At a recent Iowa State Association of County Auditors (ISACA) meeting in Iowa City, I heard officials from the Iowa Secretary of State’s Office (SoS) discounting the value of any news or reports coming out of the Voting Machine Hacking Village at DEF CON® 26.
I went to DEF CON anyway. I arrived on Thursday, soaked up as much as possible on Friday, and returned home on Saturday. As the metaphor goes: It was like trying to drink out of a fire hose.
Contrary to what the SoS said, I found the opposite. Every person I met seemed interested in elections, interested in the equipment we use, and interested in showing us the vulnerabilities of the equipment we use with an unexpected twist. That twist: What can I do to help election officials fix the problems?
Imagine. A bunch of techies who cared about our democracy and elections; who were asking tough questions; and receiving accurate answers from researchers who had obviously spent plenty of time studying the voting machines, many still in use across the country. One of the machines used in Iowa, an ES&S DS650 high-speed scanner (Linn County uses the DS850), was being analyzed by a team of twenty- somethings when I left the Village Friday evening.
I was reinvigorated to see so many strangers excited about voting machines. I have witnessed many public tests of Linn County’s voting machines over the years where no one attended our public tests. Maybe that will change going forward?
So what was the value of DEF CON to me and the taxpayers of Linn County?
Confirmation. Confirmation that Iowa’s biggest election vulnerability is the voter registration database, i.e., I-Voters, managed by the SoS, along with the I-Voters clients in each of the State’s 99 counties, and along with the voter registration databases stored on the electronic pollbooks (ePollbooks) in almost every county.
At one point, I came into the Village just as a couple of techs finished up successfully hacking into an ePollbook (not the one used in Linn County) while NHK Japan’s TV cameras were rolling. NHK interviewed me earlier in the day for a story they will broadcast before our November 6th election.
While Iowa has Election Day registration (EDR), which would become the backup for any voters deleted from a voter registration database aka the election register on Election Day; the confusion, frustration, and inconvenience of my 90-year-old mother having to re-register to vote on Election Day would undermine trust in our elections. And for those states without EDR laws, disenfranchisement would occur.
If you read David E. Sanger’s book – The Perfect Weapon (I am reading it now) – combined with the news reports about the Russians scouting some Iowa counties, you would likely conclude that some fourteen-year old in Prairieburg is not likely to be motivated to hack into I-Voters unless they were getting a million dollars in Bitcoin to do it. However, Bitcoins leave tracks; whereas, nation-states have the ability to skew tracks. Maybe we will know who did it; maybe not. And even if we have conclusive proof, will the suspected nation-state admit it? Come on Russia; admit it.
No. If I-Voters is going to be hacked – assuming it has not been hacked already – it will be by a nation-state. And even if I-Voters has been hacked and Iowa’s State officials know about it, they have likely been forbidden from telling me and my peers for fear of undermining the upcoming election. I guess they would rather wait until after the election to tell us, when we will already know the answer and be suffering the consequences. That will so much better for our democracy. Not!
Look. The SoS keeps telling us that the Russians were merely walking around the neighborhood turning the doorknobs, looking for an unlocked home. But they did not get inside the house.
I contend that their walking around the neighborhood was a distraction. When what they were really doing was hacking into an I-Voter’s client sitting in the Podunk (not a real name) County Courthouse via a thumbdrive that one of the employees thought fell out of another employee’s purse because it looked exactly like the one he uses at work. When that thumbdrive was inserted into a County computer the next day, it gave a nation-state remote access into I-Voters. And the malware has been there ever since. Waiting. Patiently waiting.
If I-Voters has already been hacked, I cannot do anything about it and I will not be told about it. So I have to do what I can do to remove any weaknesses in Linn County Elections – which my team has been doing since August of 2017.
Every county in Iowa is interconnected to every other county in Iowa via I-Voters as required by HAVA. While I do not believe Linn County is the weakest link in Iowa’s election infrastructure chain, it does not matter because the weakest link can affect Linn County. DEFCON confirmed that fact to me, too.
A couple of months ago, I talked to the Linn County Board of Supervisors (BOS) about deploying a tech from Linn County to assist other counties with shoring up their election infrastructure defenses. The BOS indicated I did not need their permission. I made the offer to the SoS and the Iowa’s Office of Chief Information Officer (OCIO). I never received a request from either office.
On July 26th, I asked the OCIO’s representative in front of 50+ county auditors how many of Iowa’s counties were still not being monitored by the OCIO’s Security Operations Center. He answered, “40”. That is the same number that he gave me in March 2018 when I asked the same question.
On that same July 26th, before leaving the Auditors’ meeting room, I told the SoS’s Deputy Commissioner of Elections that I truly believe Iowa’s elections infrastructure is vulnerable. His reply, “I appreciate your passion.”
Is Iowa’s elections infrastructure going to be ready for the November 6th general election? What is the likelihood it has already been compromised?
To the team who put together the Voting Machine Hacking Village at DEF CON 26. Thank you! To those who made elections related presentations at DEF CON 26. Thank you! To David E. Sanger for confirming what I have been saying about voter registration databases. Thank you! -Joel D. Miller – Linn County Auditor & Commissioner of Elections