Meddling with the midterms. — Special Edition

Kim Zetter is a longtime cybersecurity and national security reporter, and author of the book Countdown to Zero Day. She joins us to discuss her recent feature for the New York Times Magazine, titled The Crisis of Election Security. In it she explores the structure and fragile integrity of the US election system, how we got to where we are today, and what can be done to reestablish confidence in the system.

Kim Zetter's feature The Crisis of Election Security: https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html


Dave Bittner: [00:00:03] As we publish this CyberWire special edition, we're just weeks away from the 2018 midterm elections. And it's not just hype to say this election cycle is particularly hot and contentious. In addition to the amplified partisan posturing, there are lingering concerns about the integrity of the election process itself, the security of the voting machines and the possibilities that foreign governments might continue the interference they were alleged to have engaged in back in 2016. Kim Zetter is longtime cybersecurity and national security and author of the book "Countdown to Zero Day." She joins us to discuss her recent feature for The New York Times Magazine titled "The Crisis of Election Security." In it, she explores the structure and fragile integrity of the U.S. election system, how we got to where we are today and what can be done to reestablish confidence in the system. Stay with us.

Dave Bittner: [00:01:04] Time to take a moment to thank our sponsor, Cylance. Are you looking for something beyond legacy security approaches? Of course, you are. So you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance - artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.

Kim Zetter: [00:02:05] I've been covering election security going all the way back to 2003, so this is sort of a culmination of all of that reporting. I was really heavily involved in it for a long time between 2003 and around 2008, 2010, and it really sort of fell by the wayside. People weren't really concerned anymore about the voting machines because a lot of the places - a lot of jurisdictions around the country had actually started switching to paper ballots or paper trails on touch-screen machines. And so there were a lot of people that sort of, you know, thought that, OK, we've solved this problem. I didn't think that we'd solved it, and a lot of people didn't think that we'd solved it, but it went out of favor in terms of the public wasn't thinking about it anymore.

Kim Zetter: [00:02:49] And so when the Russian interference in the 2016 election occurred, it brought this into sharp focus again. And so it was - the problem hadn't been solved. I mean, many of us already knew that. But now that there was actually people paying attention to it again, it was time to raise the issue. And my point with this piece was really to show that the Russians weren't the problem. They're sort of a symptom of the problem and sort of an urgency to the problem, but it's been a problem going all the way back to 2002. And it really hasn't been addressed properly.

Dave Bittner: [00:03:33] Can you take us through - what are some of the challenges that we face when it comes to getting this under control?

Kim Zetter: [00:03:38] Well, there's really - I guess it's sort of multifaceted, you know, securing the machine, the sort of the long - the long haul way of addressing this. But you're never going to get a machine that's fully secure and not hackable. So what you have to do is you have to have a system in place that would help you know in the first place whether or not the software has been altered. And we don't have that right now. We don't have the ability to examine the software at all once it's on machines because it's this proprietary software. And the voting machine vendors have gone to court to prevent anyone from looking at their software. And we don't have sufficient audits in place that would compare - where we do have paper ballots - that would compare the paper ballot against the digital tallies to uncover discrepancies. So we've really been almost willfully resistant to engaging in methods that would actually tell us if there was a problem with our elections. And that's always been very curious to me. There's almost - there's a sort of willful resistance to actually taking the steps needed to ensure the integrity of election outcomes.

Dave Bittner: [00:04:56] And what do you think's behind that? Why do you suppose that is?

Kim Zetter: [00:04:59] The voting machine vendors were very resistant and engaged in strong lobbying activity for many years to prevent even the paper trail from being added to paperless machines. It's always been very curious to me why they had such an interest in resisting that. But it wasn't just them. Election officials were really swayed by the voting machine vendors. They were really under the thrall of voting machine vendors for a long time and would follow their lead on many things. And so they sort of parroted the arguments of vendors that the paper trails would - it would be more expensive to install printers, that the printers would cause problems at the polls, just - you know, it would be inconvenient for disabled voters who couldn't see them - a lot of arguments against that. And election officials were, you know, sort of the driving - I guess the end-stop, right? So if they decide that they don't want them, it's not going to happen.

Dave Bittner: [00:06:00] And a lot of that is because here in the United States, the elections are run at the state level.

Kim Zetter: [00:06:06] They are not just - no, there's actually - they're run at the county level. So the secretary of state, in many cases, is sort of the chief election official but doesn't really have a lot of involvement in the day-to-day running of elections. And elections don't just happen, you know, when you go to the polls. There's a lot of prep work and a lot of smaller elections that take place throughout the year that involve sort of ongoing activity. And the secretary of state will be involved in, let's say, setting procedures, maybe some protocols, but even that is sort of high level. And they engage only when - in the past only when there's been a problem. And so really county officials who are, for the most part quite often not tech savvy at all, are left - have been left to make these decisions on their own. And that's how the voting machine vendors have become so influential.

Dave Bittner: [00:07:03] And what led us to this situation? Is this a relic of how - I don't know - the growth of our country? I mean, what brought us here?

Kim Zetter: [00:07:13] Well, you know, under the Constitution, the - it's every state's rights and constitutional rights to conduct elections. We don't want the federal government interfering in elections - right? - because then that raises the possibility for some kind of real interference. And so there's always been this pride about - in counties running elections on their own, but that actually doesn't get us the lack of interference that we think it does because many county election officials are very partisan. They've been elected themselves, and they are part of a party. And so we've sort of given, in many cases, partisan people control over elections and also not had any oversight over their day-to-day operations of the choices that they make and the things that they do. And we've really sort of neglected that because we don't really want to know about elections at any time except, you know, the day we go to the polls. It's really - it's a problem with legislators. It's a problem with the public. No one wants to hear about this stuff, and no one really cares about it until an election year or until a problem arises. They want to think that the, you know - they want it to be in the hands of someone else. No one wants to really deal with it.

Dave Bittner: [00:08:30] And so leading up to the 2016 election, were there people who were sounding the alarms?

Kim Zetter: [00:08:36] For a decade (laughter).

Dave Bittner: [00:08:38] Yeah.

Kim Zetter: [00:08:39] Well, so specifically about the sounding the alarm around the Russians - I mean, obviously there was - DHS was coming out talking about the probing of voter registration databases. But they were very emphatic that there wasn't any evidence that anyone was targeting voting machines or the election infrastructure aside from those voter registration databases, which is alarming in itself - right? - but not the machinery that is used to tabulate or cast ballots. But we all know, you know, people who have been on this beat or overseeing this issue for a decade, that it's not that hard to go from a voter registration system to the systems that are then used to control and count ballots. So there were people - obviously when the first hints came out that Russians were probing even voter registration databases, there were people that knew ultimately what that could mean. But there was no time to do anything about it.

Dave Bittner: [00:09:43] Now, one of the things you point out in your piece here is that the security agencies in the U.S. say that there's no evidence that the Russians had changed any votes. But you think it's a little more complicated than that.

Kim Zetter: [00:09:56] Yeah. So when they say - and I want to point out that they changed even the wording of that. Right after the 2016 election, they said no one changed any votes, and there was pushback. I mean, I engaged in a lot of pushback with the government about that kind of definitive statement. And they've altered it and said there's no evidence that votes have been changed. Now, there are problems with that statement because no one has looked for evidence. When the government says that there's no evidence, what they're talking about is just signals intelligence evidence. So the intelligence community monitors, you know, chatter over the waves from, you know, Russian officials and Russian hackers. They monitor machines. They have sensors set up. They're looking for anything like that. If there are people talking, they're looking for their human sources and intelligence sources. They're looking for any evidence that people have been talking about altering votes or to see if there is any kind of chatter online about it. They may even look at - to see retroactively if they can find any activity going into Election Network. But it's unclear even if they went that far. So when they are saying there's no evidence, that's the kind of evidence they're talking about.

Kim Zetter: [00:11:19] But these machines have been vulnerable for more than a decade, and at any time in that decade, anyone could have gotten into these machines. And so when you're talking about looking for evidence - did anyone get into those machines right before 2016 - they're missing the entire decade of activity whereby someone may have already gotten to the machines, and they have been sitting there for the last decade doing nefarious activity. Unless you actually do forensic investigation of the machines, the voting machines themselves, you can't know what has been on those machines and whether or not votes have been altered. The only way that you can even find some sufficient - because even if you actually do a forensic examination, if the attackers are really skilled, they're going to erase their tracks on the machine and so you won't find it that way. That's why you need paper ballots, and you need mandatory audits to compare the votes on the voter-created ballot against the digital ballots. And that's the only way that you'll see whether or not there's any evidence that would point to the software because you may not - like I said, if you go back into the software, you may not see anything. But you will see the evidence of it in that comparison if they don't match.

Dave Bittner: [00:12:36] Why do you suppose Congress doesn't take this more seriously? What's holding them back?

Kim Zetter: [00:12:40] Lobbying. So Representative Rush Holt tried multiple times, four or five times, to pass legislation that would mandate paper ballots and to mandate audits. And he was unsuccessful in all of those times in getting any traction to his bill. Some people say it's because they were Republican-controlled Houses at that time, congressional Houses, Senate. And so it was hard to get any leverage there. But even when it looked like there was, you know, a lot of Democrat interest, it didn't actually go far enough in - you know, I should point - or I point out in the story - The New York Times story - where I interviewed Steny Hoyer from Massachusetts, and he was the architect of the legislation that got us these voting machines. And he said - I asked him why once you became aware or once the public became aware that there were problems with these machines and Rush Holt brought up the legislation again to ensure the integrity of ballots by mandating audit and paper trails you still didn't pick that up and vote for it. And he said he just didn't believe Rush Holt, that this was a problem. He believed that the machines had integrity.

Kim Zetter: [00:13:57] And it really is that the - you know, we have a case of lawmakers who don't understand technology. And so they're really at the mercy of whatever the tech companies - the voting machine companies, in this case - tell them. And they don't seem - they seem to be very out of touch with anything that happens outside of the Beltway. So while everyone outside of the Beltway, including academics and computer scientists, actually - actually, even in the Beltway, computer scientists in Maryland and D.C. were trying to point out problems. They just weren't listening to them.

Dave Bittner: [00:14:29] Yeah. It's really striking to me that something so crucial to the foundations of democracy as our ability to have confidence in our elections is basically under the control of private, for-profit companies who aren't really allowing us to take a look at what's going on under the hood.

Kim Zetter: [00:14:48] Right. And I - there's just been no impetus for forcing that on them. Like I say, the election officials for a long time really trusted vendors. And they were also, you know - they had good lobbyists. So even among federal lawmakers, it was hard to get any traction on any of this.

Dave Bittner: [00:15:07] Now, you know, leading up to the 2016 election, we had then-candidate Trump, who was sort of sowing the seeds of doubt when it came to the election integrity. He was - leading up to Election Day, he was saying the election is a sham; it's a scam. We have other observers saying that the Russians feel it isn't necessary to sway the outcome but just to shake our confidence in our democratic norms. How much confidence do voters have these days? Have they - has that shake-up been successful?

Kim Zetter: [00:15:39] Yeah, I mean, so that's the difficulty here, that your - we've never had a situation like this - right? - where a president going into the election himself was already questioning the integrity of the outcome of the election. And then after the election, of course, we're looking at the prospect, well, if the Russians actually did accomplish some of it, then that was their goal, and they achieved it, right? They raised questions. And so now anyone who tries to shine a light on this and - can be accused of aiding the Russians. So you're - you don't win either way, right? You're trying to actually secure elections, but now you become an enemy of democracy if you're actually - in trying to secure elections against the Russians, you now become an aid of the Russians by sowing doubt in the outcome. And that's - we've never had that situation before and - you know, in the many years that I've been covering this.

Kim Zetter: [00:16:39] So this is a new sort of wrench thrown in. And it's a difficult wrench. But I think that it was - we've overcome that. I think that election officials have sort of embraced some assistance from DHS. They've accepted that they need to become more security conscious and raise their security profile. So I think that even though there are still some people that say, hey, don't talk about this; you're helping the Russians, there are many more that say, you know, no, we need to actually address this.

Dave Bittner: [00:17:10] So where do we stand now, where we're heading into the 2018 midterms? Has there been any meaningful change, or are things the same as they've been? Is the - having a light shone on this, is that - has that made anything better?

Kim Zetter: [00:17:23] It's definitely made election officials more, let's say open and cooperative about seeking assistance. In the past, election officials really haven't been able to - first of all, they didn't have the will to go look for assistance. But they also had a resources problem, that they don't have money to actually hire security staff on their own. So having the systems offered by DHS has really improved things. And it's improved the awareness. And it's improved the willingness. But what DHS can do is very limited. What they are doing is they're scanning internet (unintelligible) systems, so like the voter - the voter registration database, the server, anything connected online. They can do remote scanning of that to see if there are any unpatched software holes in that database software or the server software. And they can help officials get that patched. But that's a very, very small part of the election infrastructure. And most of the infrastructure is not supposed to be connected to the internet (ph). And it's not in a position of being scanned. And yet, it is just as vulnerable.

Dave Bittner: [00:18:31] What would you like to see going forward? Are there any solutions available to improve the situation that have any hope of being pushed through?

Kim Zetter: [00:18:40] Mandatory audits and paper ballots. That is - if we can do anything, that would, you know - it's very hard to get security right. Security is a huge uphill battle. Even when you think that you've secured your system, any change that you make to your system afterwards can introduce new vulnerabilities. So you can't rely on getting the tech so secure that no one will ever be able to change anything. And also, you're - we're dealing here with an insider threat, right? We're not just dealing with Russians, who we have to look at coming from the outside over the internet. Voting machines are also vulnerable to being manipulated by a trusted insider. And so you can't just - you can't necessarily defend against that by doing the tech. That's why you have to implement something after the fact to do some verification.

Kim Zetter: [00:19:35] And if you have audits - and, I mean, they have to be well-designed audits. Risk-limiting audits is the kind of audit that states and counties want to be doing. And there's only one state now that currently does that. So you want to have paper ballots created by the voter, not a paper ballot that's produced by a machine, but the paper ballot that's created by the voter. Then you can scan it. Then you can count the digital votes taken from that ballot. But you need to actually look at that paper ballot. And you need to do a mandatory audit. And that's really the only hope that we have of knowing when the election has been manipulated and trusting if it hasn't - that it hasn't.

Dave Bittner: [00:20:16] Our thanks to Kim Zetter for joining us. The title of the article is "The Crisis of Election Security." She's also the author of the book "Countdown to Zero Day."

Dave Bittner: [00:20:27] Thanks to our special edition sponsor, Cylance. To find out how they can help protect you, visit cylance.com.

Dave Bittner: [00:20:33] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.

Copyright © 2018 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
