Off the Kuff Rotating Header Image

STAR Voting System

Was the Harris County election system hacked?

Wouldn’t you like to know?

Despite widespread alarm over the breadth of Russian cyber attacks on state and local election systems last year, including revelations of Dallas County being targeted, Harris County officials are refusing to say whether hackers similarly took aim at the nation’s third-largest county.

Releasing information on whether Harris County election systems saw attacks from Russian hackers would threaten the county’s cyber security by emboldening hackers to further target local systems, county officials said this week.

The county’s argument was dismissed by experts, who said the secrecy is unnecessary, and could actually downplay the seriousness of the threat and the resources needed to combat it.

“There’s this concept in security called ‘security through obscurity,’ sort of, if they don’t know about it they won’t come after it,” said Pamela Smith, a consultant at Verified Voting, a San Francisco-based nonprofit that promotes voting integrity. “But to really have robust security, you want people to be able to know that it’s there … I think what the public wants to know is that you’re aware of the threat and you’re taking steps to mitigate.”

Bruce High, the chief information officer and executive director of the county’s Central Technology Services, said Harris County overall sees on average more than a million hack attempts every day. He even acknowledged a recent “spike” in attempts to hack Harris County servers from outside of America’s borders.

[…]

Dan Wallach, a Rice University computer science professor and scholar at the Baker Institute for Public Policy, who has testified before Congress about the cyber security threat to elections, said that to an advanced threat like Russia, there likely are no secrets about Harris County elections.

Asked if Harris County had been targeted in a similar manner as Dallas County, High said the county had not received a list of IP addresses from the Department of Homeland Security. He added that both the FBI and the Homeland Security department will flag Harris County when they have concerns about specific IP addresses.

High did not respond to questions seeking details on how often such concerns are brought up, how big of a “spike” in hacking attempts the county was experiencing and over what period of time, whether that spike was election-related or which systems had been targeted.

Wallach said he was concerned about the ability of many local jurisdictions, including Harris County, to protect against a targeted threat from an advanced adversary like Russia. He said he believed it was probable that Russia had at least targeted Harris County servers, but also that in many cases, attackers are so sophisticated that local officials would not even know that their systems had been breached.

“The category of adversary we’re facing now is not something that Harris County government is equipped to deal with,” Wallach said.

I work in IT security and had a few thoughts about this, but then I saw that Dan wrote this piece with a much deeper analysis than I had done, and I figured it was better to outsource this to him.

Computer security experts who deal with nation-state activities use the term “advanced persistent threats” (APT) as a shorthand to indicate that our adversaries have significant capabilities, including both engineering resources and spycraft, to quietly break into our computers, spread out across our networks, and avoid detection. It’s common for APT attacks to last for months to years prior to detection.

Given these threats, we need to conduct a serious analysis of where our elections stand. Harris County’s Hart InterCivic eSlate voting machines, for example, haven’t had any major security updates following studies conducted a decade ago by the states of California and Ohio. (I was part of the California effort.) In short, an attacker need only tamper with a single voting machine. After that, the infection can spread “virally” to every machine in the county.

Compounding the problem, all of our vote-tabulating systems are running Windows 2000, for which Microsoft dropped all software support, including security patches, seven years ago.

In the lead-up to the 2018 election, it may be financially infeasible for a complete replacement of our voting machines. We only just recently purchased our voting machines after a 2010 warehouse fire destroyed our original fleet of eSlate machines, so the funds aren’t likely to be available so soon for replacements.

What’s clearly necessary, since we know the Russians targeted voter registration systems, is a major upgrade to the way our voter registration systems are managed. A redesigned system would still, by necessity, require Internet connections so voters can verify their correct polling places, see sample ballots, and so forth. Most notably, during our early voting period, we need an online database to track which voters have cast ballots.

A modern design, intended to operate even if the entire Internet failed while the election was ongoing, would involve making local copies of the database at every voting center. Unsurprisingly, the needs of Harris County are essentially the same as the needs for every other county in our state, suggesting that a state-level procurement could be an efficient way to improve the voter registration security for every county’s voters.

Another short-term recommendation will be for Harris County to upgrade its systems to the latest versions of Microsoft’s operating systems, even though this will require a waiver from Texas’s election certification requirements. Even though our vote tabulation systems are hopefully never connected to the Internet, they are nonetheless unacceptably weak in the present threat environment.

Likewise, Harris County needs to hire a professional security “penetration testing” firm to identify other soft points in its infrastructure and prioritize repairs; such consultants need to be brought in on a regular basis for check-up exams. We also need forensic security auditors to do a deep dive into our county’s existing systems to make sure they’re as clean as we hope them to be. This isn’t just a matter of running some anti-virus scanner, since APT adversaries use tricks that automated scanners won’t detect.

There’s more, so go read the whole thing. At the very least, I hope we can all agree that any system that is still using Windows 2000 (!!!) needs to be upgraded or replaced. Dan (who as you know is a friend of mine) puts in a plug for the STAR-Vote system that he helped design, and it’s definitely something the county and the state should consider. I just hope we take this seriously before something bad happens.

UPDATE: Hector DeLeon, the Director of Communications and Voter Outreach for the County Clerk, has emailed me to say that the county tabulation system is running on Windows 7, not Windows 2000 as stated in Wallach’s op-ed. He says they have made this same correction to the Chronicle as well. My apologies for the confusion.

Denton County returns to paper ballots

I hadn’t realized this.

Denton has been using a hybrid voting system that employs both electronic and paper ballots for about a decade. But county officials recently approved spending just shy of $9 million to buy new voting equipment from Austin-based Hart InterCivic that will return to an entirely paper-based system in time for this year’s November elections. Even disabled voters, who will cast their votes on touch-screen machines, will have their ballots printed out and tallied through a print scanner.

The move comes months after a disastrous election day for Denton County in November, with machines inadvertently set to “test mode” instead of “election mode,” long lines, problems with scanning paper ballots, and, ultimately, incorrect tabulations. [Frank Phillips, Denton County’s elections administrator] — who was working in nearby Tarrant County at the time — said it was the personnel, not the machines, that caused chaos last fall. But voters in town, as well as leaders with the local Democratic and Republican parties, called for a return to paper ballots in the months following election day.

“The question always comes: ‘How do I know that when I cast my ballot it’s recorded electronically?’” Phillips said. “We know it’s recorded correctly because of our testing methods, but that question has persisted ever since we started using electronic voting. With the political climate these days, it’s even more heightened right now.”

And these aren’t just any paper ballots, Phillips emphasized. The new Hart system Denton purchased allows election administrators to print ballots on demand, eliminating the waste and cost of over-printing paper ballots in advance of an election and then having to expend resources storing those unused ballots afterward to comply with state regulations. It also prevents the problem of under-printing paper ballots — an issue that emerged last year when Titus County saw a higher-than-expected turnout for the presidential primary, and officials were forced to create and hand-count ballots on election day.

I gather what this means is that when you show up, you will get a printed-for-you ballot, then (I presume) fill it out with a pen or pencil. It will then be read by an optical scanner to tally the votes. Which is fine, but it’s not the way I’d prefer it. The system they have for disabled voters, where you vote on a touch screen then have your ballot printed out, would be better. Frankly, having the vote recorded electronically then having a paper ballot that serves as your receipt is better still. This is basically what the STAR voter system that Travis County has been working on does.

The main problem with filling out a paper ballot is that some people will fill it out incorrectly. Have you ever looked at the election returns on the Harris County Clerk website and wondered how there could possibly be overvotes in a race? It happens with the paper-based absentee ballots, where one can accidentally or purposefully select more than one candidate in a contest. Electronic voting machines don’t allow for this to happen. While this will almost always spoil a ballot for that race, some of the time with these overvotes, the voter’s intent is clear. In the infamous 2000 Florida election, some counties used a paper ballot with optical scan system, and there were documented instances of a person filling in the bubble for a specific candidate, then also putting that same candidate’s name in the write-in space. This is hardly an insurmountable problem, but it would help to have clear policies in place for when a ballot is truly spoiled and when a voter’s intent can be inferred.

There are other potential issues here – do we have any idea if it will take people longer to vote on paper than on a screen, for instance – but again, I don’t think they’re insurmountable. I don’t care for the fearfulness behind the “how do I know that when I cast my ballot it’s recorded electronically?” premise – the same way you know that when you buy something from Amazon it will arrive on your doorstep and your credit card will get charged – but whatever. If this is what the people of Denton County want, then so be it. The Lewisville Texan has more.

More on the STAR Voting System

The Chron updates us on the latest in modern voting technology.

The drumbeat of election rigging and foreign hacking of voting machines have energized ongoing efforts to develop a new model of digital election equipment designed to produce instantly verifiable results and dual records for security.

Election experts say this emerging system, one of three publicly funded voting machine projects across the country, shows potential to help restore confidence in the country’s election infrastructure, most of which hasn’t been updated in more than a decade.

“It’s the hardest thing I’ve ever done in my life. It’s taken years and years to get it done,” said Dana DeBeauvoir, the Travis County clerk and leader of the voting machine project. “Now that we’ve had this election, there’s renewed interest.”

A prototype of the system, dubbed STAR Vote, sits in an engineering lab at Rice University, and bidding is open for manufacturers who want to produce it wholesale. Similar efforts to innovate voting systems are in the works in Los Angeles and San Francisco.

“County clerks in these jurisdictions are the rock stars of running elections,” said Joe Kiniry, CEO of Free & Fair, an election systems supplier currently bidding on contracts to manufacture the designs of both Travis and Los Angeles counties. “If they have success in what they do, it will have, in my opinion, a massive impact on the whole U.S.”

Like any aging digital device, the voting machines are eventually bound to stumble, said Lawrence Norden, deputy director of the Democracy Program at the Brennan Center for Justice. He pointed to Detroit, where the number of votes counted didn’t match the number of voters who signed in. And he noted that reports of machines flipping votes more likely result from aged touch screens than a conspiracy to rig the election.

Yet there is seldom space in county budgets to replace the machines, which cost usually between $3,000 and $5,000 each. The vast majority of electronic voting equipment was purchased with federal funds from the Help America Vote Act of 2002. Most money reached the states by 2004, and there’s no foreseeable second wave of federal aid.

“This is really an oncoming crisis,” said Norden, who interviewed more than 100 election officials for a 2015 report about aging voting equipment published by the Brennan center. “A lot of election officials have been unhappy with the choices that the major vendors are providing.”

[…]

STAR Vote runs automatic audits, comparing a statistical sample of the paper ballots with the digital records to verify results.

“The savings are just enormous over doing a recount,” Stark said.

While other systems allow for comparison of precinct-level data, STAR Vote can compare paper ballots with individual voters’ digital ballots, which are encrypted and posted online.

Officials could take a small sample of printed ballots and compare them with digital results to conclude with high confidence that election results were correct.

The system itself is also inexpensive, built with off-the-shelf tablet computers and printers, which Wallach said will cut the price down to half of the current norm. Advanced software makes up for the cheap hardware, designers said, and they plan to make the software open-source, meaning it is free to use and, unlike current systems, can be serviced by any provider without exclusive long-term contracts.

I’ve written about this before, and while I love the design of the STAR machine, I don’t have much hope of getting to vote on one any time soon. The political climate just doesn’t seem conducive to any effort to improve the voting experience, and the lip service we got from Greg Abbott back during the peak Trump-whining-about-rigged-elections period has surely gone down the memory hole. The one possible way in that I can see for these devices is their lower cost. At some point, enough of the current voting machines will become sufficiently inoperable that replacement will be needed, and a cheaper device ought to have an advantage. Let’s hope the process of getting a manufacturer in place goes smoothly.

(NB: “Wallach” is Rice professor Dan Wallach, who as I have noted before is a friend of mine.)

As long as we’re talking about improving our voting machines

Then this is what we should be talking about.

Dana DeBeauvoir

[Travis] County Clerk Dana DeBeauvoir called Rice University computer science professor Dan Wallach, who has been poking holes in voting-machine security for years. He’s testified before Congress on the subject.

Now DeBeauvoir wanted him to design a new one.

“Wow,” he says. “That doesn’t happen very often.”

The last time voting technology went through a major design change was after the disastrous Florida recount in the 2000 presidential election. Confusion over badly designed and incompletely punched paper ballots threw the results into chaos.

In 2002, Congress passed the Help America Vote Act, committing $4 billion to help localities buy new electronic voting machines.

“All of these machines, we understand now, are wildly insecure,” Wallach says. “Even though the vendors made claims that they were great, those claims have turned out to be false. And we’re now dealing with that problem.”

But replacing them costs money that many localities don’t have, and it’s not clear that Congress will pony up again.

So Wallach’s new system would have to be cheaper than what’s on the market now.

[…]

The system that the team of cybersecurity and usability experts came up with is called STAR-Vote, for secure, transparent, auditable and reliable.

It has two parts: A kiosk containing an off-the-shelf tablet computer and a standard inkjet printer, plus a metal ballot box with a built-in scanner.

Off-the-shelf parts keep the cost down and can be easily sourced and replaced. Wallach says the metal box costs more than all the electronic components inside it. The whole system should cost half or less what current machines do, which cost about $3,000 each.

Voters make their selections on the touchscreen tablet, which is kept off the internet and stripped of all software (and potential vulnerabilities) except the voting application.

State-of-the-art cryptography protects the integrity of the vote. But it’s not the only safeguard. Hard copy remains one of the most secure ways to cast a ballot.

“The crypto can do some really great tricks,” Wallach says. “But if you don’t trust the cryptography, that’s OK. Because we also have printed paper ballots that go into a box.”

Voters can see who the computer says they chose. The vote is only cast when the voter puts it in the ballot box.

And if there is any question about the electronic votes, the paper ballots are the backup.

This is nothing new – I wrote about it in July of 2014, and Wallach’s team made a presentation about STAR-Vote in August of 2013. The point is that this system, which is both more secure than what we have now while also being less expensive, could be in place for the 2018 election if we really wanted it to be. Given the lip service some Republicans like Greg Abbott are giving to election integrity, this is totally doable. You will know by what happens in the 2017 legislative session whether Abbott et al meant any of it or not.

(Disclaimer: As noted before, Dan Wallach is a friend of mine.)

Travis County pursues new voting machines

Very, very interesting.

Dana DeBeauvoir

With the nation facing what a January government report described as an “impending crisis” in voting technology, officials in Travis County are taking matters into their own hands by seeking to create a unique, next-generation system of voting machines.

The efforts put Travis County, along with Los Angeles County in California, at the cutting edge of a race against time to create an alternative voting technology system.

The new machines would have voters use off-the-shelf electronic equipment like tablets, but also provide them with receipts and printed ballots to allow for easier auditing. The development and implementation process won’t be finished in time for the 2016 elections, though officials hope to have the system ready by the 2018 gubernatorial race.

[…]

Some election administrators have said the status quo will likely fall apart within a few years. Across the country, “it’s all just a guessing game at this point: How long can we last?” said Dana DeBeauvoir, the Travis County clerk.

Three years ago, DeBeauvoir decided that something had to change. “I said, ‘Okay, I’m fed up. I’m going to design my own system.’” Part of her frustration stemmed from complaints lodged against the county that she felt blamed officials for things beyond their control. Travis County voters filed a lawsuit in 2006 alleging that electronic voting machines lacked reliability and security. The case was dismissed by the Texas Supreme Court in 2011.

After deciding to create a new system, DeBeauvoir gathered a citizens’ study group, and then a panoply of experts, to iron out the details.

The group is now close to finishing the design of a prototype known as the STAR (Security, Transparency, Auditability and Reliability) Voting System. The county intends to issue a request for proposals within a couple of months and hopes to select a winning bid by the end of the year, DeBeauvoir said.

[…]

The designs already posted on the Travis County clerk’s website lay out a multi-step process: A voter checks in, signs a roster and receives a ticket. Then, she gives the ticket to a poll worker to get a unique ballot code from a ballot control station, which sends information to a voting device. At the device, she makes her choices, prints out a completed ballot and deposits it in a ballot box with a scanner. She also receives a receipt that allows her to check online the next day to ensure the ballot was counted.

All the devices communicate with each other to update and confirm data. To ensure security, the system employs cryptography that “has never been done before” in voting technology, DeBeauvoir said.

The printed paper ballot is particularly crucial, as it addresses one of the principal criticisms of the existing electronic systems. The touchscreen machines common in many counties lack “a paper trail that actually captures the intent of the voter so that you can audit the machines,” said Alex Russell, a University of Connecticut professor of computer science and mathematics and faculty member at the school’s Center for Voting Technology Research. During recounts, auditors can only double-check what the machines say, without any way to verify that the machines reflect voters’ choices.

The presentation is here. It’s pretty technical in places, but the main gist of it is easy to understand and well-summarized by the Trib story. There’s an accompanying video of the presentation on this page, with the presenter being Rice University computer science prof Dan Wallach, who has been studying this stuff for years. Other materials are here on the Travis County Clerk website.

As noted, the STAR-Vote collaboration is close to issuing an RFP for this. One key requirement for the hardware will be sufficient battery life – Election Day and some early voting days last for 12 hours, so your voting machines will need to do so as well. The collaboration will be approaching other counties to participate, which will allow for cost-sharing while making the RFP more attractive to vendors since there would be more potential customers for their proposed devices. I need to check and see if Harris County Clerk Stan Stanart has any interest in this. Our eSlate machines are as old and outdated as Travis County’s are, after all. One other potential hurdle is that this idea is very new and contains aspects that are not addressed by existing federal laws, so either the laws will need to be updated (as if Congress is capable of doing that) or waivers will need to be obtained. The latter ought to be doable, but as with anything new and unprecedented you never know what potholes may exist in the pathway. Be that as it may, this is a thorough and thoughtful design that addresses all kinds of concerns and would put electronic voting machines on a much more sustainable path. I look forward to seeing how the RFP process goes. What do you think about this?