Dismantling Federal Assistance to US Elections — The Freeze/Thaw Cycle
We now have voting systems that have been vetted with standards and processes that are almost as Jurassic as the pre-Internet era.
This time I need to support my previous claims by explaining the freeze/thaw cycle in more detail, and connecting it to the outcome of voting systems that are not up to today’s job, as we now understand it, post-2016.
The First Try
EAC’s first try at voting system quality started after the year 2000 election hanging chad debacle, and after the Help America Vote Act (HAVA) designed to fix it. During the period of 2004 to 2006, the EAC was pretty busy defining standards and requirements (technically “guidelines” because states are not obligated to adopt them) for the then-next-gen of voting systems, and setting up processes for testing, review, and certification.
That first try was “good enough” for getting started on a way out of the hanging chad morass, but was woefully inadequate in hindsight. A beginning of a second try resulted in the 2007 recommendations to significantly revise the standards, because the hindsight then showed that the first try had some assumptions that weren’t so good in practice. My summary of those assumptions:
- Electronic Voting Machines (EVMs) were inherently better than paper-based voting, not just for accessibility (which is a true and important point) but also for reliability, accuracy, and many other factors.
- It’s OK if EVMs are completely paperless, because we can assume that the hardware and software will always make an accurate and permanent digital record of every voter’s choice.
- The then-current PC technology was good enough for both EVMs and back-office systems, because that PC tech was good enough for desktop computing.
- Security and quality are important, and can be “legislated” into existence by written standards and requirements, and a test process for evaluating whether a voting system meets those requirements.
Even in 2007, and certainly even more since then, we’ve seen that what these assumptions actually got us was not what we really wanted. My summary of what we got:
- Voting machines lacking any means for people to cross-check the work of the black-box hardware and software, to detect malfunctions or tampering.
- Voting machines and back-office systems that election officials can only assume are unmodified, un-tampered copies of the certified systems, but can’t actually validate.
- Voting machines and back-office systems based on decades old PC technology, with all the security and reliability limitations thereof, including the ready ability of any software to modify the system.
- Voting system software that passed testing, but when opened up for independent review in California and in Ohio, was found to be rife with security and quality problems.
Taken together, that meant that election tech broadly was physically unreliable, and very vulnerable, both to technological mischance and to intentional meddling. A decade ago, we had much less experience than today with the mischances that early PC tech is prone to. At the time, we also had much less sensitivity to the threats and risks of intentional meddling.
Freeze and Thaw
And that’s where the freeze set in. The 2007 recommendations have been gathering dust since then. A few years later, the freeze set in on EAC as well, which spent several years operating without a quorum of congressionally approved commissioners, and not able to change much – including certification standards and requirements.
That changed a couple of years ago. One of the most important things that the new commissioners have done is to re-vitalize the process for modernizing the standards, requirements, and processes for new voting systems. And that re-vitalization is not a moment too soon, just as most of the nation’s states and localities have been replacing decaying voting machines with “new” voting systems that are not substantially different from what I’ve described above.
That’s where the huge irony lies – after over a decade of inactivity, the EAC has finally gotten its act together to try to become an effective voting system certification body for the future — and it is getting dismantled.
It is not just EAC that’s making progress. EAC works with NIST, a Technical Guidelines Working Group (TGWC), and many volunteers from many organizations (including ours) that work in several groups focused on helping the TGWC. We’ve dusted off the 2007 recommendations, which address how to fix at least some of those consequences I listed above. We’re writing detailed standards for interoperability, so that election officials have more choice about how to acquire and operate voting tech. I could go on about the range of activity and potential benefits, but the point is, there is a lot that is currently a-building that is poised to be frozen again.
A Way Forward?
I believe that it is vitally important, indeed a matter of national security, that our election tech makes a quantum leap forward to address the substantial issues of our current threat environment, and the economic and administrative environment that our hardworking election officials face today.
If that’s to happen, then we need a way to not get frozen again, even if the EAC is dismantled. A look at various possible ways forward will be the coda for this series.
Kudos to EAC for Exploring Critical Nature of Election Infrastructure
Kudos to EAC for this week’s public Hearing on election infrastructure as critical infrastructure! After the 2016 election cycle, I think that there is very little disagreement that election infrastructure (EI) is critical, in the sense of: vital, super-important, a matter of national security, etc. But this hearing is a bit of a turning point. I’ll explain why in terms of: discussion before the hearing, then the aftermath, and then I will make my one most important point about action going forward. I’ll close with specific recommended steps forward.
Prior to this hearing, I heard and read a lot of negativity about the idea that EI is “critical infrastructure” (CI) in the specific sense of homeland security policy. Yes, late last year, DHS did designate EI as CI, specifically as a sub-sector of the existing CI sector for government systems. And that caused alarm and the negativity I referred to, ranging from honest policy disagreement (what are the public policy ramifications of designation) to par-for-the-course political rhetoric (an unprecedented Federal takeover of elections versus states’ rights, etc.), and just plain “fake news” (DHS hackers breaking Federal laws to infiltrate state-managed election systems).
The fracas has been painful to me especially, as someone with years of experience in the disparate areas of cyber-security technology (since the ‘80s), critical infrastructure policy and practice (since before 9/11), DHS cyber-security research (nearly since its inception), and election technology (merely the last decade or so).
Turning Point in Dialog
That’s why the dialogue during the EAC hearing, and the reflections in online discussion since, have been so encouraging. I hear fewer competing monologues and more dialogue about what EI=CI means, what official designation actually does, and how it can or can’t help us as a community respond to the threat environment. The response includes a truly essential and fundamental shift to creating, delivering, and operating EI as critical national assets like the power grid, local water and other public utilities, air traffic control, financial transaction networks, and so on. Being so uplifted by the change in tenor, I’ll drop a little concept here to blow up some of this new dialogue:
Official CI designation is irrelevant to the way forward.
The way forward has essential steps that were possible before the official designation, and that remain possible if the designation is rescinded. These steps are urgent. Fussing over official designation is a distraction from the work at hand, and it needs to stop. EAC’s hearing was a good first step. My blog today is my little contribution to dialog about next steps.
Outlining the Way Forward
To those who haven’t been marinating in cyber CI for years, it may be odd to say that this official announcement of criticality is actually a no-op, especially given its news coverage. But thanks to changes in cyber-security law and policy over the years, the essential first steps no longer require official designation. There may be benefits over the longer term, but the immediate tasks can and should be done now, without concern for Federal policy wonkery.
Here is a short and incomplete list of essential tasks, each of which I admit deserves loads more unpacking and explaining to non-CI-dweeb people than I can possibly do in a blog. But regardless of DHS policy, and definitely in light of the 2016 election disruption experience, the EI community can and should:
- Start the formation of one or more of the information-sharing communities (like ISAOs or similar) that are bread-and-butter of other CI sectors.
- If needed, take voluntary action to get DoJ and DHS assistance in the legal side of such formation.
- Use the information sharing organizations to privately share and discuss what really happened in 2016 to prepare, detect, and respond to attacks on EI.
- Likewise use the organizations to jointly consider available assistance, and to assess:
  - the range of types of CI-related assistance that are available to election officials – both cyber and otherwise;
  - the costs and benefits of using them; and
  - for those participants who have already used, or choose to voluntarily use, that assistance (from DHS or elsewhere), to inform all EI/CI operators who choose to participate.
- Begin to form sector-specific CI guidelines specifically about changes required to operate EI assets as CI.
And all that is just to get started, to enable several further steps, including: informing the election tech market of what it needs to respond to; helping the 1000s of local election offices to begin to learn how their responsibilities evolve during the transformation of EI into truly part of CI in practice.
The Freeze Factor – Dismantling Federal Assistance to U.S. Elections
“Frozen” is my key word for what happens to the voting system certification process after EAC is dismantled. And in this case, frozen can be really harmful. Indeed, as I will explain, we’ve already seen how harmful.
- Certification is the standards, requirements, testing, and seal-of-approval process by which local election officials gain access to new election tech.
- The testing is more important than ever, because of the lessons learned in 2016:
  1. The next gen of election technology needs to be not only safe and effective, but also …
  2. … must be robust against whole new categories of national security threats, which the voting public only became broadly aware of in late 2016.
Today it’s time to explain just how ugly it could get if the EAC’s certification function gets derailed. Frozen is that starting point, because frozen is exactly where EAC certification has been for over a decade, and as a result, voting system certification is simply not working. That sounds harsh, so let me first explain the critical distinction between standards and process, and then give credit where credit is due for the hardworking EAC folks doing the certification process.
- Standards comprise the critical part of the voting system certification program. Standards define what a voting system is required to do. They define a test lab’s job for determining whether a voting system meets these requirements.
- Process is the other part of the voting system certification program, composed of the set of activities that the players – mainly a voting system vendor, a test lab, and the EAC – must collectively step through to get to the Federal “seal of approval” that is the starting point for state election officials to make their decisions about which voting systems to allow in their state.
Years’ worth of EAC efforts have improved the process a great deal. But by contrast, the standards and requirements have been frozen for over a decade. During that time, here is what we got in the voting systems that passed the then-current and still-current certification program:
Black-box systems that election officials can’t validate, for voting that voters can’t verify, with software that despite passing testing, later turned out to have major security and reliability problems.
That’s what I mean by a certification program that didn’t work, based solely on today’s outcome – election tech that isn’t up to today’s job, as we now understand the job to be, post-2016. We are still stuck with the standards and requirements of the process that did not and does not work. While today’s voting systems vary a bit in terms of verifiability and insecurity, what’s described above is the least common denominator that the current certification program has allowed to get to market.
Wow! Maybe that actually is a good reason to dismantle the EAC – it was supposed to foster voting technology quality, and it didn’t work. Strange as it may sound, that assessment is actually backwards. The root problem is that as a Federal agency, the EAC had been frozen itself. It got thawed relatively recently, and has been taking steps to modernize the voting systems standards and certification. In other words, just when the EAC has thawed out and is starting to re-vitalize voting system standards and certification, it is getting dismantled – that at a time when we just recently understood how vulnerable our election systems are.
To understand the significance of what I am claiming here, I will have to be much more specific in my next segment, about the characteristics of the certification that didn’t work, how the fix started over a decade ago, got frozen, and has been thawing. When we understand the transformational value of the thaw, we can better understand what we need in terms of a quality program for voting systems, and how we might get to such a quality program if the EAC is dismantled.