Podcast: Michigan Minds: Validation and verification for elections

October 14, 2024
EXPERT ADVISORY

In this episode of the Michigan Minds podcast, J. Alex Halderman—the Bredt Family Professor of Engineering and director of the Center for Computer Security and Society—discusses weak points in the U.S. electoral system and how to fix them, as well as the results of investigations following the 2020 election.

Kate McAlpine:

Welcome to the Michigan Minds Podcast, where we explore the wealth of knowledge from faculty experts at the University of Michigan. I’m Kate McAlpine, engineering news editor for the Michigan News Office. I want to welcome J. Alex Halderman, the Bredt Family Professor of Computer Science and Engineering and the director of the Center for Computer Security and Society, who will tell us about election security. Professor Halderman has been called to investigate elections, testify before Congress and co-chair the state of Michigan’s Election Security Advisory Commission.

To start off, can you give us a brief overview of your expertise on election security?

Alex Halderman:

I’m a computer scientist and my research is primarily about cybersecurity. One thread of that for many years has been the security of election systems. So modern elections are based on computer technology inherently: we use computers to register people to vote. We often use them to cast votes. We use them to count votes, we use them to report votes. And all of that rather complicated modern computer technology raises security questions because we’ve got to make sure that it’s secure, that it’s going to be trusted by the public and it’s going to be worthy of that trust. So going back now almost 20 years, one of the things that I’ve done in my research is examine and do security reviews of election equipment, systems for casting and counting votes.

Kate McAlpine:

What are the key attributes of a secure election process?

Alex Halderman:

Right. So at the highest level, what we need from a secure election process is that it has to be trustworthy and it has to be trusted by the public. By trustworthy, I mean actually difficult for attackers to violate the properties that we want: that the ballots are going to be secret, the results are going to be right, and the system is going to be available and operating on election day. By trusted, I mean that the public is going to believe that the system is going to keep their results secure and that it’s going to produce the right outcome. And those are a little bit different because, look, our elections today face threats of real hacking, including, as we saw in 2016, risks of attempted attacks from foreign nation states, some of the most sophisticated and well-resourced adversaries in the world. At the same time, as we saw both after 2016 and 2020, if people don’t believe the election result, well, that can be a major threat to our democracy too. And even if there is no attack, it can be possible for people who are politically motivated to discredit the results.

So we need both trustworthiness and to establish public trust. When the election is finished… It shouldn’t be finished until there has been enough scrutiny and enough transparency about the data and process for any rational observer to be able to establish that the result is very likely right. Now, traditionally, quite often we say, or the way our elections work, the public is expected to believe the result because there’s no obvious sign of a problem. We’re asked to trust the people and the technology involved. And I know lots of election officials, and by and large, they’re extremely trustworthy, upstanding people who really care about what they do. But at the same time, I don’t think that the public should be required to trust them in order to be able to have faith or confidence in the results. Rather than this kind of faith-based approach that we’ve taken, where you have to trust your election officials and the technology involved, we should have an evidence-based approach.

And what that looks like in practice is there are two really important core components. One is recording votes on pieces of paper, ballots marked by voters when they can. For voters who need some kind of technological assistance, that’s okay, but people who can vote by marking a piece of paper should be doing that. And then two, we need a public process that inspects enough of that paper to establish with high statistical confidence that the result is correct. This is called a risk-limiting audit, and that’s something that the National Academies has called on every state to do for every major contest. We’re still unfortunately at the point where not all states have paper trails of any kind. There’s one left that has no paper. Several states don’t have paper that’s marked by hand for the majority of votes, and only a few states are regularly conducting statistically rigorous audits to ensure that the outcome matches what’s on those pieces of paper.

What you get with a system like this is you get a system where problems with the election technology cannot affect the ultimate outcome, because a piece of paper marked by hand can’t later be changed in a cyber attack, and any error or any attempted fraud during the electronic counting process would be surfaced and corrected by that kind of risk-limiting audit I’m talking about. So these are components that can generate a process that produces evidence through observation of that auditing process, through humans looking at the pieces of paper that the election outcome was right. And it’s a process that is resilient to any error or hacking of the computer technology involved in the casting and counting process.

Kate McAlpine:

So how does it feel to be in computer science and be like, “The computers can’t hack this, we need to go back to paper”?

Alex Halderman:

Well, it may seem retrograde to be calling for paper ballots, but that’s almost the universal recommendation of security experts when it comes to voting. And really, when you think about it, it’s kind of a high-tech defense here in any kind of critical system. If we can have a physical fail-safe, that’s going to be much, much better than not being able to rely on one. So for instance, in modern aviation, we rely on sophisticated satellite-guided computer navigation systems, but still, by law, every aircraft has to have a magnetic compass in the cockpit just in case those computers fail. Or when you’re driving your car, you really want there to be some kind of physical linkage between the brake pedal and the brake just in case the electronic systems in your car stop working for whatever reason. So having a physical fail-safe in elections, what that looks like is the paper ballot, and these actual physical records we can go back and check independently of the election technology.

Kate McAlpine:

So how has the field changed now? You were saying before that we have political candidates who are using election vulnerabilities to undermine the confidence in election outcomes. How has that changed the field of election security?

Alex Halderman:

Oh, gosh. It’s made it just so much more complicated to pursue greater security in election systems. Looking at the timeline of things, just in 2018, the National Academies came out with a consensus report, its strongest form of policy guidance, that highlighted numerous problems with the security of election technology and the administration of election security. Everything from lack of resources, to aging infrastructure, to simply finding that it would ultimately not be possible to guarantee that the computer systems involved in voting would be safe from cyber attacks absent having the kind of physical fail-safes that I’ve discussed. But then two years later, in 2020, we had one political candidate who was the sitting President of the United States alleging that the election result had been stolen by hacking. We had his head of the Cybersecurity and Infrastructure Security Agency, the federal agency responsible for election infrastructure security, publicly stating that the 2020 election was the most secure in history. It’s going off the rails in both directions. Neither of those is backed by good evidence.

So it’s become much more complicated. And the problem is that to make election security much better, it’s going to require coordinated action across the country. We need continued resources for state and local election offices in order to upgrade equipment and upgrade security measures. We probably need federal policy changes in order to coordinate auditing after federal elections in jurisdictions across the country to make sure everything is audited that needs to be. And it’s hard to get either of those things without public support for the issue. But unfortunately, election security has become so politicized, especially post-2020, that it’s very difficult to have a nuanced public conversation about it. People either think that you are some kind of election denier claiming that 2020 was all a fraud, or that just by mentioning the issue, you’re going to suppress the vote. All of this is counter to the goal, unfortunately, of making sure elections are worthy of people’s trust.

Kate McAlpine:

So let’s say that I am in one of those states where they use ballot marking devices. How can I try to make sure that my vote is accurate and what do my election officials need to do?

Alex Halderman:

Right. So how you vote, what the risks are going to be and what you can do is going to vary a lot based on where you live. In Michigan, for instance, essentially every ballot is recorded on a piece of paper, and the vast, vast majority of those pieces of paper are marked by hand in the way that scientists recommend. So we are in relatively good shape, but other places, for instance the state of Georgia, use a very different voting system where every voter who goes to a polling place is going to use a touch screen computer to mark a ballot that then gets printed out and scanned in and counted by machine. Now in Georgia, I have gotten to do a hands-on security analysis of their current voting system as part of a long-running lawsuit in which I served as an expert. And I found numerous vulnerabilities in those touchscreen ballot-marking devices, as they’re called, some of which could allow an attacker to smuggle in malicious software that would change what was recorded on that ballot.

Those ballots record the vote actually in two ways. They print out a summary of your choices in a way you can read, but also they print a QR code, a form of barcode on the ballot. That’s actually the only thing that is read by the ballot scanners. So one thing malicious software could do is change what’s in that QR code, so that the scanners record different votes than you thought you had intended. The best defense against that ultimately will be to do some kind of audit of the human-readable portion of those ballots. But for an audit like that to be meaningful, what’s printed on the ballot has to reflect what the voter really wanted to vote for.

So as a voter, very carefully reviewing your ballot to make sure that all of the choices actually are what you intended, and if anything is wrong, reporting that so that people know there’s a potential… A more systemic problem going on with the equipment. That’s the best way that you as a voter with those machines can protect yourself. If you have the option to vote by mail, that could also be a way to ensure that you get to vote a hand-marked ballot in a jurisdiction that uses ballot-marking devices with potential security problems.

Kate McAlpine:

So in 2020, Antrim County, Michigan was called for Biden, even though it was a solidly Republican district. You were called in to investigate. What did you find?

Alex Halderman:

Antrim County is a fascinating case. It has been one of the focal points of concerns about election integrity and indeed conspiracy theories ever since election night in November 2020, where, as you say, Antrim County really did announce the wrong election night results in the presidential contest and other contests all down the ballot. Although the state quickly ascribed the problem to human error, there was still significant public question about what happened, and a lawsuit filed in the state courts in Antrim alleging that the apparent problems were some kind of indicator of broader integrity problems or fraud. So the Michigan Secretary of State and Attorney General, after those problems occurred, commissioned me to do an independent investigation of what happened, to look into all of the data and forensic evidence, try to figure out what really happened and make sure the results were now corrected, and see what lessons we could find for what should be changed in the future to prevent the problem from occurring again.

What I found in my investigation was yes, the problem was ultimately caused by human error, but it was a much more complex chain of multiple errors by people in different places, coupled with deficiencies in the design of the election systems and computer software that allowed these errors to slip through. And although the presidential contest had been appropriately corrected, there were still minor lingering errors in down-ballot races that slipped through even the final certified results, including, in the worst case, a one-vote difference in a local ballot measure that probably did cause that contest to have the wrong outcome. So it’s a mixed lesson.

The analysis showed, on the one hand, that the presidential outcome almost certainly is exactly right, and we know that in Antrim County because the initial errors are exactly explained by this relatively small human error that we know happened in the configuration of the equipment. And we know that furthermore because the state went in and counted the presidential vote on every single one of the paper ballots and got almost exactly the same result as the final corrected official count. On the other hand, these lingering errors in other down-ballot contests that I found, which had not been corrected despite the intense scrutiny that Antrim got post-election, highlight how fragile our election results can be, how much they are dependent on care by the human operators in the system at every level.

In Antrim, unfortunately, not only did the election official configuring the system make a mistake, but there were further mistakes by poll workers on election night and then, after the election, by people who were tasked with canvassing the results and checking them for mistakes like typos. And as a result of those errors lining up, certain errors in the election results slipped through even all the way to certification and the ultimate determination of the winners. So problems can happen, elections can sometimes get the wrong result, and that’s why we need better engineering, better science applied to the problems of combating human errors, making systems usable for officials, having better, more scientific quality controls in place, and of course having protections against hacking.

One of the things I found during my Antrim investigation was that there was no evidence whatsoever that those deficiencies had been attacked or exploited during 2020. I looked and there wasn’t any. We learned certain things that should be corrected for next time, and I think the state has beefed up some of its controls at the county level across the state going into 2024. But I think the bigger picture is that this kind of post-election investigation is very, very rare in this country. It’s only happened a handful of times in the history of modern election technology. One of the focuses of my research today is to try to use science to make election administration stronger, and there are a couple of ways that we’re doing that. One problem we’ve been working on is how election officials test the configuration of a voting machine before voters go to use it on election day.

And for years, all across the country, officials have used a process called logic and accuracy testing, where they vote a set of test ballots and make sure that the machine produces the expected totals. And the goal of this is to make sure that the machines are essentially set up correctly, that they’ve been configured to count a bubble that’s marked in the first column in the first blank as a vote for candidate A, and in the next blank as a vote for candidate B, and so on down the ballot. If that kind of configuration is mistaken or doesn’t match what’s on the printed ballots, the machines can count the ballots in the wrong way, and a version of that affected parts of Antrim County in 2020.

The problem with current logic and accuracy testing processes is that they were developed almost a century ago for testing much less complex forms of voting equipment. So testing them required a much less exhaustive form of logic and accuracy testing than testing modern high-tech computerized voting equipment would. So the problem is the form of the test, the rules for how you do the testing, generally hasn’t been updated during that intervening 100-year period, at least with regard to the core question of: is the machine configured to count votes accurately? So in my research group a couple of years ago, I asked one of my PhD students, Braden Crimmins, to go and try to prove that it was actually impractical to do much stronger logic and accuracy testing than states do now.

That is, that in order to test all of the different ways that a machine could be misconfigured, you’d need so many test ballots that it would take hours and hours. And Braden, who is an extremely sharp Michigan student, ultimately did the opposite. He, along with a colleague of ours at the University of Illinois in the operations research field, was able to show that using some sophisticated modern algorithms, we could design tests that were tailored for each ballot and could detect configuration problems in a very, very broad range of possibilities while using no more ballots on average than the current state-of-the-art tests do. And we’ve been piloting that in small portions of the state of Michigan in partnership with the Michigan Bureau of Elections. So in real elections, people have used this technology, and we’ve recently, working through the Michigan Office of Innovation Partnerships, spun out a company to try to ramp this up to statewide scale, and the state of Michigan has just signed on as our new company’s first customer.

We’re hoping that this is something that can improve the security and efficiency of pre-election testing in states across the country, and ultimately help catch both human error and potentially attempted fraud before it can reach voters during an election.

Kate McAlpine:

So hopefully that would give us some of the evidence that voters need to believe election results.

Alex Halderman:

Well, so this is part of an evidence-based approach. In an evidence-based approach, we want to have paper ballots that every voter who can has marked by hand. We want to be rigorously auditing those paper ballots to make sure the outcome is right, but an audit of the paper ballots, if there’s been a problem with the computerized count, only tells us after the fact that the initial count was wrong or had some error due to human error or fraud. What logic and accuracy testing can help with is heading off problems before they can affect the count, or glitches before they can affect voters and generate those disturbing headlines that something had gone wrong. So the two go hand in hand, but there are certain types of human errors, or even relatively easy modes of attempting fraud, that logic and accuracy testing can catch first and catch early. It can’t catch everything that could potentially go wrong with a voting system, but it can head off these common or easy modes of error and fraud before they shake voters’ confidence.

Kate McAlpine:

In all your investigations and the investigations of others that you’ve read, have you seen any evidence that an election was hacked?

Alex Halderman:

It’s extremely important to bear in mind that while election systems really do have certain vulnerabilities that need further attention from the public, there is no good evidence whatsoever that those vulnerabilities have been exploited to change the outcome of any past US election. And the 2020 election in particular at this point is probably the single most scrutinized contest in all of American history. And despite state audits and investigations, independent scrutiny from parties all over the country, there is at this point no good evidence whatsoever that any election, any state contest as part of the 2020 election was affected by error or fraud that could have changed the outcome. There’s just no good evidence at all.

Kate McAlpine:

Thank you very much Professor Halderman for telling us about election security.

Alex Halderman:

All right, pleasure speaking with you.

Kate McAlpine:

Thank you for listening to this episode of Michigan Minds, produced by Michigan News, a division of the university’s office of the vice president for communications.

Contact: [email protected]


Michigan Minds is produced by Greta Guest and hosted by Michigan News staff. Jeremy Marble is the audio engineer and Hans Anderson provides social media animations.