Despite the Risks, Some States Are Handcuffed to Limited Online Voting Options

A recent demonstration by security experts showed the ease with which an emailed ballot could be intercepted and changed, but some states have no plans to change course.

by Tim Johnson, Greg Gordon, Christine Condon, McClatchy Washington Bureau / August 15, 2018
Yonatan Lensky, 11, was one of many kids who succeeded at hacking into replicas of state election websites at the DefCon hackers convention in Las Vegas in August 2018. (Tim Johnson/McClatchy/TNS) TNS

(TNS) — LAS VEGAS — Top computer researchers gave a startling presentation recently about how to intercept and switch votes on emailed ballots, but officials in the 30 or so states said the ease with which votes could be changed wouldn’t alter their plans to continue offering electronic voting in some fashion.

Two states — Washington and Alaska — have ended their statewide online voting systems.

The developments, amid mounting fears that Russians or others will try to hack the 2018 midterm elections, could heighten pressure on officials on other U.S. states to reconsider their commitment to online voting despite repeated admonitions from cybersecurity experts.

But a McClatchy survey of election officials in states that permit military and overseas voters to send in ballots by email or fax — including Alabama, Kansas, Missouri, North Carolina, South Carolina and Texas — produced no immediate signs that any will budge on the issue. Some chief election officers are handcuffed from making changes, even in the name of security, by state laws permitting email and fax voting.

At the world’s largest and longest-running hacker convention, two researchers from a Portland, Ore., nonpartisan group that studies election security showed how, in about two hours, they could set up a sham server and program it to intercept and alter ballots attached to emails.

“Ballots sent over email are not secure,” said Lyell Read, one of the researchers from the group Free & Fair. “As long as people have a chance to vote another way, that’s probably a good decision.”

Read and Daniel M. Zimmerman, who earned credentials as a computer scientist at CalTech, said the hacking at the annual DefCon conference in Las Vegas required nothing more than commonly available programming tools.

Read said he set up an “impostor server” to mimic a real one that would normally route emails containing attached ballots. On the rogue server, he inserted 30 or so lines of computer code, known as Bash shell script, to alter voters’ choices on ballots attached to emails in transit and to replace them with Read’s preferred candidates.

Among those attending the conference were more than 20 officials from the U.S. Department of Homeland Security. Several of them observed the email vote switcheroo, said a department official who spoke on condition of anonymity.

DHS officials have stepped up their consultations with states about election security since Russian operatives hacked a voting vendor in 2016 and tried through so-called spearphishing attacks to penetrate 21 state voter registration systems, succeeding only in Illinois. The agency rarely discusses its advice to state and local officials, whom the Constitution gives nearly total authority over the nation’s elections.

However, at an election security conference in Washington in March 2016, DHS cybersecurity official Neil Jenkins said the agency believes online voting “introduces great risk into the election system” at any level of government, providing “an avenue for malicious actors to manipulate the voting results.”

Jenkins said the department would issue guidelines warning states against online voting in the final months of the Obama administration. Why that never happened could not immediately be determined, and Jenkins has since left the department.

Researchers at the DefCon convention were sharply critical of any sort of electronic voting, including voting by smartphone, which will occur for the first time in November. West Virginia announced last week that it will allow military personnel posted overseas and registered to vote in West Virginia to vote via smartphone in the Nov. 6 election, using an app created by Voatz, a Boston-based startup.

“In my opinion, email voting is the most dangerous form of voting,” said David Jefferson, a computer scientist at California’s Lawrence Livermore National Laboratory and former board chairman of both the California Voter Foundation and Verified Voting, nonpartisan groups that promote secure and transparent election technology.

“Anyone who controls a router can change a ballot,” Jefferson said. “It’s just insane. It’s like attaching a $100 bill to a postcard and mailing it and expecting it to get there.”

Some states are backing away from electronic voting. Washington state said it was ending in-state email balloting “to limit vulnerability and reduce the risk of election tampering.”

In an emergency order last Friday, the elections office under Republican Secretary of State Kim Wyman said it had been “alerted to evidence of illegal attempts to gain access to and interfere with electronic systems that Washington elections officials use during an election.”

Mark Neary, a Washington assistant secretary of state who attended the DefCon conference, said he was unaware of any specific attempts to compromise the state’s voting apparatus.

“We’re concerned about that potential risk,” Neary told McClatchy.

In 2017, he said, only 1,465 Washington voters cast ballots by email or fax under a system requiring them to also mail their original ballots to election authorities. However, state law bars county officials from comparing the two ballots and requires that authorities count the first one that arrives.

Neary said he first saw a demonstration like the one in Las Vegas at an event put on months ago by Washington’s League of Women Voters, who teamed with a cybersecurity watchdog to show state and county officials that neither the sender of an emailed vote nor the receiver would know it had been altered.

But Neary said the chief concern was not that votes would be altered, but that malicious actors would plant malware in ballots attached to emails. When opened by local officials, the malware would embed in state or county election networks, where it could tamper with other votes, he said.

“We’re always looking at ways to improve or secure our election process. It’s not just Russia.”

Special counsel Robert Mueller last month indicted 12 Russian military intelligence officers in the hacking of the Democratic National Committee and Hillary Clinton’s presidential campaign, saying the acts were part of a plot to sabotage the 2016 campaigns to sway voters in favor of Donald Trump.

At least one senator suggested last week that Russia is still at it. Sen. Bill Nelson, D-Fla., said Russian hackers “already penetrated certain counties in the state and they now have free rein to move about” — assertions that Republican Secretary of State Ken Detzner said have no credible proof.

Sending ballots by email or fax has been a contentious point in recent years between election integrity watchdogs and states and counties, which at first were encouraged to adopt online voting by the Pentagon, to ease voting for military personnel based outside of the United States.

The figures are still small. In the 2016 election, local and county jurisdictions reported receiving more than 77,000 votes by email and 22,538 by fax, although those figures are incomplete; a McClatchy review found that nearly 4,000 U.S. election jurisdictions did not report how many emailed and faxed votes were cast. More than 130 million votes were cast in 2016.

“To see a mark on a ballot change when it’s transmitted by email is alarming,” said Susan Greenhalgh, policy director at the National Election Defense Coalition. “Hopefully, more states will move in the same direction as Washington and Alaska.”

“One of the biggest problems of the email return of voted ballots is that somebody receiving that ballot has to keep clicking on attachments. Everybody knows that attachments can be vehicles for malware that could infect a system and provide a back door into the network. Now you have an election official sitting at a county computer, clicking on attachment after attachment from emailed votes. Unless that computer is properly quarantined from the rest of the county-by-county system, it poses a huge risk,” Greenhalgh said.

North Carolina officials have noticed no problems with their emailed voting system, which drew 11,993 votes in 2016, but they “have taken the proactive step of scanning emails received through this process to detect any malicious attachments,” said Patrick Gannon, a spokesman for the state Board of Elections. Counties are invited to forward any emailed ballots to the state board for scanning “and if necessary, to detonate any suspicious attachments, malware, etc.,” he said.

Zimmerman said scanning might help locate malware, but “the only way to tell that an attachment has been altered would be to compare it to the original.” When an impostor server alters a ballot attached to an email, Zimmerman said it does not necessarily add anything malicious that would be detected by anti-virus software.

Chris Whitmire, a spokesman for South Carolina’s Board of Elections, said online voting has afforded thousands of military and other overseas voters a chance to participate. He said that of 8,618 military voters to receive ballots in 2016, 6,537 got them online.

Texas won’t stop accepting faxed votes from military service members in hostile pay zones, because doing so would require action from the state Legislature, which doesn’t convene until January, said Sam Taylor, a spokesman for the Texas secretary of state’s office.

Missouri only allows service members in hostile combat zones to fax ballots or transmit them through “a secure portal” online, an arrangement that is likely to continue, said spokeswoman Maura Browning of the Missouri secretary of state’s office.

“We will not violate our statutory obligations in order to disenfranchise Missouri’s military men and women in hostile zones, who are the very people fighting for our freedoms,” she wrote in an email.

Elsewhere at the DefCon convention, which concluded over the weekend, a beaming 11-year-old, Yonatan Lensky, described how he tweaked some code and inserted the name “Mark Albert” on an election website that was a mock-up of one used by the State of Iowa. He gave the persona 999,999,999 votes.

“I just thought it was really easy,” Yonatan said.

Cybersecurity experts, though, said hacking can push government and industry toward higher security at a faster pace, just as hackers have done by exposing vulnerabilities in medical devices and self-driving features in automobiles.

“The purpose of security research is to expose these things proactively when the security vendors don’t do it themselves,” said Kurtis Minder, chief executive and co-founder of Virginia-based GroupSense, a cyber intelligence firm.

“Right now, it’s going to be a little disruptive, but maybe it needs to be that way.”

©2018 McClatchy Washington Bureau Distributed by Tribune Content Agency, LLC.