‘Kill Chain’: HBO’s Election Security Doc Stresses Urgency

Credit to Author: Lily Hay Newman| Date: Mon, 16 Mar 2020 13:00:00 +0000

In spite of documented Russian election meddling in the 2016 United States presidential election, and years of warnings from security researchers about insecure voting infrastructure, the US has moved slowly to improve its election defenses. Now a new documentary, Kill Chain, is attempting to lay out the urgency of taking action before it's too late.

Many of the problems and insecurities in voting systems across the United States are straightforward, yet it's not easy to get voters—or lawmakers—to understand the risk or the path forward. That represents both a challenge and opportunity for Kill Chain, which like Netflix's Cambridge Analytica documentary The Great Hack, tries to make an assortment of sometimes esoteric technical issues tangible and compelling.

"It’s difficult material, which is why so many people don’t approach it and don’t cover it and don’t understand it," filmmaker Sarah Teale tells WIRED. "That was definitely the hardest thing was to find the language of the film that made it make sense and made it some sort of a story."

The film, which will air on HBO and its streaming services on March 26 at 9pm ET, focuses primarily on the life and work of Harri Hursti, a Finnish security researcher who demonstrated in 2005 that Diebold voting machines were hackable. Hursti has been a prominent voting security advocate ever since, and has lived in the US for more than a decade. The film looks at Hursti's past efforts to call attention to voting machine insecurity—including confrontations with manufacturers—but also maps his efforts since the 2016 US presidential election. In 2017, for example he cofounded the Voting Village at the Defcon security conference, which lets attendees analyze and attempt to hack multiple models of real, currently used voting machines. The endeavor has since brought multiple alarming flaws to light every year.

Kill Chain makes the case that voting insecurity in the US can and should be drastically improved. It focuses on the core issues, like voting machines that don't produce any type of paper record that can be used to verify an election's results. Or how the paper records some of the machines do produce contain a barcode or other machine-readable output that voters can't parse. Precincts need voter-verified paper backups in order to perform stringent post-election audits, like the gold standard known as risk-limiting audits. And even precincts and states that have the records to perform audits often don't have policies in place to actually carry them out. On top of all of this, election bureaus around the country still struggle to deploy strong defenses on their digital systems like online voter information databases, informational websites, and even infrastructure for reporting vote totals.

In addition to laying all of this out, Kill Chain delves into real and recent examples of irregularities that could have been the result of vote tampering. One example is a breach of Alaska's public elections website on election day in 2016 by the hacktivist known as CyberZeist. In an anonymized on-camera interview, CyberZeist himself says that he gained deep access to Alaska's vote tallying system and could have altered votes to influence the outcome of the election. The fact that one hacker could gain this access indicates that problematic vulnerabilities exist for any motivated attacker to find.

For Hursti, the challenge is striking a balance between sounding the alarm about these dangerous and destabilizing flaws so they can be fixed without the movement undermining voter confidence. Erosion of trust threatens and destabilizes the system in a whole other way.

"The problem is that voter confidence is down, you have to start by restoring that," Hursti says. "But without transparency you cannot really restore the voter confidence."

https://www.wired.com/category/security/feed/

Leave a Reply