In the latest election cycle, serious doubt about election security was cast among voters and elected officials. With the current election season underway, the climate remains unchanged, and vote hacking continues to threaten the election process.
According to Harri Hursti, founding partner of Nordic Innovation Labs, it’s impossible to render current systems unhackable. The Finnish programmer, known for his famous hack on the AV-OS AccuBasic Interpreter voting machine, has dedicated much of his work to finding solutions to the vulnerabilities that exist in our voting systems in order to restore the public’s trust.
In an investigative report by the University of California, Berkeley, Hursti “was indeed able to change the election results by doing nothing more than modifying the contents of a memory card.” Commissioned by former California Secretary of State Bruce McPherson in 2006, the report concluded that Hursti “needed no passwords, no cryptographic keys, and no access to any other part of the voting system, including the GEMS election management server.”
A Threat to National Security
The ease with which hackers can manipulate election outcomes is a serious threat to national security. “There is a saying that countries are built by bullets or ballots,” Hursti said, “and we prefer ballots.”
“Quantico is one of the icons of national security,” said Hursti on the significance of the opening of the Quantico Cyber Hub, “and the Center itself is so needed. Until now, there hasn’t been a centralized location for those looking into election technology. It’s my hope that Quantico Cyber Hub will be the place to come together in tackling this problem, as well as many others affecting national security today.”
At the Grand Opening event on October 26th, Hursti conducted a demonstration known as “Voting Village”. Much like the setup at DEFCON, Hursti facilitated interaction with the four key elements for conducting elections: electronic poll books (commonly used to check-in at local polling places), ballot marking devices (currently used for disabled voters only), paper ballot machines and touch screens. During the public demonstrations, participants had the opportunity to access machines relevant to the local area and discuss the vulnerabilities of the systems nationwide.
In describing the lack of security in our elections, Hursti referenced a long-standing saying: “we are admiring the problem”. According to Hursti, there are two reasons a problem is admired for such a long time, “It’s too hard to solve, or we do not want to solve it.” He urgently believes that vote hacking is a problem that we should stop admiring and start solving.
One of the greatest challenges lies within the very nature of conducting elections through secret ballot. Comparing elections to online banking, for example, Hursti noted that the banking system is intentionally designed to record transactions for traceable proof. Ballots are more difficult to secure because they are intentionally designed to remain anonymous.
Highlighting the current election security dynamic, Hursti explained that the public perception is that there’s a centralized election office and within it, an IT department. However, it’s simply not so.
“Everything is outsourced,” he said. “There is almost no jurisdiction in the U.S. that has specific security personnel. It puts the whole process in a bad place.”
Hursti likened the situation to asking a local sheriff to lead the front lines in a physical attack on U.S. soil. “We would never do such a thing, yet local election officials are defending the fort, so to speak, against foreign nation states.”
Restoring Public Trust
According to Hursti, elections are not about winners and losers. “The whole principle of democracy is founded on the peaceful transference of power.” He went on to explain that this can only happen if the election outcomes are believed to be truthful.
Hursti does not believe it’s possible to conduct unhackable elections with electronic ballots in his lifetime. However, there’s a deeper problem at hand that can and must be addressed immediately. “We’ve lost the public’s trust,” Hursti said. “And public trust must be restored,” he said.
Three specific steps to restoring public trust:
- Modernize infrastructure. From voter registration to the ballot machines to the IT support, the infrastructure does not meet the current needs.
- Increase funding. Cybersecurity for elections is significantly underfunded, and the allocation of limited resources has been largely insufficient.
- Conduct audits. Some states have already implemented methodological risk-limited audits, but strong auditing regulation is needed to expand this practice nationwide.
“Elections should not happen to have IT support, and IT departments should not happen to run elections,” Hursti said. “Yet, that’s the dynamic in which we’re currently operating.”
According to Hursti, it’s the lack of modern infrastructure and limited resources that have necessitated comprehensive audits.
When it comes to conducting an audit, he believes the first step is to predetermine the level of confidence we want to have with the understanding that a successful audit will not verify that the numbers are accurate to the last vote. “The entire purpose of an audit,” Hursti said, “is to systematically and publicly determine that we have chosen the right winner.”
The Role of Quantico Cyber Hub
According to Hursti, there are three reasons the Quantico Cyber Hub can have a significant impact in the role on securing elections.
- Location. “Quantico as a location is wonderful,” Hursti said. “It’s one of the icons of national security, and elections are a national security issue.” Moreover, when it comes to addressing election technology from a security standpoint, there isn’t a single, centralized place to go. “I’m hoping this will be a place to join and meet and tackle this problem,” Hursti said.
- Collaboration. “This issue goes far beyond elections and points to the same tech problems that we have in all areas of our critical infrastructure,” Hursti said. “It is my hope that we can bring this problem to the Quantico Cyber Hub and find the people and resources to connect and collaborate. We’re seeking to solve the problems that are prominent in all areas of critical infrastructure. It’s a national security issue that we share. The fact is, many of the problems we need to solve in elections are the same problems that we need to solve in other security matters.”
- Universal need. Hursti explained that this issue goes far beyond the U.S. “Our right to govern is the cornerstone of our foundation as a democratic society,” Hursti said, “Indonesia is the third-largest democracy in the world. The ability to manipulate elections is shaking the very fundamentals of society, and it needs to be addressed.”
Vote hacking remains a serious threat to national security. Hursti believes that the search for solutions can and will impact all life-critical and mission-critical threats. He looks forward to joining forces at Quantico Cyber Hub and believes that once all areas of national security and critical infrastructure are secure, society itself will be safeguarded.
For more information on Quantico Cyber Hub, visit www.cyberbytesfoundation.org.