But the U.S. is still working to secure its own election infrastructure from the threat of foreign interference and cyberattacks -- and though security experts and top federal officials here have also called on states to use machines with paper trails, it's an uphill battle.
Still, the fact that Haley is touting the benefits of paper ballots in Congo's election highlights how U.S. officials are adjusting their recommendations for election administration both at home and abroad.
“I am glad to see this consistent message and that it’s coming out there,” said Joseph Lorenzo Hall, an election technology expert who serves as chief technologist at the Center for Democracy and Technology.
“It’s basically consensus of most election officials and all the technical community and anyone else that works in election administration . . . that we should use paper,” Hall said. Just last week, Homeland Security Secretary Kirstjen Nielsen recommended that all U.S. states adopt “a physical paper trail and effective audits” by the 2020 election.
Russia’s attempts to influence the U.S. presidential election in 2016 by targeting state election systems — even though there’s no evidence Moscow actually tampered with the votes — has shed a light on the potential insecurity of electronic voting machines around the world. Election security experts are now sounding the alarm about potential cybersecurity vulnerabilities in the machines that the Congolese government plans to roll out for the presidential, general and provincial elections scheduled for Dec. 23.
These blunt warnings also underscore the fact that many U.S. states still rely on outdated machines that security experts say are vulnerable. The United States has been “remarkably slow” in “replacing voting machines most vulnerable to hacking,” the nonpartisan Brennan Center for Justice at New York University School of Law said in March. “This year, 41 states will be using systems that are at least a decade old, and officials in 33 say they must replace their machines by 2020,” the Brennan Center said.
So while the United States is increasingly talking the talk on election security, it still has to fully walk the walk. “That’s one of the problems: A lot of our systems are 10 or 20 years old,” Hall said. “So even though we have made a collective decision that everyone use paper, it takes a while to actually replace all those systems throughout the United States.”
When it comes to Congo, security experts are especially concerned about the machines. While Congolese authorities have released few details about the actual systems it plans to use, prototype machines the country bought from a South Korean company, Miru Systems, presented vulnerabilities that could result in “potential threats to ballot secrecy as well as results manipulation,” according to a report issued in June by The Sentry, a watchdog group investigating corruption and mass atrocities in Africa.
“From what I know from the nonpublic information that I have seen, there’s very little chance that those machines are going to be secure as used in the [Congo] election,” said Hall, who reviewed technical materials The Sentry used to create its report that were not released to the public. Hall also said he could think of one kind of voting machines in the United States that would be as potentially insecure — and Virginia decertified those very machines in 2015.
A report issued in May by the Consortium for Elections and Political Process Strengthening stated that Congolese voters would insert a paper ballot in an electronic voting machine, choose a candidate on a touch screen, and the machine would then print the paper ballot to be inserted in a ballot box. However, Hall said the ballots that Congo intends to use feature unique QR codes that could jeopardize ballot secrecy. He identified other potential vulnerabilities in the machines such as wireless connectivity, unprotected USB ports and an outdated operating system.
Yet Ken Cho, vice president and managing director of Miru Systems, criticized the report from The Sentry and said in an email that “the security concerns raised are not real as the author of the paper seems to have taken facts only from pictures seen and published.” The production of the machines is “almost finished,” Cho said, and their deployment will reduce the “complexity” of the voting process in Congo and bring “more transparency and accuracy,” according to the company.
Haley's concerns were broader and focused on the technical capabilities of the machines -- and Congo’s plan to deploy them across its territory. “Have election organizers widely tested the machines?” Haley asked last month at the United Nations. “Will voters, many of whom have never used a touch-screen, know how to use them? Are organizers preparing paper ballots as a backup if the electronic voting machines fail?”
Congo’s Independent National Electoral Commission (CENI) said in a news release last week that nearly 84,000 of the roughly 105,000 machines from Miru Systems it plans to deploy in December “have already been submitted to quality control and inspected.” The CENI and the Congolese Embassy in the United States did not respond to emailed requests for comment.
Still, Congolese activists are also expressing fear that the vote could be manipulated and opposition to the technology is growing among the population. Last week, the Congolese activist group Lucha organized protests against the voting machines and demanded fair elections. Jean-Paul Mulagizi Nyunda, a member of Lucha, said the group worries about the machines because “we don’t know what their software contains.”
“The voting machine has become a lightning rod in popular opinion,” said Jason Stearns, director of the Congo Research Group at New York University’s Center on International Cooperation. “The opposition has used this as one of the main themes they’re campaigning on, that as long as the voting machine is being used, the elections cannot be free and fair.”
Moreover, a poll published in July found that 66 percent of Congolese respondents were not in favor of electronic voting machines. The poll was released by the Congo Research Group and the Bureau d’Études, de Recherches, et de Consulting International, a Congolese research firm.
To be sure, there were impracticalities in the paper ballots that Congo used in past elections. Stearns said the ballots were sometimes so long that they ended up being “booklets.” And Corneille Nangaa, president of the CENI, said during the Feb. 12 U.N. meeting that introducing the machines would allow Congo to save more than $120 million and reduce the amount of equipment needed to hold elections.
But at the same meeting, Haley was unconvinced. “It should go without saying that employing an unfamiliar technology for the first time during a crucial election is an enormous risk,” she said. “It has the potential to seriously undermine the credibility of elections that so many have worked hard to see have happen.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: “The Trump administration is considering imposing sanctions on Chinese entities caught stealing U.S. intellectual property via cyber attacks, three people familiar with the matter said,” Bloomberg News’s Jenny Leonard and Shawn Donnan reported on Friday. “The plan being discussed would use an Obama administration executive order that allows the U.S. to impose sanctions on individuals or entities engaging in ‘malicious cyber-enabled activities.’ But it has sparked a heated debate among administration officials, with Treasury Secretary Steven Mnuchin, who has jurisdiction over the potential sanctions, said to be blocking the effort, the people said.”
U.S. Trade Representative Robert E. Lighthizer is among the supporters of such a move, according to Bloomberg News. The sanctions could include seizing or freezing assets or banning Chinese companies that get caught from doing business with U.S. firms. “Andrew Grotto, who helped draft the original executive order while serving as a cybersecurity adviser in the Obama administration, said it could be an effective tool to crack down on Chinese cybertheft of commercial secrets,” Leonard and Donnan wrote. “But the powers it grants to impose sanctions have only been used a few times until now, he said, in part because it required evidence that any hacking was done for commercial reasons rather than as part of a broader espionage effort.”
PATCHED: “A Russian man has been extradited to the United States from Georgia on charges that he took part in a massive computer hack, which targeted JPMorgan Chase & Co and other U.S. companies, U.S. prosecutors announced on Friday,” Reuters's Brendan Pierson reported. “Andrei Tyurin, 35, was arrested in Georgia at the request of U.S. authorities, according to the office of U.S. Attorney Geoffrey Berman in Manhattan.” Other companies such as Dow Jones & Co., E*Trade Financial Corp. and Scottrade were also hacked. “Tyurin is charged with computer hacking, wire fraud and conspiracy,” Pierson wrote. “The most serious charges carry a maximum sentence of 30 years in prison.”
Prosecutors said the information that was obtained in the hacks was used in other schemes including credit-card fraud and stock manipulation, Bloomberg News's Christian Berthelsen, Michael Riley and Jordan Robertson reported. “In the financial firms’ hack, Tyurin allegedly worked in concert with Gery Shalon, an Israeli who the U.S. accuse of masterminding the scheme,” according to Bloomberg News. “From 2012 to 2015, according to prosecutors, Tyurin purloined personal information about more than 100 million of the firms’ clients by infiltrating corporate computer networks, locating customer databases and exporting profile information to computers overseas.”
PWNED: “A new report by congressional investigators details how hackers broke into Equifax last year in a breach that exposed the financial information of more than 145 million Americans,” the Associated Press's David Koenig reported. “The lawmakers who requested the report say they will press the Trump administration on the lack of enforcement actions against the giant credit-reporting agency.”
Here is how the breach unfolded: “The Government Accountability Office, the investigative arm of Congress, confirmed that a server hosting Equifax’s online dispute portal was running software with a known weak spot,” Koenig wrote. “The hackers, who have not been identified, jumped through the opening. Hiding behind encryption tools, they sent 9,000 queries to dozens of databases containing consumers’ personal information, then methodically extracted the information.”
Moreover, states have been more effective at taking action following the breach than the federal government, according to the Wall Street Journal's Adam Janofsky. For instance, Alabama and South Dakota passed data breach notification legislation in March. “Other states, including Arizona, Colorado, Louisiana and Oregon, have amended their laws to include provisions about credit freezes, expand the definition of personal information and shorten the time to notify victims,” Janofsky reported.
— Louisiana continues on its rocky path toward replacing its aging voting machines. “Secretary of State Kyle Ardoin defended the selection of a vendor to replace Louisiana’s years-old voting machines, saying Friday that the evaluation process was done ‘with a view to ensuring fairness to all participants,’” the Associated Press's Melinda Deslatte reported. “Ardoin filed his formal response to a protest of the lucrative contract award that a losing bidder lodged with the state’s procurement office. The Republican secretary of state said his office ‘at all times acted in the best interests of the state to secure the best, most cost-effective voting technology for the citizens.’”
— More cybersecurity news from the public sector:
— “A new lawsuit in New York is highlighting the thorny legal issues concerning the degree to which employers can snoop through their employees’ electronic devices,” the Wall Street Journal's Nicole Hong reported on Sunday. “Paul Iacovacci, an ex-managing director at Brevet Capital Management LLC, sued his former employer last week, accusing the New York investment firm of accessing his home computer to read his personal emails and steal data stored on personal hard drives. Mr. Iacovacci alleges the activity violated federal antihacking laws. A spokeswoman for Brevet denied the company hacked into Mr. Iacovacci’s computer, saying the computer was Brevet’s property because the company purchased it.”
— More cybersecurity news from the private sector:
- 10th EAI International Conference on Digital Forensics & Cyber Crime in New Orleans through Sept. 12.
- Senate Banking Committee hearing on “countering Russia” on Sept. 12.
- Senate Homeland Security and Governmental Affairs Committee hearing on “evolving threats to the homeland” on Sept. 13.
Russian President Vladimir Putin has trouble with voting machine:
Sen. Ben Sasse: “This White House is a reality show-soap opera presidency.”
“Plaid shirt guy” at Trump rally goes viral: