February 10, 2020 · Security Technology Hacking

Election Security: We Aren't Ready

Iowa was, to be sure, a mess but it only hints at the chaos that is certain to come. The technical security challenges present in our voting systems are well documented but we face other layers of risk. On top of those we'll have to deal with issues related to perception and the intentional distortion of issues that will only make matters worse, as Simon Handler points out at Lawfare:

The lesson to be learned from this disaster is not merely one about the  perils of smartphones in voting. It’s a vivid illustration of how public reaction to a mishap can be worse than the mishap itself.

But we can't take this to mean that things aren't as bad as they seem. In this case it doesn't work that way. It means that things are bad, more bad things will happen, and the distortion of those things will make the situation far, far worse. And I'm not even touching on the attempts to manufacture disinformation and undermine trust in our process. That is its own vertical.

EFF has a very clear stance on the use of technology in this arena and it's one that every technical person I know generally agrees with:

Voting is the cornerstone of our democracy. The mechanics of how we vote, and how those votes are counted, are critical to ensuring our votes are meaningful. EFF supports paper records for every vote, and automatic,  risk limiting audits for every election. We'll oppose legislation that doesn't include those two critical measures. EFF opposes online voting.

Sure it's possible to design and deploy secure systems but it is far from trivial, has to be done universally to make any sense, and has a number of process, behavioural, educational, and privacy implications that would have to be considered if it is going to be done well. You can't half-ass something like this. The gap between software that is theoretically bulletproof and software that is actually (almost) bulletproof is massive. You can't sprinkle blockchain and encryption dust on this and call it a day.

Unfortunately, the responsibility for securing our elections ultimately lies with state and local governments. Frankly, that pretty much tells you everything you need to know about the state of election security.

Miles Parks at NPR highlights one very simple step that could help - but hasn't been taken:

Local governments across the United States could perform a simple upgrade to strengthen voters' confidence that they are what they say they are: use websites that end in .gov.
Federal officials  control the keys to the ".gov" top-level domain, making it less likely that somebody could get one fraudulently and use it to fool people.
Domains  that end in .com or .org, meanwhile, could be set up by attackers to try to intercept users seeking information from real sources.

And if all of this isn't frightening enough, Zach Wittaker, and the GAO, are here to remind us all that the government still isn't quite ready:

Homeland Security’s cybersecurity advisory  unit “has not yet completed” its plans to secure the 2020 presidential  election, a government watchdog has said.
The report, published on Thursday by the Government Accountability Office, said the unit, CISA, is “not well-positioned to execute a nationwide strategy  for securing election infrastructure prior to the start of the 2020 election cycle.”

Not all blame lays with CISA, given the disconnectedness of it all, and I wholeheartedly agree with them on this critical point:

CISA works closely with the intelligence community, law enforcement officials, private sector partners, and others across the Federal Government to ensure we are doing everything possible to defend our electoral systems. But this needs to be a whole of nation effort.

Unfortunately, greater insecurity seems like a more likely outcome.


Previous Post: Staying Sane in an Insane World
Next Post: A New Counterintelligence Strategy