Plain Talk Series on Election Security #7: Three Kinds of Election Security That You Really Need to Know
This is the 7th and final installment of a 7-part series of election security vignettes intentionally kept as brief as possible to stick to the main point of the title above. It’s intended to acquaint relative newcomers with election integrity and security, and that includes anyone and everyone from concerned citizens, to journalists, to policy makers.
In Part 6 I provided some plain talk on election security in order to separate out 3 kinds of threats that undermine democracy, loosely speaking: 1) propaganda, 2) cyber-attacks on campaigns/candidates/etc., and 3) attacks on election infrastructure. It’s in the last area where I believe the term “election security” applies best, but in three very different ways.
I think it is really important to understand these 3 different kinds of “election security.”
1. Paper Ballots and Audits are the most widely discussed idea in election security, but they really do very little for cybersecurity. Humans can use paper ballots to do an audit that will detect – and correct – vote-counting equipment problems that otherwise would have the worst possible effect: a “winner” that did not actually get the most votes.
But cybersecurity is barely involved. Audits provide the means to respond to voting tech problems of many kinds: hardware faults, software bugs, software mis-configuration, errors in configuration data, administrator/operator error, physical mishaps, and yes, Russian cyber-attacks on the easily hackable software and systems of ballot counting machines. But it doesn’t matter who or which one of these problems might be involved. Effective audits will catch the result regardless of the cause.
And audits don’t make any of the computer systems any better in cybersecurity. Nor do audits result in the hardware being more reliable, or the humans less prone to human error, or any other factor. There might be more assurance in the overall process, but none of the moving parts are really any more secure.
2. Tamper Resistance and Cybersecurity are on the opposite end of the spectrum. Audits are great, but even with them, it is not good enough to continue using easily hackable computers and software for counting ballots. Un-hackable special-purpose systems are the ideal alternative, or more specifically, systems with cybersecurity baked in at all levels by design, that are resistant to tampering that could cause them to malfunction. The technology is “in the lab” in several places (including the DARPA program called SSITH) and while it is not quite “just around the corner,” it should be feasible to build small special purpose “hack proof” commercial systems in perhaps a couple years.
Ballot-counting devices and control systems in power generation are my top two favorite “small special purpose systems” that should benefit from this forthcoming SSITH technology – if adopted by the market. Besides voting machines, the other critical target is voter registration systems. A brand-new designed-for-cybersecurity voter registration system would also be a favorite, but as a much more complex system that stores data and is used every day, it would need other cybersecurity innovations as well, including responsible use of blockchain technology.
3. Operational Security a.k.a. “Band-Aids” comprises the third kind of election security techniques. You need a lot of this “ASAP” if you have very hackable systems like voting machines and voter-registration databases built years ago before cybersecurity was even a main concern in government computing, much less nation state adversaries. You can’t make the crown jewels’ jewelry box any stronger, but you can make the castle walls bigger, the checkpoints more numerous, train the guards for hyper-vigilance, add some watchers to watch the watchers, and test the heck out of the whole setup very frequently.
But when it is technology, not castles and crowns, it’s a lot of different kinds of work: security awareness training and periodic testing for everybody; periodic cybersecurity assessments from outside experts; new projects to put in place new or improved protections as indicated by the assessments; new cyber-defense tools and systems; new staff of experienced cyber-defenders to use the tools and manage the systems, and experienced cyber-security operations managers; participation in cybersecurity information sharing groups and activities.
It’s expensive, and the expense is ongoing. I think it’s probably tractable at the State level, to improve cybersecurity (and operational IT practices, and physical security, and personnel security) around State-managed voter registration systems. Though there is a lot to do, in most cases it would be in the context of an existing reasonably mature IT organization, that has some cyber-security awareness and maybe in a few cases a real security pro.
And this improvement, and ongoing budget to fund it every year, would only have to happen in 50+ places. It could happen, though Federal funding would be required each and every year to help states pay for it.
When I think of the same kind of transformation happening in 7,000+ local election jurisdictions, then I really wonder if it is possible at all. In any case, for the foreseeable future, States have plenty of work to do with band-aiding that they have funds for, and localities have plenty of work to do to get to one-voter-one-paper-ballot and audits that do the job right.
Next: Well, we’re done here for this series, but we really hope you’ll leave comments and questions.
To read more, here are all of the articles in this Election Security Plain Talk Series.