Election Security is (mostly) Solvable

of American democracy, confidence in our voting system. Whether hacking takes the form of masking the original source of a campaign message to make it seem like it comes from the grassroots, so called astarturfing, or disseminating intentionally false information, it all leads Americans to question the legitimacy of the democratic process. In twenty sixteen, we discovered Russian backhackers were

responsible for disinformation campaigns. In response, Congress directed three hundred and eighty million dollars to the fifty states to boost election security. But did it really help? Is it useful to compare electoral outcomes to poll results? You're not going to believe it, right, I mean, the problem of voting, as opposed to any other computer security mechanism is that after the fact, it's partisan. Is there a problem with the expectation we have than that the winner of election

ought to be declared immediately? So yes, a slower process would enable us to do more checking before announcing anything. The American people don't like that. I mean, even going to sleep before knowing is bad. With increasingly long election seasons, I'd sleep better on election night hearing than my candidate one, But wouldn't we all sleep better knowing that whatever the result, it was guaranteed to be accurate. The tech is real, but the tech is solvable. None of what you've described

is exotic or untried. Why has it been so difficult to convince other states to put in place some of these already available voting techniques Because the problems are not technical. The problems are political Elections security is mostly solvable. Brush Schneier is an internationally renowned security technologist. He teaches cybersecurity at the Harvard Kennedy School. My co host Malcolm Gladwell talked with Schneier about the threats that loom over the

vote this fall. When we talk about elections being hacked, what does that mean? I'm assuming that there are fifty different things that fall under that category. So we'll talk about hacking the voting process, and that's a process by which you cast your vote. We also talk about hacking the broader electoral process. So when the Russians hacked the Democratic National Committee and posted a dump a lot of information online, they weren't hacking the vote. They were hacking

the overall election process. So you can talk about fake news and propaganda and astroturfing and all of those things hack the greater process, the conversation around the election. And that's one very separate branch. The other branch is hacking the vote itself, or the process by which you and I go to vote. And there you have four places where you can affect things, sort of affect the outcome.

The first is the registration process, and we've read about and seen different hacks on the voting rolls so that when you go to vote, you can't at that point this particular kind of hacking. Is it really about taking people off the rolls. It's a couple of things. In California some years ago, people had their party affiliation change from Republican to Democrat. You can change the address of somebody, so they go to vote and they were told to go to a different poll. And some of these are easy.

Many states have online systems to change your registration that aren't well authenticated. Others is to pull people off the voting roles. Others are to erase the voting roles. What happens if we get to election day in a certain state and the voting roles don't work and we don't know why. So a lot of things against the voting roles. The second is the thing we talk about all the time, which is the vote itself. Is your vote recorded accurately.

The third is the tabulation process. May no matter how you vote, there's this sort of automated, sort of manual process by which the numbers out of each machine get increasingly aggregated, the numbers in the building, the numbers and the precinct, the numbers in the town, the city, the state, you know, all the way up to the national if that matters. And then the last, which I think people

don't think about a lot, is the reporting process. And we have seen and this was something that we think is thwarted in eighteen erroneous reporting where the numbers are right. But the press release says the opposite of those four things that you've identified, Can we rank them in order of seriousness? Which is the one that worries you the most? I would not rank them. I think ranking is dangerous.

I think they're all risky. Yeah, if I'm a chaos agent, how did what's the level of difficulty involved in spreading chaos in the American electoral system. It will depend on the technology. So we can talk about voting machines and some are more secure than others. And I vote in Minnesota. We use optical scan voting. I have a piece of paper, I fill in ovals and then that is tallied using computer.

That is the gold standard. It is a voter verifiable paper audit trail now is real hard to mess with that, and you can mess with the tabulating, but there's a paper backup. You can do a recount. Some states vote on touch screen machines. We've had times those machines have opened up and that it's been zero to zero, zero to zero. What does that mean? Right? No votes to no votes? Something went wrong today. Those machines are a lot worse than you want them to be. The companies

keep them very secret, but there have been audits. At Defcon hacker conference, I think a couple of years ago, we had a bunch of machines and a voting village and they were all hacked. Companies say they're all flying, they're often online. There's a lot of ways to go after those those machines. So this isn't like hacking into the NSA. This is like, this is some This is a lot more garden variety kind of hacking that we're talking about. It's a lot more garden variety. Give me

a description of the most vulnerable system. What would be the one? Touch screens, touch screen voting. Anybody voting on touch screen voting is taking a chance. Now that's in the US country like Estonia, they have internet voting that is even more dangerous than going to a machine. Yeah, I can't design a secure internet voting system. I can't design a secure electronic voting machine. I can't do it.

It can't be done. We shouldn't do it. And you'll come back to me and say, we're banking over the internet. We're doing all these other things over the Internet. Why in the world is this different? Why is it different? The short answer is that voting requires anonymity. That when you think about everything else to do in the Internet, your name is attached as an account attached. If there's a problem, you can roll it back, you can figure it out. MAF you came back to me and said,

we're going to dump the secret ballots. Right, all votes are now public, right, you know, and we could decide that's a reasonable way to vote. The Switzerland voted that way for many years, the Romans voted that way for a lot of their elections. Then it's a different story. And actually I could do voting easily. I can vote

by app, we can vote by Facebook. All that will work because at the end of the day you can go look online at the tally of votes, make sure your name is in the right column, and you know the votes accurate. I'm not sure to understand the fact that voting has to be we have to have a secret ballot makes the task of digital voting. You're saying

very very difficult. Why exactly, I'm not following that. Why can't I have an authentication system to get into the voting booth, But then you anonymize me once I'm inside the booth and the electronic booth and record my vote. So that works great. They are systems that do that. And now the question is do we trust the computer security? Right?

Are the computers that are doing this somehow magically better than other computers and they're not, so there'll be lots of ways to hack into that, just like there are lots of ways to hack into corporate networks and banking networks and all those comut to security stories we find. Now, if someone hacks into your bank and changes bank balances, you will know that, you will see that, you will go to the bank, the bank will figure it out.

The difference is that in the election case, you might not know it would happen, and there's no way to recover because there is that anonymity, because there's that break between the registration right getting into the system, as you mentioned, and the voting your votes anonymized. I can't have an audit system, and I can't post on a public website everybody who voted for candidate A ever and voted for

candidate B. Now that's a check. You do that, and we will all though those of us who care enough of us will will look at the lists, make sure we're there, and we have very high confidence that no one's been moved without their consent. You can't do that with an anonymous ballot. So what if I just said to you, Okay, if the risk of hacking is as large as you say, it is, why don't we do

away with the secret ballot? We could. Now that's a voting question, that's not I mean I'm a computer security person. That feels like a political science question. I mean, let's have experts talk about that. We can talk about some of the some of the risks. The risks are going to be coercion. So if I am in, I'm gonna make this up an abusive relationship with you. You can tell me how to vote, and you can make sure I vote the way you want me to. You could

buy my vote and make sure I deliver. Yeah. Now, we're in a world where many of us are transparent about our votes, but there is political value in the secret ballot, and that is probably a discussion we should have as a society today. So setting that aside for a vote, that's one that's one branch we could follow. And so you're saying, if we decided to do with the secret ballot, it makes the job of people like you a lot easier. Actually, it makes it trivial. I mean,

it's suddenly it's solved. You download an app, you vote anyway you want, webs kiosk on Facebook, nobody cares. Yeah, how do we know when there's fraud, So is it entirely possible that a lot of the fraud that goes on because you're talking about systems like say with a touchscreen system, it's quite possible. You would never something could be hacking. You'd never know, right, And that's true in pretty much all hacking is your email hacked? Who's reading

your email? You don't know? Yeah, and you know. I mean it's a famous hack against Apple Photo Archive where photographs of celebrities were stolen and then published. Were they not published, we would never know. Examples of networks, equifacts they were hacked. They figured it out like five six months later by accident. Lots of hacking in our world goes unnoticed, and the more skilled you are, the more you can cover your tracks. You talk about government hacking,

I bet a lot of it goes unnoticed forever. Criminal hacking tends to be noticed because the crime is going to be financial and eventually you'll see you lost money and you'll try to figure out how. But hacking for information, I think there's a lot more that goes on at the state, the state level than we know about because it is largely done in secret. So you're talking about some of these systems, say, with the test screen system, it's very difficult, too impossible to figure out whether hacking

has taken place. But are there proxies we can use? I mean, is it useful to compare electoral outcomes to poll results? And is there other ways to flag at least suspicious outcomes? There is, but you're not going to believe it, right. I mean, the problem of a voting as opposed to any other computer security mechanism is that

after the fact it's partisan. You know, we can do polling and compare polling with the actual vote and stuff that didn't matter, like what color eminem we want to choose, and we can use that say oh yeah, look there's been the balance stuffing the purple eminem people organized on four chan and they have stuffed the vote. But if you do that with an actual election and you're on the losing side, how do you feel when someone says the actual vote was different than the polls, You're going

to say, no, what do you mean? The actual vote is what counts the polls, don't people lied on the polls. Silent majority will have all these reasons, So scientifically we might be able to use that as evidence, but politically that will never fly as anything because it is so partisan. Is there a problem with the expectation we have that then, that the winner of election ought to be declared immediately?

Should we start by abandoning that that notion? So? Yes, a slower process would enable us to do more checking before announcing anything. The American people don't like that, you know nobody, I mean, even going to sleep before knowing is bad in our system. If we could abandon the immediate knowing, the exit polls, the guessing, all of that. As an election security person, as election to reliability person, I would like that change. So it's all right, place

you can have that. How long do you need for close elections? You want a little more time because you want to make sure everything's accurate in a normal election. My guess is only a few days. Because what I want to do is do automatic audits on all elections. There are systems of audits we can do where the level of audit depends on how close the election is. If the election is ninety percent to one, you have to audit one ballot, or you know, ten percent of

the ballots. If it's fifty one to forty nine, you have to audit and to make this up twenty percent of the ballots. The numbers are actually actually a lot lower than that, So you know, two thousand Florida, we actually wanted a lot of time, and politically we couldn't get it because that was a badly designed ballot. So it was a slow, manual recount that was triggered. I think one of the I think the Gore team to ask for the recount according to law, so I want

automatic recounts that don't have to be asked for. That we just do as a matter of course because we don't know where there's going to be problems. So it's really right now, it's going to depend on COVID. So we're going to have an election that will be a lot of mail in votes at the last minute, and some of the states say they have to be postmarked on election day, so which means what they delivered three

days later and they are counted slowly after that. I worry that they will be preliminary results on election night and that the demographics of the mail the late mail in voters will be different. I don't even know how in what way, but you know, it's plausible that there'll be some demographic that waits at the last minute, and then you'll have the person who's was declared the presumptive winner on election night. Say I was robbed when two weeks later all of these mail in ballots swing the

election the other way. And I don't even know which party is going to benefit. Right that it's not even obvious to me. Let's do Bruce's optimal system tell me what election, what the electoral process should look like in the United States. So this is so, I think we have a problem in that we require separate registration. I think registration should come with citizenship when you turn eighteen,

and a lot of other countries do that. We have a separate registration process that has largely been a voter suppression process, and we should do away with it. So you're saying, at the age of eighteen, everyone automatically has the right to vote, and that's true, but they should all they should automatically be registered, they should have ability to vote. Yeah, how does automatic registration work in practical terms?

I mean, I don't know. You automatically get a source security number when you're born, so maybe something's flipped when you turn eighteen. I mean I don't know how these processes work. Yeah, but I think removing that separate step will make elections better and fairer and will increase participation. Yeah yeah, I'd like there to be. What the US doesn't have is an independent voting commission. A lot of countries have a bureaucracy that's in charge of voting. Candidate

does the UK does. We have a bureaucracy in charge of the census, a similar breaucracy in charge of voting, in charge of accuracy, not partisan this, I think we'll go a long way to making this more more secure. So we should do that, and that group will be in charge of making sure these voting lists are accurate, are current, are sent to the precincts where they need to be sent. If they are problems, they can there's

a helpline to figure it out. As much of this should be done with paperbackup as possible, because we all worried about computer hacking, the voting itself needs to be done on secure machines. I mentioned Minnesota optical scan of voting that is the gold standard right now and all cases, in all elections, we do an audit. The size of it depends on the margin of victory. None of what you've described is exotic or untried or a lot of times when we do these solvable podcasts, we're talking about

a solution that's off on the horizon somewhere. These solusions are not off on the horizon. There some chunk of it is in the state of Minnesota. Why has it been so difficult to convince other states to put in place some of these already available voting techniques because the problems are not technical. The problems are political. If you believe that your side benefit fits from ignoring the problem, why would you spend money on the problem. I mean,

voting machines are for profit enterprises in this country. There's government lobbying on spying and selling voting machines. It's not likely again getting back to a government bureaucracy in charge of accuracy, we don't have that. So if you are a company that makes touching voting machines, you're going to shove out all this kind of noise on how great your machines are, and the election officials don't know better,

and they're going to buy them. After two thousand, we had to help America Vote Act, where Congress apportioned a lot of money to give to the states to improve their voting machines. A lot of those went to computerized voting machines that have been dumped since then because of security problems. So this is a very political issue. My problems are in technological that's it's not core science, Yeah,

it's policy and politics. Do you think there might also be a kind of implicit bias that among some people that as we move towards more digital digitalization of the system, we're making it safer. In other words, are people assuming that the application of additional technology here is what will improve things and not you're actually you're you're arguing for a return to a much more traditional way of voting. And this is how we started the podcast, Right, what's

different about the risks of voting? So, yes, right, there's a belief that, you know, we're putting computers on this, Computers are good computers going to make this better, safer, faster, do all of these things, and it turns out security is uh, you know, ends up being something that's that's flowing in the other direction, and that that makes this harder. What can listeners to this podcast, what can ordinary citizens and voters do to to help advance the case of

most secure elections. So there are organizations that are advocating for accurate voting, Verified Voting, dot Org, the National Electoral Defense Coalition, There's a group called True the Vote, the Brennan Center for Justice. So those are some of the organizations I support and think we all should. But if this is not a political issue, this will not change fundamentally. That is the problem. The tech is real, but the tech is solvable. We need the political will to solve it.

We need the money to solve it. Bruce, thank you so much. This has been fascinating. Thank you again. Hey, thanks for having me. This is fun. That was Malcolm Gladwell speaking with security technologist Brush Nier. Remember to check out our show notes for links to the suggestions our guest mate for ways that you can get involved. Solvable is brought to you by Pushkin Industries. Our show is produced by Camille Baptista, Senior producer Jocelyn Frank. Catherine Girardou

is our managing producer. Our executive producer is Mia Lobell. Special thanks to Heather Faine, Eric Sandler, Carl Migliori and Kadija Holland. I'm Jacob Weisberg.