Following our previous post about the recount process in general, and in particular what it normally would mean in Georgia, this article is an “explainer” on the effort begun recently to “audit” the Georgia election per a directive that Georgia Secretary of State Brad Raffensperger announced this week…
A cornerstone to trustworthy elections is a recount process to ensure accurate outcomes. Likewise, trust in the recount process is essential. Recounts are a game of margins, which for this election is especially true. So, I offer an explanation of how recounts are conducted in just the states of most potential consequence in the coming weeks…
During the coming weeks, America’s election infrastructure will be tested as perhaps never before, especially due to changes caused by the COVID-19 pandemic. In that context, we present “Swing Dance,” our assessment of the process and technology risks that exist in the 14 most competitive states for the 2020 election…
We’ve posted our 2019 Annual Review. We hope you agree that this summary of key accomplishments and developments shows the impactful importance of our work to defend democracy.
Wow, what a year, right? Tonight on the eve of 2019, we post our Annual Review. We hope you agree that the key accomplishments and developments this year demonstrate the impactful importance of our work to defend democracy. Most of all, we thank you for your continued support!
“Democracy at Risk: More Than 15 Million Voters May Stay Home on Election Day Over Cyber-Security Doubts”
cluding non-paper ballots — is among the most vulnerable states to cyber-focused attacks?“
Its amazing what can happen when you bring in real talent. Last year we brought in a new team member in social media, who proved her capabilities so fast that we promoted her to Director of Citizen Outreach. We’ve known for over a year that the time was drawing near to figure out how to tell the TrustTheVote Project story to the public. Specifically, sharing our mission with those other than elections professionals and government. Meegan Gregg did it. And it appears (to use a baseball term) to be a “Walk-off Home Run” or maybe a “drop the mic” result.
Today we’re launching our story, in a 2-minute video developed by a team led by Meegan. It involved an enormously generous grant from XPLANE, the visual story-telling firm, and implemented by the talented production work of several supporting firms including, PingPongPop and Marmoset for voice-over and music; TalkBack for sound & video integration, and RoboToro for web engineering.
Candidly, we need to engage the public’s interest and support for our Project. Our operation needs the support of the people, because the TrustTheVote Project is by the people and for the people. We’re building a 21st century “democracy operating system,” ElectOS to increase integrity, lower cost, improve voter experience, and maybe help turn-out.
The video is the best way to tell a story of a complex Silicon Valley project underway by some of the same folks who helped bring you products from Apple and the web browser from Netscape. It connects citizens to a real and pressing problem that is consuming lots of media attention right now in this election cycle: our crumbling voting systems infrastructure.
Now, there is no need to panic: what’s in production now will make it through this election—despite one candidate suggesting there will be “rigging.” But 43 States have to replace their machinery by 2020, which will be here before we know it. And their choice is to replace their existing stuff with more of the same. And that stuff is mostly built on 90’s personal computers.
But the time to address this problem and engage the public is now because this election cycle is upon us, and while we’ll make it through (although we fear there will be challenges and recounts), we the people can improve our own voting experience, increase confidence in elections and their outcomes, and trust the vote. Our civic duty and civil right to free and fair elections is the single most important liberty we have as American citizens. This video explains how we, the people can with your support ensure that liberty is preserved in a time where election technology has become an under-funded disregarded backwater of government I.T.
So please have a look at our new story and tell us what you think!
Below is a letter prepared by co-founders Gregory Miller and John Sebes sent to Tim Starks and Cory Bennett of POLITICO, who cover cyber-security issues. A formatted version is here. The signal-to-noise ratio on this subject is rapidly decreasing. There seems to be some fundamental misunderstandings of the challenges local election officials (LEOs) face; the process by which the equipment is qualified for deployment (albeit decrepit archaic technology by today’s standards); what the vulnerabilities are (and are not); and why a designation of “critical infrastructure” is an important consideration. We attempt to address some of those points in this response to Tim’s otherwise really good coverage.
Tim Starks
[email protected]
Morning Cybersecurity Column
POLITICO
1000 Wilson Blvd, 8th Floor,
Arlington, VA, 22209
RE: 11.August Article on Whether to Designate Election Infrastructure as Critical Infrastructure
Greetings Tim–
I am a co-founder of the OSET Foundation, a 501.c.3 nonprofit election technology research institute in the Silicon Valley. I’m writing in response to your article this week in Morning Cybersecurity:
ANOTHER VIEW ON ELECTIONS AS “CRITICAL INFRASTRUCTURE” –
Maybe classifying the election system as part of the nation’s “critical infrastructure” isn’t so wise.
We’ve been on a public benefit mission to innovate electoral technology since 2006. We’re a group of tech-sector social entrepreneurs bringing years of experience from our former employers like Apple, Facebook, Mozilla, Netscape, and elsewhere to bear on innovating America’s “critical democracy infrastructure” —a term we coined nearly a decade ago.
We’re working with elections officials across the country to develop a publicly owned democracy operating system called ElectOS™ in order to update and upgrade America’s voting systems with innovations that will increase integrity and improve participation for 1/3rd the cost of today’s aging systems. ElectOS will innovate voting machinery the way Android® has innovated smart phones and mobile devices. Both are freely available (or “open source”), and like Android, we believe ElectOS will one day enjoy a flourishing commercial market to sustain its continued innovation, deployment, and support.
We’ve been studying the challenges of election administration infrastructure for a decade. So, we read with great interest your article regarding another viewpoint about making a critical infrastructure designation for our nation’s deteriorating, obsolete, and vulnerable voting infrastructure. There are elements of your article we agree with (and more specifically comments of Cris Thomas), and there are points that we disagree with because they reveal some misunderstanding of the realities of election administration and the processes of managing the machinery today. Thus, we were compelled to write you and share these clarifications.
We hope our comments are helpful going forward as you continue to cover this important topic, especially in light of the current election season and the delicate issues being raised by at least one candidate and other media. Good on you for covering this. Below please find our (hopefully helpful) contributions to your effort. Relevant portions of your article appear indented in blue.
In recent days, a growing chorus of experts and policy makers have backed a proposal to give elections the same level of federal security protections that the government already grants other so-called critical infrastructure, such as the power grid or financial industry.
First, we believe it’s important to be very clear on what elections infrastructure are we talking about? We should be discussing voting technology operated by Local Election Officials (“LEOs”), and not web sites and eMail servers run by political NGOs.
Sure, the recent attacks on NGOs are a wake-up call for a variety of potential attacks on real Election Infrastructure (“EI”) and peripheral targets. But the Critical Infrastructure (“CI”) designation should be for core EI; that is, voting machines and the election administration software and systems that manage voting machinery.
But an old school hacker who was part of the L0pht collective says such a change might do more harm than good. “Classifying voting computers as critical infrastructure is going to cause a lot of headaches at the local level,” Cris Thomas, aka “Space Rogue,” tells MC [MC = “POLITICO Morning Cybersecurity”].
Critical Election Infrastructure (“CEI”) is not very different than other locally managed CI. Not all CI is big corporate IT like financial transaction processing systems, or government-operated systems like the ATC, or quasi-public technology like the power grid operated by a variety organizations, but subject to many government regulations. By contrast, we already have CI that is local, including local government operated. For example, there are small local water utilities and municipal water treatment organizations. Local first responders’ infrastructure is CI as well. So, there is plenty of precedent for giving a CI designation to locally managed assets.
Because elections, even national elections, have been historically treated as a local event; having a federal designation as critical infrastructure will fundamentally change how we have handled our elections for the last 240 years.
CEI designation will not cause a fundamental change in the current situation where U.S. elections are a local matter. Mr. Thomas is mistaken on this one point. Local election organizations will have the same responsibilities, plus some new ones for managing CI. But a county election administrator will still manage elections the day after or even the year after a critical infrastructure designation. That cannot, should not, and will not change.
Thomas, now a strategist at Tenable Network Security, says the idea misses the point: We need to remain focused on the security concerns of the current system, which fall into two areas. First, many manufacturers are not testing the systems well enough before selling them to municipalities, often using off-the-shelf hardware and software with minimal security and using things like default, hard-coded passwords.
Of course, the existing voting machines have technical security issues—and at the risk of reading like we’re overly defending vendors, what computing system has none? And of course, it’s also true that a CI designation won’t change these products’ default security posture.
…at the same time, the local government certification agencies seldom have the time, resources and knowledge to properly test these computers for vulnerabilities, …
The same is true regarding certification process, although Mr. Thomas is mistaken about that process itself. There are not “local certification agencies,” but rather Federal and State organizations that certify the systems local (county) election jurisdictions are authorized to use. Nevertheless a CI designation will not increase the rigor of the certification process, and it won’t increase the capability of LEOs to do technical scrutiny of their own.
…and often just accept a manufacturer’s claims of security.
We must also take exception on Mr. Thomas’s last comment. The idea of certification sometimes amounts to “just accepting vendor security claims” —cannot be, and is not the case. Although the current certification process isn’t as strong as we’d like, and though nearly all stakeholders want improvement, there are already clear requirements for vendors to demonstrate compliance with security related requirements. On the other hand, misleading vendor claims about security can sway LEOs when selecting a certified system (and the choices are down to three vendors).
…[T]he result is a system that our entire democracy depends on, which is run with minimal, easily bypassed security.
Sure, but its a mistake to focus solely on technical security problems of voting machines, particularly since these systems are not going to be replaced with better technology immediately upon a CI designation. In the near term, the impact of CEI will be more on people and process, and less on technology itself. LEOs will need help to build organizational capacity and expertise to manage physical assets as critical infrastructure, with physical security, personnel security, increased operational security processes, and the ability to demonstrate that a variety of kinds of people and process controls are actually being followed rather than merely mandated.
So, improvements in the human aspects and processes are the immediate value of a Critical Election Infrastructure designation. Such a designation would need to clearly state that our local election officials (LEOs) are custodians of not just critical infrastructure, but infrastructure that is critical to our national security.
That’s never been a responsibility for LEOs, and many LEOs will be dismayed that they will be called upon to operate in ways that they never imagined would be important. It will require long-term capacity building. In the short term, there are many improvements in people and process that are possible, although unlikely unless there is a high sense of urgency and importance. The designation of election infrastructure and critical infrastructure, however, can help create and maintain that urgency.
A better approach, Thomas says, is to increase funding for the National Voluntary Laboratory Accreditation Program run by NIST and the U.S. Election Assistance Commission.
We agree in principle, but this is not mutually exclusive with Critical Infrastructure. Clearly, there is room for improvement, and NIST and EAC have important roles. With Critical Election Infrastructure, their roles would need to enlarge, but reasonably so.
We also agree that more funding for these organizations’ election integrity efforts are necessary, but doing so is not an either / or decision in consideration of other aspects of CEI. If Election Infrastructure is truly “critical” then several things must occur, including, but not limited to the additional support for NIST and EAC that Mr. Thomas is encouraging.
Here are three examples of improvement that a Critical Election Infrastructure designation would enable —though additional funding and expertise would be required.
We hope this is helpful. We’re glad to discuss issues of election integrity, security, and innovation whenever you want. The co-founders have been in the technology sector for three decades. Both have worked on critical infrastructure initiatives for the government. The OSET CTO, John Sebes has been in digital security for over 30-years and is deeply experienced with the policy, protocols, and tools of systems and facilities security. Our Advisory Board includes former US CTO Aneesh Chopra, digital security expert and CSO of Salesforce.com, Dr. Taher Elgamal, global expert on elections systems integrity, Dr. Joe Kiniry, DHS Cyber-Security Directorate Dr. Douglas Maughan, and several former state election officials.
Respectfully,
Gregory A. Miller
Co-Founder & Chief Development Officer
(This is a x-post from Ms. Voting Matters’ announcement on the OSET Institute’s corporate site.)
We are totally excited about an amazing opportunity tomorrow, Tuesday July 26th, to appear at an event as part of the Democrat National Convention.
The only thing that would make this truly complete is if the Republican National Convention had also invited us (we asked, and although we’re pleased to be working with several in the RNC infrastructure, making something happen was not possible.)
But the New Democrat Network (NDN) and the New Policy Institute did reach out to us and invited us to their premier Strategy Forum now being held at its 4th Democrat National Convention. So, we’re focused on presenting to an audience estimated to exceed 1,000 per latest projections based on RSVPs as of yesterday (over 900). This is truly an amazing opportunity for us to spread the story of our work and we’re deeply appreciative of the NDN’s invitation.
The event, “Looking Ahead: Talks on the Future of America and American Politics” is bringing together a collection of amazing thought-leaders on the future and innovation of democracy including experts such as Ari Berman, Alec Ross, Joel Gamble, Jose Antonio Vargas, and others.
The title of our presentation is: “Modernizing Our Election Technology Can Make Our Democracy Better.”
This will not be telecast, although we’re still waiting word about a webcast, video stream, or recording of the sessions. We’ll update this as soon as we know.
However, part of our presentation will be the launch of a new 2 minute video vignette about the looming problem of obsolete voting machinery and our approach to help bring about innovation which will increase integrity, lower costs, improve participation, and rejuvenate a flagging industry with new technology to innovate the business of delivering finished voting systems. That video will be available on YouTube tomorrow afternoon, and we will add a comment to this post and update it accordingly.
OSET’s Director Citizen Outreach, Meegan Gregg, and the Foundation’s Co-Founder, Gregory Miller will deliver this “Ted-Talk” -like presentation at 12:20pm EDT at the Convention Center in Philadelphia. It should be a great time and a huge (oops) opportunity.
Recently, we were asked about a concept authored by a former technology executive at Citrix (yes, those folks) back in 2012 regarding a potential end to end secure voting system. But that was actually part of a larger question: whether and to what extent digital security must now live beneath the operating system software layer rather than on top of it. The author’s ideas for an online voting system are laudable and his credentials are credible. His follow-on article last year (2015) is interesting, and more to the point of hardware-level security alluded to in the first article. I offer a couple of comments below including some points by our CTO on this approach because it is something baked into ElectOS.
First, we agree that a hardware root of trust is an essential ingredient for any trustworthy computing device running mission critical software. The author, Ahmed Sallam (now CEO at DeepSAFE Technology) rightly points that out, but we doubt that Citrix has an existing product that can safely run an Internet Voting client. We’d love to be proven wrong on that, but it does not change the fact that the core problem is one of successfully combining many ingredients. This is one of the well known ingredients.
There is, from my perspective a well-developed and detailed technical white paper providing a worked example of a hardware root of trust from Apple for its iOS mobile operating system. This hardware rooted security layer has allowed Apple to develop Apple Pay and their biometric authentication management system (you can see a very good overview video here (may require Safari Browser to watch) of how it works). For those wishing to dive deeper, here is the NIST Draft Guidelines for Hardware Rooted Security in Mobile Devices.
At a deeper level of detail, our CTO (John Sebes) agrees with the technical architecture for the server side, but he believes that for the client side, Ahmed’s approach is a bit of overkill. As John observes, “If I understand it right, the Sallam model seeks to allow trusted and un-trusted code to run on a device, with a full operating system and all.”
So, the client architecture that John and the TrustTheVote Project have been advocating from the beginning, starts with a consumer device that has a hardware root of trust and a hypervisor that can validate a boot image as coming from a trustworthy source. John reports that we nearly have that today. And it has to have the ability to do both:
One such “something else” will probably be a banking App, but the one we’re interested in is a Voting (ballot casting) App — with a single purpose: it runs only that one App and the SW stack under it, immune to malware, etc. That’s not even that hard, but there are interesting PKI (Public Key Infrastructure) issues for ensuring that a given voting App is the real {authentic | authorized} voting App, and performing strong authentication of the user-voter, etc.
Now for the “But…” part of this. Fundamentally, we agree with Ahmed’s vision and concept; however, Citrix will be a potential player in the iVoting technology arena if and only if it is a major player in the mobile computing technology computing ecosystem. From what we can tell, Citrix is moving in that direction.
So to summarize, at the end of the day,