No “Security By Obscurity” for Voting, Please
John Sebes
I have to confess to being appalled by the number of times recently that I have heard people talk about the potential benefits of "security by obscurity" for voting systems. It’s one of those bad old ideas that just won’t die: if you hide the inner workings (the source code) of a complex device (a voting system), that makes it harder for an adversary to break it (hack it, steal elections). With regard to voting systems, of course, the issue gets muddled up with vendors’ fears of compelled source code disclosure, but setting that aside, the proposition is simply this: a voting system is "more secure" (whatever that means) if the source code is not public. Or as one election official said to me recently, "We’ve been schooled to think that making the code public would give up the keys to the system" (my paraphrase) and ensure that a voting system could be hacked to steal elections (my inference).
Wow. It’s quite the fallacy, but the staying power of the "Security by Obscurity" idea is impressive; despite being thoroughly discredited among digital security professionals, the idea just won’t stay dead. The professional consensus runs the other way, and has since Kerckhoffs stated the principle in the 1880s: a system should remain secure even when everything about it except the keys is public, because the design of a widely deployed system cannot be kept secret for long. But please, don’t take my word for it. Despite a couple of decades in the security biz, I’m also an open source advocate, so I am hardly a neutral party. Instead, take a look at what security experts (the real ones, not the folks who merely call themselves "security experts") have to say about it. You can find several good thought pieces on the blog of applied cryptographer and author Bruce Schneier. You can find a range of pieces on the topic in the Risks Forum moderated by the highly respected Peter Neumann. For a brief and general summary of the topic (including open source), Peter’s IEEE Science and Policy piece "Robust Nonproprietary Software" provides a pithy and balanced viewpoint. For an entertaining bit of myth-debunking, try "Security by Insecurity". And for specificity to voting, try Peter’s testimony to the State of California, invited by CA’s Secretary of State, Debra Bowen.
But I can’t resist a couple of closing thoughts. First is my little theory that closed systems are actually easier to crack. Consider the Windows OS, unsurpassed for widespread adoption, proprietary software, and history of security vulnerabilities. I am not MS-bashing here! My point is that where there is an attractive target (and Windows is #1), the bad guys have all the needed grist for the mill, without the source code. They have the running software itself; they have some information about the software’s interfaces; and they have many years of experience to guide efforts to find weak points. They have a cookbook! They don’t need an electron microscope to examine the atoms and reverse engineer the target: a debugger, a disassembler, and a fuzzer pointed at the binary are enough. In fact, if the source code were available, it might actually be more work to wade through it to find security vulnerabilities than to probe the running program directly.
Lastly, I want to get back to election technology generally, and voting systems in particular. I do not believe that current voting systems benefit from security by obscurity. I also do not believe that disclosure of the source code would be beneficial. Independent reviewers have found many reasons for security concerns, and the vendors underline those concerns by fear-mongering around the issue of security vs. openness. Where vendors admit security problems, and yet do not display willingness to fix known problems, disclosure doesn’t help, because new knowledge about problems and fixes is irrelevant if the fixes don’t get done. But just as disclosure wouldn’t help, it also would not hurt – despite the fear-mongering. Plenty enough is already known about the vulnerabilities of these systems, and the bad guys have plenty of info – including the ability to buy voting machines on eBay and reverse engineer them to their heart’s content.
So basically, disclosure of current systems is a matter of indifference to me in terms of security benefit or detriment – there is neither. But it really bothers me when people are misled into thinking that secret computing equals secure computing. It’s not so, and especially not for election technology, which should be open and transparent: not for security, but for trust and public confidence in the results, that is, in the selection of those public servants who govern our public life.
— EJS