Here's everything that's wrong with America's insecure electronic voting machines, and what to do about it

The University of Pennsylvania's Matt Blaze (previously) is a legendary figure in cryptography and security circles; most recently he convened Defcon's Vote Hacking Village where security experts with no particular knowledge of voting machines repeatedly, fatally hacked surplus voting machines of the sort routinely used in US elections.

Last month, Blaze made a statement to the House of Representatives' Committee on Oversight and Government Reform Subcommittee on Information Technology and Subcommittee on Intergovernmental Affairs Hearing on Cybersecurity, in which he comprehensively laid out the problems with today's voting technology and how this state of affairs came to be, and what the US must do, urgently, to correct a terrifying vulnerability in a foundational democratic process.

In particular, Blaze points out that the threat model for voting machines is a dirty candidate who tries to tip the scales in their favor; but that in the real-world, nation-states attack each other by discrediting the results of elections, by sowing enough doubt about the accuracy of the vote count to delegitimize the winner.

Blaze makes three principal recommendation: first, adopt precinct-counted optical scan ballots, which can be machine-tabulated but can be recounted by hand if the software is suspect or corrupt; second, conduct random "risk limiting audits" at every election to spot systemic problems as they emerge and to deny adversaries the opportunity to use small elections as testbeds for larger, more ambitious attacks; and finally, to increase the funding and resources to train local election officials "to help them more effectively defend their systems against increasingly sophisticated adversaries."

Electronic voting systems must resist not only fraud from corrupt candidates and supporters, but also election disruption from hostile nation-state adversaries. This is a much more formidable threat, and one that current systems, especially those using DRE technology, are even less equipped to resist.

The most obvious difference between traditional fraud from corrupt candidates and disruption by hostile state actors is the expected resources and capabilities available to the attacker. The intelligence services of even relatively small nations can marshal far greater financial, technical, and operational resources than even the most sophisticated corrupt domestic criminal attacker. For example, intelligence services can be expected to conduct espionage operations against the voting system supply chain. In such operations, the aim might be to obtain confidential source code or to secure surreptitious access to equipment before it is even shipped to county officials. Hostile intelligence services can exploit information and other assets developed broadly over extended periods of time, often starting well before any specific operation or attack has been planned.

House of Representatives Committee on Oversight and Government Reform Subcommittee on Information Technology and Subcommittee on Intergovernmental Affairs Hearing on Cybersecurity of Voting Machines November 29, 2017 [Matt Blaze/University of Pennsylvania Computer and Information Science]

(via Bruce Schneier)