The University of Pennsylvania's Matt Blaze is a legendary figure in cryptography and security circles; most recently he convened Defcon's Vote Hacking Village, where security experts with no particular prior knowledge of voting machines repeatedly and thoroughly compromised surplus voting machines of the sort routinely used in US elections.
Last month, Blaze testified before the House of Representatives' Committee on Oversight and Government Reform, at a joint hearing of its Subcommittee on Information Technology and Subcommittee on Intergovernmental Affairs on the cybersecurity of voting machines. His statement lays out comprehensively the problems with today's voting technology, how this state of affairs came to be, and what the US must do, urgently, to close a terrifying vulnerability in a foundational democratic process.
In particular, Blaze points out that voting machines were designed against the threat of a corrupt candidate trying to tip the count in their own favor, but that in the real world, nation-states attack each other's elections differently: the goal is disruption, discrediting the result by sowing enough doubt about the accuracy of the vote count to delegitimize the winner. That adversary does not need to change who wins; it only needs the count to be untrustworthy.
Blaze makes three principal recommendations: first, adopt precinct-counted optical scan ballots, which are machine-tabulated but leave a voter-marked paper record that can be recounted by hand if the software is suspect or compromised; second, conduct random "risk-limiting audits" after every election, to spot systemic problems as they emerge and to deny adversaries the opportunity to use small, low-profile elections as testbeds for larger, more ambitious attacks; and third, increase the funding and resources available to train local election officials "to help them more effectively defend their systems against increasingly sophisticated adversaries."
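Blaze's statement names risk-limiting audits but does not walk through one, so here is an added illustration, written for this page and not code from the testimony or from Blaze: the BRAVO ballot-polling risk-limiting audit of Lindeman, Stark and Yates (2012), one widely used RLA method, for a two-candidate contest. Ballots are drawn at random from the paper record and read by hand; the running Wald likelihood ratio T compares "the winner really has the reported share" against "the contest is actually a tie or worse", and the audit may stop early only when T reaches 1/alpha. That is what "risk-limiting" means: whatever the tabulation software reported, the chance that a wrong reported outcome escapes a full hand count is at most the risk limit alpha. If the sample runs out first, the audit escalates rather than confirming, which is why it works on a small local race just as well as a statewide one. The reported totals, the ballot populations, the sample size and the seed below are all constructed for the example.

```python
import math
import random

# Added example (not from Blaze's testimony): BRAVO ballot-polling
# risk-limiting audit for a contest with one reported winner and one
# reported loser.  Sampling without replacement, as done here, is
# conservative relative to the with-replacement analysis in the paper.


def min_consecutive_winner_ballots(winner_share, risk_limit=0.05):
    """Fewest winner ballots, if every drawn ballot is for the winner,
    that let the audit stop at this risk limit.  Useful for planning."""
    return math.ceil(math.log(1.0 / risk_limit) / math.log(2.0 * winner_share))


def bravo_audit(reported_winner_votes, reported_loser_votes,
                sampled_ballots, risk_limit=0.05):
    """Run a BRAVO audit over an ordered sample of hand-interpreted ballots.

    sampled_ballots yields 'w' (vote for the reported winner), 'l' (vote for
    the reported loser) or anything else (undervote / invalid / other), in
    the order the ballots were physically pulled.
    """
    total = reported_winner_votes + reported_loser_votes
    if total == 0 or reported_winner_votes <= reported_loser_votes:
        # A ballot-polling audit can only confirm a reported winner with a
        # positive reported margin; anything else goes straight to a recount.
        raise ValueError("reported winner must have a positive reported margin")

    s_w = reported_winner_votes / total     # reported vote share of the winner
    threshold = 1.0 / risk_limit            # stop as soon as T reaches this
    t = 1.0                                 # Wald sequential likelihood ratio
    examined = 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == 'w':
            t *= s_w / 0.5                  # winner ballot: evidence for s_w over a tie
        elif ballot == 'l':
            t *= (1.0 - s_w) / 0.5          # loser ballot: evidence against s_w
        # any other mark carries no information about the margin; T unchanged
        if t >= threshold:
            return {"confirmed": True, "ballots_examined": examined, "statistic": t}
    return {"confirmed": False, "ballots_examined": examined, "statistic": t,
            "action": "sample exhausted below the risk limit: expand the sample "
                      "or proceed to a full hand count"}


def draw_sample(ballots, n, seed):
    """Pull n ballots without replacement from the paper record, using a
    published seed so observers can reproduce the selection."""
    rng = random.Random(seed)
    return rng.sample(ballots, min(n, len(ballots)))


if __name__ == "__main__":
    reported = (6000, 4000)                  # constructed reported totals, 60/40
    print("ballots needed if every draw favours the winner:",
          min_consecutive_winner_ballots(0.6, 0.05))

    # Honest case: the paper ballots agree with the reported totals.
    honest = ['w'] * 6000 + ['l'] * 4000
    print("honest tabulator:", bravo_audit(*reported, draw_sample(honest, 400, seed=2018)))

    # Compromised tabulator: the reported 60/40 hides a real 45/55 result.
    altered = ['w'] * 4500 + ['l'] * 5500
    print("altered tabulator:", bravo_audit(*reported, draw_sample(altered, 400, seed=2018)))
```

With a 60/40 reported margin and a 5% risk limit, a sample in which every ballot favours the reported winner confirms the result after 17 ballots; a sample that alternates winner and loser ballots drives T steadily down and never confirms, so the audit escalates. The second run in the main block shows the case the testimony is about: the software reported one result, the paper says another, and the only way the bogus result survives is if the audit is skipped.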
Electronic voting systems must resist not only fraud from corrupt candidates and supporters, but also election disruption from hostile nation-state adversaries. This is a much more formidable threat, and one that current systems, especially those using DRE technology, are even less equipped to resist.
The most obvious difference between traditional fraud from corrupt candidates and disruption by hostile state actors is the expected resources and capabilities available to the attacker. The intelligence services of even relatively small nations can marshal far greater financial, technical, and operational resources than even the most sophisticated corrupt domestic criminal attacker. For example, intelligence services can be expected to conduct espionage operations against the voting system supply chain. In such operations, the aim might be to obtain confidential source code or to secure surreptitious access to equipment before it is even shipped to county officials. Hostile intelligence services can exploit information and other assets developed broadly over extended periods of time, often starting well before any specific operation or attack has been planned.
House of Representatives Committee on Oversight and Government Reform, Subcommittee on Information Technology and Subcommittee on Intergovernmental Affairs, Hearing on Cybersecurity of Voting Machines, November 29, 2017 [Matt Blaze/University of Pennsylvania Computer and Information Science]
(via Bruce Schneier)