Analysis | The Cybersecurity 202: Internet-based voting is the new front in the election security wars
By Joseph Marks
The development comes as states are scrambling to revamp their voting procedures to respond to the novel coronavirus pandemic. In some cases that means allowing digital voting to play a more prominent role, despite persistent warnings from experts that it's highly insecure and often unverifiable.
The Department of Homeland Security, the FBI and the Election Assistance Commission jumped into the fray on Friday, sending guidance to states warning about the major security challenges posed by all voting systems that use the Internet in some way. The guidance covers ballots sent digitally to voters; ballots sent and marked online but printed out and returned by physical mail; and ballots that are received and returned entirely digitally.
The agencies warned about dangers related to all three systems but especially the third, which they say poses “significant security risks.” Among those risks: Hackers could change large numbers of votes, block votes from being recorded or undermine ballot secrecy.
Securing the 2020 election presents a set of dramatically different challenges than even just a few months ago when it seemed nearly unthinkable states would willingly expose more of their voting processes to the dangers of hacking and most election security debates focused on ensuring votes would be cast with paper ballots that could be audited after the fact.
The new situation underscores how the coronavirus pandemic has upended every aspect of election security, propelling the 2020 contest into far more dangerous territory.
Voters drop off their ballots at the Board of Elections in Dayton, Ohio. (Megan Jelinger/AFP/Getty Images)
The move to voting that relies on the Internet in some fashion has been limited so far. But that could change.West Virginia, Delaware and New Jersey have announced plans to pilot app-based voting systems for parts of the electorate in upcoming primaries, including military and overseas voters and voters with disabilities that make voting by mail impractical.
Other states and counties are contemplating systems to allow voters to receive, mark or return their ballots using online systems. But the focus of the debate is mostly on receiving and marking ballots that voters can later mail to officials or drop off in secure lock boxes.
But federal officials fear online balloting could become more attractive as states complete primaries delayed by the pandemic and turn their attention to preparing for the general election.
Those elections will be burdened by a bevy of new costs related to the pandemic but have received only a fraction of the money necessary to implement them from the federal government. It would cost about $2 billion for states to implement all the necessary upgrades to protect voters from both the coronavirus and Russian hacking, according to an estimate by the Brennan Center for Justice at New York University, but Congress has supplied just $400 million so far.
The letter from DHS and the FBI includes unusually blunt language about the danger of transmitting completed ballots online.The final version of the letter, however, is less harsh than a draft version obtained by Kim Zetter for the Guardian. That early draft specifically warned that DHS’s cybersecurity division “discourages electronic ballot return technologies.”
Here are details from the Wall Street Journal’s Dustin Volz, who was first to report on the final version of the letter.
One change from the version @KimZetter got to the final one is that the line stating CISA “discourages electronic ballot return technologies" was deleted.— Dustin Volz (@dnvolz) May 8, 2020
Why? Source said interagency talks raised the concern of litigation from internet voting vendors.https://t.co/Hngto12W8x
The right to vote is fundamental & we must continue to expand access to the ballot box in these difficult times. But we must do so in a way that preserves the integrity of elections. I urge states to heed @CISAgov's guidance & put into place only low-risk remote voting options. pic.twitter.com/bSoWh3FDpP— Jim Langevin (@JimLangevin) May 9, 2020
A group of computer scientists who wrote to DHS Thursday expressed far more concern about those systems.
They warned about hacks that could destroy the secrecy of the ballot for any voters who used them and urged such ballots be reserved just for people with disabilities that make it impossible to mark ballots by hand. They also want the systems to go offline while the voters are marking their ballots.
The situation is further complicated by President Trump’s railing against voting by mail.Voting by mail is the easiest and likeliest solution for large portions of the population if the coronavirus is still making in-person voting dangerous in November. But Trump has attacked the method, claiming without evidence that it leads to widespread voter fraud.
That’s despite the fact Trump voted by mail himself in Florida this year.
The presidential disdain has been echoed by a handful of lawmakers including House Minority Leader Kevin McCarthy (R-Calif.). And it could make it harder for some Republican election officials to rely as heavily on mail-in voting as they might in November.
Trump attacked California officials this weekend regarding a special election to replace Rep. Katie Hill (D). Officials in the district have urged people to vote by mail because of the pandemic but are also maintaining several in-person polling sites.
It was the late decision to add one more in-person site that set Trump off. He claimed without evidence the new location amounted to a “scam” to increase Democratic votes and urged that votes cast there shouldn’t count.
So in California, the Democrats, who fought like crazy to get all mail in only ballots, and succeeded, have just opened a voting booth in the most Democrat area in the State. They are trying to steal another election. It’s all rigged out there. These votes must not count. SCAM!— Donald J. Trump (@realDonaldTrump) May 9, 2020
The decision to add an in-person polling location there was supported by the city’s Republican mayor, she notes.
The polling site in Lancaster will be one of 13 in the district, Colby reports, compared with about 1,000 during a normal election.
Trump's tweets raised the ire of several congressional Democrats. Here's Rep. Bill Pascrell Jr. (D-N.J.).
Trump’s attacks on voting aren’t funny because taken to their logical conclusion his endless lies about voter “fraud” threaten the legitimacy of every election and democracy in America. pic.twitter.com/BxxtYw2tdG— Bill Pascrell, Jr. (@BillPascrell) May 9, 2020
The President who votes by mail ballot says voting by mail is “stealing an election”. If it’s good enough for him, good enough for Utah and other states that conduct mail-only elections, why isn’t it good enough for every eligible American voter? https://t.co/yy69RUmi2W— Rep. Dean Phillips (@RepDeanPhillips) May 9, 2020
The Trump administration plans to accuse China of trying to hack coronavirus vaccine data.
President Trump meets with China's President Xi Jinping. (Kevin Lamarque/Reuters)
The warning focuses on data theft by government-backed hackers and “nontraditional actors,” such as researchers and students the Trump administration says are being directed to steal data from inside U.S. academic and private laboratories.
The Times describes the Chinese hacking campaign as part of a global effort by government-backed hacking teams to try to gain advantage amid the pandemic, including by nations that are typically U.S. allies such as South Korea.
Iranian hackers may be responsible for an attack that tried to disrupt Israeli water supplies.
Water reaches the stairs in a harbor in the Sea of Galilee. (Ariel Schalit/AP)
“Cyberattacks that intentionally damage critical infrastructure shouldn’t be condoned,” a senior Trump administration official, who declined to discuss the specific incident, told my colleagues.
The alleged strike occurred on April 24 and 25, was quickly detected and thwarted before it could cause damage. Iran denied any involvement in the attempted hack.
Acting director of national intelligence Richard Grenell created a new top cybersecurity post – irking lawmakers.
Acting director of National Intelligence Richard Grenell. (Thomas Kienzle/AFP/Getty Images)
The move comes as the Senate is considering the nomination of Rep. John Ratcliffe (R-Tex.) to be the next permanent DNI. It also follows a spat between Grenell, who is seen as a Trump loyalist, and House Intelligence Committee Chairman Adam Schiff (D-Calif.) over the firing of the intelligence community inspector general. Schiff had warned Grenell not to make other personnel changes during his short tenure.
Here are details from Voice of America’s Jeff Seldin:
In his response to @RepAdamSchiff, acting DNI @RichardGrenell accused the HPSCI chairman of overrech in the committee's mandate— Jeff Seldin (@jseldin) May 8, 2020
More on this from a House Intel Committee official - pic.twitter.com/J5XYQl3EWB— Olivia Gazis (@Olivia_Gazis) May 8, 2020
Coronavirus reportIran linked-hackers are also targeting U.S. drugmaker Gilead Sciences, which is working on coronavirus treatments.
A vial of the investigational drug remdesivir is inspected at a Gilead manufacturing site. (Gilead Sciences/AP)
More news on the coronavirus and cybersecurity:
A U.S. Marshals Service data breach exposed the personal information of current and former prisoners.
The Justice Department. (Chandan Khanna/AFP/Getty Images)
It’s not clear how many people were affected by the breach, which the Marshals Service recently notified current and former prisoners about.
More government cybersecurity news:
Hill happeningsA bipartisan group of lawmakers wants to boost state IT money in the next coronavirus stimulus bill.
Rep. Michael McCaul (R-Tex.). (House Television/AP)
The group Includes Reps. Michael McCaul (R-Tex.), Jim Langevin (D-R.I.), Mike Gallagher (R-Wis.), and Cedric Richmond (D-La.), all of whom hold congressional positions related to cybersecurity.
More news from the Hill:
Chat roomOrganizers of the DEF CON summer hacking conference in Las Vegas make an annual gag out of declaring it’s been canceled. But the conference is canceled for real this year because of the pandemic. The organizers, who are planning an online conference, still managed to have some fun with the setback.
Here’s DEF CON Content Director Nikita Kronenberg:
It does help take the sting off, you have no idea how hard it’s been to hold back. My only regret is not making a bunch of memes in advance.— Nikita Kronenberg (@Niki7a) May 8, 2020
— DEF CON (@defcon) May 8, 2020
- House Homeland Security Committee Vice Chairwoman Lauren Underwood (D-Ill.) and Rep. Elissa Slotkin (D-Mich.) will hold a virtual forum on coronavirus misinformation at 1:30 p.m. today.
- The IT Sector Coordinating Council Chair Jamie Brown will talk with CISA’s National Risk Management Center Director Bob Kolasky in a webinar titled "IT Industry Briefing on CISA COVID-19 Response Efforts" hosted by CompTIA and ITI today at 3 p.m.
- The Senate Homeland Security and Government Affairs Committee will host a virtual roundtable to discuss U.S. cybersecurity and the Cyberspace Solarium Commission Report on Wednesday at 9:30 a.m.
- The Senate Commerce Committee will host a hearing on the state of broadband amid the covid-19 pandemic on Wednesday at 10 a.m.
- The Carnegie Endowment for International Peace will hold an online event on “next steps for encryption policy” at 11 a.m. Wednesday.
- The Information Technology and Innovation Foundation will host a webinar “Mind the Gap: A Design for a New Energy Technology Commercialization Foundation” on Wednesday at noon.
- The Open Technology Institute will host an event on the role of technology in pandemic response efforts on May 14 at 11:30 a.m.