Fixing US elections is easier—and harder—than you’d think

When I flew out to San Francisco for the RSA Convention (RSAC) in early March, I planned to attend all the election security talks I could fit into my schedule. It’s an obvious choice. While the 2018 midterms concluded without much controversy, we’re still fighting over the 2016 presidential election, and we’re halfway to the next one. That’s in addition to the US system of casting and counting votes being, at best, a barely functional shambles.

(Editors’ Note: This is the first in a series of weekly columns where security and VPN expert Max Eddy analyzes the online security landscape and dispenses the advice you need to stay safe in today’s digital world. Check out SecurityWatch for more.)

I expected the usual doom-and-gloom about election security, with researchers bemoaning the sorry state of voting machines in the US. I was even looking forward to it, because you have to be a little masochistic to be in this industry. There was a bit of the usual misery, but I wasn’t prepared for a double whammy of optimism and despair. I left convinced that we’ve actually sorted out the most pressing of the technological problems with voting. What has us stumped is the other stuff.

And that’s a lot of stuff.

There’s a Low-Tech Solution for Voting Security

All the speakers I saw were in agreement: In general, we know what the problems are with voting in America. Purely electronic voting systems, called Direct Recording Electronic (DRE) voting machines, are generally hidden away from researchers, but the ones that have been investigated have proven to be pitifully lax in terms of security. The WinVote machine, dubbed the world’s worst voting machine, had just about every red flag you could imagine for such an important piece of hardware. This system is practically begging to be hacked.

None of that is particularly surprising, but my technology schadenfreude started to get riled up when discussions turned to verification of elections. It’s been an issue for years, but it’s starting to move to the forefront of discussions as election security becomes a bigger issue. Many electronic voting systems (and even some old, lever-powered mechanical machines) lack a way to verify the outcome of an election. Or even to determine whether someone has tampered with the machine.

There’s a consensus among experts: When it comes to ballot security, paper is king. A paper ballot has no software and no moving parts. A paper ballot is its own paper trail, one that’s been verified by the voter and can be recounted as many times as necessary. While there are certainly potential flaws in electronic ballot-marking machines (which print a finished ballot) and ballot scanners, the paper ballots themselves are the most secure method we have to not only cast a vote, but also to verify that the outcome of the election is correct.

What surprised at RSAC me is that the people in charge seem to be getting the message. Kay Stimson, Chair of the US Department of Homeland Security’s Election Infrastructure Sector Coordinating Council, said at RSAC that there’s, “a trend across the US toward building resilience, [and] that means paper records and auditing.”

A quick look at the maps from Verified Voting show a general increase in the availability of paper ballots over the last few election cycles. There’s still more work to be done, however. That same Verified Voter map shows four states that only offer DRE machines with no paper trail. Many states do offer a mix of paper ballots and DRE machines, but sometimes with far more DRE-using districts than paper ballot ones. And paper trails, even ones verified by voters, are still considered inadequate compared to an actual paper ballot.

Even DARPA is taking a crack at the problem, with an initiative to create open-source ballot-marking devices and ballot readers. The project already follows some of the best ideas to fix voting machines. It relies on paper ballots, and will be fully accessible to researchers to find flaws. A neat twist is a receipt with a cryptographic value voters can use to verify that their vote was cast and counted after the election.

A concept that’s received endorsements from researchers is conducting risk-limiting audits after an election. These audits require only a small fraction of votes to achieve statistical confidence in the outcome. It’s such a simple and obvious idea that I never would have expected it to actually be adopted. But according to the National Conference of State Legislatures, 31 states require a traditional audit of the results after an election, and three states perform risk-limiting audits that are recommended by experts. Notably, ten states have passed laws regarding post-election audits since 2016.

And audits work. Just look at North Carolina, where audits helped overturn Mark Harris’ election to Congress.

It’s Everything Else That’s Broken

The biggest challenge to my assumptions about election security is the realization that it takes more than secure voting machines and clever math to verify outcomes. Speaker after speaker at RSAC stressed that elections are a web of interconnected events, technology, policies, organizations, and people and a failure at any of them can have an effect on the outcome. While we’re starting to nail down a secure and verifiable way to cast a vote, we’re still struggling with…well, everything else.

Voting is simply too hard to do in America and individual votes don’t carry the same weight. An effort to turn Election Day into a holiday was called a partisan power grab. The practice of gerrymandering has seen some defeats in recent years, but that’s the exception rather than the norm. We cling to the electoral college, despite having had two elections in the last 20 years where the winning candidate lost the popular vote.

These are problems that have been with our country for generations, and technology can only play a small role in the solution. Even the Russian meddling of 2016 was simply a high-tech twist on misinformation and propaganda. We’ve seen this problem before. Scammers have long known that it’s much easier to simply call someone up and ask for personal information, or present them with a phishing webpage, rather than try to hack targets outright. We call it “social engineering,” but you could call it a con that’s been made orders of magnitude more efficient by new technologies. The best solution we have is training and education, not a clever AI-powered defender.

Similarly, while anxiety has grown over new technological threats to democracy, a technological defense may not be feasible. James Foster, CEO at ZeroFOX, broke it down simply: Targeting specific groups of American voters for persistent disinformation campaigns using existing marketing platforms, similar to the ones you see displaying ads on this site, is remarkably low. The cost of using automated systems to examine text, images, and video to block disinformation is significantly higher.

For their part, governments appear to be investing heavily in technology to attack one another, and they view elections as an excellent opportunity to do so. Kenneth Geers, Chief Research Scientist at Comodo, showed how elections in any country bring about a massive spike in malware detections.

Some of that, Geers conceded, might be scammers using headline-grabbing events, but he hypothesized that it was mostly intelligence agencies and possibly political parties, too. Separately, an entire panel agreed that there wasn’t any concrete way to prevent nations from carrying out these kinds of activities.

Last Call at the Voting Booth

I’ve spent the last few weeks digesting everything I heard and saw at the conference. I assumed that once the voting machines were locked down, that would be that. The bad guys would be beaten. That’s not the case.

By all means, secure our ballots, and scrutinize the results with statistical analysis, but elections cannot be completely secured with any amount of technology alone. There is no off-the-shelf product for cutting through hyper-targeted misinformation, no software patch for alternative facts, and no antivirus for nation state troll farms. To ensure our democracy endures these new threats, we’ll have to undertake hard societal work to educate voters and painful political labor to make sure votes matter. I didn’t hear anyone among the very smart people at RSAC who had a solution for all that.

This article originally published at PCMag
here