Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/16/2020
11:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Meet the Computer Scientist Who Helped Push for Paper Ballots

Security Pro File: Award-winning computer scientist and electronic voting expert Barbara Simons chats up her pioneering days in computer programming, paper-ballot backups, Internet voting, math, and sushi.

Barbara Simons has been fighting for secure elections for two decades. But the award-winning computer scientist, who's also well-versed in voting technology and its security vulnerabilities, doesn't consider herself a security expert. Everything she's learned about election security, she says, came from hanging out with security experts.

"My job had nothing to do with security. My training is in computer science," she says. "I've never hacked [a] machine ... [but] I think I could learn [how to]," she says.

Related Content:

DEF CON Voting Village: It's About 'Risk'

Special Report: Computing's New Normal, a Dark Reading Perspective

New on The Edge: 5 Security Lessons Humans Can Learn From Their Dogs

Simons, 79, has been a major and influential player in the movement to institute paper-ballot backups for electronic voting systems and in warning about the security risks of Internet voting. She and many other computer scientists argue that computers and software alone can't properly handle the task of tallying votes.

"You can't trust computers to work properly [with voting systems]," says Simons, who has served on multiple projects and task forces on election security. "You need paper as a check on the computers."

In 2000, online voting in US elections had sounded like an exciting and promising prospect to Simons when she joined the Internet voting study task force convened by then-President Bill Clinton.

"In those early days looking at Internet voting, it was, of course, why not? I thought it was a good idea," recalls Simons.

But her enthusiasm quickly waned. Security experts from academia and government labs shared grim assessments of the major security risks in online voting, so the final report published by Simons and other members of the National Workshop on Internet Voting flatly rejected the notion of shifting to online voting in the new millennium.

"It basically said, 'No, not right now," she says. "It was a pretty negative report."

But soon after, new calls for Internet voting and expanded electronic-voting technology began to escalate in the wake of the punch-card "hanging and dimpled chads" fiasco of the 2000 presidential election. Some punch-card ballots had not properly detached the perforated paper in the casting of votes. As a result, they were unreadable, causing more confusion and consternation in the already extremely tight race in Florida between Al Gore and George W. Bush.

Suddenly, paper became the bane of vote-count accuracy, which helped usher in a new generation of electronic-voting systems, such as direct recording electronic (DRE) voting systems. These systems had no paper trail to protect vote counts - but unfortunately, plenty of security holes.

Thanks to high-profile hacks of voting equipment at DEF CON, as well as pressure from experts like Simons and policymakers in the wake of Russian election-meddling and data breaches in the 2016 election, old-school paper is now experiencing a comeback in the voting process, and DRE systems are gradually disappearing from polls due to security issues. Simons, her colleagues at Verified Voting (where Simon serves as Board Chair), and other election security experts are also pushing hard for adoption of so-called risk-limiting audits to be widely deployed.

It hasn't been an easy sell, Simons admits.

"A lot of people are put off by that," says Simons, who's officially retired but currently performs full-time pro bono work for both Verified Voting and the Association for Computing Machinery (ACM), where she also had served as president. "They don't realize scanners are computers that can be hacked."

A risk-limiting audit randomly selects ballots that are then manually checked against electronic machine results to basically provide an integrity check of vote counts. A statistical sampling of paper ballots are compared with the electronic records, and the vote counts are checked.

Ask Simons about the recent mobile voting experiments in states such as Washington, Utah, and West Virginia, where votes are cast by smartphone and processed over a blockchain infrastructure, and she argues that it's a nonstarter. It's just Internet voting by a different name, and "it's a terrible idea," she says.

'Ahead of the Game'
Simons blazed a path from mathematics to a Ph.D. in computer science in 1981 from the University of California, Berkeley, at a time when computing was new and there were few women to follow in the technology profession. Her dissertation solved an open problem in the so-called scheduling theory in computing, and she joined IBM Research in 1980, where she worked as a computer scientist.

Simons today is considered not only a computer science pioneer, but also one of the most influential women in technology. And as she describes it, she "fell into" the field. Simons never finished her undergraduate degree: After starting at Wellesley College as a mathematics major and then transferring to Berkeley, she got married and later dropped out to raise her children.

"I went back to school when my marriage was breaking up. I was out of school for nine years," she says. "My father, whose advice I hardly ever took, suggested that I learn how to program because as a mathematician he thought that would mean I would find programming easy."

(That's a fallacy, Simons says. Computer programming doesn't necessarily require math chops - something she says she and her dad didn't realize at the time.)

"I enjoyed programming and continued to aim slightly higher than where I currently was. One thing led to another, and I ended up getting a Ph.D. in computer science. If I had started off with the goal of getting a Ph.D. ... well, I never would have started off. It would have seemed impossible," she notes. "Instead, each time I set a new goal, I could say to myself that even if I fail, I'm already ahead of the game. That made me feel less intimidated than I might have felt otherwise."

Computer programming was still a new field when Simons entered it, and in launching a new career after taking time off with her family, she was well aware of the challenges faced by women in the same situation. So she co-founded the University of California Computer Science Department Reentry Program for Women and Minorities at Berkeley to help women join the field, and also served on diversity group boards at Berkeley and the national Coalition to Diversify Computing.

Women were among the pioneers in computer programming in the early days, she recalls.

"The first programmers were women and they were totally written out of history," she says, pointing to women such as the late Fran Allen, who in 2006 became the first woman to receive the prestigious Turing Award from ACM.

Programming "wasn't poorly paid" as a field at the time, but it also wasn't initially as highly regarded as it is today, she says. It wasn't until men started entering the field in numbers that salaries rose and women got squeezed out, Simons says.

"They started requiring calculus, which has nothing to do with programming [and] a lot of girls in high school weren't taking," she notes. "The doors were closing for women, and that's one of the reasons we started" the reentry program at Berkeley.

To this day, Simon remains the only woman to have won the Distinguished Engineering Alumni Award from Berkeley.

"Our goal was to produce more women and minority leaders, and we wanted them to get Ph.Ds," she says.

The reentry program gave women and minorities the opportunity to take regular computer science classes at Berkeley so they could apply to graduate school, but the passage of Proposition 209 in California - which banned educational benefit programs based solely on gender or ethnicity - ultimately killed the program, she says.

Paper and Patience
James Hendler, chair of ACM's US Technology Policy Committee, describes Simons' expertise as a unique blend of knowledge in computing technology and its policy implications that she has used to help forge election security policy. ACM recently awarded Simons its ACM Policy Award for her leadership of the organization and her work on election security issues.

"She realized before most others that the cybersecurity risks of electronic voting machines and, later, online voting could have implications that most politicians and the public were not aware of," Hendler says. "She realized there had to be a paper-based record to back up electronic voting machines and/or some kind of risk-based auditing for monitoring any kind of online election. Without these safeguards, an election would be virtually impossible to secure."  

Simons sees the shift away from paperless voting technology as a positive development for the upcoming election in November, but she worries about efforts to fast-track mobile voting if the move to mail-in paper ballots falters in some areas.

Mail-in voting is good for post-election audits, she says, and "hand-marked ballots are the best kind."

Even so, she says the potential for a protracted vote count given the increase in mail-in ballots amid the pandemic could cause confusion and even sow distrust in the outcome.

"Americans are going to have to learn a little patience" in learning the outcome of the election, she says.

___________________

PERSONALITY BYTES

Simons' biggest worries about election security: Just about everything. I'm especially worried about an attack on our voting technology: the electronic poll books, the voting machines, and the scanners that tabulate the ballots. If folks share the concerns of our intelligence community - and they should - that Russia wants to mess with our election, then allowing Internet voting, which is the most insecure form of voting possible, would be a gift to Russia, or China, or Iran, or North Korea, or indeed any nation/state or organization that wants to steal our elections.

'Aha' moment as a mathematician-turned-coder: I remember thinking, 'Wow, in math you're given a problem that you don't necessarily know has a solution. Is this theorem true or false?' You don't know. But with programming, you're asked to write software for a problem you know you can solve. This was pretty cool.

Retirement: I'm working really hard. I'm just not getting paid.

Favorite hangout before COVID-19: Bowen Island [British Columbia]

Comfort food: Sushi

Netflix pick right now: At the moment we're into Korean shows. We've seen "Crash Landing on You" and "Rookie Historian," both of which I recommend. We're now watching a show called "Vagabond."

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
janelee
50%
50%
janelee,
User Rank: Apprentice
9/18/2020 | 3:04:10 PM
Risks to both paper and electronic voting systems
This was a great read! GO BEARS!

It'll be interesting to see how voting technology progresses in the future. While I do agree that electronic voting has its risks, I believe that paper/in-person voting has its downsides as well. Particularly with the recent confusion/disinformation being spread about mail-in votes, I can't help but think about whether having a more streamlined (electronic) voting system would be better. Additionally, I have never been asked to verify my ID during in-person voting in the past 14 years. In my opinion, this is a vulnerability that can be exploited by bad actors. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.