Electronic voting machines and their software: Q&A with cybersecurity expert Bryson Bort


The Internet is rife with theories about voting machines and how they can be hacked. Various self-proclaimed smarties about computing have expounded theories as to how the Democrats changed votes. These theories have gotten shared widely online and even have made their way into a few media outlets. The media has reviewed and cast doubt on the claims being made about election software being compromised (e.g., here, here, and here).

But since some folks on the right are hesitant to trust the media, I decided to consult with an expert who works for a right-leaning think tank — Bryson Bort. He knows cybersecurity and elections software. He is a senior fellow at the R Street Institute and is an advisor to the Army Cyber Institute. He also founded SCYTHE, a start-up building a next-generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy. Bryson also co-founded the ICS Village, a nonprofit organization that advances awareness of industrial control system security. Bryson also served his country — he was a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom before leaving the Army as a captain.

Below is a transcript of our discussion yesterday, which has been edited for length and clarity.

Kosar: Let’s cut right to the chase: Were there any hacks of the US election this year? Has the government’s Cybersecurity and Infrastructure Security Agency found anything?

Bort: So, short answer: no. Second, CISA works in collaboration with the State Department, the Election Assistance Commission, the FBI, the United States Cyber Command, and the National Security Agency, as well as all of the local and state jurisdictions. All of those agencies, all of those organizations, all of those volunteers — which are bipartisan by the way — across 50 different states, have no evidence of any hacking at all. What we did see in the lead up was some noise, we’ve seen some websites get hacked, which is defacement. There were phishing campaigns where there were bad actors trying to gain access to more jurisdiction-level IT systems, but nothing in any way to impact the actual election.

A poll worker feeds ballots into a tabulation machine. Via REUTERS

Kosar: So what do you make of the claim — recently leveled by President Donald Trump — that the political left has some sort of access to the Dominion Voting Systems and changed votes for Trump into Biden votes? Dominion Voting, for anyone who has not heard of it, has been in business since 2003 and makes election hardware and software.

Bort: So I don’t know why Dominion in particular has been singled out, but there are three major election machine vendors: Dominion (you’ve noted), Election Systems & Software, and Hart InterCivic. Those three manufacturers account for about 80 percent of the machines that are throughout the United States. There are some other smaller ones, and all of them have been around for some years. There is nothing in particular around Dominion versus any of the other two, versus the smaller vendors, one way or the other.

There’s nothing special about Dominion versus the other vendors … we do forensics analysis and auditing all the time on these systems.

There have been, and I know that Donald Trump on his official Twitter account put out the NBC expose from the DEFCON Voting Village in 2019, so it’s really funny to see the first DEFCON callout by a sitting president. So the DEFCON Voting Village involves experts coming around to look at those kinds of things, like: What are the issues around the technical parts of this process? And so we bring voting machines in, and we demonstrate the different challenges with them. And absolutely, voting machines, like any other computer, have vulnerabilities. They do. That’s why, when you look at all of the work that’s been done — at the federal and state, to the local level, since 2016 actually — it has been putting in place a lot of safeguards and protections around these things to identify activity, which is why we can definitely say we haven’t seen anything happen. 

Because we’re really looking for it now. Previously, not so much. And so the only kinds of things you could really do to a voting machine would require close access to manipulate the machine, which you can go look at DEFCON videos demonstrating how that’s done. The irony is that in 2019 Rachel Tobac did a demonstration of that. And it was the Russians who amplified that vulnerability on social media. So they took what was good, sound research and amplified it for their own means to sow this very distrust and confusion. 

Kosar: So when you said physical manipulation, that implies a person being there to tamper with the machine itself, not someone trying to log in from somewhere?

Bort: Yeah, so anything that is internet accessible is hackable. A hacker can’t hack what they can’t touch. That’s what made the internet so wonderful for us … I can touch something through the internet, and a lot of these systems are more on the internet than they should be. No doubt that’s a concern. But, like I’ve been saying, that infrastructure to be able to protect and detect around that is much more robust now than it was previously. The only part that is still the same is somebody coming in and trying to do something to a machine in-person. They would need to be highly trained, they would have very little time to do it. He would need the right conditions, and then he’d only be affecting one machine.

Kosar: There also is this “Hammer and Scorecard” theory making the rounds, which has something to do with the Central Intelligence Agency or the deep state and votes being changed via software. What is that about?

Bort: This reads like a Tom Clancy novel. Until recently, I hadn’t heard of this one because it’s really that outlandish.

Let me break it down. Hammer is this mystical supercomputer that has been around for some unknown period of time. I went and read the primary sources where this guy named David Montgomery claims to have been a contractor with inside knowledge on this stuff. Apparently, in 2009, this supercomputer that had been around for some period of time, just running around exploiting things, and the Obama administration came in and gave the CIA a $5,000,000 investment to take this supercomputer to this extra high level, marrying it with this program called Scorecard, which is an automated exploitation framework. To translate to everyone at home: lots and lots of computing power was tied to this silver-bullet hacking solution to be able to get access to any computer.

Election worker Patricia Torres cleans an electronic voting machine at the Arroyo Vista Community Center in Moorpark on Tuesday, Nov. 3, 2020. The center saw nearly 600 ballots cast on the final day to vote. Via REUTERS

That’s just not how it works. And so then, to follow it up, the equipment was then supplied by the FBI, and then somehow this ties in the future to Robert Mueller. It started to become unclear. But, this is just a next level conspiracy theory.

So there’s so many holes in this. But in short, the claim is that in 2020, somebody somehow, I guess in the deep state, elected to turn this system on — to flip it so that Trump didn’t win reelection.

Now, the first obvious question to me is if the Democrats had this kind of firepower, why wouldn’t they have used it in 2016? The whole thing is just a Hollywood fever dream. It makes no sense.

Kosar: Yeah, I have seen a few news stories that indicate that this Montgomery fellow who is the source for this rumor has previously been involved in some strange activities.

Bort: He seems like an untrusted source to say the least, and there are a number of holes that you could poke through this thing. Stuff like that never stays hidden for long. I mean, look at the scope of the surveillance apparatus that the intelligence community had built and had started to snare US citizens back 10 years ago, and that’s what came out with Snowden. Those things started to make it out into the press in different kinds of leaks. These kinds of things can’t stay hidden forever. Even assuming it’s real — which it’s absolutely not, I assure you — stuff like this eventually comes to light because it’s just too many different people of too many different sensibilities coming together who would have to be part of a program like that.

Kosar: OK, so there is no evidence of elections software being compromised, no way software was manipulated to change votes. That said, are there real concerns about electronic voting machines and their software?

Bort: My starting point, if I were to have my druthers, would actually be around voter registration. Lots of third parties can get access to that information. If you recall, there was an incident before the election where — I can’t remember who it was — perhaps the Iranians, who leaked it to make it look like they had access to voting machines. So this is a great example of “I can undermine your trust and confidence in a system” versus having to actually hack the system. I think that’s an area where when we’re looking for free and fair elections with transparency, that trust is critical. And so just giving the illusion of hacking chips away at that. That’s what they were doing.

The voting systems themselves, like I said, there are three companies that have a near monopoly on the market. The structure of those companies is not open and transparent. Considering what they do, I think that’s something we should ask of them. Just like anyone who produces hardware or software, I think there should be a responsible disclosure policy, which allows access to those systems so that independent security researchers looking at them can say, “Hey, I found these things, and I want to disclose them.”

We have this concept called security through obscurity, which is the completely false notion that “You don’t know anything about my system, therefore it’s hard to hack it.” And that’s not true. Inevitably, that falls flat every single time. So we want to encourage them to move beyond that. Again, transparency sets you free. There have been pushes for them to be labeled as “critical infrastructure” — critical infrastructure also has responsible disclosure and this kind of engagement. Considering how important it is for the process of democracy, I don’t think they should be given any different treatment than what we would all expect reasonably to ensure they’re doing the right thing.

Last point, certainly it would be nice if the elections vendors were more open and supported better things, like a more robust vulnerability disclosure program … the voting machine vendors are still a little bit at odds with the independent researchers. Also, there is not full transparency behind the ownership of the three voting machine vendors. They’re owned by private equity firms, and who is exactly part of that is not clear. … So I think that’s something where the federal government could pass legislation that said, “Hey, if you’re going to take federal money, which of course all of them do, you should be required to disclose your ownership, just like we see in a lot of other federal government business.”

Kosar: Thank you, Bryson.

The post Electronic voting machines and their software: Q&A with cybersecurity expert Bryson Bort appeared first on American Enterprise Institute – AEI.