
ElectionGuard’s innovative new uses

Last year, we announced ElectionGuard, our free and open-source technology to make elections more secure and, for the first time, to enable people to verify their votes were counted and not altered. Since then, we’ve achieved several important milestones including the release of the ElectionGuard software on GitHub, the announcement of our bug bounty program, and a successful pilot of ElectionGuard in a real election in Wisconsin earlier this year. We believe ElectionGuard has the potential to give people greater confidence in the security, reliability and results of future elections, and we expect to soon have more updates to share about ElectionGuard’s use in traditional voting systems. Today, I’d like to share an update on some projects where ElectionGuard is already being used in a variety of innovative ways.

Risk-limiting audits

We recently worked with VotingWorks, our nonprofit partner in the Wisconsin pilot, to incorporate ElectionGuard into Arlo, VotingWorks’ open-source auditing software. Arlo was used to conduct a risk-limiting audit in Inyo County, California, following the recent 2020 U.S. general election. A risk-limiting audit is a process election officials can use in paper ballot elections to efficiently confirm that, if a full hand count were performed, the same winner would be declared. By using ElectionGuard’s encryption in the audit process, VotingWorks was able to show a direct link between the election results and the audit results without compromising voter privacy.

House Democratic Caucus leadership elections

We were pleased to work with Markup – a technology provider that serves U.S. lawmakers – on a mobile app to facilitate remote voting for leadership of the House Democratic Caucus, chaired by Hakeem Jeffries (D-NY). Using the app, members of the Caucus successfully voted for their Caucus and committee leadership remotely through secret ballots. Votes cast using the app were encrypted with ElectionGuard’s homomorphic encryption, and Caucus officials were able to confirm that votes were correctly tallied. This was a great example of how ElectionGuard can be used in innovative ways to ensure a secure and verifiable voting process.

How did the app work? Caucus members used iPhones – which were issued to them and managed by the House IT staff – on which the app was installed. No personal devices could be used. Members were notified when it was time to vote, and the app took them through the choices one by one. At any time before submitting their vote, members could discard their ballots and start over.

Supporting the security of global elections

We designed ElectionGuard so that it can help provide enhanced security and verifiability across a range of voting solutions. For example, ElectionGuard supports voting systems that use paper ballots as the primary way to vote, as a backup or not at all. It is up to the voting officials responsible for the safety and security of their elections to determine the right voting solution for their jurisdiction and situation. Special circumstances, like the Covid-19 pandemic, create unique challenges for voting officials, and we believe ElectionGuard can support a range of innovative solutions that can address both long-term voter confidence in democratic elections and short-term innovative solutions that enable trustworthy voting – even in the midst of a global health crisis.

It is more challenging to secure systems that enable general-purpose voting entirely over the internet. The use of ElectionGuard in a system like this can help address some, but by no means all, of the security issues presented. There are, however, many issues a jurisdiction may choose to consider in adopting an election solution, and some democratic governments might conclude that internet voting is preferred because, for example, it enables a much greater percentage of the population to vote.

Neuvote, a Canadian company, has developed a hybrid mobile voting system in which voters connect to a remote ballot-marking device that enables them to cast and confirm a paper ballot from a smartphone or tablet while watching the process on their device. Each paper ballot cast is accompanied by an electronic vote record that Neuvote secured with ElectionGuard. Their system is designed so that the paper ballot can be tracked, audited and matched with the electronic tally. It was user tested at the recent “Future of Elections” conference in Brazil on November 15. At this event, Brazilian voters tested and provided feedback on online voting options that could potentially be deployed in future elections. How the voters and the Brazilian government react to these tests will be interesting to watch.

To note, InfernoRed has been an important partner on ElectionGuard projects, and has worked with Microsoft to support the work we’ve done with Markup and Neuvote.

The security and end-to-end verifiability of ElectionGuard presents an opportunity to provide voters with new confidence in the trustworthiness of all elections. ElectionGuard uses strong encryption to secure people’s votes and allows voters to confirm their votes were counted correctly. It also enables third parties like news organizations, political parties and third-party watchdogs to run verifiers to confirm results were accurately tabulated – all without revealing any individual’s vote. We look forward to announcing, soon, additional ways in which the voters in the US and other democracies will be provided with the voting confidence that ElectionGuard can ensure.


How Microsoft helped combat ransomware ahead of US elections

Today we took action to disrupt a botnet called Trickbot, one of the world’s most infamous botnets and prolific distributors of ransomware.

As the United States government and independent experts have warned, ransomware is one of the largest threats to the upcoming elections. Adversaries can use ransomware to infect a computer system used to maintain voter rolls or report on election-night results, seizing those systems at a prescribed hour optimized to sow chaos and distrust.

We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.

In addition to protecting election infrastructure from ransomware attacks, today’s action will protect a wide range of organizations including financial services institutions, government agencies, healthcare facilities, businesses and universities from the various malware infections Trickbot enabled.

The Trickbot botnet

Trickbot has infected over a million computing devices around the world since late 2016. While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives.

In the course of Microsoft’s investigation into Trickbot, we analyzed approximately 61,000 samples of Trickbot malware. What makes it so dangerous is that it has modular capabilities that constantly evolve, infecting victims for the operators’ purposes through a “malware-as-a-service” model. Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end user computers, Trickbot has also infected a number of “Internet of Things” devices, such as routers, which has extended Trickbot’s reach into households and organizations.

In addition to maintaining modular capabilities for a variety of end purposes, the operators have proven adept at changing techniques based on developments in society. Trickbot’s spam and spear phishing campaigns used to distribute malware have included topics such as Black Lives Matter and COVID-19, enticing people to click on malicious documents or links. Based on the data we see through Microsoft Office 365 Advanced Threat Detection, Trickbot has been the most prolific malware operation using COVID-19 themed lures.

Disruption components and new legal strategy

We took today’s action after the United States District Court for the Eastern District of Virginia granted our request for a court order to halt Trickbot’s operations.

During the investigation that underpinned our case, we were able to identify operational details including the infrastructure Trickbot used to communicate with and control victim computers, the way infected computers talk with each other, and Trickbot’s mechanisms to evade detection and attempts to disrupt its operation. As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.

To execute this action, Microsoft formed an international group of industry and telecommunications providers. Our Digital Crimes Unit (DCU) led investigation efforts including detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen our legal case from a global network of partners including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec, a division of Broadcom, in addition to our Microsoft Defender team. Further action to remediate victims will be supported by internet service providers (ISPs) and computer emergency readiness teams (CERTs) around the world.

This action also represents a new legal approach that our DCU is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.

We fully anticipate Trickbot’s operators will make efforts to revive their operations, and we will work with our partners to monitor their activities and take additional legal and technical steps to stop them.

Impact to additional sectors

In addition to its threat to elections, Trickbot is known for using malware to reach online banking websites and steal funds from people and financial institutions. Financial institutions ranging from global banks and payments processors to regional credit unions have been targeted by Trickbot. For this reason, the Financial Services Information Sharing and Analysis Center (FS-ISAC) has been a critical partner and a co-plaintiff in our legal action.

When someone using a Trickbot-infected computer attempts to log onto a financial institution’s website, Trickbot executes a series of activities to secretly hijack the user’s web browser, capture the person’s online financial login credentials and other personal information, and send that information to the criminal operators. People are unaware of Trickbot’s activity as the operators have designed it to hide itself. After Trickbot captures login credentials and personal information, operators use that information to access people’s bank accounts. People experience a normal login process and are typically unaware of the underlying surveillance and theft.

Trickbot is also known to deliver the Ryuk crypto-ransomware that has been used in attacks against a wide range of public and private institutions. Ransomware can have devastating effects. Most recently, it crippled the IT network of a German hospital resulting in the death of a woman seeking emergency treatment. Ryuk is a sophisticated crypto-ransomware because it identifies and encrypts network files and disables Windows System Restore to prevent people from being able to recover from the attack without external backups. Ryuk has been attacking organizations, including municipal governments, state courts, hospitals, nursing homes, enterprises and large universities. For example, Ryuk has been attributed to attacks targeting a contractor for the Department of Defense, the North Carolina city of Durham, an IT provider for 110 nursing homes, and a number of hospitals during the COVID-19 pandemic.

Election security and guarding against malware

As we shared last month in the Microsoft Digital Defense Report, ransomware is on the rise. For organizations involved in the elections wanting protection from ransomware and other threats, we offer the threat notification service AccountGuard at no cost, which now protects more than two million email accounts around the world. We’ve completed more than 1,500 AccountGuard nation-state attack notifications to AccountGuard enrollees to date. We also offer Microsoft 365 for Campaigns, an easy-to-set-up version of Microsoft 365 that comes with intelligent and secure default settings at an affordable price. Finally, Election Security Advisors provide proactive resiliency services and reactive incident response for campaigns and election officials, also at an affordable price.

Our Digital Crimes Unit will also continue to engage in operations to protect organizations involved in the democratic process and our entire customer base. Since 2010, Microsoft, through the Digital Crimes Unit, has collaborated with law enforcement and other partners on 23 malware and nation-state domain disruptions, resulting in over 500 million devices rescued from cybercriminals. With this civil action, we have leveraged a new legal strategy that allows us to enforce copyright law to prevent Microsoft infrastructure, in this case our software code, from being used to commit crime. As copyright law is more common than computer crime law, this new approach helps us pursue bad actors in more jurisdictions around the world.

To make sure your computer is free of malware, visit support.microsoft.com/botnets.


The New Yorker: Can our ballots be both secret and secure?

Near the end of last year, I met Josh Benaloh, a senior cryptographer at Microsoft, in a conference room in Building 99 on the company’s sprawling campus, in Redmond, Washington, to talk about a fundamental problem with American elections. When we vote, we take it on faith that our ballots have been recorded—and recorded correctly. This is not always the case. In 2015, in Shelby County, Tennessee, hundreds of votes that were cast in predominantly African-American precincts disappeared somewhere between the polling place and the final tally. Where they had gone, and why, remains a mystery, because the ballots were cast on a touch-screen voting machine that did not provide a paper record. In 2018, three thousand votes went missing during a Florida recount. The next year, eight hundred uncounted ballots were found in a storage closet in Midland, Texas, after a hotly contested school-bond vote. To prevent these types of errors, Benaloh said, “You could, in theory, sign your name on your ballot and watch it go through the system.” In actual elections, however, that is precisely what is not supposed to happen. Our ballots are secret; after we drop them in the ballot box, they are, literally, out of our hands.

We don’t publish everyone’s name next to their candidate selections because, Benaloh said, “if we do that, we’ll also be opening up everyone to coercion and vote selling.” Both were features of American democracy well into the late nineteenth century, as voters revealed their choices in public—polling often took place during carnivals and festivals—either by voice or by dropping color-coded tickets, printed by each party, into a ballot box. By 1888, corruption had become so widespread that states began to abandon the spectacle. Voters in Massachusetts, following the examples of Australia and Britain, were the first in the U.S. to register their choices in a private space, on uniform ballots printed at public expense.

Since 2018, as part of a program called Defending Democracy, Benaloh has been working on voting software that attempts to solve the problem of trust in secret-ballot elections. At Microsoft, he is both a researcher and an internal consultant, using what he learns in his theoretical investigations to help the company develop secure products. His election software is based on a mathematical process that he invented called homomorphic encryption. Standard encryption obscures information behind unintelligible strings of letters and numbers; homomorphic encryption enables those unintelligible strings to be added together while still remaining behind the veil. Applied to elections, this technology could allow ballots to be aggregated, tallied, and verified without the individual votes having to be decrypted. If it worked, voters could check that their choices had been accurately counted, without anyone else ever seeing them.

At sixty years old, Benaloh is still boyish, with a stubbly beard and curly hair that is just beginning to gray. When he began thinking about how encryption might improve voting, as an undergraduate at the Massachusetts Institute of Technology, he had no sense that anything was wrong with the electoral system. “I didn’t really know a lot about elections,” Benaloh said. “I was a geeky kid growing up in New York who loved numbers, and elections were the time when everyone else was looking at numbers all day.” This was back when his surname was Cohen, before he married his wife, Laurie Blake, who was then a math teacher, and they scrambled the letters of their last names together. (“ ‘Ben’ sort of from the Latin prefix ‘benefactor,’ ” he told me, “and ‘aloh’ for the Hawaiian greeting ‘aloha.’ ”) While taking a class on cryptography, he started to see voting as a powerful way to show that the mathematical tools he was developing could be used to create a ballot that was transparent and private, and that the accuracy of elections could be verified from start to finish.

In 1987, after successfully defending his doctoral dissertation, titled “Verifiable Secret-Ballot Elections,” at Yale, Benaloh moved to Toronto, for a three-year postdoc appointment, and then to upstate New York, to teach computer science at Clarkson University. He continued to refine the math for end-to-end verifiable elections. This included an effort to figure out how to apply his research to voting by mail, which he is still attempting to do, but with more urgency, in the face of the COVID-19 pandemic. (“I’m getting close,” he told me recently.) He also settled on a method that would give voters a simple way to test the integrity of the process: they could “spoil” ballots. Unlike cast ballots, spoiled ballots would be decrypted, and anyone could check whether the choices they had made on those ballots were the ones revealed by the decryption. In 2012, Benaloh put his ideas into practice, as one of seven researchers tapped by the clerk of Travis County, Texas, to create an actual voting system from the ground up. “We were trying to design something that achieved the mathematical needs of end-to-end verifiability in a way that their voters could interact with,” he said. But STAR-Vote, as the system was called, never made it off the page and into the polling place.
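The additive tallying and the spoiled-ballot check described above, as an added example that is not taken from the article or from ElectionGuard's code. It assumes exponential ElGamal as the additively homomorphic scheme, uses constructed toy parameters (P, Q, G) that are far too small for real use, and all function names are hypothetical.

```python
import secrets

# Constructed toy group: P = 2*Q + 1 is a safe prime, G generates the
# subgroup of prime order Q. Real deployments use parameters of
# thousands of bits; these are for illustration only.
P, Q, G = 2039, 1019, 4


def keygen():
    """Return (private key, public key) for the election."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def encrypt(pub, vote):
    """Encrypt one yes/no selection as (G^r, G^vote * pub^r) mod P."""
    if vote not in (0, 1):
        raise ValueError("a selection must be 0 or 1")
    r = secrets.randbelow(Q - 1) + 1  # fresh randomness per ballot
    return pow(G, r, P), (pow(G, vote, P) * pow(pub, r, P)) % P


def combine(ciphertexts):
    """Multiply ciphertexts component-wise.

    The product encrypts the SUM of the underlying votes, so the
    tally is formed without decrypting any individual ballot.
    """
    a, b = 1, 1
    for ca, cb in ciphertexts:
        a, b = (a * ca) % P, (b * cb) % P
    return a, b


def decrypt_count(priv, ciphertext, max_count):
    """Recover m from an encryption of G^m, for 0 <= m <= max_count."""
    a, b = ciphertext
    # a has order dividing Q, so a^(Q - priv) is the inverse of a^priv.
    g_to_m = (b * pow(a, Q - priv, P)) % P
    acc = 1
    for m in range(max_count + 1):
        if acc == g_to_m:
            return m
        acc = (acc * G) % P
    raise ValueError("plaintext outside the expected range")


def audit_spoiled(priv, ciphertext, intended_vote):
    """Spoiled ballots are decrypted on their own and compared with
    what the voter meant to select; they never enter the tally."""
    return decrypt_count(priv, ciphertext, 1) == intended_vote


if __name__ == "__main__":
    priv, pub = keygen()
    votes = [1, 0, 1, 1, 0]  # constructed sample ballots
    cast = [encrypt(pub, v) for v in votes]
    print("tally:", decrypt_count(priv, combine(cast), len(cast)))

    # A voter intends "1" but a faulty device encrypts "0"; spoiling
    # that ballot exposes the mismatch.
    print("honest device passes:", audit_spoiled(priv, encrypt(pub, 1), 1))
    print("faulty device passes:", audit_spoiled(priv, encrypt(pub, 0), 1))
```

This sketch leaves out two things a deployed system needs: a proof attached to each ciphertext that it encrypts 0 or 1, and a decryption key shared among several trustees so that no single party can open an individual ballot.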

In 2016, after it became clear that Russian intelligence was probing state election systems, Benaloh took part in an extensive investigation conducted by the National Academies of Sciences, Engineering, and Medicine to determine the best ways to enhance the integrity of American elections. Its September, 2018, report, “Securing the Vote: Protecting American Democracy,” offered forty-one suggestions for making voting more secure, including adding end-to-end verifiability. By then, Microsoft had witnessed attacks on the electoral system firsthand. The company had provided cybersecurity services for both parties’ conventions in the previous election cycle; in July, 2016, during the Democratic National Convention, Microsoft’s threat-intelligence team noticed that a nation-state actor, later traced to Russian intelligence, was registering fake Microsoft domain names. Not long afterward, the team saw the same thing happening during the French and European Union elections. Fake domains are often the bait for phishing expeditions, and Russian hackers were initially targeting academics and consultants likely to be involved in key issues of a campaign. “If you’ve infiltrated an academic who is going to be an adviser to the Presidential campaign, now it’s easier to hack into the Presidential campaign,” Tom Burt, the company’s vice-president for customer security and trust, told me. “That person sends an e-mail saying ‘look at this really cool document,’ and they click on it and they’re infected.”

In 2018, Microsoft created the Defending Democracy program, which offered political campaigns a service called AccountGuard. The company trained campaign staff on basic cyber hygiene and monitored their accounts for malicious activity. (AccountGuard is now offered to nonprofits, academics, and political consultants in twenty-nine countries.) The program reached out to Benaloh to ask about the possibility of using the kinds of mathematical tools he’d been developing to create a verifiable voting system. “Josh had been thinking about this for a long time, but nobody had made the investment to do it,” Burt told me. “It was going to be expensive, but it was something we could invest in, and I was willing to take a risk.” (Burt, a rugged, silver-haired veteran of corporate law, would only tell me that the cost was “in the seven-figure range.”)

Benaloh began to conceive what an end-to-end encrypted ballot-system toolkit would look like. It would be a piece of software—an add-on to voting machines or scanners, not the hardware itself. It would also be system-agnostic, able to work alongside most kinds of voting apparatuses, whether digital or analog. As Benaloh told Congress last June, with an end-to-end verifiable election system, “voters will have the ability to use their unique tracking codes to look up their encrypted votes and confirm that they are unaltered and correctly counted.” Election officials, meanwhile, he said, “will be able to publish C.V.R.S.”—cast-vote records—“without releasing sensitive raw election data that can be abused by malicious actors.”


ElectionGuard pilot in Fulton, Wisconsin, is another step in making elections more secure

Tomorrow I’ll be in Fulton, Wisconsin, with a team of people from Microsoft taking one of many steps needed to prepare our ElectionGuard technology for broad adoption. Together with election officials from the state of Wisconsin and the election technology company VotingWorks, we will be piloting ElectionGuard in an actual election for the first time.

As voters in Fulton go to their polling place tomorrow to cast ballots in a primary election for Wisconsin Supreme Court candidates, the official count will be tallied using paper ballots as usual. However, ElectionGuard will also provide an encrypted digital tally of the vote that will enable voters to confirm their votes have been counted and not altered. Tomorrow’s pilot is one step in a deliberate and careful process to get ElectionGuard right before it’s used more broadly across the country.

Preparing technology for wide adoption is accomplished through incremental steps that enable iteration and improvement. We first demonstrated an implementation of ElectionGuard to cybersecurity experts and others at the annual Aspen Security Forum last summer. Then, in September, we shared the code for ElectionGuard as an open source project on GitHub so voting machine manufacturers, security researchers and others could begin testing it. We announced a bug bounty program, offering up to $15,000 to people who report security vulnerabilities with ElectionGuard so they can be fixed. The code was also tested for security vulnerabilities by NCC Group. Tomorrow’s pilot gives us the first chance to see ElectionGuard in action in a real election, to assess its performance and observe voter reaction. We hope to learn from this so we can continue to work with election officials in Wisconsin and other states – and with technology partners such as VotingWorks – to improve ElectionGuard. This is by no means the last step in our preparation; we anticipate many more pilots of ElectionGuard technology as we get it ready for prime time.

To be clear, the biggest credit for tomorrow’s pilot goes to the Wisconsin Election Commission and its Administrator Meagan Wolfe, as well as Rock County Clerk Lisa Tollefson for making the decision to try ElectionGuard so they can evaluate it for future use, and to VotingWorks, which designed and built much of the physical voting experience used in Fulton tomorrow. We’ve worked closely with the Commission and VotingWorks in recent months to test the system and voting machines for pilot use tomorrow, to conduct a public test of the machines even before the pilot, and to train polling place workers. We are also grateful to Connie Zimmerman, the Fulton Town Clerk, for enabling and supporting this pilot in the polling place she’s run for years, and to the Fulton Town Board, which voted to approve the pilot.

Tomorrow’s voting experience includes a three-step process. First, a voter will select candidates on a touchscreen and verify their choices. Second, the voter will print and review for accuracy a paper ballot and simultaneously receive a separate tracking code. Third, the voter will deposit their ballot into a ballot box for counting.

Behind the scenes, we will be able to tally the vote electronically, and compare the result to the official count. We will be able to test voter reaction to the great voting experience that VotingWorks has enabled using ElectionGuard. And we will be able to test, with the voters of Fulton, the verifiability of votes using ElectionGuard – which should enable voters to individually confirm that their vote was counted.

ElectionGuard, which we announced in May 2019, is open source software that will make elections more secure and end-to-end verifiable, enabling people to confirm their votes were counted and not altered and allowing news organizations or non-profits to build verifiers to confirm that election results were properly tabulated. ElectionGuard was built with the flexibility to be used in systems where paper ballots provide the primary vote count or where paper ballots are used as a backup. Additionally, ElectionGuard has been built to help ensure voting is accessible for people with disabilities and to give everyone a modern, fast and efficient voting experience.

Tomorrow’s pilot will occur at the Fulton Town office where we expect a few hundred votes to be cast. Both Microsoft and VotingWorks will have technical staff on site, and the town of Fulton has certified backup machines used in previous elections on hand should they be needed.


ElectionGuard resources now available on GitHub to enable secure, verifiable voting

In May, Microsoft CEO Satya Nadella announced ElectionGuard, a free open-source software development kit (SDK) from our Defending Democracy Program. ElectionGuard is accessible by design and will make voting more secure, verifiable and efficient anywhere it’s used in the United States or in democratic nations around the world. Today we’re announcing that ElectionGuard is now available on GitHub so that major election technology suppliers can begin integrating ElectionGuard into their voting systems.

The ElectionGuard resources available on GitHub today extend across four GitHub repositories, or storage spaces, each described below.

ElectionGuard specification. The ElectionGuard specification includes both “informal” and “formal” road maps for how ElectionGuard works. The informal spec is authored by Dr. Josh Benaloh of Microsoft Research and provides the conceptual and mathematical basis for end-to-end verifiable elections with ElectionGuard. The formal spec contains detailed guidance manufacturers will need to incorporate ElectionGuard into their systems, including a full description of the API – which is the way voting systems communicate with the ElectionGuard software – and the stages of an end-to-end verifiable election.

Software code. This repository contains the actual source code vendors will use to build their ElectionGuard implementations. It is written in C, a standard language commonly used by open-source software developers and includes a buildable version of the API. This documentation is also viewable here. This code was built together with our development partner Galois.

Reference verifier and specification. As we announced in May, ElectionGuard enables government entities, news organizations, human rights organizations, or anyone else to build additional verifiers that independently can certify election results have been accurately counted and have not been altered. The resources available on GitHub today include a working verifier as well as the specifications necessary to build your own independent verifier.

Ballot marking device reference implementation. Voting system manufacturers will be free to build ElectionGuard into their systems in a variety of ways. At the Aspen Security Forum in July, we demonstrated a sample voting system, built with the help of industrial designer Tucker Viemeister, that we believe showcased a great way the features enabled by ElectionGuard can be used in voting systems. The ballot marking device we demonstrated included accessibility features built under the guidance of the Center for Civic Design, authors of the original “Anywhere Ballot,” and incorporated the Xbox Adaptive Controller as an optional device to mark ballots. The ballot marking device open source repository released today includes a variety of tools and visuals necessary to build or augment real-world election systems using the best of ElectionGuard.

These are exciting steps that enable individual voters to confirm their vote was properly counted, and assure those voters using an ElectionGuard system of the most secure and trustworthy vote in the history of the U.S. As we’ve previously announced, all major manufacturers of voting systems in the United States are working with us to explore ways to incorporate ElectionGuard into their systems including Clear Ballot, Democracy Live, Election Systems & Software, Dominion Voting Systems, Hart InterCivic, BPro, MicroVote, Smartmatic and VotingWorks. We’ve worked deeply with many of these companies over the summer to prepare them for today’s SDK release.

Finally, we’ve continued progress toward pilot programs, including work with Columbia University’s Columbia World Projects, that will put voting systems running ElectionGuard in the hands of voters for the 2020 elections or sooner. We look forward to sharing more on these pilots shortly.
