U.S. election technology is increasingly regarded as critical to national interests. In discussions about the national-level importance of election technology, I’ve also increasingly heard the term “national security” used. The idea seems to be that election technology is as important as other national-security-critical systems. That’s fair enough in principle, but at present we are a long way from any critical piece of election technology – such as machines for casting and counting ballots – being manufactured, operated, and protected like other systems that currently do meet the definition of “national security systems”.

However, there is one element of national security systems (NSSs) that I believe is overlooked or unfamiliar to many observers of election technology as critical infrastructure. NSSs have to address hardware level threats by containing their risk using a set of practices called supply chain risk management (SCRM). Perhaps hardware threats have been overlooked by some national policy makers, because of the policy issue that I’ll close with today.

The Hardware Threat

I’d like to explain why hardware level threats are more feasible to address than many other challenges of re-inventing election technology to meet national security threats. But first I should explain what’s usually meant by hardware level threats, and where supply chains come into it.

Hardware level threats exist because it’s possible for an adversary to craft malicious hardware components that work just like a regular component, but also have hidden logic to make them misbehave. To take one simplistic example, a malicious optical disk drive might faithfully copy the contents of a DVD-R when requested, except in special circumstances, such as installing a particular operating system. In that special case, it might deliver a maliciously modified copy of a critical OS file, effectively compromising the hardware that the system is installed in.

To those not familiar with the concept, it might seem fanciful that a nation-state actor would engage in such activities: target a specific device manufacturer; create malicious hardware components; inject them into the supply chain of the manufacturer so that malicious hardware components become part of its products. But, in fact, such attacks have happened, and on systems that could have a significant impact on defense or intelligence.

That’s why one of the basic aspects of national security systems is that their manufacturers take active steps to reduce the risk of such attacks, in part by operating a rigorous SCRM program. Though unfamiliar to many, the concepts and practices have been around for almost a decade.

Since the inception of the Comprehensive National Cybersecurity Initiative (CNCI), many defense and intelligence related systems have been procured using SCRM methods specifically because of hardware threats. In fact, the DoD likely has the most experience in managing a closed supply chain, and qualifying vendors based on their SCRM programs.

SCRM for Election Technology

What might this mean for the future of election technology that is genuinely treated as a national security asset? It means that in the future, such systems would eventually have to be manufactured like national security systems. Significant efforts to increase voting technology security would almost demand it; those efforts’ value would be significantly undercut by leaving the hardware Achilles heel unaddressed.

What would that look like? One possible future:

  • Some government organization operates a closed supply chain program; perhaps piggybacking on existing DoD programs.
  • Voting technology manufacturers source their hardware components from the hardware vendors in this program.
  • Voting technology manufacturers would operate an SCRM program, with similar types of documentation and compliance requirements.
  • Voting technology operators – election officials – would cease their current practice of replacing failing components with parts sourced on the open market.

This would be a big change from the current situation. How would that change come about? Hence the open issue for policy makers …

Policy Issues and Questions

The opportunity for voting system vendors to benefit from a managed closed supply chain might actually be something possible in the short term. But how would that come about? And what would motivate the vendors to take that benefit? And to expend the funds to set up and operate an SCRM program?

To me, this is an example of a public good (reduced risks to our elections being attacked) that doesn’t obviously pencil out as profit where the manufacturer gets a return on the investment (“ROI”) of additional costs for additional manufacturing process and for compliance efforts. So, I suppose that in order for this to work, some external requirement would have to be imposed (just as the DoD and other parts of the Federal government do for their vendors of NSSs) to obligate manufacturers to incur those costs as part of the business of voting technology, and choose how to pass the costs along to, eventually, taxpayers.

However, in this case, the Federal government has no direct role regulating the election technology business. That’s the job of each State: to decide which voting systems are allowed to be used by their localities, and to decide which technology companies to contract with for IT services for state-operated election technology related to voter registration and election management. But States don’t have the existing expertise in SCRM that Federal organizations do.

So, there is plenty of policy analysis to do, before we could have a complete approach to addressing hardware level threats to elections. But there’s one thing that could be done in the near term, without defining a complete solution. Admittedly, it’s a bit of a “build and they might show up” approach, based on a possible parallel case.

Parallel to Certification

The best parallel I know of is with voting system certification. Currently, about half the States require that a voting system manufacturer successfully complete an evaluation and certification program run by the Federal government’s Election Assistance Commission (EAC). That’s a prerequisite for the State’s certification. A possible future parallel would be (a) for the Federal government to perform supply chain regulation functions, and compliance monitoring of manufacturers, and (b) for States to voluntarily choose whether to require participation of manufacturers. The Federal function might be performed by an organization that already supports supply chain security, which sets up a parallel program for election technology, and offers its use to the manufacturers of election technology of all kinds. If that’s available, perhaps vendors might dip a toe in the waters, or States might begin to decide whether they want to address hardware threats. Even if this approach worked, there would still be the question of how all this might apply to all the critical election technology that isn’t machines for casting and counting ballots. But at least it would be a start.

That’s pretty speculative, I admit, but at least it is a start that can be experimented with in the relatively near term – certainly in time for the 2020 elections that will use election systems that are newer than today’s decade-plus-old systems, but inside have the same vulnerabilities as today’s technology. Hardware assurance won’t fix software vulnerabilities, but it would make it much more meaningful to attempt to fix them, with the hardware Achilles heel being on the way to being addressed.

— EJS