
DHS plans urgently needed to address identified challenges before 2020 elections [pdf] - infodocket
https://www.gao.gov/assets/710/704314.pdf
======
howmayiannoyyou
[https://www.youtube.com/watch?v=TYVLH1tLIDY](https://www.youtube.com/watch?v=TYVLH1tLIDY)

They should start with Rand Waltzman's presentation at DEFCON (link above). In
sum, USGOV is still totally unprepared for information warfare ops ongoing and
intended.

About 1/2 through this video the content is the best I've ever watched from
DEFCON, period.

~~~
rfmw19
Great video, thanks! I have one question:

There's a part where Rand says he was asked to provide questions for the
congressional Facebook hearing. He said he was shocked when his questions were
not used and instead "stupid" questions were asked. I'm not sure if he meant
this sarcastically or not, but isn't it clear, especially to someone like Rand
being an expert in disinformation and related areas, that the questions were
likely deliberately not asked? I'm not sure why he was shocked.

------
maximente
when viewed from a sludge-money lens (a la the F35) electronic voting and
election security seem largely working as intended:

\- we know paper works (Canada/UK) so there must be an ulterior motive for
pushing on tech solution so hard

\- money gets sent to various entities under the guise of tech, security,
freedom, etc. (contracts for voting machines, contracts for software, etc.).
this basically gives some limited air cover for transfer of funds to entities

\- it nicely feeds into itself: defensive work always needs to keep up with
(real or imagined) offensive threats so basically unlimited amounts can be
spent without too much eye rolling

\- it is basically a get out of jail free card for both political parties in
the future: "elections were hacked" is bipartisan and can be a useful tool to
defeat/deny access to popular party outsiders on both parties, as opposed to a
genuine candidate blowing up the system (Sanders?)

\- any foreign entity can be conveniently used if e.g. need to get a quick war
going to distract the plebs from, say, medical parasitism or offshoring jobs

~~~
mzs
UK and Canada are parliamentary systems so most ballots are one page. Most of
those are just a single question with one selection permitted.

In the US the ballot I get in my polling place depends on where I live and
sometimes what party I am registered with. My ballot will likely be different
than the next person in line. That ballot is many pages with numerous
questions per page. And for about half of the questions I am permitted more
than one selection.

Machines are a good aid here for this system. Verifiable paper tallies are
good for election security though.

~~~
roganartu
What you describe is not that different from Australia's preferential system
afaict, aside from people at one district potentially having different
ballots.

Australian ballots are not always simple, and you vote for your local
representative so each district has a different one. Often you will have
multiple ballots to complete, and some have the choice between above or below
the line voting (where above you select some preferences and below you select
all preferences, where all may be over 100 boxes).

Parties often hand out small leaflets outside the voting locations with
instructions for above the line voting, which is typically a list of around 6
preferences in order.

Despite this, voting in Australia is done with paper, and we have live
coverage with real-time counts on election night. Paper works quite well,
computers really aren't necessary.

~~~
mzs
Australia is always a curveball! I've wondered how a precinct counts those
ballots, especially if some people vote below the line. I hope someone with
experience comments here.

~~~
roganartu
You don't have to wonder, the counting process is well documented! :)

[https://www.aec.gov.au/voting/counting/](https://www.aec.gov.au/voting/counting/)

~~~
mzs
Thanks, I'm still confused but it seems in essence before counting they make
an educated guess of the two likely winners and first count with that in mind
and only do a more complicated tally if it ends-up mathematically possible for
one of the others to still come-out on top.

------
_Understated_
Here in the UK we still use paper and pencils and while you can still mess
with individual votes it isn't something that scales... not like running a DB
query:

UPDATE tbl_Vote SET Candidate = [The one that paid us the most] WHERE State =
[State Name]

------
geogra4
Paper and pencils please.

~~~
jcrawfordor
The discussion over paper vs. electronic ballots tends to miss many of the
largest issues in election security. DHS is correct in pointing out that we
need a focus on the larger landscape of election support infrastructure.
Notably, electronic pollbooks are a very important part of the voting system
which cannot readily be replaced with a non-digital solution. Simply switching
to paper ballots reduces the problem, but does not by any means eliminate it.

Calls for paper ballots also tend to get muddled up in the realities of how
ballots are counted. When paper ballots are used, they are virtually always
still counted by computer using an OMR. A precinct tabulating solution, which
is widely used in the US right now, simply moves the OMR from the central
election office out into the polling place, and is broadly equivalent from a
security perspective to what most people would call a "pure paper" solution
except that the environmental exposure of the OMRs is higher because of their
presence in field voting locations. However, security measures used to protect
centralized OMR in jurisdictions without precinct tabulators are not
necessarily any better than OMRs out in the field. In fact, precinct
tabulators are generally built with significantly improved anti-tamper
mechanisms compared to the older central tabulators. These measures aren't
perfect of course, but it is a matter of tamper seals, cryptographic
signatures, and audit tapes used by precinct tabulators as compared to
absolutely no anti-tamper measures in many centralized tabulators used by
jurisdictions with what many people would call "completely non-digital"
voting.

While it is possible to tally the ballots by hand without the assistance of
OMR, and there are organizations which advocate for this, it is an extremely
expensive proposal and it's actually fairly hard to argue that it is superior
to a well operated OMR approach - even in the case of hand-tallying of
ballots, audit recount should still be performed to ensure accuracy and
integrity in the (recently recruited online, poorly paid, minimally trained,
and very hurried) election officials.

~~~
sp332
An audit recount is at least possible with paper ballots. If digital records
are modified, how are you going to audit them?

~~~
jcrawfordor
Digital records kept by precinct tabulators are audited using the paper
ballots. These machines read and retain the voter's original ballot for later
inspection. if the ballot is machine-marked (done for voters with certain
sensory/mobility limitations) the paper copy is produced for the voter's (or
assister's) inspection prior to tabulation.

This is perhaps the #1 misunderstanding of electronic voting technology that I
encounter and frustrates me endlessly: the most widely used electronic voting
method in the US, precinct tabulators, are a paper-ballot based system. The
only change from the "traditional" approach to voting in the US is that the
OMR is moved from the county elections office to the precinct polling place,
which simplifies handling of the paper ballots. The paper ballots remain the
"source of truth" and are retained for audit, the machine just tabulates the
ballots immediately after the voter turning them in, instead of a courier
delivering the ballot box to the central office for tabulation. Precinct
tabulators include multiple safeguards against tampering which are far from
perfect but reasonably effective against most common attacks - ultimately the
safeguard against tampering is the same as it always has been, that the ballot
box must be kept under watch of sworn election officials to protect the
integrity of the paper ballots. Exact handling of the ballot boxes vary by
jurisdiction, in this state they are entrusted to the state court system for
retention for several years and can be retrieved and opened for auditing by
order of a judge.

Risk models for precinct tabulators are generally ballot stuffing, tampering
with software in the supply chain, tampering with election configuration, or
tampering with an individual OMR, such as in the polling place (this is by far
the case that gets the most attention, even the security community seems to
have largely not noticed the first three). Ballot stuffing is generally
prevented by use of a machine "unlock" procedure (using a cryptographic token
in the most common system) and review of the paper audit tape against the
pollbook and/or voting permits generated by the pollbook (number of ballots on
tape must match number of issued permits and the number of voters recorded as
voted by the pollbook, these are independent checks in my jurisdiction
although they should always be equivalent - checking both ways is actually a
means of auditing the pollbook). Tampering with individual tabulators is
relatively easily discovered by auditing the ballots using a different
machine, which is the normal recount process in this jurisdiction. Tampering
with tabulator configuration (likely by compromise of the election management
system used to program the machines) can be detected by inspecting the paper
audit tapes which include the machine configuration, which is normally
conducted by a university political science department in this jurisdiction.
This political science department also inspects the audit tape totals to audit
the central office tabulation where the machine counts are added.

Tampering with tabulator software in the supply chain is by far the most
difficult and concerning case. In every case I have ever seen, tabulators are
never connected to the internet. However, they are connected to a
configuration system which may be internet connected, and could offer a (not
easy but possible) route to tampering with their software. It is more likely
that such tampering would occur prior to delivery of the machine or perhaps
during storage. If done carefully it could be very difficult to detect by any
audit method except for a hand-count of ballots. In this jurisdiction and,
according to NCSL in the majority of US states, a hand-count is performed on a
subset of ballots as part of the normal post-election audit process, and
should detect this type of tampering unless the effect is very small.

To be clear, some direct recording electronic or DRE machines are a major
concern because there is no paper ballot for independent auditing. The term
DRE can be confusing because some DREs produce a voter-verified paper audit
trail or VVPAT which is essentially a machine-marked paper ballot which is
shown to the voter prior to tabulation. These machines are considered DRE
rather than precinct tabulators because they directly record the voter's
preferences from the marker rather than scanning a paper ballot, however,
because a paper ballot is retained they are mostly equivalent to precinct
tabulators, with the downside that voters may not scrupulously verify the
VVPAT since they were not required to mark it manually. Only about 28% of
voters according to Pew vote using DRE machines, and according to Verified
Voting about one quarter of those machines produce a VVPAT. This would suggest
that about 21% of registered voters live in jurisdictions where there is no
paper audit trail. This is definitely highly concerning, but is a
significantly lower proportion of voters than most people who discuss this
issue seem to think.

The popularity of DRE equipment increased significantly after the Help America
Vote act because DRE machines contain significantly more advanced
accessibility features (e.g. blind and mobility-impaired voter modes) and HAVA
required jurisdictions to upgrade to machines with these features. However,
HAVA does not require DRE at all. Jurisdictions which centrally count ballots
or use precinct tabulators can offer voters with accessibility needs a "ballot
marker" which they insert their ballot into. After assisting the voter, the
machine marks their ballot and returns it to them, allowing them or an
assister to verify the ballot's correctness. In my experience most disabled
voters prefer to have a human such as a family member or sworn election
official assist them in marking their ballot anyway, since it is easier than
learning to use the machine's accessibility interface modes, but the ballot
marking machine offers them the option of complete privacy. In the case of
perhaps the most popular precinct tabulator, ImageCase, the ballot marker is
the same machine as the tabulator to save space and equipment maintenance. In
this case the machine returns the ballot to the voter after marking for
inspection and the voter reinserts the ballot into the same machine for
tabulation.

Focusing on all electronic voting methods, including precinct tabulation, as
an evil, like a large portion of people in the tech community currently do,
has significant downsides. Precinct tabulators, and OMR tabulation more
generally, has significant advantages in terms of cost, accuracy (assuming no
tampering, as in the majority of cases), and timeliness of results. Further,
precinct tabulators have advantage to voters. Precinct tabulators generally
sound an alert and return the ballot to the voter if there are problems
tabulating it. This prevents votes being lost due to marking errors or damage
to the ballot. Precinct tabulators confirm to the voter on a display that
their ballot has been successfully tabulated, providing them with a higher
level of confidence that their ballot will be counted than central tabulation
provides.

This has been a very long comment, but this is a topic about which I am
extremely passionate. Those involved in advocating for changes in the
mechanics of the US election system _must be sufficiently knowledgeable of the
actual methods and machines in use to make reasoned arguments_. This includes
knowing the difference between precinct tabulation of paper ballots and DRE,
and especially DRE with no VVPAT. Unfortunately it seems that most of the time
they do not. It doesn't help that the media and even technical experts
(although not technical experts in voting) regularly conflate OMR, precinct
tabulation, and DRE, and generally contribute to an impression that the
majority of US voters leave no paper trail even when that is untrue.

Were I president of the world, I would like to see legislation which mandates
the use of a voter-marked paper ballot. This allows the significant advantages
of precinct tabulators while ensuring the ability to audit the election by
hand. I would further like to see legislation which requires that all
jurisdictions hand-count a portion of ballots as an audit, possibly using the
tiered method used in some states in which the size of the audit sample
increases as the margin in a race gets smaller, eventually leading to a full
hand count (this is essentially a more systematized version of the automatic
recount legislation that already exists in many states).

This is somewhat complicated when many people are arguing against the use of
any technology in the voting process, while unaware that technology (namely
centralized OMR, which is essentially strictly inferior to precinct
tabulators) has been in use since the '60s and widespread since far before the
introduce of problematic DREs, and unaware of the controls in place to prevent
and detect tampering with these systems. Electronic voting simply does not
mean that there is no auditable paper ballot - in the strong majority of cases
there is. _Let 's focus on the real problem, which is DRE with no VVPAT (with
DRE in general being desirable to eliminate due to the limitations of VVPAT),
and not cause election authorities to feel that they need to hold onto their
unauditable DRE systems because the public acts like the only viable
alternative is a full hand-count, which is prohibitively expensive by orders
of magnitude to US elections authorities which generally suffer from severely
limited funding._

Edit: besides fixing spelling, on a reread I realize that I should emphasize
that precinct tabulators are connected to an election management system (which
may be internet connected depending on the jurisdiction) _prior_ to the
election in order to program them. In some cases this is a direct network
connection but more often it's a memory card that's moved from the election
management system to the tabulator. They are not connected to anything during
actual tabulation or at any time before the audit tapes and results card are
removed. It is a sensible policy to require election management systems to be
disconnected from the internet, and DHS has focused in on this issue closely
in their work.

~~~
oblib
Wow...thank you for all the great info and insight, and for the work you've
put in yourself on our elections.

------
ZeroCool2u
Interesting that the DHS response to all 3 points is that they concur, but for
all 3 points the resolution the Department points to is a document called the
#Protect2020 Strategic Plan, which will supposedly be released on Feb 14th.

Is that actually enough time for the guidance within to be implemented?

------
ryanmarsh
Simple question, are electronic voting systems required to be FedRamp
certified? If not why not?

~~~
jcrawfordor
Elections are managed by the states and, in some states, almost all aspects
are deferred to the counties. There is currently no standardized framework for
elections system security on a national level and it is difficult to implement
one for political reasons. DHS has moved in the direction of producing
guidance, but it is my hope that a mandatory framework can be introduced.

------
beepboopbeep
There is every incentive in the world to do whatever one wants to our
elections right now. It's a free-for-all of bad, patchwork technologies, zero
oversight, and a political establishment that is openly encouraging nation
state interference.

I am deathly afraid for our elections this year.

------
alwaysanagenda
It's pretty easy to "secure" the election.

1\. Voter ID 2\. Paper ballot electronically counted, paper stored as backup
for any disputes or recounts. 3\. No digital / computerized voting machines.

~~~
minikites
Voter ID laws aren't about protecting elections, they're about
disenfranchising voters:

[https://www.nytimes.com/2016/09/17/us/some-republicans-
ackno...](https://www.nytimes.com/2016/09/17/us/some-republicans-acknowledge-
leveraging-voter-id-laws-for-political-gain.html)

[https://www.theguardian.com/us-news/2019/dec/21/trump-
advise...](https://www.theguardian.com/us-news/2019/dec/21/trump-adviser-
republicans-voter-suppression)

~~~
1000units
It's about keeping non-citizens who don't have the right to vote from voting.
_Not_ implementing these laws diminishes the enfranchised.

~~~
josefresco
Nope, just another form of Poll tax:
[https://en.wikipedia.org/wiki/Poll_taxes_in_the_United_State...](https://en.wikipedia.org/wiki/Poll_taxes_in_the_United_States)

~~~
1000units
No, it isn't. However, let's assume it is. If you don't pay your (separate and
presumably uncontroversial) federal taxes, you become a felon and legally
disenfranchised. It becomes clear this is all a minor accounting detail.

