Recent News

Dewey Defeats Truman

Combatting the Reality Distortion Field

An important conversation took place this morning between the Election Assistance Commission (EAC) and several key stakeholder groups and federal agencies. The call was convened to discuss the security of election processes ahead of this year’s presidential election. The conversation comes at a critical time for our nation as we take stock of the growing list of challenges faced by our Local Election Officials (LEOs).

The EAC should be commended for its leadership in this space and for the work that they do in partnership with both LEOs and state officials. Conducting elections in the United States is truly a team effort and this type of engagement is critical to the health of our democracy. We agree with the EAC’s statement that:

Secretaries of State and state and local election officials are doing everything in their power to be prepared for possible security threats and that they take that responsibility extremely seriously.

This statement speaks to a reality of the American system of elections: Any effort to secure our critical democratic infrastructure must run through, and not around, local election offices. To ensure success we must support our LEOs in what has become a critical, yet often thankless job.

The threat to our election infrastructure will not be of the kind that sees thousands of machines and polling places taken out of service across the country. To put it bluntly, that’s not how it works. In fact, we’ve used this space before to note that the diversity of our election systems can be viewed as an advantage in securing our current infrastructure.

A widespread attack is not the primary threat to our system, but a targeted attack in even a single precinct of a swing state could have a devastating impact on the public’s confidence in the political process. This type of attack is much more likely.

During this election cycle we have seen an unprecedented rejection of democratic norms by the nominee of a major political party who asserted that

The only way we can lose in my opinion — I really mean this, Pennsylvania — is if cheating goes on…

This type of rhetoric is a paradigm shift for LEOs and we must help them prepare for the road ahead. We know that no election is perfect and mistakes will be made, but in this new reality even minor missteps will be viewed as evidence of systemic corruption.

A Secretary of State once told our team that our job was to keep him off the front page of the local newspaper. If all goes to plan, then the conversation will be about the results and not the process. Unfortunately, that option is not available to LEOs this year.

Let’s be realistic. There is a reality distortion field that covers this election. Speculation is rampant and it’s difficult for the public to know who to believe. We must prepare LEOs for both real threats to their systems and the public relations challenges they will face before, during, and after election day. This is a part of – not in addition to – the task of securing our elections.

We believe that the integrity of the election process will be secured by ensuring the competency of election systems AND the confidence of the voters who use them.

A Response to POLITICO: Election Infrastructure as Critical Infrastructure

Below is a letter prepared by co-founders Gregory Miller and John Sebes sent to Tim Starks and Cory Bennett of POLITICO, who cover cyber-security issues.  A formatted version is here.  The signal-to-noise ratio on this subject is rapidly decreasing.  There seem to be some fundamental misunderstandings of the challenges local election officials (LEOs) face; the process by which the equipment is qualified for deployment (albeit decrepit archaic technology by today’s standards); what the vulnerabilities are (and are not); and why a designation of “critical infrastructure” is an important consideration.  We attempt to address some of those points in this response to Tim’s otherwise really good coverage.

Tim Starks
tstarks@politico.com
Morning Cybersecurity Column
POLITICO
1000 Wilson Blvd, 8th Floor,
Arlington, VA, 22209

RE:      11.August Article on Whether to Designate Election Infrastructure as Critical Infrastructure

Greetings Tim

I am a co-founder of the OSET Foundation, a 501.c.3 nonprofit election technology research institute in the Silicon Valley.  I’m writing in response to your article this week in Morning Cybersecurity:

ANOTHER VIEW ON ELECTIONS AS “CRITICAL INFRASTRUCTURE” –
Maybe classifying the election system as part of the nation’s “critical infrastructure” isn’t so wise.

We’ve been on a public benefit mission to innovate electoral technology since 2006.  We’re a group of tech-sector social entrepreneurs bringing years of experience from our former employers like Apple, Facebook, Mozilla, Netscape, and elsewhere to bear on innovating America’s “critical democracy infrastructure” —a term we coined nearly a decade ago.

We’re working with elections officials across the country to develop a publicly owned democracy operating system called ElectOS™ in order to update and upgrade America’s voting systems with innovations that will increase integrity and improve participation for 1/3rd the cost of today’s aging systems.  ElectOS will innovate voting machinery the way Android® has innovated smart phones and mobile devices.  Both are freely available (or “open source”), and like Android, we believe ElectOS will one day enjoy a flourishing commercial market to sustain its continued innovation, deployment, and support.

We’ve been studying the challenges of election administration infrastructure for a decade.  So, we read with great interest your article regarding another viewpoint about making a critical infrastructure designation for our nation’s deteriorating, obsolete, and vulnerable voting infrastructure.  There are elements of your article we agree with (and more specifically comments of Cris Thomas), and there are points that we disagree with because they reveal some misunderstanding of the realities of election administration and the processes of managing the machinery today.  Thus, we were compelled to write you and share these clarifications.

We hope our comments are helpful going forward as you continue to cover this important topic, especially in light of the current election season and the delicate issues being raised by at least one candidate and other media.  Good on you for covering this. Below please find our (hopefully helpful) contributions to your effort.  Relevant portions of your article appear indented in blue.

In recent days, a growing chorus of experts and policy makers have backed a proposal to give elections the same level of federal security protections that the government already grants other so-called critical infrastructure, such as the power grid or financial industry.

First, we believe it’s important to be very clear on what elections infrastructure we are talking about.  We should be discussing voting technology operated by Local Election Officials (“LEOs”), and not web sites and eMail servers run by political NGOs.

Sure, the recent attacks on NGOs are a wake-up call for a variety of potential attacks on real Election Infrastructure (“EI”) and peripheral targets.  But the Critical Infrastructure (“CI”) designation should be for core EI; that is, voting machines and the election administration software and systems that manage voting machinery.

But an old school hacker who was part of the L0pht collective says such a change might do more harm than good.  “Classifying voting computers as critical infrastructure is going to cause a lot of headaches at the local level,” Cris Thomas, aka “Space Rogue,” tells MC [MC = “POLITICO Morning Cybersecurity”].

Critical Election Infrastructure (“CEI”) is not very different than other locally managed CI.  Not all CI is big corporate IT like financial transaction processing systems, or government-operated systems like the ATC, or quasi-public technology like the power grid operated by a variety of organizations, but subject to many government regulations.  By contrast, we already have CI that is local, including local government operated.  For example, there are small local water utilities and municipal water treatment organizations.  Local first responders’ infrastructure is CI as well.  So, there is plenty of precedent for giving a CI designation to locally managed assets.

Because elections, even national elections, have been historically treated as a local event; having a federal designation as critical infrastructure will fundamentally change how we have handled our elections for the last 240 years.

CEI designation will not cause a fundamental change in the current situation where U.S. elections are a local matter.  Mr. Thomas is mistaken on this one point.  Local election organizations will have the same responsibilities, plus some new ones for managing CI.  But a county election administrator will still manage elections the day after or even the year after a critical infrastructure designation.  That cannot, should not, and will not change.

Thomas, now a strategist at Tenable Network Security, says the idea misses the point: We need to remain focused on the security concerns of the current system, which fall into two areas. First, many manufacturers are not testing the systems well enough before selling them to municipalities, often using off-the-shelf hardware and software with minimal security and using things like default, hard-coded passwords.

Of course, the existing voting machines have technical security issues—and at the risk of reading like we’re overly defending vendors, what computing system has none?  And of course, it’s also true that a CI designation won’t change these products’ default security posture.

at the same time, the local government certification agencies seldom have the time, resources and knowledge to properly test these computers for vulnerabilities, …

The same is true regarding the certification process, although Mr. Thomas is mistaken about that process itself.  There are not “local certification agencies,” but rather Federal and State organizations that certify the systems local (county) election jurisdictions are authorized to use. Nevertheless, a CI designation will not increase the rigor of the certification process, and it won’t increase the capability of LEOs to do technical scrutiny of their own.

and often just accept a manufacturer’s claims of security.

We must also take exception to Mr. Thomas’s last comment.  The idea that certification sometimes amounts to “just accepting vendor security claims” cannot be, and is not, the case.  Although the current certification process isn’t as strong as we’d like, and though nearly all stakeholders want improvement, there are already clear requirements for vendors to demonstrate compliance with security related requirements.  On the other hand, misleading vendor claims about security can sway LEOs when selecting a certified system (and the choices are down to three vendors).

[T]he result is a system that our entire democracy depends on, which is run with minimal, easily bypassed security.

Sure, but it’s a mistake to focus solely on technical security problems of voting machines, particularly since these systems are not going to be replaced with better technology immediately upon a CI designation.  In the near term, the impact of CEI will be more on people and process, and less on technology itself.  LEOs will need help to build organizational capacity and expertise to manage physical assets as critical infrastructure, with physical security, personnel security, increased operational security processes, and the ability to demonstrate that a variety of kinds of people and process controls are actually being followed rather than merely mandated.

So, improvements in the human aspects and processes are the immediate value of a Critical Election Infrastructure designation.  Such a designation would need to clearly state that our local election officials (LEOs) are custodians of not just critical infrastructure, but infrastructure that is critical to our national security.

That’s never been a responsibility for LEOs, and many LEOs will be dismayed that they will be called upon to operate in ways that they never imagined would be important.  It will require long-term capacity building.  In the short term, there are many improvements in people and process that are possible, although unlikely unless there is a high sense of urgency and importance.  The designation of election infrastructure as critical infrastructure, however, can help create and maintain that urgency.

A better approach, Thomas says, is to increase funding for the National Voluntary Laboratory Accreditation Program run by NIST and the U.S. Election Assistance Commission.

We agree in principle, but this is not mutually exclusive with Critical Infrastructure.  Clearly, there is room for improvement, and NIST and EAC have important roles.  With Critical Election Infrastructure, their roles would need to enlarge, but reasonably so.

We also agree that more funding for these organizations’ election integrity efforts is necessary, but doing so is not an either / or decision in consideration of other aspects of CEI.  If Election Infrastructure is truly “critical” then several things must occur, including, but not limited to the additional support for NIST and EAC that Mr. Thomas is encouraging.

Here are three examples of improvement that a Critical Election Infrastructure designation would enable —though additional funding and expertise would be required.

  1. Do not connect anything relating to ballots, counting, voter check-in, etc. to the Internet, ever—and in many cases no local wireless networking should be allowed.  With CEI, using an Internet connection is no longer a convenience or shortcut in the grey area of safety—it’s a possible vulnerability with national security implications.
  2. Physically secure the election back-office systems.  The typical election management system (EMS) is a nearly decade old Microsoft Windows based application running on Personal Computers no longer manufactured, that are as easy to break into (“black hack”) as any ordinary PC.  Yet, they are the brains of the voting system, and “program” the voting machines for each election.  So put them in locked rooms, with physical access controls to ensure that only authorized people ever touch them, and never one person alone.
  3. Perform physical chain of custody really well (i.e., for machines, paper ballots, poll books, precinct operations logs, —everything), with measurable compliance, and transparency on those measurements.  It’s just not reasonable to expect LEO Operations to do excellent physical chain of custody routinely everywhere, if these physical assets are not classed as CI.  They’re not funded or trained to operate physical security at a CI level.  So, there is plenty of room for improvement here, including new responsibility, resources, training, and accountability.  All of this may be low hanging fruit for improvement (not perfection) in the near term, but only if the mandate of CEI is made.

We hope this is helpful.  We’re glad to discuss issues of election integrity, security, and innovation whenever you want.  The co-founders have been in the technology sector for three decades.  Both have worked on critical infrastructure initiatives for the government.  The OSET CTO, John Sebes, has been in digital security for over 30 years and is deeply experienced with the policy, protocols, and tools of systems and facilities security.  Our Advisory Board includes former US CTO Aneesh Chopra, digital security expert and CSO of Salesforce.com, Dr. Taher Elgamal, global expert on elections systems integrity, Dr. Joe Kiniry, DHS Cyber-Security Directorate Dr. Douglas Maughan, and several former state election officials.

Respectfully,

Gregory A. Miller
Co-Founder & Chief Development Officer

The Quest for a Boring Election

This week has been a sort of public reintroduction to the awesome challenges faced by our Local Election Officials. For many Americans the terms “hanging chad” and “butterfly ballot” have long slipped from daily use, but the threats to our democratic institutions remain.  In fact, these threats have only grown in complexity since our last popular encounter in 2000.

The reality that we are even having a national discussion about voting infrastructure in a time of extreme political  intrigue is one indicator of the severity of the problem.  Elections should be exciting, but we hope the systems by which they are conducted are competent to the point of being, well, boring.  At the very least we hope they would not be a primary topic of discussion.  Unfortunately, we have a long way to go.

Local Election Officials (LEOs) work on the front lines of a critical and highly visible function of our democracy.  Their work facilitates the mandate by which our public officials govern and even small mistakes are seen as unacceptable.  Despite the challenges it entails, we expect our LEOs to do their jobs with a level of precision and accuracy that is almost unheard of in other sectors of society.

If we expect this level of performance from our public servants, then we must provide them with the support and resources they require to succeed.  As we’ve discussed before on this blog, the Obama Administration has taken an important first step by signaling forthcoming guidance for LEOs on protecting the nation’s voting infrastructure.

This guidance is significant as the current configuration of our infrastructure is so varied that a single solution is well out of reach for the November elections.  The White House rightfully recognized this as a natural protection against widespread attack as it reduces the potential for a single threat to metastasize across the country.

You might also say that that varied infrastructure and those different systems also pose a pretty difficult challenge to potential hackers.  So it’s difficult to identify a common vulnerability throughout the system.

-Josh Earnest, White House Press Secretary

This is, of course, still little consolation for an individual LEO who faces a significant attack or system failure on election day.

Doug Chapin of Election Academy addresses this reality by making a strong argument for the personal responsibility of each election office to protect their systems:

Regardless of the response, it is vital for election officials in jurisdictions of every size and at every level to develop an awareness of cybersecurity issues – and, where possible to harden their systems against such attacks

Elections have never been simple, but there is a growing consensus that the game has changed.  Gone are the days when election technology was seen as a backwater of government IT. LEOs are being asked to take on more risk and we must rise to the challenge of supporting them in this work.