
Election Technology Enigmas Considered Harmful

I have one last comment on CAP’s recent report “9 Solutions to Secure America’s Elections,” in addition to my previous comments and those of my colleagues here at the OSET Institute. I don’t agree that any 9 steps can “Secure America’s Elections,” and especially not CAP’s 9 steps. Their recommendations are fundamentally about gradualism: the belief that what’s in place can be incrementally improved until we are “secure.” Though we can never be completely “secure,” we need more than gradualism to create the fundamental changes that can significantly reduce risks to our elections, especially cyber security risks.

Curiously, despite the report’s bold title, I’m not sure the authors actually intended to advocate for only gradual improvements, because of their agreement on 2 key points. What’s missing is the explicit logical conclusion from those 2 points. The brief version is simply this:

  • If you think elections are critical to national security; and
  • If you think that current election technology is way too weak for our adversaries;
  • Then you can’t honestly limit your recommended response to Band-Aids; you have to consider wholesale replacement with solutions built for the challenges of the current threat environment.

But further, it is an enigma to me why this logic isn’t more widely accepted. I have a couple of theories, related to my most important point: that wholesale replacement does not require anything like an Election Manhattan Project. In fact, the core tech has already been proven in use in other fields for years.

Agreement: It’s National Security

I’ll start with the two points that I agree with the most. The first point is national security. Elections are indeed a matter of national security, a bedrock part of our sovereignty and our ability to democratically affect the course of governance of our country. That bedrock is broadly understood of course, but only recently has there been broad awareness of how we are at risk. Our elections are in the cross-hairs of our nation-state adversaries, well funded and well equipped for hybrid cyber-operations, information operations, disinformation campaigns, and social media cyber-operations. In 2016 we saw a warm-up exercise by one adversary, but we know that there are several. Some of them have demonstrated capabilities well beyond what the public saw in 2016.

Kudos to CAP authors Danielle Root and Liz Kennedy for coming straight out with the point about national security risks. Not so long ago, a small group of election integrity and technology experts were routinely belittled with nursery-rhyme epithets about crying wolf and skies falling. Along with recent work by the Brennan Center, the EAC, and Congressional testimony by DHS, among others, this CAP report helps put to rest a host of baseless optimisms about early 21st century election security. I’m grateful, but I wish I had been a louder voice in that earlier Cassandra Chorus.

Agreement: It’s Massively Vulnerable and Exploitable

The second point that I agree with the most is the CAP report’s several observations of prior work on two points: demonstrations of the technological vulnerabilities of current voting systems, and assessment of the broader set of risks to elections that are enabled by voting technology insecurity. The CAP report provides another important voice for the observation that our current technology for election infrastructure (“EI”) is mismatched for the present and future; it was never designed for or intended to operate in the current threat environment of nation-state adversaries with the sophisticated capabilities that I noted above.

I believe that there is certainly room for varying assessments or assumptions about the likelihood of various types of attack, the likelihood of detection, and the likely consequences of detection or lack thereof. But the bottom line is that EI technical vulnerabilities are a gift to our adversaries, regardless of one’s assessment of how those gifts might be used to our detriment.

Disagreement: Focus on Mitigation and Incremental Improvement

I truly respect the CAP authors’ intent of collating the most important steps that many have identified as essential for mitigation of risk, and incremental improvement of EI. Within the narrow scope of voter records management, I mostly agree with gradualism. And yes, there are some important caveats on a few items of agreement, as noted by my colleague Sergio Valente. And yes, I have some significant disagreements on the way that the CAP report treats stakeholders. But these caveats aside, I fundamentally disagree with the implied statement — which I hope the authors didn’t fully intend — that it’s enough to do gradual in-place mitigation of existing vulnerable EI.

In-place mitigation is important, but only as band-aids for fundamentally vulnerable EI. Apply the band-aids while getting a replacement prepared, and then jettison the band-aided EI in favor of fundamentally stronger replacement technology. Let me apologize here for the convenient shorthand term “band-aid,” which is really about extraordinary efforts in thousands of elections offices to mitigate the potential harm from the fundamental vulnerabilities of existing EI. This existing EI technology, which “gradualists” would have us accept as unavoidable reality, requires these extra efforts, but the efforts could well be on the short end of an asymmetric conflict with world-class cyber-warriors. If that sounds fanciful to you, I respect your assessment of a low risk, but I ask: “Risk assessment aside, should we really accept the vulnerabilities that create the risk? Especially given the existence of proven technology alternatives?”

“But Captain, That Is Not Logical”

As I said, I understand that everyone has their own views, risk assessments, realpolitik, and numerous other factors that color their conclusions on what to do with EI that is a national security asset. Everyone is entitled to their own opinions, and increasingly to the opinion that they are entitled to their own facts. But nobody is entitled to their own logic; or at least Commander Spock and I hope not. Here is the logic:

  • If you accept the national security CI protection viewpoint that I and the CAP authors and many others espouse (and I know that not everyone does);
  • And if you accept that the CI that is elections infrastructure does have fundamental vulnerabilities (and I know that many have not yet understood this);
  • Then it is illogical to believe that it is sufficient to rely on unfunded labor-intensive mitigations that could well be overcome by our adversaries.

Captain, that is not logical. It is an enigma! The only 2 things that I can think of that make sense of a blinkered view of this logical conundrum are: market dogma, and unawareness of existing alternatives.

No Manhattan Project Needed

The market dogma is what I sum up as:

“What the for-profit market has no ability or incentive to develop and deliver to the government, the government will never have.”

I disagree! At the local level, that’s understandable for all but a handful of county governments who have developed a broader assessment of EI. But at a national strategy level, that assumption’s falsity is demonstrated by the history of ARPAnet, DARPA, NSFnet, e-commerce, the Global Information Grid, and the digital world at your fingertips on your “phone”.

But suppose that you admit that, in general, strategic technological hurdles can be largely overcome with basic R&D, applied R&D, and technology transfer. Admitting that, you could well believe that there is simply no fiscal or political will for an Elections Manhattan Project. Could be — and the good news is that it’s not needed. The basic R&D and applied R&D have already been done on trustworthy computing (especially fault tolerant, high assurance, fixed function, dedicated systems), and applied in practice from satellites to carriers to in-theater ad-hoc mesh networks for C4I. The task at hand is not to invent the base technology for trustworthy computing for a critical infrastructure – including that of elections. That’s already been done. The task is to:

  1. Re-use the existing core technology, applied to critical elements of voting systems;
  2. Layer on top of the core all and only the critical functions of ballot casting and counting, and back-office functions that they depend on;
  3. Do the stakeholder-centered usability engineering to ensure that the technology fits the existing resources and practices for our locally-operated, state-managed elections;
  4. Manage the technology transfer to enable the for-profit market to deliver the fruits of these labors, in a healthy competitive environment of government IT procurement for system integration and IT support services.

That’s not a Manhattan Project. The pessimistic might compare it in logistical complexity to Operation Overlord. But for elections, we did that operation already. It was called HAVA – the Act of Congress; the billions of dollars; and the replacement of punch cards and butterfly ballots and paperless mechanical voting machines. That wasn’t a great success, in part because the result included paperless electronic voting machines. But that experience provided many lessons learned in the elections community. If steps 1, 2, 3 above can be done expeditiously, then step 4 could be done faster, better, and far cheaper, given the experience of HAVA.



Election Infrastructure Recommendations: We Need to Respect Our Election Officials

My thanks to the Center for American Progress (“CAP”) for their recent report “9 Solutions to Secure America’s Elections”. As my colleagues here at OSET Institute have already written, we agree with many of the report’s recommendations at a short term tactical level, but in addition have a longer term strategic view based on principles of national security, homeland security, and critical infrastructure protection. I’m very pleased that CAP has joined the discussions in the election integrity and technology community — especially the discussion about how election officials (“EOs”) can move ahead to better protect the critical election infrastructure (“EI”) that they operate. One of my two contributions to this discussion is not to disagree with CAP’s tactical recommendations, but to suggest that as guidance to EOs, any tactical recommendation is going to be more effective in a framework of greater respect for EOs.

That more respectful framework includes:

  • Acknowledge Election Officials’ existing activities in EI protection.
  • Acknowledge efforts in the Election Official community to increase that protection.
  • Exercise greater respect for states’ critical role in elections; not just local operation and State oversight, but also Election Infrastructure protection efforts.

I comment below on CAP’s report in each of these areas.

Respecting States’ Roles

While I don’t disagree with most of CAP’s recommendations, I do find several of them to be formulated with a common flaw — lack of acknowledgement of states’ critical roles in U.S. elections. There are several statements that use words like “require” and “mandatory.”

I object to all of these as likely to be interpreted as overriding states’ fundamental independence in matters of elections. The Federal government can’t and shouldn’t try to make any requirements, and no one else should dictate to states either. In the election integrity and technology community, we can suggest to individual states that their state election directors determine how to make new state-specific requirements on their localities – for example, for uniform risk-limiting ballot audit processes and creation of public evidence from them. But it is up to states to decide what is appropriate and feasible for their state and its local elections offices.

We can hope that the growth of multi-state information sharing practices will lead to common approaches nationwide, but I don’t think it’s right to say that states need to be dictated to by anyone.

Particularly vexing is the suggestion that new Federal law should mandate vulnerability analysis of EI. Existing voting systems have already seen ample security analysis and discovery of many security vulnerabilities. Such discovery has occurred in every certified voting system product that states have assessed in efforts like TTBR, EVEREST, and more recent work. Federal legislators or regulators are not equipped to specify exactly what types of analysis are sufficient. Even if they were, a new unfunded Federal mandate to perform analysis would likely have a perverse effect — to shift limited funds away from the mitigation of vulnerabilities that are already well known, to required re-analysis of systems already known to be highly vulnerable.

CAP makes a similar suggestion to require updating and securing voter registration (VR) systems. But this assumes that VR systems have inadequate security that isn’t being addressed. In fact, that’s not yet known. Some states have already focused on VR security, others recently sought DHS cyber security assistance, and others have not. Some VR systems might need a major re-design for cyber-security, while others might benefit from operations changes for better cyber “hygiene”. As with other activities that I list in the next section, VR cyber security improvements are ongoing.

Lastly, I find especially inappropriate the recommendation for automatic voter registration (AVR). Each state has a right to regulate its voter rolls as it sees fit, and AVR is not universally viewed as an improvement. Indeed, in some states, AVR would work against the state’s political culture that participation in elections should require a pro-active step on the voter’s part to register. It is certainly the case that adding AVR would require major technology updates to any VR system, but that is no reason to label current systems as antiquated. While some may have a political agenda for nationally uniform automatic registration, that agenda has no place in any recommendations to strengthen cyber security of the state IT systems that manage voter records.

Recommendations Already Being Followed

Of the nine recommendations, four are part of existing Election Official practices. EOs already have done, or are in the process of doing, a significant hardware and system transition. That transition includes efforts to replace aging unreliable machines, replace paperless voting machines, and support post-election ballot audits. Similarly, there is an ongoing shift in ballot audit processes to adopt scientific and statistically sound methods for people to cross-check the work of fallible voting technology. (The scientific basis ensures the minimum effort for the maximum assurance that machine malfunction did not change an election result.) Most recently, Colorado and New Mexico have made notable progress. In recommending these and other activities, we should respect that EOs already understand their importance and are pursuing them. Some EOs certainly could use assistance and encouragement that starts with respect.
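To make the “minimum effort for maximum assurance” point concrete, here is an added example (not code from the OSET Institute, CAP, or any state’s audit procedure) of a two-candidate ballot-polling risk-limiting audit in the BRAVO style: ballots are drawn at random and interpreted by hand, and the audit stops as soon as the sampled evidence for the reported winner exceeds 1/alpha, escalating to a full hand count otherwise. The reported tallies and the hand-interpreted sample are constructed.

```python
import math

# Constructed example of a BRAVO-style ballot-polling risk-limiting audit.
# The risk limit alpha bounds the chance that an audit confirms an outcome
# that a full hand count would have overturned.
RISK_LIMIT = 0.05


def bravo_audit(reported, sample, alpha=RISK_LIMIT):
    """Two-candidate ballot-polling RLA.

    reported: {"winner": votes, "loser": votes} from the machine count.
    sample:   randomly drawn ballots, each hand-read as "winner", "loser"
              or "other" (undervote / third candidate).
    Returns (confirmed, ballots_examined, test_statistic).
    """
    w, l = reported["winner"], reported["loser"]
    if w <= l:
        raise ValueError("reported winner must have a strict majority")
    p_w = w / (w + l)   # reported winner share of the two-candidate vote
    t = 1.0             # likelihood-ratio test statistic, starts at 1
    examined = 0
    for ballot in sample:
        examined += 1
        if ballot == "winner":
            t *= p_w / 0.5          # ballot agrees with reported outcome
        elif ballot == "loser":
            t *= (1 - p_w) / 0.5    # ballot contradicts reported outcome
        # "other" ballots carry no information about winner vs loser
        if t >= 1 / alpha:
            return True, examined, t      # outcome confirmed at risk limit
    return False, examined, t             # escalate to full hand count


def best_case_sample_size(reported, alpha=RISK_LIMIT):
    """Ballots needed if every sampled ballot is for the reported winner.

    Shows why effort scales with the margin: a narrow reported margin needs
    a much larger sample to reach the same assurance.
    """
    w, l = reported["winner"], reported["loser"]
    p_w = w / (w + l)
    return math.ceil(math.log(1 / alpha) / math.log(2 * p_w))


if __name__ == "__main__":
    tally = {"winner": 6000, "loser": 4000}          # reported 60/40 split
    hand_read = ["winner"] * 10 + ["loser"] * 2 + ["winner"] * 10
    print(bravo_audit(tally, hand_read))               # confirmed after 21
    print(best_case_sample_size(tally))                # 17 ballots at 60/40
    print(best_case_sample_size({"winner": 5100, "loser": 4900}))  # 152
```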

Likewise, EOs already perform pre-election testing on voting machines, to the best of their abilities. But those abilities are limited by shortcomings of the voting systems that they have. One limit of particular concern is that most if not all voting machines in use today lack support for EOs to feasibly and accurately validate them. Such validation should consist of means to assess each voting machine to ensure that it remains in the original certified configuration, without modification or tampering. Given that limitation, EOs are already doing all the testing that’s meaningful to detect malfunction and unreliability.

So yes, these recommendations are sensible, but more importantly, let’s commend EOs. Let’s ask them, “What more do you need to strengthen existing practices or accelerate in-progress changes?” — not just tell them to do what they are already doing.

EI Sector Formation Already in Progress

Two other CAP recommendations are about information sharing and coordination. Even leaving aside the inappropriate “mandatory” reporting idea, these two recommendations don’t recognize the extent of these and other related activities that are already ongoing: several organizations have started collaborating in the formation of election infrastructure (“EI”) as a new critical infrastructure (“CI”) sub-sector. CAP provides helpful background to those new to CI: information about ISACs, the role of the intelligence community, the existing MS-ISAC, the National Intelligence Priorities Framework, the Cyber Threat Intelligence Integration Center and so forth. And it’s good to note one meeting hosted by EAC and DHS.

However, such meetings are part of an ongoing process in which we need to identify the key stakeholders, not just these Federal organizations and programs. EI sector formation activities already include leading local EOs, state EOs, and their organizations and associations including NASS and NASED. Rather than recommending general goals for activity in the EI sector or the community as a whole, we should be commending. Let’s commend EOs and all the stakeholder organizations for the formation work that they are already doing, and ask them, “What resources could accelerate the process?”

But further yet, we should identify specific aspects of work in progress that can be supported and accelerated by EI sector formation and sector organizations. For example, statewide uniform practices for risk-limiting audits might emerge from both: inter-state information sharing that enables some states to learn from the early work of others; and intrastate sharing of audit experiences to determine what works in the specific environment of each state. Intrastate sharing and cross-state local learning might also be fortified by more local stakeholder organizations, such as each state’s association of local EOs, and IAOGO.

Similarly, CAP’s “require minimum cyber security standards” for voter registration (“VR”) systems should not be cyber-operations standards imposed by some authority. Rather, effective VR security measures should emerge from ongoing EI sector information sharing activities including: surveys of existing practices, ongoing security assessment and remediation, and lessons learned by some states that can guide other states’ activity. The need is certainly urgent, given attacks in 2016, but professional assessment and practical remediation are called for, not top-down rules that might interfere with implementing lessons learned from the cross-state sharing activity that’s already in progress.


To close, I want to re-emphasize that most of the CAP recommendations are sound at the core, but would be better with a couple improvements:

  • subtract the “require” and “mandatory” and “Federal,” in favor of respecting states’ primacy in elections;
  • add some acknowledgement of EOs’ existing practices and efforts to improve security.

Our EOs are hardworking public servants who just received a new unfunded (for now) mandate to manage their election assets as critical infrastructure. There’s a lot to learn, and a lot to do. The election integrity and technology community can have a helpful and supportive role, but it needs to start with both gratitude and respect for EOs’ work.