EXPERT SIGN-ON LETTER TO CONGRESS: SECURE AMERICAN ELECTIONS

 

June 21, 2017
 

Dear Member of Congress:
 

Faith in American democracy rests on the integrity of our elections. So it stands to reason that lawmakers and administrators from both political parties should prioritize efforts to minimize election security risks. While there has been encouraging progress to improve election security in recent years, too many polling stations across the nation are still equipped with electronic machines that do not produce voter-verified paper ballots. Many jurisdictions are also inadequately prepared to deal with rising cybersecurity risks.

We are writing to you as members of the computer science and cybersecurity communities, together with statisticians and election auditing experts, to convey our concern about these and other vulnerabilities in our voting system and to urge you to take the following simple, straightforward, and cost-effective actions to set meaningful standards to protect American elections. We represent both major political parties, independents, and a range of academic institutions and private sector organizations, but we are united in our belief that the United States, the world’s oldest representative democracy, needs prompt action to ensure prudent elections security standards.

Specifically, we recommend action to accomplish the following objectives:     
 

1. Establish voter-verified paper ballots as the official record of voter intent.

·  Phase out the use of voting technologies such as paperless Direct Recording Electronic voting machines that do not provide a voter-verified paper ballot.


2. Safeguard against internet-related security vulnerabilities and assure the ability to detect attacks.

·   Create firewalls (software barriers) between the internet and all voter registration, vote-tabulating machines, ballot delivery, and election management systems. Require layered backup systems to ensure that intrusions and corruption of the databases can be detected and corrected.

·   Review and document compliance with the recommendations and checklists prepared by the US Department of Homeland Security for security, penetration testing, network scanning, and detection and management of potential cyber-attacks. Review and track FBI security alerts.

·   Ensure that voting systems and information technology that supports voting systems have the latest security patches, and that those patches have been provided from trusted sources on trusted media. Limit physical access and regularly audit sensitive and critical election systems.

·   Discourage voters from voting online in any form—via web, email or fax—even in states where it is legal. Inform voters that electronically submitted ballots can be modified, copied, rerouted or simply deleted during transmission.

 

3. Require robust statistical post-election audits before certification of final results in federal elections.

·   Compare random samples of voting system totals to hand counts of the votes on the corresponding paper ballots.   

·   Audit in a way that has a large chance of detecting and correcting any incorrect electoral outcomes, whatever their cause.

·   Recruit technical experts to assist with tests and audits. Resources for finding experts, many of whom may provide pro bono services, include the Election Verification Network, professional societies such as the American Statistical Association, and academic institutions.

·   Allow public oversight of all audits, and prominently publicize all testing and audit results.

·   Report and publicize ballot accounting and final results in detail before certification.

This is not an exhaustive list of recommendations. However, the above items can form the basis of robust, enforceable, sensible federal standards that can restore needed confidence in American elections.

Signed,

 

1.   Ben Adida, Vice President, Engineering, Clever

2.   Andrew W. Appel, Professor of Computer Science, Princeton University

3.   Arlene Ash, Professor and Division Chief, Biostatistics and Health Services Research, Department of Quantitative Health Sciences, University of Massachusetts Medical School

4.   Michael Bailey, University of Illinois at Urbana-Champaign

5.  Ron Bandes, Cybersecurity member of the Pennsylvania Joint State Government Commission's Advisory Committee on voting system technology

6.  Mary K. Batcher, Founding Partner, BDS Data Analytics and Former Executive Director, Ernst & Young

7.   Steven M. Bellovin, Percy K. and Vida L.W. Hudson Professor of Computer Science, Columbia University

8.  Jan BenDor, MI Elections Administrator, MI Election Reform Alliance

9.  Matt Bishop, Professor, Department of Computer Science, University of California, Davis

10.  Matthew Blaze, Associate Professor of Computer and Information Science, University of Pennsylvania

11.  Scott Bradner, Professor, Information Science Department, Harvard University Extension School

12.  Harvey H. Branscomb, Election Quality, Colorado Voter Group

13.  Duncan Buell, Professor, Computer Science and Engineering and NCR Chair in Computer Science and Engineering, University of South Carolina

14.  Eric W. Burger, Research Professor and Director, Security and Software Engineering Research Center, Georgetown University

15.  David Chaum, ScanTegrity and Random-Sample Voting Projects

16.  Stephen Checkoway, Assistant Professor, Department of Computer Science, University of Illinois at Chicago

17.   Bryan Cunningham, Executive Director, Cybersecurity Policy & Research Institute, University of California, Irvine

18.   Robert K. Cunningham, Chair, IEEE Cybersecurity Initiative

19.   Reza Curtmola, Associate Professor, Department of Computer Science, New Jersey Institute of Technology

20.   David L. Dill, Donald E. Knuth Professor in the School of Engineering, Stanford University and Founder of VerifiedVoting.org

21.   Peter Eckersley, Chief Computer Scientist, Electronic Frontier Foundation

22.   David Evans, Professor of Computer Science, University of Virginia

23.   David J. Farber, Moore Professor Emeritus of Telecom, University of Pennsylvania and Adjunct Professor of Internet Studies, Carnegie Mellon University

24.   Ariel Feldman, Assistant Professor of Computer Science, University of Chicago

25.   Edward W. Felten, Robert E. Kahn Professor of Computer Science and Public Affairs at Princeton University; former Deputy United States Chief Technology Officer

26.   Bryan Ford, Associate Professor of Computer and Communications Sciences, Swiss Federal Institute of Technology Lausanne, Switzerland

27.   Carrie Gates, CEO, Securelytix Inc.

28.   Jeremy Gillula, Senior Staff Technologist, Electronic Frontier Foundation

29.   Alex Glaros, CEO, Center for Government Interoperability

30.   Ian Goldberg, Professor and University Research Chair, Cheriton School of Computer Science, University of Waterloo

31.   Sharon Goldberg, Associate Professor of Computer Science, Boston University

32.   Edward Gracely, Associate Professor of Epidemiology and Biostatistics, School of Public Health, Drexel University

33.   Matthew Green, Assistant Professor, Department of Computer Science, Johns Hopkins University

34.   J. Alex Halderman, Professor, Computer Science and Engineering and Director, Center for Computer Security and Society, University of Michigan

35.   Joseph Lorenzo Hall, Chief Technologist, Center for Democracy & Technology

36.   Eleanor O. Hare, Associate Professor Emerita, Department of Computer Science, Clemson University

37.   Candice Hoke, Co-Director, Center for Cybersecurity & Privacy Protection, Cleveland State University

38.   Ryan Hurst, Product Manager, Google

39.   Harri Hursti, Founding Partner, Nordic Innovation Labs

40.   David Jefferson, Visiting Scientist, Lawrence Livermore National Laboratory, Board of Directors, VerifiedVoting.org

41.  Jonathan Katz, Professor, Department of Computer Science, University of Maryland and Director, Maryland Cybersecurity Center

42.  Joe Kiniry, CEO and Chief Scientist, Free & Fair

43.  Alex Kreilein, Managing Partner and Cofounder, SecureSet Accelerator

44.  Jack I. Lerner, University of California, Irvine, Director, UCI Intellectual Property, Arts, and Technology Clinic

45.  Mark Lindeman, Adjunct Assistant Professor, Department of Political Science, Columbia University

46.   Victoria Collier, Director, National Election Defense Coalition

47.   Margaret MacAlpine, Election Auditing Specialist and Systems Testing Technologist, Nordic Innovation Labs

48.   David A. Marker, Senior Statistician and Associate Director, Westat

49.   Marilyn Marks, Executive Director, Rocky Mountain Foundation

50.   Morgan Marquis-Boire, Director of Security, First Look Media

51.  Neal McBurnett, Independent Election Integrity Consultant; Colorado Risk-Limiting Audit Representative Group member; Board of Directors, Center for Election Science

52.  Bruce W. McConnell, Global Vice President, EastWest Institute and Former Deputy Under Secretary for Cybersecurity, U.S. Department of Homeland Security

53.  Patrick McDaniel, Distinguished Professor of Computer Science and Engineering and Director, Institute for Networking and Security Research, Pennsylvania State University

54.  Aleecia M. McDonald, Non-resident Fellow, Stanford Center for Internet & Society

55.  Walter Mebane, Professor, Department of Political Science and Department of Statistics, University of Michigan

56.  Sascha Meinrath, Director, X-Lab, Palmer Chair in Telecommunications, Penn State University

57.  Suzanne Mello-Stark, Associate Teaching Professor and Cybersecurity SfS Program Manager, Computer Science Department, Worcester Polytechnic Institute

58.  Gregory A. Miller, Chief Election Technology Strategist, OSET Institute

59.   Justin Moore, Software Engineer, Google and Member of the Board of Advisors, VerifiedVoting.org

60.  Deirdre K. Mulligan, Associate Professor, School of Information and Faculty Director, Berkeley Center for Law and Technology, University of California, Berkeley

61.  Clifford Neuman, Director, Center for Computer Systems Security, University of Southern California

62.   Peter G. Neumann, Senior Principal Scientist, SRI International Computer Science Lab and Moderator, ACM Risks Forum

63.   Brian Nussbaum, Assistant Professor of Homeland Security and Cybersecurity, University at Albany

64.   Ben Ptashnik, Executive Director, National Election Defense Coalition, Retired Vermont State Senator

65.   Cooper Quintin, Technologist, Electronic Frontier Foundation

66.   Ronald L. Rivest, Institute Professor, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology

67.   Phillip Rogaway, Professor, Department of Computer Science, University of California, Davis

68.   Paul Rosenzweig, Professorial Lecturer in Law, George Washington University and Former Deputy Assistant Secretary for Policy, Department of Homeland Security

69.   Gabe Rottman, Deputy Director, Freedom, Security and Technology Project, Center for Democracy & Technology

70.   Avi Rubin, Professor, Computer Science and Technical Director, Information Security Institute, Johns Hopkins University

71.   Peter Ryan, Professor of Applied Security, University of Luxembourg

72.    Andy Sayler, Security Engineer, Twitter

73.    Fritz Scheuren, Former President, American Statistical Association (2006)

74.    Jeffrey I. Schiller, Computer Scientist, Massachusetts Institute of Technology and Former Internet Engineering Steering Group Area Director for Security (1994-2003)

75.    Bruce Schneier, Fellow, Harvard Kennedy School

76.    Alexander A. Schwarzmann, Professor and Head of Computer Science and Engineering Department, Director of the Center for Voting Technology Research, University of Connecticut

77.    E. John Sebes, Chief Technology Officer, OSET Institute and TrustTheVote Project

78.    Lt. Col. Tony Shaffer (retired), Senior Fellow, London Center for Policy Research

79.    Micah Sherr, Provost’s Distinguished Associate Professor, Department of Computer Science, Georgetown University

80.    Barbara Simons, IBM Research (retired)

81.    Ashkan Soltani, Former Chief Technologist, Federal Trade Commission

82.   Richard Spires, Former Chief Information Officer, U.S. Department of Homeland Security

83.    Philip B. Stark, Associate Dean, Mathematical and Physical Sciences and Professor, Department of Statistics, University of California

84.   Paul Stokes, United Voters of New Mexico

85.   Justin Talbot-Zorn, Truman National Security Fellow

86.   Vanessa Teague, Senior Lecturer, School of Computing and Information Systems, The University of Melbourne

87.   Brad Templeton, Computing Chair, Singularity University and Chairman Emeritus, Electronic Frontier Foundation

88.   Zeynep Tufekci, Associate Professor, School of Information and Library Science, University of North Carolina

89.   Jessica Utts, President, American Statistical Association and Professor, Department of Statistics, University of California, Irvine

90.   Giovanni Vigna, Professor, Computer Science, University of California, Santa Barbara

91.   Poorvi L. Vora, Professor of Computer Science, The George Washington University

92.   Dan Wallach, Professor, Computer Science and Rice Scholar, Baker Institute for Public Policy, Rice University

93.   Mark Weatherford, Chief Cybersecurity Strategist, vArmour and Former Deputy Under Secretary for Cybersecurity, U.S. Department of Homeland Security

94.   Luther Weeks, Executive Director, Connecticut Citizen Election Audit

95.   Daniel Weitzner, Founding Director of the MIT Internet Policy Research Initiative and Principal Research Scientist, Massachusetts Institute of Technology Computer Science and Artificial Intelligence Lab

96.   Kenneth White, Director, Open Crypto Audit Project

97.    Filip Zagorski, Assistant Professor, Wroclaw University of Science and Technology

98.   Daniel Zappala, Associate Professor, Computer Science, Brigham Young University

99.   Amy B. Zegart, Co-Director and Senior Fellow, Center for International Security and Cooperation, Stanford University and Davies Family Senior Fellow, Hoover Institution

100.   Daniel M. Zimmerman, Principled Computer Scientist, Free & Fair

101.    Philip R. Zimmermann, Cryptographer, Creator of PGP, Associate Professor, Delft University of Technology, Netherlands

102.    Mary Ellen Zurko, Independent Cybersecurity Consultant

103.     Trevor Zylstra, President and CEO, IDVector

 

Please note: Individual affiliations are for identification purposes only and do not signify organizational endorsement.

The National Election Defense Coalition (NEDC) and coalition partners compiled signatures for this letter.