During the coming weeks, America’s election infrastructure will be tested as perhaps never before, especially due to changes caused by the COVID-19 pandemic. In that context, we present “Swing Dance,” our assessment of the process and technology risks that exist in the 14 most competitive states for the 2020 election…
We’ve posted our 2019 Annual Review. We hope you agree that this summary of key accomplishments and developments shows the impactful importance of our work to defend democracy.
Wow, what a year, right? Tonight on the eve of 2019, we post our Annual Review. We hope you agree that the key accomplishments and developments this year demonstrate the impactful importance of our work to defend democracy. Most of all, we thank you for your continued support!
“Democracy at Risk: More Than 15 Million Voters May Stay Home on Election Day Over Cyber-Security Doubts”
cluding non-paper ballots — is among the most vulnerable states to cyber-focused attacks?“
Its amazing what can happen when you bring in real talent. Last year we brought in a new team member in social media, who proved her capabilities so fast that we promoted her to Director of Citizen Outreach. We’ve known for over a year that the time was drawing near to figure out how to tell the TrustTheVote Project story to the public. Specifically, sharing our mission with those other than elections professionals and government. Meegan Gregg did it. And it appears (to use a baseball term) to be a “Walk-off Home Run” or maybe a “drop the mic” result.
Today we’re launching our story, in a 2-minute video developed by a team led by Meegan. It involved an enormously generous grant from XPLANE, the visual story-telling firm, and implemented by the talented production work of several supporting firms including, PingPongPop and Marmoset for voice-over and music; TalkBack for sound & video integration, and RoboToro for web engineering.
Candidly, we need to engage the public’s interest and support for our Project. Our operation needs the support of the people, because the TrustTheVote Project is by the people and for the people. We’re building a 21st century “democracy operating system,” ElectOS to increase integrity, lower cost, improve voter experience, and maybe help turn-out.
The video is the best way to tell a story of a complex Silicon Valley project underway by some of the same folks who helped bring you products from Apple and the web browser from Netscape. It connects citizens to a real and pressing problem that is consuming lots of media attention right now in this election cycle: our crumbling voting systems infrastructure.
Now, there is no need to panic: what’s in production now will make it through this election—despite one candidate suggesting there will be “rigging.” But 43 States have to replace their machinery by 2020, which will be here before we know it. And their choice is to replace their existing stuff with more of the same. And that stuff is mostly built on 90’s personal computers.
But the time to address this problem and engage the public is now because this election cycle is upon us, and while we’ll make it through (although we fear there will be challenges and recounts), we the people can improve our own voting experience, increase confidence in elections and their outcomes, and trust the vote. Our civic duty and civil right to free and fair elections is the single most important liberty we have as American citizens. This video explains how we, the people can with your support ensure that liberty is preserved in a time where election technology has become an under-funded disregarded backwater of government I.T.
So please have a look at our new story and tell us what you think!
Below is a letter prepared by co-founders Gregory Miller and John Sebes sent to Tim Starks and Cory Bennett of POLITICO, who cover cyber-security issues. A formatted version is here. The signal-to-noise ratio on this subject is rapidly decreasing. There seems to be some fundamental misunderstandings of the challenges local election officials (LEOs) face; the process by which the equipment is qualified for deployment (albeit decrepit archaic technology by today’s standards); what the vulnerabilities are (and are not); and why a designation of “critical infrastructure” is an important consideration. We attempt to address some of those points in this response to Tim’s otherwise really good coverage.
Tim Starks
[email protected]
Morning Cybersecurity Column
POLITICO
1000 Wilson Blvd, 8th Floor,
Arlington, VA, 22209
RE: 11.August Article on Whether to Designate Election Infrastructure as Critical Infrastructure
Greetings Tim–
I am a co-founder of the OSET Foundation, a 501.c.3 nonprofit election technology research institute in the Silicon Valley. I’m writing in response to your article this week in Morning Cybersecurity:
ANOTHER VIEW ON ELECTIONS AS “CRITICAL INFRASTRUCTURE” –
Maybe classifying the election system as part of the nation’s “critical infrastructure” isn’t so wise.
We’ve been on a public benefit mission to innovate electoral technology since 2006. We’re a group of tech-sector social entrepreneurs bringing years of experience from our former employers like Apple, Facebook, Mozilla, Netscape, and elsewhere to bear on innovating America’s “critical democracy infrastructure” —a term we coined nearly a decade ago.
We’re working with elections officials across the country to develop a publicly owned democracy operating system called ElectOS™ in order to update and upgrade America’s voting systems with innovations that will increase integrity and improve participation for 1/3rd the cost of today’s aging systems. ElectOS will innovate voting machinery the way Android® has innovated smart phones and mobile devices. Both are freely available (or “open source”), and like Android, we believe ElectOS will one day enjoy a flourishing commercial market to sustain its continued innovation, deployment, and support.
We’ve been studying the challenges of election administration infrastructure for a decade. So, we read with great interest your article regarding another viewpoint about making a critical infrastructure designation for our nation’s deteriorating, obsolete, and vulnerable voting infrastructure. There are elements of your article we agree with (and more specifically comments of Cris Thomas), and there are points that we disagree with because they reveal some misunderstanding of the realities of election administration and the processes of managing the machinery today. Thus, we were compelled to write you and share these clarifications.
We hope our comments are helpful going forward as you continue to cover this important topic, especially in light of the current election season and the delicate issues being raised by at least one candidate and other media. Good on you for covering this. Below please find our (hopefully helpful) contributions to your effort. Relevant portions of your article appear indented in blue.
In recent days, a growing chorus of experts and policy makers have backed a proposal to give elections the same level of federal security protections that the government already grants other so-called critical infrastructure, such as the power grid or financial industry.
First, we believe it’s important to be very clear on what elections infrastructure are we talking about? We should be discussing voting technology operated by Local Election Officials (“LEOs”), and not web sites and eMail servers run by political NGOs.
Sure, the recent attacks on NGOs are a wake-up call for a variety of potential attacks on real Election Infrastructure (“EI”) and peripheral targets. But the Critical Infrastructure (“CI”) designation should be for core EI; that is, voting machines and the election administration software and systems that manage voting machinery.
But an old school hacker who was part of the L0pht collective says such a change might do more harm than good. “Classifying voting computers as critical infrastructure is going to cause a lot of headaches at the local level,” Cris Thomas, aka “Space Rogue,” tells MC [MC = “POLITICO Morning Cybersecurity”].
Critical Election Infrastructure (“CEI”) is not very different than other locally managed CI. Not all CI is big corporate IT like financial transaction processing systems, or government-operated systems like the ATC, or quasi-public technology like the power grid operated by a variety organizations, but subject to many government regulations. By contrast, we already have CI that is local, including local government operated. For example, there are small local water utilities and municipal water treatment organizations. Local first responders’ infrastructure is CI as well. So, there is plenty of precedent for giving a CI designation to locally managed assets.
Because elections, even national elections, have been historically treated as a local event; having a federal designation as critical infrastructure will fundamentally change how we have handled our elections for the last 240 years.
CEI designation will not cause a fundamental change in the current situation where U.S. elections are a local matter. Mr. Thomas is mistaken on this one point. Local election organizations will have the same responsibilities, plus some new ones for managing CI. But a county election administrator will still manage elections the day after or even the year after a critical infrastructure designation. That cannot, should not, and will not change.
Thomas, now a strategist at Tenable Network Security, says the idea misses the point: We need to remain focused on the security concerns of the current system, which fall into two areas. First, many manufacturers are not testing the systems well enough before selling them to municipalities, often using off-the-shelf hardware and software with minimal security and using things like default, hard-coded passwords.
Of course, the existing voting machines have technical security issues—and at the risk of reading like we’re overly defending vendors, what computing system has none? And of course, it’s also true that a CI designation won’t change these products’ default security posture.
…at the same time, the local government certification agencies seldom have the time, resources and knowledge to properly test these computers for vulnerabilities, …
The same is true regarding certification process, although Mr. Thomas is mistaken about that process itself. There are not “local certification agencies,” but rather Federal and State organizations that certify the systems local (county) election jurisdictions are authorized to use. Nevertheless a CI designation will not increase the rigor of the certification process, and it won’t increase the capability of LEOs to do technical scrutiny of their own.
…and often just accept a manufacturer’s claims of security.
We must also take exception on Mr. Thomas’s last comment. The idea of certification sometimes amounts to “just accepting vendor security claims” —cannot be, and is not the case. Although the current certification process isn’t as strong as we’d like, and though nearly all stakeholders want improvement, there are already clear requirements for vendors to demonstrate compliance with security related requirements. On the other hand, misleading vendor claims about security can sway LEOs when selecting a certified system (and the choices are down to three vendors).
…[T]he result is a system that our entire democracy depends on, which is run with minimal, easily bypassed security.
Sure, but its a mistake to focus solely on technical security problems of voting machines, particularly since these systems are not going to be replaced with better technology immediately upon a CI designation. In the near term, the impact of CEI will be more on people and process, and less on technology itself. LEOs will need help to build organizational capacity and expertise to manage physical assets as critical infrastructure, with physical security, personnel security, increased operational security processes, and the ability to demonstrate that a variety of kinds of people and process controls are actually being followed rather than merely mandated.
So, improvements in the human aspects and processes are the immediate value of a Critical Election Infrastructure designation. Such a designation would need to clearly state that our local election officials (LEOs) are custodians of not just critical infrastructure, but infrastructure that is critical to our national security.
That’s never been a responsibility for LEOs, and many LEOs will be dismayed that they will be called upon to operate in ways that they never imagined would be important. It will require long-term capacity building. In the short term, there are many improvements in people and process that are possible, although unlikely unless there is a high sense of urgency and importance. The designation of election infrastructure and critical infrastructure, however, can help create and maintain that urgency.
A better approach, Thomas says, is to increase funding for the National Voluntary Laboratory Accreditation Program run by NIST and the U.S. Election Assistance Commission.
We agree in principle, but this is not mutually exclusive with Critical Infrastructure. Clearly, there is room for improvement, and NIST and EAC have important roles. With Critical Election Infrastructure, their roles would need to enlarge, but reasonably so.
We also agree that more funding for these organizations’ election integrity efforts are necessary, but doing so is not an either / or decision in consideration of other aspects of CEI. If Election Infrastructure is truly “critical” then several things must occur, including, but not limited to the additional support for NIST and EAC that Mr. Thomas is encouraging.
Here are three examples of improvement that a Critical Election Infrastructure designation would enable —though additional funding and expertise would be required.
We hope this is helpful. We’re glad to discuss issues of election integrity, security, and innovation whenever you want. The co-founders have been in the technology sector for three decades. Both have worked on critical infrastructure initiatives for the government. The OSET CTO, John Sebes has been in digital security for over 30-years and is deeply experienced with the policy, protocols, and tools of systems and facilities security. Our Advisory Board includes former US CTO Aneesh Chopra, digital security expert and CSO of Salesforce.com, Dr. Taher Elgamal, global expert on elections systems integrity, Dr. Joe Kiniry, DHS Cyber-Security Directorate Dr. Douglas Maughan, and several former state election officials.
Respectfully,
Gregory A. Miller
Co-Founder & Chief Development Officer
(This is a x-post from Ms. Voting Matters’ announcement on the OSET Institute’s corporate site.)
We are totally excited about an amazing opportunity tomorrow, Tuesday July 26th, to appear at an event as part of the Democrat National Convention.
The only thing that would make this truly complete is if the Republican National Convention had also invited us (we asked, and although we’re pleased to be working with several in the RNC infrastructure, making something happen was not possible.)
But the New Democrat Network (NDN) and the New Policy Institute did reach out to us and invited us to their premier Strategy Forum now being held at its 4th Democrat National Convention. So, we’re focused on presenting to an audience estimated to exceed 1,000 per latest projections based on RSVPs as of yesterday (over 900). This is truly an amazing opportunity for us to spread the story of our work and we’re deeply appreciative of the NDN’s invitation.
The event, “Looking Ahead: Talks on the Future of America and American Politics” is bringing together a collection of amazing thought-leaders on the future and innovation of democracy including experts such as Ari Berman, Alec Ross, Joel Gamble, Jose Antonio Vargas, and others.
The title of our presentation is: “Modernizing Our Election Technology Can Make Our Democracy Better.”
This will not be telecast, although we’re still waiting word about a webcast, video stream, or recording of the sessions. We’ll update this as soon as we know.
However, part of our presentation will be the launch of a new 2 minute video vignette about the looming problem of obsolete voting machinery and our approach to help bring about innovation which will increase integrity, lower costs, improve participation, and rejuvenate a flagging industry with new technology to innovate the business of delivering finished voting systems. That video will be available on YouTube tomorrow afternoon, and we will add a comment to this post and update it accordingly.
OSET’s Director Citizen Outreach, Meegan Gregg, and the Foundation’s Co-Founder, Gregory Miller will deliver this “Ted-Talk” -like presentation at 12:20pm EDT at the Convention Center in Philadelphia. It should be a great time and a huge (oops) opportunity.
Recently, we were asked about a concept authored by a former technology executive at Citrix (yes, those folks) back in 2012 regarding a potential end to end secure voting system. But that was actually part of a larger question: whether and to what extent digital security must now live beneath the operating system software layer rather than on top of it. The author’s ideas for an online voting system are laudable and his credentials are credible. His follow-on article last year (2015) is interesting, and more to the point of hardware-level security alluded to in the first article. I offer a couple of comments below including some points by our CTO on this approach because it is something baked into ElectOS.
First, we agree that a hardware root of trust is an essential ingredient for any trustworthy computing device running mission critical software. The author, Ahmed Sallam (now CEO at DeepSAFE Technology) rightly points that out, but we doubt that Citrix has an existing product that can safely run an Internet Voting client. We’d love to be proven wrong on that, but it does not change the fact that the core problem is one of successfully combining many ingredients. This is one of the well known ingredients.
There is, from my perspective a well-developed and detailed technical white paper providing a worked example of a hardware root of trust from Apple for its iOS mobile operating system. This hardware rooted security layer has allowed Apple to develop Apple Pay and their biometric authentication management system (you can see a very good overview video here (may require Safari Browser to watch) of how it works). For those wishing to dive deeper, here is the NIST Draft Guidelines for Hardware Rooted Security in Mobile Devices.
At a deeper level of detail, our CTO (John Sebes) agrees with the technical architecture for the server side, but he believes that for the client side, Ahmed’s approach is a bit of overkill. As John observes, “If I understand it right, the Sallam model seeks to allow trusted and un-trusted code to run on a device, with a full operating system and all.”
So, the client architecture that John and the TrustTheVote Project have been advocating from the beginning, starts with a consumer device that has a hardware root of trust and a hypervisor that can validate a boot image as coming from a trustworthy source. John reports that we nearly have that today. And it has to have the ability to do both:
One such “something else” will probably be a banking App, but the one we’re interested in is a Voting (ballot casting) App — with a single purpose: it runs only that one App and the SW stack under it, immune to malware, etc. That’s not even that hard, but there are interesting PKI (Public Key Infrastructure) issues for ensuring that a given voting App is the real {authentic | authorized} voting App, and performing strong authentication of the user-voter, etc.
Now for the “But…” part of this. Fundamentally, we agree with Ahmed’s vision and concept; however, Citrix will be a potential player in the iVoting technology arena if and only if it is a major player in the mobile computing technology computing ecosystem. From what we can tell, Citrix is moving in that direction.
So to summarize, at the end of the day,
Over the past three years we have used this space to document our efforts to create a truly open source, standards based election reporting solution: VoteStream. At each step we have been guided by the needs of election professional and the ideals of the OSET Foundation: that a critical democracy infrastructure should be verifiable, accurate, secure, and transparent (in process).
Today we are excited to take the next step in that process. In partnership with the Knight Foundation, the TrustTheVote project is launching a round of beta testing for the next version of VoteStream. This round will continue to focus on the requirements of local election officials and solicit feedback from academics, journalists, and other stakeholders.
In past tests we demonstrated the ability of VoteStream to publish election results in an easily accessible format. This round will demonstrate the process of converting raw election data to the standard format published by the National Institute of Standards and Technology.
The beta round will be lead by Iain Padley, our new Director of Election Professional Stakeholder Engagement. Iain comes to OSET with experience in community and political organizing with a special emphasis on education issues. He has spent much of the past three years working with local and state election officials to leverage public data to drive increased civic engagement among educators.
If you would like to apply for a spot in this beta round please fill out an application form or email Iain directly at [email protected]
In those continuing efforts to route around the abysmal state of voting in America, we’re starting to hear an increasing drumbeat about Bitcoin as a basis for reinventing elections. We’ve been watching this discussion or evangelism unfold in the past few weeks. We even fielded questions from politicos in the Beltway last week about it (seriously).
As technocrats at heart around here, how can we not have our tails in a slow wag over the potential of Bitcoin technology (specifically the Block Chain)? Well, a slow wag maybe; getting our tails in a twist over it for voting? Not so much. And here’s why.
I’m going to use one particular article that dropped this week as a vehicle for discussion. Not because we’re picking on this author or his publication by any stretch (besides, publishing technicality, it was only a “contributed piece”). But rather, this article provides a typical, and as good as any, evangelistic essay on the topic.
To start with, the author makes a fundamental assumption that is wholly inappropriate for U.S. elections administration. Then, several other observations on his part unfortunately reveal a complete lack of understanding of U.S. election law and practices (not that we think he should be an expert in such things, but he probably should have some basic understanding before assuming how Bitcoin might or might not innovate the process of elections). Author Odell leads with:
The primary problem with the antiquated methods come down to a single fundamental issue, centralization.
Well, actually, that centralization is necessary and it isn’t central, but local — the machinery of U.S. elections are required to be in the control of U.S. local election officials. It’s a feature not a bug. His next assertion:
Current voting methods require a large amount of human involvement, from poll workers, to vote counters, to the companies and engineers that design the voting machines.
Yes, yes they do. And the effort is worth it, for the proper operation of critical democracy infrastructure. You see, the integrity of the process depends on local control of ballots, transparency of the local operations, and a critical dual approach to counting ballots that prevents both sole reliance on people and sole reliance on technology. Both people and software have fundamental limits in trustworthiness, so it is important to use both, in order to solely trust neither. Odell continues:
Then you have the oversight groups who employ individuals to oversee the election workers.
Actually, that’s a feature, not a bug. Election workers’ work should be transparent, but the accountability benefits of transparency only accrue if members of the public and good-government groups are actually watching. Then the author continues with some assertions that I’ll take list-wise in response.
“Current voting methods are …
Odell continues…
Bitcoin technology can provide us with a new and improved voting system built from the ground up, a decentralized and secure alternative.
“Decentralized” in this context would mean non-localized. But that would mean local elections officials relying on a trust management system that they cannot and do not control. That doesn’t fit current election law and regulations in the vast majority of the jurisdictions in this country. “Secure” in this context means “local elections officials should trust this decentralized system because its proponents say it is trustworthy.” At the risk of thinking too practically: that’s just not likely to happen anytime soon.
Odell adds…
Bitcoin is a decentralized and robust ledger secured by computers around the world that run the Bitcoin software.
Indeed it is. We’re not disputing that characterization, but no local election official in this country is going to swallow a story of, “This crypto is so good it will never break and you can trust it so much that you can outsource to a nebulous global network all the responsibility you have for demonstrating the accuracy of election results.” Not going to happen, not any time soon. I’ll pass on even attempting to address “robust” in the author’s assertion about the ledger, as it would apply to voting in America.
Then consider that there is an entire generation of post-Snowden voters coming up who are crypto-luddites, and who believe that any system’s fundamental reliance on crypto is an invitation for central governments’ national security establishments to sneak in. The most recent example is the Tor Network, which supposedly protects the anonymity of people using the web. In fact, about 80% of its infrastructure has been compromised, and if someone is unlucky enough to use that 80% while being targeted by national security apparatus, their anonymity will be breached. Unfortunately perhaps, there’s no reason to suppose that the foreseeable future of Bitcoin is any brighter, and not just because Mark Cuban says so.
I’ll toss in one final thought about the near-term practicality of Bitcoin being the pathway to secure and fraud-free elections. Bitcoin usage requires at least a basic appreciation of the concept of public-key encryption (“PKI”); specifically the use of public and private keys (as straight forward as some may believe it to be). We learned long ago from our prior ventures that the public was nowhere near ready (and still not today) for widespread use of technology like digital signatures or public key cryptography. While Bitcoin transactions are simple enough and do not require a computer scientist to mine bitcoins or make purchases, in order to use Bitcoin technology as a basis for casting and counting ballots, one would need considerably more Bitcoin knowledge.
I’ll leave this critique by observing that at least for the article I chose, the title did state, “How Bitcoin Could Make Voter Fraud and Stolen Elections Impossible.” The operative word there is “Could.” And if we simply want to consider the potential of a technology (verses its practicality) then the potential of Bitcoin to provide for a more secure means of voting is acknowledged. However, I remain convinced it is impractical for American elections as they are conducted and regulated today, and skeptical about the term “Impossible” for anything related to voting security.
How Bitcoin Fits Into Our Innovation Envelope
Now, let me shift from a critique of the current Bitcoin evangelists to a comparison with our charge. We have had some people complain that as a non-profit election technology R&D organization, we should be spending more time looking over the horizon at everything from the block chain to smartphone Internet-based voting. We are spending all of our time looking at innovations, with one major important difference: we are an “applied research” organization and not a “basic research” organization.
What that means is we are funded to have an emphasis on discovering, determining, and developing innovations that are likely to find their way into adoption, adaptation and deployment in the foreseeable future, in order to begin shifting elections administration and voting into the 21st century, while respecting laws and regulations as they stand, and process and politics as they exist.
So, where does this leave us with regard to Odell’s (and others’) vision of the Bitcoin blockchain serving as the basis for reinventing how (at least) America votes? Let’s put it this way:
The bottom line here is that we didn’t say that there is no room for Bitcoin blockchain technology in future innovations, only that it doesn’t even remotely fit into something that local elections officials can use in the foreseeable future.