes and assumptions about security will delay or inhibit legitimate development of robust internet voting systems while garage engineers, like the ones that built certain models of the current DRE systems, will design, build and lobby for their use. The ubiquity of the internet in our lives and our dependence on it will eventually erode the credibility of security concerns and we will be left with poorly designed systems that will be approved for use in public elections.”
“Interesting that you used WMD as an example. Our tremendous fear of the proliferation of WMD by certain regimes (undoubtedly a real threat to all of us) led us in 2003 to greatly and deceitfully (as it turns out) exaggerate claims that Iraq had nuclear weapons. On that pretext, our nation launched a security operation to eradicate (deny) an imagined threat that COULD have existed but which DID NOT. The fear of what COULD BE cost hundreds of thousands of innocent lives and a decade of warfare and insecurity. The single-minded pursuit of a potential security threat changed the world forever, and not for the better.”
“A more reasoned approach, which was not based upon complete and immediate denial of WMD, may have sought to detect indications of WMD, to delay their development with continued embargoes or to deter the Iraqis with threats of escalating coercive means. The president’s arguments and decisions to invade, overthrow the regime, destroy the infrastructure and inflict “shock and awe” represent the classic type of bad policy decisions based upon absolutes, non-negotiable and an insistence on denial.”
“I see many parallels in the decade-old arguments against electronic voting in general and internet voting specifically. As long as absolutism is the rule, the stage is set for legitimate science to sit on the sidelines while techie entrepreneurs develop the next generation of voting technology. The debate is likely to be overcome by events and popular will; Bill’s evangelism and that of others is already taking hold. Soon “hell no” to internet voting will give way to the demands of the public, the self interest of politicians and the profit motive of business.”
“In 2003 I urged my colleagues at the state and national level to abandon their absolute rejection and to embrace paper audit trails. By doing so, we could influence the design, development, quality and procedures involving what became known as the VVPAT. I warned them that advocates had better sound bites and slogans with mass appeal than their opposition. You know how that turned out. The country has voting systems in which the greatest point of failure mechanically, electronically and procedurally is the VVPAT, while there is no evidence that they have enhanced the security or legitimacy of any election.”
“I am urging the community that categorically rejects internet voting to beware of the lessons learned by election administrators: the other side is developing better sound bites and the demographics of decision makers are changing. You would be surprised how many elected officials no longer know what a chad is. Their concerns of late involve finding out sooner if they won or lost the election.”
Jefferson: “Scott, thanks for your thoughtful comments. I will respond to a few key sentences.”
“SK: “My concern is that our attitudes and assumptions about security will delay or inhibit legitimate development of robust internet voting systems while garage engineers, like the ones that built certain models of the current DRE systems, will design, build and lobby for their use. The ubiquity of the internet in our lives and our dependence on it will eventually erode the credibility of security concerns and we will be left with poorly designed systems that will be approved for use in public elections.””
“DJ: I would say that we must delay the development of “legitimate and robust” IV systems until such time as several fundamental security problems are solved, including: client side malware, fake clients, server side penetration attacks, strong remote voter authentication, distributed denial of service attacks of all kinds, various network attacks, and insider attacks. And we need a mechanism for strong end-to-end auditability that does not depend on paper.”
“I would say that we are already living with the problem you point out: that vendors will design and build dangerous Internet voting systems and lobby for their use, and unfortunately many legislators and election officials who are untrained in security will buy them. All I can do is help educate on the dangers.”
“SK: “A more reasoned approach, which was not based upon complete and immediate denial of WMD, may have sought to detect indications of WMD, to delay their development with continued embargoes or to deter the Iraqis with threats of escalating coercive means.””
“DJ: In discussing Internet voting as the WMD of elections, I don’t think it is necessary to compare too closely to the history of the Iraq war. There the WMD did not in fact exist, so the whole basis for policy and war was false. But regarding Internet voting there is no doubt whatsoever that undetectable, programmed remote attacks are possible, and many of us know how to do them. If you want a demonstration, just insist that the vendors place their systems up for open public tests as was done in D.C. in 2010, and we will demonstrate how they can be destroyed.”
“In any case the issue is, I think, simpler. I hope we can agree that if we could wave a magic wand and free us of the danger of real WMD, so that no one can ever detonate a nuclear, radiological, chemical or biological weapon in the U.S. (or anywhere else, for that matter) then we should hurry and wave that wand. Well, with electoral WMD, we do have such a magic wand. We do not have to permit insecure Internet voting in this country. When and if Internet voting can be implemented without the risk of remote programmed attacks, then the risk of WMD will be eliminated and we can go ahead and vote online.”
“SK: “The debate is likely to be overcome by events and popular will; Bill’s evangelism and that of others is already taking hold. Soon “hell no” to internet voting will give way to the demands of the public, the self interest of politicians and the profit motive of business.””
“DJ: Just to be clear, my position is not “Hell no”. It is “not now, and not for the foreseeable future, until such time as the profound Internet security problems are solved.” In the meantime all I can do is work as hard as I can to educate the public and officials to the very real danger of cyber attack on online public elections.”
“SK: “In 2003 I urged my colleagues at the state and national level to abandon their absolute rejection and to embrace paper audit trails. By doing so, we could influence the design, development, quality and procedures involving what became known as the VVPAT. I warned them that advocates had better sound bites and slogans with mass appeal than their opposition. You know how that turned out.””
“DJ: Yes, you are right. The VVPATs as they were implemented were absolute mechanical crap, and still are. I actually had the opportunity to cast a formal vote against the certification in CA of Sequoia’s lousy VVPAT despite the fact that I was one of the most prominent advocates of VVPAT. I learned from that experience that the vendors cannot be trusted. They just did not care about the fact that paperless DREs were and still are completely unauditable, and instead invented completely bogus arguments for DRE security which too many election officials believed (and many still do). When forced to add a paper trail to DREs the vendors did the crappiest, cheapest, junkiest job imaginable, and then screamed “I told you so” when they turned out to be unreliable. Paper handling mechanics cannot be perfect, but it can be 1000 times more reliable than those systems are. Under the circumstances, states would have been better off dropping DREs entirely and switching to optical scan rather than certifying the junky VVPATs that Diebold, Sequoia, and ES&S produced.”
“SK: “I am urging the community that categorically rejects internet voting to beware of the lessons learned by election administrators: the other side is developing better sound bites and the demographics of decision makers are changing. You would be surprised how many elected officials no longer know what a chad is. Their concerns of late involve finding out sooner if they won or lost the election.””
“DJ: If you have any ideas as to how to better present the dangers of cyber attacks on online elections I would be glad to hear them. If you could address the issue, and critically assess those sound bites in your blog, that would help greatly. Maybe even put in a good word for Verified Voting.”
Constructive responses are welcome.