Election Security is not a hoax
How safe are our elections?
It depends on which element of the election structure you’re talking about. Voting itself is very secure across the board and legitimate reports of fraud and voter impersonations are extremely low. But voter registration systems are another story. And technology in the form of social media has helped add a whole new way to supress or dissuade voters through fake accounts, bot-nets, and deep fake videos.
US intelligence services already see Russia attempting interference in the 2020 presidential election in both the Trump and Sanders’ campaigns.
Add to that some self-inflicted wounds like the disruptive impact of uncertainty regarding the Iowa caucuses, and you’ve got a very unsettled environment at a very dangerous time.
In Iowa, there is plenty of blame going around. Some say the app was the problem, some say hacking occurred, others say the Democratic National Committee was “overly paranoid” about hacking, and still others say they weren’t well trained.
In fact, all those things appear to be true - except for the overly paranoid part. You’re not paranoid if they really are out to get you.
And, in fact, it is clear that disruptive actors did play a role in messing up Iowa’s election night, although in a rather low-tech way. Messages on the internet forum 4chan, a popular site for Qanon followers, deep staters, and conspiracy theorists, urged people to call the phone line set up for results reporting to “clog the phone lines” and prevent legitimate results from getting through.
The Iowa Democratic Party confirmed it “experienced an usually high volume of inbound calls” that “delayed the collection of results.” Of course, Qanon could not have hoped for all the other problems that made this pretty low-tech prank a big part of an even bigger problem.
A similar issue would be a “denial of service attack”, where malware bots distributed to unwitting computers around the world are activated to constantly ping a single server, overwhelming it and crashing the server and opening a window for hackers to exploit. Your computer could be one of these and that’s why daily virus updates are critical. Read more about DDOS.
The FBI recently reported that a DDOS attack had targeted a state voter registration system. Although not releasing which state was the target, the FBI said hackers had flooded a DNS server with large amounts of queries designed to overwhelm the system and shut the site down. Whether or not, a successful attack could have gained access to – and potentially changed or deleted – voter registration records isn’t known.
Had it happened, it wouldn’t be the first time. In June 2016 breach of Illinois voter database remains the warning sign for election system vulnerability, with national security experts now saying all 50 states had been targeted for Russian intrusion. Russian hackers gained access to 76,000 records and, according to the Department of Homeland Security, would have had the ability to change or delete records. But HHS found no forensic evidence that had happened.
In September, a senior US official had this warning: “We assess these systems as high risk,” said a senior U.S. official, because they are one of the few pieces of election technology regularly connected to the Internet.
Accessing voter registration systems could have a range of impacts from changing voter status, removing voters completely or simply changing a piece of information such as party preference on the voter record that could cause disruption when the voter gets to the polls. In a state like South Carolina with 3 million+ voters, a programmatic change affecting 1 percent of the database could easily fly under the radar, and yet could impact 30,000 votes. In 2016, Trump won the election because of 78,000 votes in three Midwest states.
But what has been bourne out through Iowa and Nevada is that the biggest problems with new election technology is less the programming behind it and more the implementation and management of it.
In Iowa, the application seems to have been developed with little - if any - input or involvement of actual users. Users of the app had trouble installing it and found insufficient technical support for even that problem. Those trying to connect the day before the caucuses had failures, which led many to decided not to use the app at all. Although backup plans were developed, they were also untested and resulted in more problems and delays in transmitting vote totals.
There are some lessons to be learned from this and, no, it’s not don’t try to insert technology into our elections.
Most systems implementations fail because the rank-and-file refuse to adapt to the system. Often that’s because they weren’t involved in either the planning or development process so the final product may have systemic weaknesses that could have been avoided.
Testing is sorely misunderstood. In my experience, people test systems or processes by doing the exact right thing in the exact right way. Perfect, it works. But testing should be conducted with a written plan and a checklist that includes testing for failure. Backup processes - like those that fell short in Iowa - need to be tested all the way through as it is always the small details (like a pin or password, in this case) that cause the biggest problems.
Don’t deploy a new system during your make or break period. Admittedly, that would be hard in Iowa where you only need the app once every four years. Hard but not impossible. Think of all the hazardous material-first responder scenarios that are run. In a business or organization, you have other options like small pilot programs designed to ferret out the bugs or the unforseen circumstances. You do not go from testing – especially limited testing – to live.
These are pretty basic project management rules. It’s too bad these first forays into technology had political parties instead of project managers at the helm.