
Georgia Election Security Now and in the Future


Richard DeMillo, PhD
Charlotte B. and Roger C. Warren Professor of Computing
Georgia Tech
The House is ready to adopt HB316
advocating ballot marking devices (BMD)
rather than hand marked paper ballots
(HMPB) based on recommendations in
the SAFE Commission Report despite the
strong urging of the following not to do
so…
• The National Academy of Sciences
• Verified Voting Foundation
• National Election Defense Coalition
• Common Cause
• A National Security Panel at August
SAFE Meeting
• Statement by two dozen experts
• Every independent witness for the
Senate Select Intelligence Committee
• The SAFE Commission's own Security
Expert
Every single argument in favor of a uniform system of Ballot Marking Devices is contradicted by expert testimony and demonstrated facts.

Compared to hand marked paper ballots, ballot marking devices offer:
• No security improvements over current system
• New vulnerabilities
• High error rates
• Low usability scores
• Technology that the Public does not want
• Not accessible by broad disabled communities
• No important new functionality
• Needless additional expense: to purchase, to operate
• Election technology rejected by experts nationwide (including SAFE’s own cyber security expert)
trust
the current system of DREs is insecure,
building on it does not make much sense
On April 16, 2018 Prof. Alex Halderman demonstrated an air gapped attack
• Does not require voting machines to be directly connected to Internet or any other network
• No special physical access to DREs needed
• In a real election, memory cards are programmed by network connected computers
• Malware on computers used to program memory cards installs malicious software on memory cards
• Election workers insert memory cards into DREs
• Malicious software on memory cards installs vote-altering malware on DREs
• Vote-altering malware erases itself after the election

Repeatedly hacked over last 20 years, there has never been an unsuccessful hack of a Georgia voting machine


Laboratory demonstrations like these are irrelevant because in GA we have these layers of impenetrable security:
• tamper evident seals
• monitoring by trusted staff
• systems air-gapped
• layers of logical protection
• ballot images stored as a last resort
– GA Secretary of State’s Office

But in reality:
• Haphazard physical security
• Tamper evident seals easily defeated
• Lack of training and loose monitoring of physical security staff
• It is a myth the system is not connected to the Internet
• Hardware and software date from 1990s – there are few security features
• It is not true that ballot images are stored: there are no independent backups
Haphazard Physical security
random people
unattended voting machines
• Theft not reported for days
• Stolen equipment never recovered
• Memory cards not accounted for
• Inconsistent accounts

April 2017
Electronic poll books stolen in advance of GA 6 election
Tamper-evident seals that are easily defeated with a few minutes training

Ineffective and Error-Prone Human monitoring

March 2017
KSU internal audit uncovers operational vulnerabilities
• “Door to elections private network data closet, was not latching properly”
• “The elections private network data closet contains a live network jack to the [public Internet]”
• “An operating system and application security assessment has not been conducted on the CES Isolated Network”
• “A [non-KSU] wireless access point was found when UITS did a walkthrough of the CES house.”
• “Inconsistent port colors…to indicate which network is public and which is private”
Isolation from the Internet is a myth
Iran’s nuclear fuel processing system was air-gapped: Stuxnet attacked it by using USB drives
The sole State expert presented in federal court was unaware that this threat was equivalent to being connected to the Internet

Election Officials Acknowledge Systems Connected to Internet

Vulnerable logical layers
• Targeted attacks
• Advanced, persistent threats
• Malware transmitted by mutating software
• Triggered, quiet, self-erasing
• 2000-era hardware and software is completely exposed
• Court filings indicate that election officials are unaware of threat to logical layers, are convinced that malware always leaves a trace

The “We store ballot images” claim is fiction

SAFE recommended to keep the same vulnerable technology
A Ballot Marking Device is like a DRE that prints a paper record of your
vote so that you can verify it
trust
BMDs are even more vulnerable
Myth of voter verification
What’s wrong with barcodes?
Here’s a new vulnerability: ballot marking devices print barcode ballots
DOES THIS GET COUNTED? OR DOES THIS GET COUNTED?
The human readable ballot can’t vouch for the barcode ballot: Bonnie and Clyde are in cahoots

“Miss Parker, can you vouch for Mr. Barrow’s whereabouts last Friday?”

There is nothing in HB316 that prohibits barcodes or even unreadable QR codes like this one.
trust
by detecting vote manipulation through post-election audits
There is a mandate for Risk-Limiting Audits (RLA). An RLA is a post-election audit that hand checks vote totals against a scientifically chosen sample set of ballots
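
To make the RLA definition above concrete, here is an added example (not from the original slides) of one well-known RLA procedure, the BRAVO ballot-polling test. It assumes a two-candidate contest and paper ballots drawn uniformly at random; the function name and the sample sequences are constructed for illustration.

```python
def bravo_audit(sample, reported_winner_share, risk_limit=0.05):
    """Sequential ballot-polling audit (BRAVO) for a two-candidate contest.

    sample: hand-read marks from randomly drawn paper ballots, in draw order:
            'W' = reported winner, 'L' = reported loser, anything else = no valid vote.
    reported_winner_share: winner's share of valid votes per the electronic tally.
    Returns (outcome_confirmed, ballots_examined). If outcome_confirmed is False
    the sample was inconclusive and the audit escalates to a full hand count.
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner must hold a strict majority")
    if not 0 < risk_limit < 1:
        raise ValueError("risk limit must be between 0 and 1")

    threshold = 1 / risk_limit   # stop once the evidence ratio reaches 1/alpha
    ratio = 1.0                  # likelihood ratio: reported result vs. a tie
    examined = 0
    for examined, mark in enumerate(sample, start=1):
        if mark == "W":
            ratio *= reported_winner_share / 0.5
        elif mark == "L":
            ratio *= (1 - reported_winner_share) / 0.5
        # undervotes and unreadable ballots leave the ratio unchanged
        if ratio >= threshold:
            return True, examined
    return False, examined


# Constructed samples, tally reports the winner at 60%.
MATCHES_TALLY = ["W", "W", "W", "L", "L"] * 40   # paper shows 60/40, as reported
ACTUALLY_TIED = ["W", "L"] * 500                  # paper shows 50/50

if __name__ == "__main__":
    print(bravo_audit(MATCHES_TALLY, 0.60))   # confirmed after a modest sample
    print(bravo_audit(ACTUALLY_TIED, 0.60))   # never confirms: full hand count
```

The audit examines only the paper record, so the sample is evidence about the ballots as printed or marked, which is what is compared against the electronic totals.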
The inventor of RLA says BMDs and audits can’t coexist

BMDs score low on usability scales

Study after study: Touchscreen devices are not more usable, accessible
• Out of 2.9M hand marked paper ballots cast in Franken vs Coleman, only 14 could not be interpreted (sos.state.mn.us)
• Error rates for scanned fill-in-the-bubble ballots 0.6% vs 2.7-3.7% for touchscreen DREs (Everett, 2007)
• Most DREs do not meet HAVA and ADA requirements for disabled (Runyon, 2007)
• Addressing visually impaired (1% of population) disadvantages cognitively impaired (49% of population) (McCrae & Costa, 1992)
• Voters who prefer DREs perform worse (Everett, 2007)
• GA Voters prefer hand marked paper ballots (AJC, 2019)
• Fraud more likely to be detected with paper (NC, 2019) vs Electronic (Lt. Gov. 2019)
“Do you know of any instance where votes have been changed?”

• GA’s DREs lack any independent way to record the voter’s intent
• Plaintiffs have been denied forensic access to machines that might reveal changed votes
• The absence of such a security feature cannot be used as evidence that vote flipping has not occurred
How does something like this happen?
• Not by chance 1:10000 probability of this happening
• Programming error systematically triggered
• Election day manipulation
• Cyber attack

BMDs cost GA taxpayers more to buy and to operate
trust
Assurance: How the public gains
confidence in such a system
• Understand threats
• Reduce sources of risk (more computers = more
risk)
• Manage vulnerabilities
• Explain what happens when there is a failure
What does a more secure election system look like?
• Only allows essential computer technology
  • Voter registration
  • Vote tabulation
  • Appropriate accommodation for disabled voters
• Applies NIST cybersecurity profiles to all computerized components
• Avoids single points of failure
• Subjected to end-to-end penetration tests
• Imposes no intermediate steps between record of voter intent and electronic tabulation of vote totals
• Focuses on physical security and chain of custody of cast ballots
• Implements statistically valid post-election audits to reconcile
  • Securely archived hand-marked paper ballots
  • Electronically tallied vote totals
