As vulnerability assessors, we try to find security weaknesses in a variety of physical security devices, systems, and programs. This is usually the easy part. Then we suggest fixes, which is typically only slightly harder. The most difficult part is actually getting people and organizations to make changes in order to improve security. And yes, it is a lot of fun.
We work mostly in the area of physical security, not cyber (computer) security. But nowadays, physical security increasingly depends on having good cyber security, and vice versa, so we do some cyber security analysis, too.
We do this work for private companies, NGOs, and various government organizations, including the International Atomic Energy Agency (IAEA). We used to only do vulnerability assessments, but we got so frustrated at how bad physical security and nuclear safeguards can sometimes be that we began to develop new approaches and technologies ourselves to, if nothing else, at least demonstrate alternatives.
Your last statement is a little unnerving, Roger. What should we as citizens be worried about, security-wise, if that's not too broad a question?
Well, physical security in general is not a very well developed field and a lot of what passes for physical security is just "Security Theater". Cyber security, which is thousands of years younger than physical security, is a much more developed field. It is sexier and attracts really bright people. Not so much for physical security. Physical security tends to lack the metrics, models, theories, research and development, critical and creative thinking we need. While you can get a degree in computer security from many major 4-year research universities, good luck with that in physical security! There are 33 scholarly, peer-reviewed journals dedicated to cyber security, but none for physical security (until we started one: The Journal of Physical Security, http://jps.anl.gov/ ).
In general, physical security (including homeland security, nuclear security, and election integrity) suffers, in my view, from a failure of imagination. There is too much denial, cognitive dissonance, wishful thinking, bureaucracy, and being reactive instead of proactive. If we don't think creatively like bad guys, we can't foresee what they will do. Example: 9/11.
This lack of imagination and thinking like the bad guys is what I think we should be afraid of.
Let's talk about cyber security for voting machines, which is what you will be talking about tonight. Many computer experts think it is folly to even use computers for something as important as our elections because of the inability to prevent insiders or outsiders from gaining access. As soon as one layer of security is slapped on, hackers develop an antidote. What's your view on this?
Well, actually tonight I'm talking about non-cyber ways to defeat voting machines. I agree that they typically have very serious cyber vulnerabilities but the vast majority of people who have looked at voting machine security are computer scientists. It's the old story of when you have a hammer, everything looks like a nail. They mostly do cyber attacks. You have to be fairly smart to reverse engineer the microprocessor code or fiddle with stored data or computer ports. There are easier, non-cyber attacks, as we've demonstrated.
I believe a case can be made for getting rid of computers in voting machines but that issue is largely irrelevant until the voting machine manufacturers build in physical security and move beyond denial, until election officials develop serious security protocols, and until there is a much better security climate/culture around elections, including careful and creative thinking about the problem from the perspective of the bad guys.
Security is hard. We can't just phone it in, or rely on Security Theater and wishful thinking.
Bev Harris, the founder of Black Box Voting, the nonpartisan election watchdog group, is also in Illinois this week. I heard her on Wednesday night. She feels that as soon as any of the four essential processes in an election [who can vote, who did vote, chain of custody and the count] are concealed, then citizen sovereignty has been transferred from the people to election officials, private vendors and election "experts". We have moved away from the "inalienable right" of self-government established in the Declaration of Independence and the Constitution. Bev sees this as a human rights issue, a freedom of information issue and emphatically not a computer security issue. So, all this talk about securing voting machines really misses the point. How would you respond to Bev?
I agree that the security of voting machines is just a part of the problem, but it is symptomatic of a larger lack of security culture when it comes to elections. The thing with attacks on voting machines is that they attract attention and they are very concrete. The vulnerability assessors either spoofed the machines or they did not. A lot of the other security issues Bev is talking about are harder to test (without actually breaking laws) and harder for election officials and the public to get their heads around.
But in my view, she is dead on correct about the need for public transparency and oversight, and the fact that all the areas she mentions are problematic. Ironically, security is usually much better when it is open to public view and analysis than when organizations try to keep secrets (because the fact is, they can't). This is called Shannon's (or Kerckhoffs') Maxim. (DHS still does not get this concept, so why should election officials?)
All of the things she mentions need to be fixed. I think anybody asking questions about election integrity should be welcomed into the discussion, not dismissed if they don't have the final answer to all issues.
Agreed! The title of your talk in Wheaton (IL)* tonight [Friday, March 25] is "How to Tweak a Voting Machine - by Remote Control." For those of us who won't be able to join you, what will you be talking about? Are you giving away free tricks to would-be fair election thwarters?
[Afterward] Joan, I talked about our work with a wide variety of physical security devices, systems, and programs. This includes locks, tamper-indicating seals, access control and biometrics devices, GPS, RFIDs, nuclear safeguards equipment, etc. and how these things often have little to no effective security and lots of "Security Theater" (fake security). If these SECURITY devices can't do security well, why would we expect electronic voting machines and election officials who aren't security experts to do well? Nevertheless, we have to insist that we have good election integrity despite the challenges.
I warned that if we can have about 15 seconds of access to most security devices (and presumably most voting machines), we can hijack them. This can occur at the factory, in transit, on the loading dock, in storage, while sitting around in the school hallways, etc. Thus, a cradle to grave, secure chain of custody is vital for any security device or voting machine. (Note: a chain of custody is a process, not a piece of paper that bureaucrats scribble their initials on.)
Then I talked about tamper-indicating seals and why they aren't the simple, mindless silver bullets for election security for ballot boxes, voting machines, etc. You can get good tamper detection from seals, but it takes a lot more effort and training than people are willing to do. I gave some suggestions for better seal use.
I also talked about our attacks on the Sequoia Advantage AVC electronic voting machine that have nothing to do with cyber attacks, and are much easier. I discussed the importance for the bad guys of being able to turn cheating off and on remotely (as we've demonstrated is easy). We have also recently started looking at the Diebold Accu-Vote TS for simpler attacks than cyber based ones.
I discussed the importance of a good security culture and climate, listed a bunch of fairly common assumptions about election security that are probably wrong, and gave three-dozen suggestions for how to improve election security in general.
About 65 people in attendance, including several election officials. A very lively discussion afterwards.
Now you've got me intrigued, Roger. What can you tell us about false assumptions about election security and easy ways to protect election security?
Sure. I think too often election officials assume (incorrectly) that: the bad guys have to attack the computer/microprocessor or cyber parts of the machine--which requires real smart people; that "certification" of machines is some kind of silver bullet against vote tampering; that adhesive label seals are good at detecting tampering and that they will be blatantly ripped open by an attacker and that they require almost no training to use; that you should get your security advice from manufacturers of voting machines, locks, and seals; that piling on lots of security features leads to good security; that "security by obscurity" (keeping secrets) is how you get good security; that a chain of custody is a piece of paper on which people scribble their initials or signatures; that hundreds of voting machines have to be compromised for the bad guys to succeed; that vote tamperers are only interested in getting their candidate to win the election; and that physical and cyber security are easy.
Suggestions for better election security:
1. Let's try to separate concerns, questions, and criticisms about election security from political attacks on election officials (who are often elected themselves). Security should be controversial and we need to listen to all input about it.
2. Election officials need to think like the bad guy. How would you cheat?
3. Establish a healthy security culture and climate, where security is constantly on everybody's mind and open for discussion and debate and review and outside analysis.
4. Ironically (and counter-intuitively), the best security is usually transparent.
5. Security is hard work, so expect to put in hard work.
6. Do periodic background checks on people who move and maintain the voting machines.
7. Somebody has to sign for the machines when they reach the polling place prior to the election (there can't be a delay in delivery), and at least semi-watch them. Use custodians, teachers, secretaries, and school kids (a great civics lesson!) to keep an eye on the machines if you can't lock them up.
8. Consider escorting the machines to and from the polling places.
9. Lean on manufacturers of voting machines to get serious about security.
10. Have a real, secure chain of custody, not bureaucratic forms to sign or initial purporting to be a chain of custody.
11. Try bribing your people, then make them public heroes and let them keep the money if they decline. (Wait at least one day, though.) Word will get around that it isn't a good idea to accept a bribe.
12. Form a pro bono citizens panel with local security experts to provide guidance.
13. You must randomly select some machines before, during, and after the election to completely tear apart, examine, and reverse engineer. Just seeing if they appear to run correctly is not good enough! It's too easy to turn cheating on and off.
14. If you are going to use seals, provide at least a few hours of training in how to spot attacked seals. Give lots of examples of attacked seals. Discuss how the seals will likely be attacked.
In the meantime, elections continue to be run without any of these safeguards. Have your guidelines been picked up by anyone? Do you have any indications that anyone is listening? Considering the importance of elections in charting our future, you would think that election security would be a major concern.
Gee, you would think election security would be a major concern, but I don't see much evidence of that among voting machine manufacturers or election officials. Seems to be a lot of denial and amateur-hour approaches. At the 2 talks I gave last week, though, several election officials in attendance expressed gratitude for some of my suggestions for improving security, so maybe that's a positive sign. I certainly have been amazed at the number of private citizens and activists wound up about election integrity. Good for them! Counting everybody's vote fairly is the cornerstone of our democracy, and they're being very patriotic to be concerned about it.
We need a lot more than a few concerned individuals here or there, Roger. In the meantime, candidates have been elected (or not) using a deeply flawed system that is antithetical to the principles of self-governance. Anything you'd like to add?
No, I think that covers it.
Thanks for talking with me, Roger. If you're willing, I'd like to explore the other vulnerabilities you've discovered in your work in the future.
*When: Friday, March 25th, 7-9pm
Where: The Auditorium of the Illinois Institute of Technology
201 East Loop Road, Wheaton, IL
Roger's Awards, Honors, and Memberships
- LANL Fellows Prize for Outstanding Research (2004)
- Two LANL Distinguished Performance Awards (2001 & 1996)
- Three LANL Achievement Awards (2007, 1999, & 1995)
- National ASIS "Excellence in Performance Measure" Award (2002)
- Distinguished Performance Award from the CIA (2002)
- Two National R&D 100 Awards (1994 & 1992)
- Certified Protection Professional (CPP), ASIS International
- 1997 Ford Motor Co. Engineering Award