CyberWire Daily - Meddling with the midterms. [Special Editions]
Episode Date: October 17, 2018Kim Zetter is longtime cybersecurity and national security reporter for the New York Times, and author of the book Countdown to Zero Day. She joins us to discuss her recent feature for the New York Ti...mes Magazine, titled The Crisis of Election Security. In it she explores the structure and fragile integrity of the US election system, how we got to where we are today, and what can be done to reestablish confidence in the system. Link to Kim Zetter's feature The Crisis of Election Security: https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose,
and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
As we publish this CyberWire special edition, we're just weeks away from the 2018 midterm elections.
And it's not just hype to say this election cycle is particularly hot and contentious.
In addition to the amplified partisan posturing, there are lingering concerns about the integrity of the election process itself,
the security of the voting machines, and the possibilities that foreign governments might continue the interference they were alleged to have engaged in back in 2016.
Kim Zetter is longtime cybersecurity and national security reporter and author of the book
Countdown to Zero Day.
She joins us to discuss her recent feature for the New York Times magazine titled The
Crisis of Election Security.
In it, she explores the structure and fragile integrity of the U.S.
election system, how we got to where we are today, and what can be done to re-establish
confidence in the system. Stay with us.
I've been covering election security going all the way back to 2003.
So this is sort of a culmination of all of that reporting.
I was really heavily involved in it for a long time between 2003 and around 2008, 2010.
And it really sort of fell by the wayside. People weren't really concerned anymore about the voting machines because a lot of the places, a lot of jurisdictions
around the country had actually started switching to paper ballots or paper trails on touchscreen
machines. And so there were a lot of people that sort of, you know, thought that, okay,
we've solved the problem. I didn't think that we'd solved it, and a lot of people didn't think that we'd solved it.
But it went out of favor in terms of the public wasn't thinking about it anymore.
And so when the Russian interference in the 2016 election occurred, it brought this into sharp focus again.
And so it was clear the problem hadn't been solved. I mean,
many of us already knew that. But now that there was actually people paying attention to it again,
it was time to raise the issue. And my point with this piece was really to show that the Russians
weren't the problem. They're sort of a symptom of the problem and sort of an urgency to the problem. They're sort of a symptom of the problem and sort of an urgency to the problem, but it's
been a problem going all the way back to 2002, and it really hasn't been addressed properly.
Can you take us through, what are some of the challenges that we face when it comes to getting this under control? Well, there's really, like I said,
it's sort of multifaceted.
You know, securing the machines
is sort of the long haul way
of addressing this.
But you're never going to get a machine
that's fully secure and not hackable.
So what you have to do
is you have to have a system in place
that would help you know
in the first place whether or not the software has been altered. And we don't have that right now.
We don't have the ability to examine the software at all once it's on machines because it's
proprietary software and the voting machine vendors have gone to court to prevent anyone
from looking at their software. And we don't have sufficient audits in place that would compare, well, we do have paper ballots
that would compare the paper ballot against the digital tallies to uncover discrepancies.
So we've really been almost willfully resistant to engaging in methods that would actually tell us if there was a problem
with our elections. And that's always been very curious to me. There's a sort of willful resistance
to actually taking the steps needed to ensure the integrity of election outcomes.
And what do you think's behind that? Why do you suppose that is?
The voting machine vendors were very resistant and engaged in strong lobbying activities for many years to prevent even the paper trails from being added to paperless machines.
It's always been very curious to me why they had such an interest in resisting that.
But it wasn't just them. Election officials were really swayed by the voting machine vendors.
They were really under the thrall of voting machine vendors for a long time and would follow
their lead on many things. And so they sort of parroted the arguments of vendors that the paper
trails would, it would be more expensive to install printers, that the printers would
cause problems at the polls, just, you know, it would be inconvenient for disabled voters
who couldn't see them.
A lot of arguments against that.
And election officials were, you know, sort of the driving, I guess, the end stop, right?
So if they decide that they don't want them, it's not going to happen.
And a lot of that is because here in the United States, the elections are run at the state level.
They are not just, no, they're actually, they're run at the county level. So the Secretary of the
State, in many cases, is sort of the chief election official, but doesn't really have a
lot of involvement in the day-to-day running of elections. And elections don't just happen, you know, when you go to the polls. There's a lot of prep work and a lot of smaller elections that take place throughout that, it's sort of high level.
And they engage only when, in the past, only when there's been a problem.
And so really county officials who are, for the most part, quite often not tech savvy at all,
are left, have been left to make these decisions on their own.
And that's how the loading machine vendors have become so influential.
And what led us to this situation?
Is this a relic of how, I don't know, the growth of our country?
What brought us here?
Well, you know, under the Constitution,
it's under states' rights and constitutional rights to conduct elections.
We don't want the federal government interfering in elections, right?
Because then that raises the possibility for some kind of real interference.
And so there's always been this pride about counties running elections on their own.
running elections on their own. But that actually doesn't get us the lack of interference that we think it does because many county election officials are very partisan. They've been
elected themselves and they are part of a party. And so we've sort of given, in many cases,
partisan people control over elections and also not had any oversight over their day-to-day operations
or the choices that they make and the things that they do.
And we really sort of neglected that because we don't really want to know about elections
at any time except, you know, the day we go to the polls.
It's really a problem with legislators. It's a problem with the public.
No one wants to hear about this stuff.
And no one really cares about it until an election
year or until a problem rises. They want to think that the, you know, they want it to be in the
hands of someone else. No one wants to really deal with it. And so leading up to the 2016 election,
were there people who were sounding the alarms? For a decade. Well, so specifically about the sounding the alarm around the Russians.
I mean, obviously there was DHS was coming out and talking about the probing of voter registration databases.
But they were very emphatic that there wasn't any evidence that anyone was targeting voting machines or the election infrastructure aside from those voter registration databases, which is alarming in itself, right?
But not the machinery that is used to tabulate or cast ballots.
But we all know, you know, people who have been on this beat or overseeing this issue for a decade,
issue for a decade, that it's not that hard to go from a voter registration system to the systems that are then used to control and count ballots.
So there were people, obviously, when the first hints came out that Russians were probing
even voter registration databases, there were people that knew ultimately what that could
mean, but there was no time to do anything about it.
Now, one of the things that you point out in your piece here is that the security agencies
in the U.S. say that there's no evidence that the Russians had changed any votes, but you
think it's a little more complicated than that.
Yes.
So when they say, and I want to point out that they changed even the wording of that.
Right after the 2016 election, they said no one changed any votes.
And there was pushback. I mean, I engaged in a lot of pushback with the government about that kind of definitive statement.
And they've altered it and said there's no evidence that votes have been changed.
And they've altered it and said there's no evidence that votes have been changed.
Now, there are problems with that statement because no one has looked for evidence.
When the government says that there's no evidence, what they're talking about is just signals intelligence evidence. So the intelligence community monitors, you know, chatter over the waves from, you know, Russian officials and Russian hackers.
They monitor machines.
They have sensors set up.
They're looking for anything like that.
If there are people talking,
they're looking for their human sources,
their intelligence sources.
They're looking for any evidence
that people have been talking about altering votes
or to see if there's any kind of chatter online about it.
They may even look to see if there's any kind of chatter online about it. They may even look to see retroactively if they can find any activity going into election networks.
But it's unclear even if they went that far.
So when they are saying there's no evidence, that's the kind of evidence they're talking about.
But these machines have been vulnerable for more than a decade. And at any time in that decade, anyone could have gotten
into these machines. And so when you're talking about looking for evidence, did anyone get into
those machines right before 2016, you're missing the entire decade of activity whereby someone may
have already gotten into the machines and may have been sitting there for the last decade doing nefarious activity. Unless you actually do
forensic investigation of the machines, the voting machines themselves, you can't know
what has been on those machines and whether or not votes have been altered. The only way that you can
even find some sufficient, because even if you actually do a forensic examination, if the attackers are really skilled, they're going to erase their tracks on the machine.
So you won't find it that way.
That's why you need paper ballots and you need mandatory audits to compare the votes on the voter created ballot against the digital ballots.
uh, the votes on the voter created ballot against the digital ballots. And that's the only way that you'll see, um, whether or not there's any evidence that would point to the software.
Cause you may not, like I said, if you go back into the software, you may not see anything,
but you will see the evidence of it, uh, in that comparison if they don't match.
Why do you suppose Congress doesn't take this more seriously? What's holding them back?
suppose Congress doesn't take this more seriously? What's holding them back?
Lobbying. So Representative Rush Holt tried multiple times, four or five times,
to pass legislation that would mandate paper ballots and to mandate audits. And he was unsuccessful in all of those times in getting any traction to his bill. Some people say it's because they were Republican-controlled houses at that time,
congressional houses, Senate, and so it was hard to get any leverage there.
But even when it looked like there was, you know, a lot of Democrat interest,
it didn't actually go far enough.
As you point out in the story, in the New York Times story,
where I interviewed Steny hoyer from massachusetts and he was the architect of the legislation that got us these voting machines and he said i asked him why once you became aware or once the public
became aware that there were problems with these machines and rush hold brought up the legislation again to ensure the integrity
of ballots um by mandating audits and paper trails you still didn't uh pick that up and vote for it
and he said he just didn't believe rush hold that this was a problem he believed that the machines
had integrity and it really is that the you know we have a case of lawmakers who don't understand
technology. And so they're really at the mercy of whatever the tech companies, the voting machine
companies in this case, tell them. And they don't seem, they seem to be very out of touch with
anything that happens outside of the Beltway. So while everyone outside of the Beltway, including
academics and computer scientists, actually, even in the Beltway, computer scientists in Maryland and D.C. were trying to point out problems.
They just weren't listening to them.
to have confidence in our elections is basically under the control of private for-profit companies who aren't really allowing us to take a look at what's going on under the hood.
Right.
But there's just been no impetus for forcing that on them.
Like I say, the election officials were a long time really trusted vendors, and they
were also, you know, they had good lobbyists.
vendors and they were also you know they had good lobbyists so even among federal lawmakers it was hard to get any traction on any of this now you know leading up to the 2016 election we had
then candidate trump who was sort of sowing the seeds of doubt when it came to the election
integrity he was leading up to election day he was saying the election is a sham, it's a scam.
We have other observers saying that the Russians feel it isn't necessary to sway the outcome, but just to shake our confidence in our democratic norms.
How much confidence do voters have these days?
Has that shakeup been successful?
Yeah, I mean, so that's the difficulty here,
is that we've never had a situation like this, right,
where a president going into the election himself
was already questioning the integrity of the outcome of the election.
And then after the election, of course, we're looking at the prospect,
well, if the Russians actually did accomplish some of this, then that was their goal and they achieved it, right? They've raised
questions. And so now anyone who tries to shine a light on this then can be accused of aiding
the Russians. So you don't win either way, right? You're trying to actually secure elections,
but now you become an enemy of democracy. If you're actually in trying to secure elections
against the Russians, you now become an aid of the Russians by sowing doubt in the outcomes.
And we've never had that situation before in the many years that I've been covering this.
So this is a new sort of wrench thrown in, and it's a difficult wrench,
but I think that we've overcome that.
I think that election officials have sort of embraced some assistance from PHS.
They've accepted that they need to become more security conscious
and raise their security profile.
So I think that even though there are still some people that say,
hey, don't talk about this, you're helping the Russians,
there are many more that say, you know, no, we need to actually address this.
So where do we stand now?
We're heading into the 2018 midterms.
Has there been any meaningful change?
Are things the same as they've been?
Is having a light sh shown on this, has that
made anything better? It's definitely made election officials more, let's say, open and
cooperative about seeking assistance. In the past, the election officials really haven't been able to,
first of all, they didn't have the will to go look for assistance, but they also had a resources problem and that they don't have money to actually hire security staff on their own. So having
assistance offered by DHS has really improved things and it's improved the awareness and it's
improved the willingness. But what DHS can do is very limited. What they are doing is they're
scanning internet-facing systems. So like the voter
registration database, the server, anything connected online, they can do a remote scan of
that to see if there are any unpatched software holes in that database software, the server
software, and they can help officials get that patched. But that's a very, very small part of the election infrastructure.
And most of the infrastructure is not supposed to be connected to the internet
and it's not in a position of being scanned.
And yet it is just as vulnerable.
What would you like to see going forward?
Are there any solutions available to improve the situation
that have any hope of being pushed through?
Mandatory audits and paper ballots.
That is, if we can do anything, that would, you know, it's very hard to get security right.
Security is a huge uphill battle.
Even when you think that you've secured your system, any change that you make to your system
afterwards can introduce new vulnerabilities.
So you can't rely on getting the tech so secure that no one will ever be able to
change anything. And also, we're dealing here with an insider threat, right? We're not just
dealing with Russians who we have to look at coming from the outside over the internet.
Voting machines are also vulnerable to being manipulated by a trusted insider.
And so you can't necessarily defend against that by doing the tech.
That's why you have to implement something after the fact to do some verification.
And if you have audits, and I mean they have to be well-designed audits,
risk-limiting audits is the kind of audit that states and counties want to be doing. And there's only one state now that currently does that.
So you want to have paper ballots created by the voter,
not a paper ballot that's produced by a machine,
but the paper ballot that's created by the voter.
Then you can scan it, and you can count the digital votes taken from that ballot.
But you need to actually look at that paper ballot,
and you need to do a mandatory audit.
And that's really the only hope that we have
of knowing when the election has been manipulated
and trusting that it hasn't.
Our thanks to Kim Zetter for joining us.
The title of the article is
The Crisis of Election Security.
She's also the author of the book Countdown to Zero Day.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technology.
Our Cyber Wire editor is John Petrick, social media editor Jennifer Ivan, technical editor Chris Russell, executive editor Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
Thank you. solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.