Monday, December 19, 2016

Hacking Elections

We’ve heard it on the radio. We’ve seen it on the TV. We’ve read about it on social media. Election hacked … likely by Russia with direct involvement of Vladimir Putin. What do you think?

What do I think?

Well, I think hacking is a very serious threat to our way of life, our democracy, our economy, our government and corporate information, and the US as a whole.

What are we to do?

Speaking as a computer professional, I believe key risk issues for our modern, computer dependent society are issues relating to trustworthiness and must be evaluated based on the entire system, and must address the entire set of requirements (not just safety or security or reliability or resilience or robustness or whatever is critical to the particular system).

The number of key systems that depend on security is steadily increasing. This is in part the result of the reality that the systems we have to build upon are simply not trustworthy enough. (I'm referring to operating systems, network software, and Internet as a whole, etc.) However, it also results from a commercial factor that not enough commitment is made by developers and corporate users to significantly improve the situation. It also results from the fact that some government agencies such as the FBI and law enforcement in general have serious difficulties in dealing with even the already broken systems.

Thus the preponderance of security-related stories in the journals and the press. Things are NOT getting better. Contrary, they are getting worse. The so-called “Internet of Things” has even less security (and much less update capability) than the networks and computers we’ve all become so accustomed to now. We need better system engineering and a realistic goal of trustworthiness.

Whether it is stories of self-driven cars crashing, trains jumping off their tracks, spills (yes computers can be involved in these spills), or aviation disasters traced back to computer and automation failures, not to mention the loss of operator skills as “ease of use” leads our pilots and operators to depend too much on the automation tools built in modern devices. Remember those tales of drivers believing their GPS resulting in driving into lakes and rivers.

Some times it is as simple as the large expensive summer home in Aspin, Colorado that had all its pipes freeze when the batteries in the programmable thermostats died leaving the furnace off during a cold snap. Sometimes it is just one line of inerrant or obsolete code in a 100 million lines of programming. Sometimes it is failure to consider the odd corner case in testing and reviews, but then humans are fallible and computer software suffers from these human failures.

Yahoo just announced the largest hack yet and the loss of customer data — including poorly encrypted password files. And what about users that use passwords such as “password” or “S3CR3T.” (That’s secret with a numerical substitution.)

It is important to remember that no evidence has been reported that the recent presidential election was hacked. By that I mean some entity modifying voting machines to change the outcome. The current news is really about the emails and other information stolen from the Democratic National Committee and candidate’s staff emails accessed, stolen, and then published in WikiLeaks and elsewhere.

Very embarrassing for certain and, combined with the Hillary private server issues, created a drum beat against her candidacy. Further, it isn’t just these private communications being released, but the echo effect and constant drumming on social media combined with fake news and highly partisan news sites. Throw in the conspiracy theorists who are mostly certain the earth is flat and all those NASA pictures are fake and the moon landing was all Hollywood special effects. You certainly can “fool some of the people all of the time.”

More subtle were results from search engine algorithm manipulation effect. The commercial advertisers know how to raise the level of a post on Google or Bing, and the political campaign staffs are well aware of these Madison Avenue tricks.

Further, the proprietary software used by these commercial entities are protected by law and court rulings. We (and that may include the FBI and other responsible agencies) don’t even know what’s inside those black boxes.

Do I think the election machines were hacked? Well, honestly, no. There doesn’t seem to be any evidence of that occurring this time. But then would there be evidence? In 2016 about 80 percent of the U.S. electorate voted using outdated electronic voting machines that rely on proprietary software from private corporations. Some of these corporations are led by highly partisan entrepreneurs from George Soros on the left to the Koch brothers on the right.

A recent study by the Brennan Center for Justice at the New York University School of Law identified “increased failures and crashes, which can lead to long lines and lost votes” as the biggest risk of using these out of date systems, but it is important from a security perspective to realize that old software is riskier because new methods of attack are constantly being developed and older software is likely to be vulnerable.

Some of these systems provide almost zero auditing trail and paper documentation, so it begs the question if we would even know if the actual vote was hacked. In this modern, automated world of high cost of human labor, even the paper ballets are usually not counted by a human, but rather by a machine. At least in the case of paper ballets (such as those used in Colorado), there is a paper trail to study and evaluate error rates and possible malfeasance and hacking.

(In my opinion, this kind of auditing and recounting capability MUST be DEMANDED in all our voting machines.)

There’s plenty of room for human error when you try to count the hundreds of millions of voters in a national election, and there certainly are some elements seeking to defraud the election through multiple votes, denying certain groups from voting, and other shenanigans. But as any office worker knows, humans are error prone, but to really screw up takes a computer!

Will the next hack cause our entire electric grid to fail? Will the Russians or the Chinese steal the plans to our most advanced weapons? (Already happened.) And worst of all, even if we realize it happened, will we know for sure who did it?

My advice, improve the trustworthiness of all our automated systems. It won’t be cheap. But it might be the best money we ever spent. Do I think it will happen? No, I don’t think it will. We are going to keep on keeping on our current path toward Computer Armageddon. Forget about Skynet. A.I. isn’t the threat. It’s the old fashioned human intelligence … or the lack thereof.

No comments:

Post a Comment