Feeds:
Posts
Comments

Posts Tagged ‘2016 Election’

Last time I wrote about how the complexity of the presidential voting process in the US is an important defense against cyber-terrorism, and specifically the risk of a foreign power impacting or invalidating such an election. While security by obscurity is not usually a best practice, it has been successfully used in the past. If you make something complex enough, it becomes very difficult to break.

With each state or sometimes county determining the voting process using multiple vendors’ products, and almost all of it not connected to the Internet, it will be very difficult for a coordinated attack against an American presidential election. But the more than fifty different results of the votes across the country are not the final result.

The Electoral College provides another level of defense. While the ballot may indicate a specific candidate’s name, in a presidential election you are voting not for a candidate but for an elector who may promise to vote for that candidate when they “meet” in mid-December. (Today they don’t actually physically get together, but they vote on the Monday after the second Wednesday in December.) Maine and Nebraska apportion the electors based on the popular vote in the state; the other states are “winner-take-all.”

To win, a candidate must get a majority of the Electoral College votes cast, not the largest number of votes cast. Currently, that means that a candidate must have 270 votes to win. The president and vice president are voted on separately in the Electoral College. In case there is no candidate with a majority, the House of Representatives selects the president and the Senate selects the vice president.

The intent of the Electoral College was that the electors would discuss the various candidates and decide on a candidate, hopefully representing the views of the people who voted for the electors. Today, of course, the electors are expected to vote for the candidate they represented on the ballot. Twenty-four states have laws to punish an elector who does not vote for the candidate they represent, but there are no federal laws covering that situation. In 1952, the Supreme Court ruled that such state laws were constitutional and that each elector is a functionary of the state, not the federal government. In other words, Congress may not pass a law restricting what an elector can do.

In case of the death, serious illness, or withdrawal of a candidate who had a majority of the electors before the Electoral College meets, the electors could choose another candidate, probably of the same party.

If no candidate emerges from the Electoral College meeting with a majority, the House of Representatives goes into an immediate session. For this “election,” each state has one vote, and a candidate must receive 26 of the state votes. A minimum of 34 states must be represented in this vote, and only the top three candidates can be considered. The session continues until the house elects a president. The House has chosen the president in 1801 (Thomas Jefferson) and 1825 (John Quincy Adams).

Similarly, the Senate goes into session and chooses between the top two vote getters for vice president. Each Senator gets one vote, and at least 67 Senators must be present. A candidate must get at least 51 votes to win, and the sitting Vice President does not get a vote. The senate chose the vice president in 1837 (Richard Johnson, VP for Martin van Buren).

It is therefore possible to end up with a president from one party and the vice president from another party, especially if different parties control the House and Senate.

The last word:

The constitutional process for the election means that no third party candidate is likely to become president. If the third party candidate does not get a majority of the Electoral College votes, but gets enough to prevent any other candidate from getting a majority, the election goes to the House. The existing members in their lame duck session are not likely to choose someone who isn’t a member of one of the two major parties.

However, this year there is one realistically possible, although unlikely, scenario where a third party candidate wins. And it is not Gary Johnson; it is unlikely that Johnson can get any electoral votes even if he gets more than 10% of the popular vote. But Evan McMullin could. McMullin is a 40-year old ex-CIA overseas operator with Middle East experience, plus experience as an advisor to the House Committee on Foreign Affairs, was the chief policy director of the House Republican Conference and holds standard Republican Party views on most issues. He is a Mormon, is running for President as an independent in Utah, and is polling just 4 percentage points below Trump in this historically solid Republican state. If Mitt Romney, another Mormon, endorses McMullin, it could push him over the top. If McMullin wins in Utah, he gets six Electoral College votes, possibly enough to prevent Hilary Clinton from getting 270 Electoral College votes. He is also on the ballot in ten other states, but unlikely to win any of them. If so, the election goes to the House. The Republican Party controls 33 of the 50 state caucasus, so Clinton will not win. But Trump has burned enough bridges that he will likely get less than the 26 required state caucus votes. The House keeps voting, and must pick from the top three Electoral College vote getters: Clinton, Trump, or McMullin. At some point, the Republican leadership will realize that having someone with Republican views as President is better than having Trump as President.

The Senate gets to choose from the top two vice president candidates, Pence and Kaine. With 54 Republican Senators, Pence will most likely become the Vice President.

Comments solicited.

Keep your sense of humor.

Walt.

Advertisements

Read Full Post »

With the news of targeted attacks against election systems, should the American voter be concerned that the upcoming presidential election could be manipulated or invalidated by a foreign government or cyber-terrorists?

In my view, the short answer is “no.” The reason is that the US election system is so complex and distributed such that there is no single attack point.

Our founding fathers deliberately set up this complex system because of the reality of the late eighteenth century. At that point, the newly born United States with its thirteen states was larger than any country in Europe, spanning over 1,000 miles as the crow flies. Messages and people could only travel at the speed of a walking horse or a sailboat. Just getting from New York City to Philadelphia would usually take at least three days. A voter in Boston would know very little about a candidate from Virginia. With slow communications in mind, the Constitutional Convention made a series of compromises in the summer of 1787 to balance the rights of the individual states and the power the national government needed to make a strong country. One of those compromises gave us our House of Representatives, representing the people, and the Senate, representing the states. For the current topic, the two important compromises were the creation of the Electoral College and giving each individual states control over the election. The result is that each state is responsible for the number of precincts and the number of polling places in that state, and the manner in which votes are cast and collected. While various voting rights acts have impacted the way precincts and districts are defined, the states still retain control over the voting process. In many states, this responsibility is passed down to the individual counties, so that voters could be using multiple voting mechanisms within the same state. A few states, like Oregon, have switched or are in the process of switching to mail only voting.

In the 2004 election, according to Election Data Services, there were about 186,000 precincts. Each precinct represented between 436 and 2,703 registered voters, with an average of around 1,100 registered voters per precinct.

ABC News reported that Russian hackers have targeted more than twenty state voter registration systems and have been successful in hacking four (Illinois, Arizona, Florida, plus another that I have not be able to identify).   Of course, these are the states that have actually made the effort to determine if they had been hacked. How many others have been attacked?

The US Department of Homeland Security (DHS) has offered to help state election boards stay secure, but as of this posting only eighteen states have expressed any interest in that help. DHS has also offered a more comprehensive on-site risk assessment. While four states have expressed interest, DHS is offering this service so late that it will likely only be able to provide one state this service before Election Day. This is yet another example of how the US government is late and slow to respond to cyber security threats.

These attacks may be more about stealing personal information for future identity theft activities, but it is difficult to determine the real purpose of these attacks if they are from Russia.

The good news is that these voter registration systems are not integrated into the actual voting systems. Even if a registration system is damaged, each state has procedures for a “provisional ballot.” You submit a ballot on Election Day, usually on paper in a sealed envelope, and election officials have time to research and confirm or deny the ballot after Election Day but before the official results announcement. Provisional and absentee ballots are generally only counted if they could possibly make a difference for any ballot position or question. The insertion of the Electoral College process provides a significant time window to deal with absentee and provisional ballots.

We have more than fifty different voting systems from multiple vendors distributed across all fifty states, plus precincts in the District of Columbia, territories like Puerto Rico and foreign locations including some embassies and military bases. Since almost all of these voting systems are not connected to the Internet, it will be very difficult for hackers to make a successful attack that can impact an election.

The last word:

This does not mean that we will have a fraud-free election, but it means that we need to continue to be vigilant for the relatively few cases of voter fraud, voter intimidation by groups or individuals, or “lost” ballot boxes. If you are sleeping too much, search for “lost ballot box” on Google.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

VoteIn addition to being a huge source of interest, amusement, annoying commercials, robo-calls, and anguish to all of us in the US, the 2016 election cycle is likely to drive cybercriminal and hacktivist activity. The Forcepoint 2016 Cybersecurity Predictions Report describes some interesting possibilities.

As an individual, expect to be targeted. By the 2012 election cycle, social media was an important method of getting a candidate’s message out, gauging voter interest, collecting donations, and promoting engagement hopefully leading to a vote. For some candidates, social media is at least as important as the traditional new media. Attackers will use the intense interest in this election cycle to create highly effective email lures and misdirects to push malware to the unsuspecting public.

Some of these attacks will be advanced cyber attacks against specific organizations unrelated to the election, potentially including your company. The cybercriminals will target individuals pursuing election-related information, with the expectation that the cybercriminals can gain access to personal or company information for financial gain or negative business impact unrelated to the election.

The candidates themselves, as well as the news media, will become vulnerable to attacks on their social media sites. These attacks may be by opponents, foreign governments, or hacktivists with a specific political agenda. Expect to see these attacks used to spread inaccurate messages and information. Even if a candidate can quickly correct the information, the false information lives forever and may impact the outcome of an election. In the US political circus, the message is critical.

These attacks on a candidate’s social media could also impact the data the candidate is collecting on probable voters and donations. Corrupting that data could have a huge negative impact on a candidate’s ability to run or fund a campaign.

InfoSec Institute published “Which Top 5 Presidential Candidate is Most Likely to Be Hacked?” back in October, 2015. The only candidate with an “A” rating was Ben Carson (remember him?), largely because he outsources donation and volunteer services and does not have an on-line store; he has a very small attack server. Hillary Clinton and Donald Trump got a “B,” Bernie Sanders and Jeb Bush got a “C.” Several of these candidates are using unsecured or only partially secured WordPress sites that may leak internal usernames and other information, making them relatively easy targets. While she did get a “B,” Hillary has the largest attack surface based on a quickly built custom application. Her development team’s motto is “ship early and often; done is always better than perfect.” Security may not be high on the team’s priority list, and security testing is likely to be a low priority task.

As the Forcepoint report points out, “Technology decisions made by candidates during their tenure can expose them to data theft attacks (as seen by Clinton’s use of a private email server).” It is also likely true that technology decision made during a campaign may give a hint as to how that candidate will behave relative to data security when elected. If you see a candidate reacting to incorrect information on their web site or social media, then expect that their concern about data security is very low. Put that on your scorecard as one factor as you decide how you will vote.

It will not be just the candidates’ web sites and social media sites, but also those of the hundreds of issue-related websites that represent PACs and other special interest groups.

The bottom line is that you need to be very careful. Before you click on a link in an email or on a website, carefully look at it. Even if you know the sender of an email, if all it says is something like “check this out” or some other short message, be careful: the email may only appear to be from a friend or co-worker. The safest way is to copy the link (right-click on the link and select “Copy Link Location”) and then paste that into your browser’s URL line and make sure you recognize the web site.

The last word:

SEAIf you think it unlikely that a foreign government would attack a candidate, consider the Syrian Electronic Army (SEA), a group of attackers supporting Syrian President Bashar al-Assad. Beginning in 2011, the SEA targeted political opposition groups within Syria, western news organizations (including the BBC, Associated Press, and The Washington Post) and human rights groups. The SEA has managed to send false tweets from Twitter accounts for 60 Minutes, Reuters, Associated Press, ITV News London, and many others. It has defaced the web sites of Forbes, NBC, CBC News, and hundreds of other sites including the National Hockey League.

Of course, the SEA is only one potential government sponsored hacktivist organization, and in my view, not the most dangerous by far. There is a reason why the US and China agreed to a pact to not use cyberattacks to steal company records for financial gain. Of course, China does not admit to ever having done anything like that. A careful reading of the pact indicates that the pact does not bar cyberattacks for other reasons such as political.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »