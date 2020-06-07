With the general election less than 150 days away, there is growing concern that the push for remote voting caused by the pandemic could open up new opportunities to hack the vote, for President Vladimir Putin of Russia, but also for others hoping to disrupt , influence or make profit. Of choice.

President Donald Trump has repeatedly said that mail ballots invite voter fraud and would benefit Democrats. It's an unsubstantiated claim: voting by mail has resulted in small fraud in the five states that have used it for years, and a recent study at Stanford University found that voting by mail did not benefit either party and could increase the electoral participation of both parties.

But there are different concerns. The rush to accommodate remote voting is leading a small number of states to experiment with or expand online voting, an approach the Department of Homeland Security deemed "high risk,quot; in a report last month. It has also focused again on the variety of online state voter registration systems, which were among the top targets for Russian hackers in 2016. Their security is critical to ensuring that voters receive their ballots by November. mail or may win Access to online voting.

While Russian hackers failed to manipulate voter data in 2016, US officials. USA They determined that the effort was likely a dry run for future interference. To avoid that threat, last summer the Department of Homeland Security hired RAND Corp. to reevaluate the nation's electoral vulnerabilities, from voting booths to voter registration systems. The RAND findings only fueled long-standing fears from government officials: State and local registry databases could be blocked by hackers demanding ransomware or manipulated by outside actors.

Homeland Security officials have focused "intensely on strengthening registration systems," said Christopher C. Krebs, who heads the department's Cyber ​​Security and Infrastructure Agency. He said his teams had been working to make sure cities, counties and states correct software vulnerabilities, back up their systems, and also have hard copies of voting books (the registration lists used on Election Day). in case criminals or adversary nations submit digital versions. Inaccessible.

Now the problem has become more complex as states across the country compete to accommodate voting by mail, even for those who are not away from home. And the courts are intervening with conflicting rulings, many of which are being appealed, increasing the feeling of chaos and uncertainty about what procedures will be used on November 3.

Krebs' agency is also concerned about vulnerabilities around Internet voting being used by Delaware, West Virginia and other states. In May, it released a confidential report to vendors and election officials in the 50 states that oppose online voting, warning that ballots "could be manipulated at scale," meaning that hackers could change large volumes of votes. undetected.

Separately, researchers from the University of Michigan and the Massachusetts Institute of Technology published a study on Sunday concluding that a platform that already facilitates the internet and remote voting could, in certain cases, be manipulated to alter votes, undetected. by the voter, election officials, or the company that owns it.

Called OmniBallot, the platform was used to vote online in the Delaware primaries last week and will be used to a lesser extent in the West Virginia primaries this week. Both states also plan to use it in some way in November, as does Colorado. (New Jersey quietly used it experimentally last month in local elections.)

Several jurisdictions in Colorado, Florida, Oregon, Ohio, and Washington also use the platform as a way for voters to remotely mark ballots and send them by email, fax, or mail.

The researchers found that both uses of the system presented opportunities for hackers or nation states to compromise a choice.

"Online voting poses such serious risks that, even in times of unrest and pandemics, these jurisdictions are at great risk of undermining the legitimacy of their election results," said one of the researchers, J. Alex Halderman, professor of computer science. in Michigan

Bryan Finney, executive director of Democracy Live, which offers OmniBallot, defended the platform, saying that before the pandemic it primarily served voters with disabilities and US service members abroad. "No technology is bulletproof," he said. "But we need to be able to grant rights to the marginalized." (START OPTIONAL TRIM). Mail-in ballots, like the one Trump used to vote for in the Florida primaries in March, also depend on the security of state and federal registration systems. . Before the pandemic, officials focused primarily on securing voting machines and databases, and establishing new audit controls.

But now the virus has forced states to revise their plans to accommodate an expected deluge of ballot papers, and almost all states that are not blocked by a legal or legislative challenge are competing to expand the vote by mail by November.

In Texas, the state Supreme Court blocked the expansion of mail-in ballots last month. On Thursday, Ohio lawmakers passed a Republican bill that makes voting by mail difficult, eliminating prepaid postage and cutting half the time to request an absentee ballot. And in Tennessee, the Republican secretary of state promised to fight a court ruling Thursday that would allow voting by mail statewide.

Many election officials now struggle to ensure that ballots are mailed and returned safely. In 31 states, voter signatures must be verified. In the past, this task was done by trained specialists, but larger counties increasingly rely on signature verification software that security experts fear could be exploited to deprive voters of their rights.

(END OF OPTIONAL TRIM). The threat of foreign interference remains real. US officials have repeatedly warned that Russia is once again meddling in the presidential election. Last month, the National Security Agency warned that Russian state hackers had targeted an email program used by dozens of congressional candidates to steal emails, as Russian hackers also did four years ago.

On Thursday, Google said that Chinese hackers targeted the personal email accounts of campaign staff members who worked for former Vice President Joe Biden. He also confirmed reports that Iran had targeted the Trump campaign.

But the White House, where Trump continues to dismiss piracy allegations against Russia in the last election, has paid little attention to problems beyond the president's unfounded claims that mail ballots favor Democrats and "will lead to fraud. and massive abuse. " (In fact, mail ballots create a paper record that helps prevent abuse.)

Even the perception of vulnerabilities could have a profound effect on the actual vote, security specialists warn. It could cast doubt on the integrity of the election, at a time when Trump critics allege that he is already paving the way to challenge the outcome if he loses. (START OPTIONAL TRIM). In a reference last month to the California legislative elections, the president warned without offering any evidence that "everything is rigged," a claim he also made when he campaigned in 2016.

Biden, who advocates remote voting due to the health risks of the virus, has suggested that Trump is sowing uncertainty because he may try to delay the election. And other Democrats have raised the possibility that Trump will not accept the results if he loses in November.

Robert O & # 39; Brien, the president's national security adviser, dismissed those concerns last week on Up News Info's "Face the Nation." "The elections will take place on election day, there is no doubt," he said, insisting that "we have a very strong infrastructure,quot; in the White House regarding electoral security, which includes "the ballots, the voting machines voting, the secretary of state websites "where the registration data is kept.

Harri Hursti, an electoral security expert who consults with states and counties across the country, said: "The elections are not really about the winners." He added: "It is about holding elections in such a way that the losers accept that the result is fair."

(END OF OPTIONAL CUT OUT)A door open to hackers

It was four years ago this month when officials in Arizona discovered that election officials' passwords had been stolen, one of the first signs that the 2016 election was under cyber attack.

Studies led by the Department of Homeland Security and the FBI later said that Russia had likely carried out investigations and reconnaissance against electoral networks in all 50 states.

The integrity of the November election depends on the registration systems themselves, which are "public,quot;, connected to the Internet and accessible to a wide variety of state and county officials, and often the companies they hire to manage their electoral systems. . But that access also leaves them open to possible attacks.

A well-known threat comes from ransomware, when an invasion of a computer system blocks the registries, making them inaccessible. Atlanta and Baltimore have been hit by devastating attacks that made it impossible to pay parking tickets or recordings, and cities from Florida to Texas have also been paralyzed with ransomware.

For the elections, there is a separate concern that hackers, unless they shut down a system, could undermine the integrity of voter information.

If hackers enter voter registration lists and modify addresses, or falsely indicate that voters have moved out of state, the result could be the deprivation of digital rights. Even by entering the lists without tampering, hackers could raise doubts about tampering. That may explain why Russian hackers flaunted stealing data from Illinois voters in 2016, according to DHS officials, even though they did not manipulate it.

"As we looked across the country and saw ransomware run wildly across state and local government agencies, it was reasonable to conclude that the highly interconnected and highly centralized voter registration databases could be as follows," he said. Krebs, the cyber chief of Homeland Security. States have "stepped up,quot; over the past year, he added.

In fact, security is now better across the country, but voter registration data remains vulnerable and accessible to the outside world.

Some states and counties manage their registration systems internally, but many rely on a maze of private contractors who can be mature targets. Businesses retrieve data over the Internet and keep it in the cloud, often with limited security. In 2016, a contractor, VR Systems, was attacked by Russian hackers, according to an assessment classified by the National Security Agency. The company, which has long maintained that the attacks were unsuccessful, had access to registration data in changing states such as North Carolina, Florida and Virginia.

"Most people don't realize how many times vendors and parts access registration systems with little security," said Hursti, the security consultant. "The justification for this is that it is public data, so no one can steal it, but that ignores how dangerous it would be if someone modified it." (START OPTIONAL TRIM). The problem has been illustrated in two states in recent weeks.

Two thousand voters in Pennsylvania received the wrong ballots for the June 2 state primaries due to a mistake in a company that sends ballots to Montgomery County. And in New Jersey, a software malfunction delayed ballots for foreign and military voters for that state's primaries in July.

Election officials and vendors in both states became aware of the technical problems, but security experts warn that malicious hackers could exploit such flaws in November.

Transparency of information helps authorities catch bad actors, but "the vulnerabilities are real," said Eric Rosenbach, who heads the Harvard Defending Digital Democracy project, which is working with election officials to secure the vote.

(END OF OPTIONAL CUT OUT)A $ 89,000 digital ballot

Before the coronavirus outbreak, the benefits of online voting were obvious to Americans with disabilities, those living abroad, military personnel sent to remote locations, even Alaska's desert-dwellers.

But the risks were made alive a decade ago in Washington state. An online voting experiment was discontinued after researchers hacked the system to choose HAL 9000, the computer for the movie "2001: A Space Odyssey," and played the University of Michigan fight song every time it was cast a ballot.

The experiment is back, but once again it is not going well. New Jersey is an example of this.

In April, with the virus taking over the state, officials quickly moved to expand voting by mail. But they also decided to explore online voting by hiring Democracy Live, whose OmniBallot system was identified by Michigan and MIT researchers as vulnerable to undetected piracy.

New Jersey officials made the online vote available to county clerks for the municipal and school board elections last month, but did not disclose it widely for fear of causing trouble.

"We didn't want to give an explanation to the possible bad guys to decide that this was something they wanted to exploit," said Alicia D & # 39; Alessandro, spokeswoman for the New Jersey secretary of state.

The result: Only one voter used the online system. The cost to the state: $ 89,000, and there is still no real proof of whether or not it works. (START OPTIONAL TRIM). New Jersey will not repeat the experiment for its July primary, and has not yet decided what it will do in November, officials said. A lawsuit attempts to block more online voting in the state, alleging that it is susceptible to hackers.

Delaware, which also cited the pandemic, recently announced that it would make online voting available to sick or quarantined voters. And West Virginia said it would allow online voting for some residents with disabilities, military personnel and residents abroad, as it has since 2018. And in emergencies, Colorado will allow some voters to submit ballots electronically, it announced last week. .

(END OF OPTIONAL TRIM). Like New Jersey, Delaware, West Virginia, and Colorado have contracted with Democracy Live.

Michigan's Halderman and MIT researcher Michael A. Specter determined that Democracy Live's online voting and voting systems could not resist concerted hacking attempts, and also presented privacy concerns.

The researchers reported that the ballots could be manipulated to change the votes and that, in some cases, the company's servers received voter identification information.

"Democracy Live is obtaining a database of how each voter voted," Specter said. "What if that ends up in the wrong hands?" (THE STORY MAY END HERE. OPTIONAL MATERIAL CONTINUES.) The report concluded that while the OmniBallot mail-in option was reasonably secure, the online options represented "a high risk to electoral integrity and could allow attackers to alter the electoral results without detection ".

Finney, the Democracy Live executive, said the company never shares or sells voter data. He also said that voters concerned about online security always have the option of printing and mailing their ballots, something Halderman recommended as being prudent.

Finney said Democracy Live's security had previously been vetted in two reviews it couldn't publicly share, noting that OmniBallot had been used in more than 1,000 elections in the past decade, with no security issues.

Earlier this year, a team of MIT researchers, including Specter, encountered similar problems with Voatz, another app-based voting platform. Voatz insists that its system is secure.

Warnings about resorting to online voting too quickly also come from countries that use it successfully. Kersti Kaljulaid, President of Estonia, noted last month that her country had switched to electronic ballots only after an ambitious project, known as E-Estonia, to secure the digital identity of 1.3 million Estonians.

"You must first ensure that you have a perfect understanding of everyone's identity," he said.

No such system exists in any American state. So election officials, in the face of the pandemic and an immutable general election date, are trying to cope.

In New Jersey, before the pandemic, "we held drills on all kinds of scenarios that could disrupt our choice," said D’Alessandro.

"We even had a scenario that dealt with a public health crisis," he continued. "But I can tell you that simulating a measles outbreak in two cities does not prepare you for a global pandemic."