Risk

9/6/2018
08:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

The Best Way To Secure US Elections? Paper Ballots

Voting machines that do not provide a paper trail or cannot be independently audited should immediately be removed, concludes a new report from the National Academies of Sciences, Engineering, and Medicine.

A new report from the National Academies of Sciences, Engineering, and Medicine is recommending the use of human-readable paper ballots as the best way to protect the security and integrity of US elections, at least in the immediate future.

In fact, the committee behind the report wants election officials to consider ditching voting methods that do not provide a reliable paper-verifiable audit trail as early as the upcoming 2018 midterms and for all local, state, and federal elections by 2020.

It also does not want jurisdictions to permit the use of the Internet and Internet-connected systems to return marked ballots until "very robust guarantees" of security and verifiability are developed. Other recommendations include the need for states to mandate risk-limiting audits prior to the certification of election results and routine assessments of the integrity of voter registration systems and databases.

The report, funded by grants from the Carnegie Corporation, the William and Flora Hewlett Foundation, and several others, is based on an exhaustive analysis of the state of US election security in the wake of concerns over Russian interference in the 2016 general elections. It also examines the current state of technology and standards for voting across the country with a particular emphasis on the challenges — including those related to cybersecurity issues — stemming from the last elections.

Lee Bollinger, president of Columbia University and co-chair of the committee that developed the report, described the study as coming at a critical time for American democracy.

In a live-streamed event on Thursday, Bollinger said that when the committee began working on the report, it had fully expected to find that US voting systems were moving away from physical, in-person balloting toward Internet and remote voting.

"However, by the time the committee's first meeting in April 2017, it was clear the most significant threat to American elections was coming not simply from the need for new technologies, but rather from efforts by foreign actors seeking to undermine the credibility of election results," he said.

The report makes note of assessments by the US intelligence community of Russian involvement in several cyberattacks and attempted attacks against US election infrastructure in the months leading to the 2016 presidential election. Among them was an incident in June 2016 when network credentials to the Arizona state voter registration system were posted on a site frequented by suspected Russian hackers, and another later that month involving a voter registration system in Illinois.

Such incidents combined with aging and insecure voting equipment, inadequate poll worker training, and vulnerable voter registration systems mandate a return to paper ballots, Bollinger said. The ballot could be marked either by hand or machine using a ballot-marking device and could be counted using an optical scanner or even hand-counted.

"Paper ballots are evidence that cannot be manipulated by faulty software or hardware," he noted. "And they can be used to audit and verify the results of an election."

Marian Schneider, president of election watchdog group Verified Voting, says the recommendations in the new report are exactly in line with what her organization has been calling for, as well.

While many states already use the kind of paper-based voting system that the report recommends, many others do not, she says. Some states use completely paperless voting systems or Direct Recording Electronic (DRE) systems, for which a voter's choice is recorded and stored directly in the computer. Some DREs support a paper-based audit trail where voters can verify the system has properly captured their intent before casting their vote. And many states use a combination of paper and paperless systems, Schneider notes.

Five states — Delaware, New Jersey, Georgia, Louisiana, and South Carolina — currently vote exclusively on machines that do not support a paper record. In a report this July, the Committee on House Administration categorized these states as being exposed to the most critical election security vulnerabilities. "It is nearly impossible to determine if paperless voting machines have been hacked and if vote tallies have been altered," the report had noted.

Even DREs that support a voter verifiable paper audit trail are not foolproof because voters may not always verify their ballots before casting them. So it is possible that the information stored in a computer's memory does not accurately reflect the voter's intent, Schneider says. At the moment, the best way to mitigate such risks is to use hand- or machine-marked paper ballots.

"The most significant takeaway is that certain times in a nation's history demand unity. This is one of them," Schneider says.

The new report comes amid ongoing concerns over hacking and other forms of interference in US elections. A survey conducted at Black Hat by security vendor LastLine found 84% of the respondents saying there will be some form of hacking during the 2018 midterm elections. About 54% believed it would happen at a national level, while 47% expected disruption at the state level, with the goal of influencing state-level races. Nearly one-third believed that any hacking that takes place would be designed for propaganda purposes and not to affect the outcome of the election.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CyberCoach
50%
50%
CyberCoach,
User Rank: Apprentice
9/13/2018 | 1:18:03 PM
I agree with Paper Ballots
The entire year of investigations into our voting process and it being hacked needs to be stopped. The analysis conducted by the National Academies of Science, Engineering, and Medicine has an approach. Sometimes it's just best to unplug. Paper Ballots and trusted senior citizen volunteers who have nothing to gain or lose from counting the ballots and love the work they do for their country is the way to go. Pitch the voting machines! No digital devices allowed and as a result, no interference from any hackers. Let's shut the digital wall on them by cutting the cord completely. How difficult can that be? 
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
9/12/2018 | 9:24:29 AM
Seriously
If you have computer voting, it is all on an in-location isolated network - no internet!    Results are tabulated on a central system also isolated.  Results are then "voice phone" to central location for final count which is kept offline too and when done = VOILA - internet free election. 
JoeB1Kanobe
0%
100%
JoeB1Kanobe,
User Rank: Strategist
9/10/2018 | 3:53:01 PM
Re: True, but
Hemp will cure the "Tree" issue, Save a tree, insist on hemp paper!
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/7/2018 | 9:51:31 AM
True, but
Then all the advocates of Brazillian rain forests and tree huggers will come down on de-forestation. 
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
To Click or Not to Click: The Answer Is Easy
Kowsik Guruswamy, Chief Technology Officer at Menlo Security,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19296
PUBLISHED: 2018-11-16
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
CVE-2018-19301
PUBLISHED: 2018-11-15
tp4a TELEPORT 3.1.0 allows XSS via the login page because a crafted username is mishandled when an administrator later views the system log.
CVE-2018-5407
PUBLISHED: 2018-11-15
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
CVE-2018-14934
PUBLISHED: 2018-11-15
The Bluetooth subsystem on Polycom Trio devices with software before 5.5.4 has Incorrect Access Control. An attacker can connect without authentication and subsequently record audio from the device microphone.
CVE-2018-14935
PUBLISHED: 2018-11-15
The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS.