Some voting security experts are warning, however, that those systems aren’t nearly secure enough and that any ballot filled out by a machine is vulnerable to hacking. They say paper ballots filled out with pen and ink should be the gold standard.
Yet other experts say the ballot-marking devices with paper receipts that Georgia is considering are secure enough — especially when combined with post-election audits. And they also fix problems with paper ballots, such as unclear voting marks and the fact they’re often inaccessible for people with disabilities.
The dispute is having national consequences. States and localities are racing to upgrade outdated voting systems with $380 million in federal election security money Congress doled out last year -- and have to decide whether to invest in paper or electronic machines with paper receipts. Russia's campaign to interfere with the 2016 presidential election highlighted the potential insecurities of electronic machines that do not leave any sort of paper trail. Yet Georgia, which was one of only five states that had no paper record of votes at all during the 2016 election, may pave the path for other states to forgo paper ballots and settle for a simpler upgrade.
Because Georgia is one of the few states that chooses its voting system at the statewide level rather than the county level, it could have an outsize impact on the national debate and on where voting machine vendors put their resources, Matt Bernhard, an election security advocate with the group Verified Voting, told me.
Paper ballots are increasingly in vogue in Washington, but so far, Congress hasn't clamped on what path they must choose.
Sen. Ron Wyden (D-Ore.) secured 14 Democratic co-sponsors last year for a bill that mandated states either use paper ballots or offer an option between paper ballots or paper receipts. Wyden plans to reintroduce that bill soon, an aide told me.
Presidential candidate Sen. Kamala Harris (D-Calif.), one of the co-sponsors of Wyden’s bill, has touted paper ballots as an applause line on the campaign trail and declared that “paper ballots are the smartest, safest way to conduct secure elections.”
House Democrats’ major election security bill also endorses either paper ballots or paper trails, but, unlike Wyden's, doesn’t mandate that voters have a paper ballot option.
But paper ballot advocates say there are serious downsides to choosing to upgrade electronic machines. A paper receipt, they say, doesn’t guarantee hackers can’t change votes because people rarely read those receipts closely and are sometimes confused by them if they do. That means a smart hacker could strategically change votes without getting spotted, they say.
A voter who cast a party-line ballot, for example, may not recognize if one name was changed among the dozen or more candidates she voted for when she skims the receipt. Or she may have voted against a ballot initiative about local property taxes but not notice that vote was changed on the receipt because she recalls the topic, not the number of the ballot initiative.
If a voter does notice an error and tells a poll worker, the worker probably will presume the voter made an error and just give her a new ballot rather than suspect hacking, the experts say.
“Almost no voter is going to really check that piece of paper,” Bernhard told me. And if the voter doesn’t check that the receipt is correct, the value of other checks on hacking, such as post-election audits, goes “out the window,” Bernhard said.
Yet advocates for electronic machines with paper trails shoot back that it’s a stretch of the imagination that a hack would go undiscovered. They say there are many checks a paper trail and post-election audit put in place. Protecting against that scenario, they say, isn’t worth losing the advantages that computerized voting systems offer to people with disabilities or who need to read their ballot in a different language.
“This is a problem that’s ideally suited for people to be assisted by technology,” Maurice Turner, a senior technologist at the Center for Democracy and Technology, told me. “If we embrace that, we can work toward being more secure rather than removing computers from the process.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Some security experts say the United States is probably overstating the risk that other countries would face if they allowed equipment from Chinese telecommunications company Huawei on their 5G networks, the Associated Press's Frank Bajak reported. U.S. officials have said that Huawei equipment could be used as a platform for Chinese spying.
Priscilla Moriuchi, an analyst at the cybersecurity company Recorded Future, said she doubts that the company would plant back doors in its gear. Moriuchi, who used to work at the National Security Agency, told the AP that the likelihood of Huawei inserting back doors to enable spying by Chinese authorities is “almost zero because of the chance that it would be discovered” and expose Huawei.
Experts also argue that government-linked hacking teams carry out operations regardless of which company built the technology they're exploiting. Jan-Peter Kleinhans, a researcher at the Neue Verantwortung Stiftung think tank in Berlin, told the AP that if the Chinese intend to disrupt networks, “they will do so regardless of the type of equipment you are using.”
PATCHED: Most ethical hackers are honing their skills outside formal education or training programs, according to a report published today by HackerOne, a security company that helps organizations set up bug bounty programs. A survey of more than 3,600 ethical hackers found that 81 percent of respondents said “they learned their craft mostly through blogs and self-directed educational materials,” according to the report. By contrast, 6 percent of respondents said they completed a formal class or certification related to hacking. A majority of hackers who took part in the survey said hacking is a hobby that earns them money rather than a full-time occupation, according to HackerOne's 2019 Hacker Report.
The company also announced that the first participant in a HackerOne bount to reach $1 million in bounty awards is a 19-year-old from Argentina. The self-taught hacker, Santiago Lopez, has found more than 1,600 bugs so far. He started reporting vulnerabilities in 2015 via bug bounty programs. “I’ve always liked computers and programming ever since I was a little kid, but I never knew anything about hacking,” Lopez said, according to a news release from HackerOne. “I didn’t even know it existed until I saw the movie ‘Hackers’, which opened up a whole new world for me.”
PWNED: A top NSA official said he expects foreign hackers to refine their tactics ahead of next year's U.S. presidential election, CyberScoop's Sean Lyngaas reported. “I fully expect tradecraft to evolve in the adversary space, and we’ve got to do the same,” said Rob Joyce, senior cybersecurity adviser at the NSA, according to CyberScoop. He noted that the NSA is collaborating with U.S. Cyber Command, the Department of Homeland Security, the FBI and other agencies to secure the 2020 election.
“We’re pretty proud of delivering a midterm election that was free of malfeasance and interference, and we’re already working pretty hard on the 2020 [election],” he said, as quoted by Lyngaas. But there is more for the United States to do when it comes to fending off threats from foreign adversaries in cyberspace, according to Joyce. “We have to impose costs in a visible way to start deterrence,” he said, according to CyberScoop. “We have to go out and try to make those operations less successful and harder to do.”
— Two divisions of Huawei, Huawei Device Co., Ltd. and Huawei Device USA, pleaded not guilty in federal court in Seattle to charges of stealing trade secrets from T-Mobile, The Washington Post's Brian Fung reported. Huawei also said it wasn't guilty of conspiring to hide a plan to commit theft of trade secrets. “The pleas follow a 10-count indictment unsealed last month alleging in part that the Huawei divisions tried to collect information about a robotic arm that T-Mobile used to simulate human touch on its smartphones,” my colleague wrote. “The robot, Tappy, became the focus of an intensive effort by Huawei in 2012 to gather technical specs, photographs and other system details, according to the court document.”
— More cybersecurity news from the public sector:
— Microsoft said in a report that state-sponsored hackers stole “large sums of cash” from financial services companies, Bloomberg News's David Scheer and Dina Bass reported. “In a series of similar incidents, hackers gained administrative access to computer systems by infecting a machine with a ‘highly targeted, obfuscated backdoor implant,’ possibly with a spear-phishing email,” according to Bloomberg News. The hackers in some cases attacked the companies' systems with malware after they were discovered. (I wrote in yesterday's Cybersecurity 202 that banks, investment firms, securities exchanges and hospitals are the four industries with the highest risk of being ravaged by cyberattacks.)
— More cybersecurity news from the private sector:
— The Swedish Security Service said a person working in a high-technology sector was arrested on suspicion of passing information to Russia, NPR's Sasha Ingber reported. “Technological developments have made state actors’ efforts to gather intelligence in cyberspace more sophisticated,” Daniel Stenling, head of counterintelligence at the Swedish Security Service, said in a statement. “At the same time, the more traditional intelligence-gathering approach, using recruited agents to collect information, is still being used. This combination enables state actors to broaden and deepen their collection of classified information.”
— Thailand's parliament unanimously passed a cybersecurity law that critics have labeled “cyber martial law,” Reuters's Patpicha Tanakasempipat reported. The law's provisions deal with issues ranging from slow online connections to attacks against the country's critical infrastructure. “The law allows the National Cybersecurity Committee (NCSC) to summon individuals for questioning and enter private property without court orders in case of actual or anticipated ‘serious cyber threats,’ ” according to Reuters. “An additional Cybersecurity Regulating Committee will have sweeping powers to access computer data and networks, make copies of information, and seize computers or any devices.”
— More cybersecurity news from abroad:
- The Center for Strategic and International Studies holds an event on “digital governance and the pursuit of technological leadership” on March 4.
Fans react to Harper leaving the Nationals:
Airbus, OneWeb launch satellite for rural area high-speed Internet:
See The Weather Channel's immersive mixed reality segment in action: