- Brad Friedman, The BRAD BLOG
"I follow the vote. And wherever the vote becomes an electron and touches a computer, that's an opportunity for a malicious actor potentially to...make bad things happen," CIA cybersecurity expert Steven Stigall explained, in a stunning presentation to a U.S. Election Assistance Commission (EAC) field hearing held one month ago in Orlando.
As initially reported earlier this week by Greg Gordon at McClatchy, "Stigall said that voting equipment connected to the Internet could be hacked, and machines that weren't connected could be compromised wirelessly. Eleven U.S. states have banned or limited wireless capability in voting equipment, but Stigall said that election officials didn't always know it when wireless cards were embedded in their machines."
"The CIA got interested in electronic systems a few years ago," Gordon reports Stigall as explaining at the EAC hearing, "after concluding that foreigners might try to hack U.S. election systems."
But as disturbing as Stigall's presentation was, what's almost as disturbing is that it took more than 11 days, McClatchy's coverage, a number of FOIA requests from VotersUnite's John Gideon (a frequent guest blogger here), and a couple of articles from BRAD BLOG alum, Michael Richardson of the Examiner (his coverage is here and here), before the EAC finally released the complete transcript of the meeting [WORD], including Stigall's remarks.
"The presenter did not provide the presentation, 'Computers and Elections: The Growing Potential for Cyber Vote Fraud', to the EAC, so we have no materials responsive to your request," Gideon was told in response to his Freedom of Information Act (FOIA) request to the EAC, as reported by Richardson. "We received the transcript on March 16, 2009, and it will be publicly available in the next few days."
As of last night, 10 days since the EAC admits they received the transcript of their own event which had taken place 20 days earlier, they had neither sent it to Gideon in response to his request, nor posted it on their website. As of this morning, a month since the hearing, it's finally up on their website, thanks in part, no doubt, to the pressure brought on the EAC by the public to do so. Even then, Stigall's remarks are not posted separately, as other presentations are, but rather, one has to go looking for the full transcript of the actual event to find it. So why both the delay and obfuscation from the famously dysfunctional (a nice way to put it) federal agency? Make your own best guesses, since there is no official explanation for the moment.
Happily, there were others at the meeting who had transcribed the CIA cybersecurity expert's startling remarks --- decimating the idea of supposedly "secure" e-voting --- independently, who then helped to bring it to the public's attention. Clearly, the strongly pro-e-voting EAC had/has little intention of doing so themselves.
Stigall's presentation, and we've got much more of it excerpted below, includes a passel of disturbing thoughts. Many of them we've tried to impart on these pages for years, including comments which point up the dangers we've tried to warn about concerning pre-election voting machine "sleepovers" at the houses of pollworkers, and more indications of the dangers of Sequoia Voting Systems' clandestine, on-going relationship with the Hugo Chavez-tied Venezuelan e-voting firm Smartmatic, as we reported exclusively here one year ago --- to little interest from the corporate media, despite Sequoia's claims to federal investigators that they had severed all ties with the firm...
First, here's a bit more from Gordon's coverage at McClatchy:
Appearing last month before a U.S. Election Assistance Commission field hearing in Orlando, Fla., a CIA cybersecurity expert suggested that Venezuelan President Hugo Chavez and his allies fixed a 2004 election recount...
Steve Stigall summarized what he described as attempts to use computers to undermine democratic elections in developing nations. His remarks have received no news media attention until now.
Stigall told the Election Assistance Commission, a tiny agency that Congress created in 2002 to modernize U.S. voting, that computerized electoral systems can be manipulated at five stages, from altering voter registration lists to posting results.
"You heard the old adage 'follow the money,' " Stigall said, according to a transcript of his hour-long presentation that McClatchy obtained. "I follow the vote. And wherever the vote becomes an electron and touches a computer, that's an opportunity for a malicious actor potentially to...make bad things happen."
Stigall said that voting equipment connected to the Internet could be hacked, and machines that weren't connected could be compromised wirelessly. Eleven U.S. states have banned or limited wireless capability in voting equipment, but Stigall said that election officials didn't always know it when wireless cards were embedded in their machines.
The CIA got interested in electronic systems a few years ago, Stigall said, after concluding that foreigners might try to hack U.S. election systems. He said he couldn't elaborate "in an open, unclassified forum," but that any concerns would be relayed to U.S. election officials.
We'll post more disturbing excerpts from the CIA cybersecurity expert's presentation in a moment, but two issues of note were raised by Stigall, and in McClatchy's coverage, that we want to make sure to highlight here...
Exit Polls Are Accurate...(Everywhere but in the U.S.A., of course)
In addition to the troubling (if well-familiar to readers of The BRAD BLOG) assertions that Stigall makes about the dangers of e-voting in general, he goes on to explain, via the complete transcript, how a statistical analysis of an August 2004 referendum on recalling Hugo Chavez in Venezuela set off red flags among statisticians that the election was likely gamed by a "subtle algorithm" implanted into the e-voting system.
"[T]he mathematicians," Stigall pointed out in his presentation, "produced lots of interesting facts and figures in the statistics to show that [the voting patterns were] statistically really not possible. And they used that as an argument that Chavez, because of his complete control of the voting machines and their infrastructure, that Chavez was able to insert computer code into the system to adjust the vote surreptitiously."
Of course, as regular readers here know well, when similar statistics, compiled by well-respected mathematicians and university professors in this country were produced following the 2004 Presidential election, suggesting a similar statistical impossibility for the variance from Exit Polls to the final results declaring George W. Bush the "winner" of that election, the academics were dismissed as crackpots and conspiracy theorists, and the startling numbers were otherwise all but ignored by the establishment media and politicians alike.
"Polls in thirty states weren't just off the mark --- they deviated to an extent that cannot be accounted for by their margin of error," Robert F. Kennedy Jr. wrote in Rolling Stone in June of 2006.
"[W]hen exit polls revealed disturbing disparities in the U.S. election, the six media organizations that had commissioned the survey treated its very existence as an embarrassment," he explained, describing the alarming dismissal of Exit Poll analysis made by U. of Pennsylvania's Steve Freeman and others. "Instead of treating the discrepancies as a story meriting investigation, the networks scrubbed the offending results from their Web sites and substituted them with 'corrected' numbers that had been weighted, retroactively, to match the official vote count. Rather than finding fault with the election results, the mainstream media preferred to dismiss the polls as flawed."
"As the last polling stations closed on the West Coast," RFK continues, "exit polls showed Kerry ahead in ten of eleven battleground states --- including commanding leads in Ohio and Florida --- and winning by a million and a half votes nationally. The exit polls even showed Kerry breathing down Bush's neck in supposed GOP strongholds Virginia and North Carolina. Against these numbers, the statistical likelihood of Bush winning was less than one in 450,000."
But, in the end, Kennedy details in his landmark article, "In ten of the eleven battleground states, the tallied margins departed from what the polls had predicted. In every case, the shift favored Bush."
If, as Stigall alleges, the CIA's own mathematicians found a similar statistical anomaly in Venezuela to be of concern, why then are similar anomalies in the U.S. seen as little more than fringe "conspiracy theories"? We report, you decide.
One of U.S.'s Top E-Vote Companies, Still Tied to Chavez-related Firm
McClatchy's Gordon describes Stigall's explanation of how Chavez was likely able to "defeat the paper trail" in a post-election "audit" of the "receipts" produced by the country's supposedly "open source" touch-screen e-voting system, before explaining how the concerns about Venezuela's election system tie directly into concerns about the voting systems used in more than a dozen states across the U.S.:
Reacting to complaints that the arrangement was a national security concern, the Treasury Department's Committee on Foreign Investment in the United States launched an investigation. Smartmatic then announced in November 2007 that it had sold Sequoia to a group of investors led by Sequoia's U.S.-based management team, thus ending the inquiry.
But as The BRAD BLOG reported exclusively last year, the "sale" of Sequoia by Smartmatic was not all that it seemed, despite apparently having fooled federal legislators and the media into believing otherwise.
As we revealed, Sequoia --- one of this nation's largest voting machine companies, controlling 20% of the votes cast here --- uses software that is still actually owned by Smartmatic, the Venezuelan firm associated with Hugo Chavez. Despite Sequoia's claims to have broken all ties with the company, after the matter had piqued the ire of several members of Congress, and a number of rightwingers in the media (such as CNN's Lou Dobbs) and in the blogosphere, Smartmatic still retains the Intellectual Property (IP) rights to virtually all of the Sequoia voting systems now in use in the United States.
Court documents [PDF] obtained and posted by The BRAD BLOG last year, while covering the previously-unreported hostile takeover attempt of Sequoia by Hart Intercivic, a competing e-voting company, confirmed that Sequoia had no claim to the IP rights of voting systems bearing the name Sequoia. That, despite an agreement between federal investigators from the U.S. Treasury Department's Committee on Foreign Investment in the United States (CFIUS) and Smartmatic which disallowed even "indirect" control over Sequoia by the Venezuelan firm with murky ownership associated with Chavez.
Following our story, Sequoia CEO Jack Blaine further confirmed his company's continuing ties to Smartmatic during a hastily convened, "confidential" company-wide teleconference, scheduled to explain our exposé to Sequoia's rank-and-file employees who had previously known nothing about the attempted takeover by Hart.
"It doesn't matter whether you have the IP rights, or you don't have the IP rights," Blaine explained to an employee who inquired on the call about the IP rights licensing agreement Sequoia maintained with Smartmatic, as we'd disclosed. Blaine admitted --- while repeatedly stressing that information discussed on the call should remain confidential: "We have the source code, and we have the right to modify it any way we want to modify it...So it doesn't matter really whether we have the IP or not."
"I didn't particularly want the IP," Blaine revealed to employees on the "confidential" call, about the agreement he'd struck with Smartmatic when supposedly divesting from the Venezuelan firm. "As we've discussed in the past, I believe we've really come across the perfect time to change our portfolio going forward. And it's not gonna be dependent on the Smartmatic technology, or the IP or anything else. It's gonna be dependent on what we collectively believe the market, and what the future standards, will require."
In a later report we revealed that Blaine had blatantly lied to Cook County (Chicago), IL officials during testimony, in which they had expressed concern that the Smartmatic divestiture might be "a sham transaction designed to fool regulators."
But despite Blaine's misleading testimony to Chicago officials, and his company's own press release trumpeting the "new corporate ownership" of Sequoia in late 2007, maintaining that they'd "completely eliminate[d] Smartmatic's ownership, control and operational rights of any kind in Sequoia," the transaction was a sham which seems to have succeeded in fooling federal regulators.
Despite all of the hard evidence unearthed by The BRAD BLOG at the time, the matter has still not been picked up and/or advanced by the mainstream corporate media in this country, despite Sequoia/Smartmatic's e-voting systems continuing in use in more than a dozen states across the nation.
Gordon's McClatchy coverage of Stigall's remarks to the EAC panel represents the first coverage by a major outlet to revisit the matter to any extent since our series in March and April of last year, though he too has yet to deal with the Smartmatic ownership issues that we divulged on these pages a full year ago.
More From Stigall's Startling Presentation
The complete transcript of Stigall's remarks [WORD] offers much more than Gordon or Richardson's articles have been able to cover to date. One point after another underscores so much of what we've been reporting on these pages for years, but it's worth highlighting them in the exact words of a CIA expert whose job it is to monitor how electronic voting systems work --- or don't --- around the world:
- "For several years, I've worked with others in my organization to try and identify foreign threats, emphasis on 'foreign threats,' to important U.S. computer systems. A few years ago it occurred to us that that should include potential foreign threats to the computers upon which our elections in this country are increasingly dependent."
- "[W]hen I look at an election system, I'm not an election analyst. I'm not a political analyst. ... When I look at an election system, I see a computer system, because increasingly that's what they are. And to the extent that there are foreign hackers who have shown interest in developing unauthorized access into U.S. computer systems, that's where I get interested in it."
- "I am not a politician, a political analyst. ... I looked at this as a computer network, as a computer security issue. ... [Y]ou've heard the old adage, 'Follow the money.' Here I follow the vote, and wherever the vote becomes an electron and touches a computer that is an opportunity for a malicious actor potentially to get into the system and tamper with the vote count or make bad things happen."
- "I'm not so much looking at shenanigans on Election Day as I am all of the things that foreign actors try and do to effect the outcome of the election long before Election Day."
- "[A]ny computer hooked up to the Internet either through a wire or through a wireless connection is a portal for hackers. You've heard that and I'm here to confirm it very simply."
- "[I]f you think a computer is not hooked up to the Internet there's a variety of things that also are into play. We now have, of course, wireless connections. Perhaps a wireless connection is enabled, is file sharing enabled, this kind of thing. It's no longer enough simply to unplug something, to unplug that Ethernet jack or that, you know, 56K modem wire. A computer that is hooked up to the public Internet is problematic in this regard and the computerized registration of voters is the first indication we see that there's a potential for fraudulent behavior in the electoral process."
- "An electronic voting machine is a computer. That's the way we look at it. It has memory. It has so-called firmware, it has software built in to the hardware of the machine to tell it what to do, and most interestingly not only can it be networked but it can be interrogated from outside. It's a computer. That's essentially what it is, and because it's a computer it carries with it all the vulnerabilities that a computer has."
- "The first question that one asks about these voting machines is, are they password protected? Okay, well there's passwords and then there's passwords. Is the password the name of your granddaughter? Is it the name of your pet? If it is, I'm going to have that password in an hour. Not me personally, but I mean a dedicated hacker. That's what they do. If it's a so-called 'strong password', in which you use a mix of letters and numbers and special characters, you do greatly complicate the task for a malicious actor. But then you have to ask yourself, are the passwords changed from election to election or is it the same? And our favorite scenario, where I come from, is your password p-a-s-s-w-o-r-d? You would be surprised."
(Ed Note: We're not surprised at all. Diebold's default password, often never changed by the administrator, is "1111", and everybody has known that for years. And still, it's often not changed by election administrators in this country.)
On "sleepovers" and other pre-election storage issues that we've long tried to warn about here (we've been credited with having coined the word "sleepovers" in regard to the pre-programmed, election-ready voting machines that poll workers are often allowed to take home with them for sometimes days and weeks prior to the election, before bringing them to the polling place themselves on Election Day):
- "When I look at a foreign country, and I suspect that the regime may be playing games with the computer component of the election system, one of the first questions I ask is, where are those machines stored? Or where are they stored, period, long before Election Day and afterwards? And I want to know if those machines can be interrogated electronically remotely on Election Day. Is there a wire or a connection connecting those machines to, quite frankly, the public Internet?"
- "[I]n a traditional voting scheme the greatest opportunity for fraud that we have seen in other countries, is at the local level. When you introduce computers into the equation, you're moving that fraud potential upstream and you're allowing an electronic single point failure, meaning the potential for mischief, can occur higher up the food chain electronically much faster and affect a lot more people in terms of the vote count than would be the case of fraud at an individual level where again you're talking about the classic scenario where ballot boxes get thrown in the river or fraudulent ballots get produced; here it's electronic."
The greatest threat to e-voting security, as we've reported frequently over the years, based on the repeated warnings from computer scientists and security experts, is not from the voters on Election Day, but from election insiders who have access to the voting machines, memory cards and electronic tabulation computers. That, despite repeated admonitions from election officials and the e-voting industry that, though their systems may not be secure, we can trust that election officials and the company employees who often program and service them would never do anything untoward. Stigall seems to concur that assessment, made by election insiders about election insiders, is absurd:
- "[W]hen you look at all the reports from overseas about where computer vote fraud is most likely to occur, if you judge it simply by where all the reports in various foreign press or whatever discuss, it's pretty clear that the central election headquarters, which is where all the computers are processing the votes or the one computer, this is a place where a lot of this can occur."
The way the results of the 2004 election in Ukraine were transmitted and reported electronically, Stigall recounts, when the ruling party there was set to lose the election to the challenger, was startlingly similar to the allegations of what may have occurred on Election Night 2004 in Ohio when the incoming vote counts of the state's 88 counties were surreptitiously rerouted to a hard-right Republican firm in Tennessee, in the middle of the night, before the final numbers were released to the public and the media:
- "[The ruling party in Ukraine was] monitoring the vote count coming in from different parts of the country, and they were making subtle adjustments to the vote. In other words, intersecting the votes before it goes to the official computer for tabulation."
That's nearly the precise allegation of those who have questioned the Election Night results reporting system created by then OH SoS J. Kenneth Blackwell in cahoots with the GOP's high-tech guru Mike Connell. Based on those concerns, Connell was subpoenaed and then forced by a federal judge to give testimony in Ohio to plaintiffs who have had a long-standing voting rights lawsuit concerning the '04 Presidential election there. Not long after Connell was compelled to sit for a deposition with plaintiffs, on the Monday prior to Tuesday's 2008 General Election, following reports that he had been threatened by Karl Rove if he did not "take the fall" for what happened in '04, Connell died in a tragic single-engine plane crash in December.
- "I've referred a lot to hackers in this presentation, but understand I'm not really concerned about the 18-year old wannabes. I'm concerned about the 28 or the 38-year old folks who have been doing this a long time and who may be under contract for some other organization. In other words, an organized structured effort to throw an election, or to compromise a computer system in that context."
- "[W]here is the voter registration list before the election? Is it sitting on a computer that's hooked up to the Internet? Is it sitting on a computer connected to another computer that's hooked up to the Internet? Basically, that gives me an opportunity, simply, to reassert that the security of these elections that use computers begins long before Election Day and that the computers that hold that voter registration data should be nailed down in terms of their security, just as you would secure an electronic voting machine on Election Day. ... You don't want it hooked up to the public Internet in terms of, you know, voter registration data if you're concerned about securing those names."
Other than that, our years of reporting on the many concerns of e-voting here at The BRAD BLOG have been little more than the wacko, kooky, sour-grapes, fringe conspiracy theory ravings of a sore loser (even though we didn't vote for John Kerry in 2004).
CORRECTION 3/28/09: We originally referred to the EAC meeting in Orlando as a "field hearing", as McClatchy's piece did as well, and to Stigall's presentation as "testimony". In fact, though Stigall answered questions from election officials at the EAC meeting, at the end of his Powerpoint presentation, he was not under oath, nor cross-examined, and so, as an attendee at the meeting pointed out to us, it's inaccurate to refer to it as "testimony". We've corrected the article above to more accurately reflect the setting for Stigall's remarks to the EAC-convened panel.