
Election Technology Enigmas Considered Harmful

I have one last comment on CAP’s recent report “9 Solutions to Secure America’s Elections” in addition to my previous comments and those of my colleagues here at the OSET Institute. I don’t agree that any 9 steps can “Secure America’s Elections,” and especially not CAP’s 9 steps. Their recommendations are fundamentally about gradualism: the belief that what’s in place can be incrementally improved until we are “secure.” Though we can never be completely “secure,” we need more than gradualism to create fundamental changes that can significantly reduce risks to our elections, especially cyber security risks.

Curiously, despite the report’s bold title, I’m not sure the authors actually intended to advocate for only gradual improvements, because of their agreement on 2 key points. What’s missing is the explicit logical conclusion from those 2 points. The brief version is simply this:

  • If you think elections are critical to national security; and
  • If you think that current election technology is way too weak for our adversaries;
  • Then you can’t honestly limit your recommended response to Band-Aids; you have to consider wholesale replacement with solutions built for the challenges of the current threat environment.

But further, it is an enigma to me why this logic isn’t more widely accepted. I have a couple of theories, related to my most important point: that wholesale replacement does not require anything like an Election Manhattan Project. In fact, the core tech has already been proven in use in other fields for years.

Agreement: It’s National Security

I’ll start with the two points that I agree with the most. The first point is national security. Elections are indeed a matter of national security, a bedrock part of our sovereignty and our ability to democratically affect the course of governance of our country. That bedrock is broadly understood of course, but only recently has there been broad awareness of how we are at risk. Our elections are in the cross-hairs of our nation-state adversaries, well funded and well equipped for hybrid cyber-operations, information operations, disinformation campaigns, and social media cyber-operations. In 2016 we saw a warm-up exercise by one adversary, but we know that there are several. Some of them have demonstrated capabilities well beyond what the public saw in 2016.

Kudos to CAP authors Danielle Root and Liz Kennedy for coming straight out with the point about national security risks. Not so long ago, a small group of election integrity and technology experts were routinely belittled with nursery-rhyme epithets about crying wolf and skies falling. Along with recent work by the Brennan Center, the EAC, Congressional testimony by DHS, among others, this CAP report helps put to rest a host of baseless optimisms about early 21st century election security. I’m grateful, but I wish I had been a louder voice in that earlier Cassandra Chorus.

Agreement: It’s Massively Vulnerable and Exploitable

The second point that I agree with the most is the CAP report’s several observations of prior work on two points: demonstrations of the technological vulnerabilities of current voting systems, and assessment of the broader set of risks to elections that are enabled by voting technology insecurity. The CAP report provides another important voice for the observation that our current technology for election infrastructure (“EI”) is mismatched for the present and future; it was never designed for or intended to operate in the current threat environment of nation state adversaries with the sophisticated capabilities that I noted above.

I believe that there is certainly room for varying assessments or assumptions about the likelihood of various types of attack, the likelihood of detection, and the likely consequences of detection or lack thereof. But the bottom line is that EI technical vulnerabilities are a gift to our adversaries, regardless of one’s assessment of how those gifts might be used to our detriment.

Disagreement: Focus on Mitigation and Incremental Improvement

I truly respect the CAP authors’ intent of collating the most important steps that many have identified as essential for mitigation of risk, and incremental improvement of EI. Within the narrow scope of voter records management, I mostly agree with gradualism. And yes, there are some important caveats on a few items of agreement, as noted by my colleague Sergio Valente. And yes, I have some significant disagreements on the way that the CAP report treats stakeholders. But these caveats aside, I fundamentally disagree with the implied statement — which I hope the authors didn’t fully intend — that it’s enough to do gradual in-place mitigation of existing vulnerable EI.

In-place mitigation is important, but as band-aids for fundamentally vulnerable EI. Apply the band-aids while getting a replacement prepared, and then jettison the band-aided EI in favor of fundamentally stronger replacement technology. Let me apologize here for the convenient shorthand term “band-aid,” which is really about extraordinary efforts in thousands of elections offices to mitigate the potential harm from the fundamental vulnerabilities of existing EI. This existing EI technology, which “gradualists” would have us accept as unavoidable reality, requires these extra efforts, but the efforts could well be on the short end of asymmetric conflict with world-class cyber-warriors. If that sounds fanciful to you, I respect your risk assessment of a low risk, but I ask: “Risk assessment aside, should we really accept the vulnerabilities that create the risk? Especially given the existence of proven technology alternatives?”

“But Captain, That Is Not Logical”

As I said, I understand that everyone has their own views, risk assessments, realpolitik, and numerous other factors that color their conclusions on what to do with EI that is a national security asset. Everyone is entitled to their own opinions, and increasingly to the opinion that they are entitled to their own facts. But nobody is entitled to their own logic; or at least Commander Spock and I hope not. Here is the logic:

  • If you accept the national security CI protection viewpoint that I and the CAP authors and many others espouse (and I know that not everyone does);
  • And if you accept that the CI that is elections infrastructure does have fundamental vulnerabilities (and I know that many have not yet understood this);
  • Then it is illogical to believe that it is sufficient to rely on unfunded labor-intensive mitigations that could well be overcome by our adversaries.

Captain, that is not logical. It is an enigma! The only 2 things that I can think of that make sense for a blinkered view of this logical conundrum are: market dogma, and unawareness of existing alternatives.

No Manhattan Project Needed

The market dogma is what I sum up as:

“What the for-profit market has no ability or incentive to develop and deliver to the government, the government will never have.”

I disagree! At the local level, that’s understandable for all but a handful of county governments who have developed a broader assessment of EI. But at a national strategy level, that assumption’s falsity is demonstrated by the history of ARPAnet, DARPA, NSFnet, e-commerce, the Global Information Grid, and the digital world at your fingertips on your “phone”.

But suppose that you admit that, in general, strategic technological hurdles can be largely overcome with basic R&D, applied R&D, and technology transfer. Admitting that, you could well believe that there is simply no fiscal or political will for an Elections Manhattan Project. Could be — and the good news is that it’s not needed. The basic R&D and applied R&D has already been done on trustworthy computing (especially fault tolerant, high assurance, fixed function, dedicated systems), and applied in practice from satellites to carriers to in-theater ad-hoc mesh networks for C4I. The task at hand is not to invent the base technology for trustworthy computing for a critical infrastructure – including that of elections. That’s already been done. The task is to:

  1. Re-use the existing core technology, applied to critical elements of voting systems;
  2. Layer on top of the core all and only the critical functions of ballot casting and counting, and back-office functions that they depend on;
  3. Do the stakeholder-centered usability engineering to ensure that the technology fits the existing resources and practices for our locally-operated, state-managed elections;
  4. Manage the technology transfer to enable the for-profit market to deliver the fruits of these labors, in a healthy competitive environment of government IT procurement for system integration and IT support services.

That’s not a Manhattan Project. The pessimistic might compare it in logistical complexity to Operation Overlord. But for elections, we did that operation already. It was called HAVA – the Act of Congress; the billions of dollars; and the replacement of punch cards and butterfly ballots and paperless mechanical voting machines. That wasn’t a great success, in part because the result included paperless electronic voting machines. But that experience provided many lessons learned in the elections community. If steps 1, 2, and 3 above can be done expeditiously, then step 4 could be done faster, better, and far cheaper, given the experience of HAVA.



Yet Another Report About Voter Fears & Voting System Integrity

Today, we learned of yet another blog post and a White Paper about voter “concerns” and sentiments regarding the trustworthiness of our existing election infrastructure.  This was led by a bit of a sensational headline:

“Democracy at Risk: More Than 15 Million Voters May Stay Home on Election Day Over Cyber-Security Doubts”

The sum and substance of their article is that the State of PA is the most vulnerable for an election hack.  Or as one respected Media outlet asked of us today, “Would you agree that Pennsylvania — given any number of aspects, including non-paper ballots — is among the most vulnerable states to cyber-focused attacks?”
No.  Not so much.  Not even close, actually.
FACT: “PA is no more vulnerable to cyber-focused attacks than any other state relying heavily if not completely on digital voting machinery, namely DREs,” says John Sebes, CTO at the OSET Institute.  “Notwithstanding reports such as the CarbonBlack white paper, PA’s voting machines share the same technical security vulnerabilities as in other states, no more and no less.”
Let’s put a fine point on this:  If one believes there are State actors seeking to alter an election result by exploiting voting machine vulnerabilities — despite the fact there are lower-cost higher-impact attack opportunities on U.S. elections in general, including some already underway — then PA might be a more attractive target.  In other words, PA is not more vulnerable but potentially more attractive insofar as attempts on voting machines.  While we’re at it, a few more points worth making:
  • It’s really not just about PA.  Actually, FL and VA are also among potential swing states that have paperless voting machine vulnerabilities, and have potential Federal election margins that might be narrow enough for an undetected exploit to have a chance of being effective.
  • Although elections are at some risk from State sponsored adversaries, concern over possible “voting machine hacks” should not be the major concern of voters, and certainly not a reason to not vote.
  • The best way to make sure your ballot isn’t counted correctly, is to not cast one in the first place.
  • Voters with concerns over paperless DREs should consider their alternatives for voting on paper ballots in absentee, by-mail, early, and election-day voting.
Honestly, we’re not impressed with the nearly sensational approach Ben Johnson’s blog post presents.  And while the paper makes some interesting observations (and is a slick presentation to be sure), we don’t believe CarbonBlack is a subject matter expert in elections technology and infrastructure.  But if they are, then they’re not being particularly intellectually honest in their assessment by singling out PA for convenience of making their point.
We take Ben’s point about the potential for people to stay at home; we’ve seen some similar numbers from equally unscientific polls regarding voter sentiment we’ve been involved with, but chose not to publish.  We’re working with some folks deeply experienced at polling, who believe more thorough polling would be required to vet this potential.  However, we agree that there does seem to be a rising sentiment.
This is one of the reasons election integrity professionals are walking a fine line publicly discussing it.
All that observed, the most important value in CarbonBlack’s blog post or any discussion about voter fears should be a wake-up call that more messaging is required to inform voters of the importance to get out and vote (and disregard the hype about rigging, legitimacy, or hacking concerns.)  That is, lest we experience a BREXIT of our own.
We note Mr. Johnson obtained his Masters in CS from Johns Hopkins in 2006, and he has some impressive credentials with some good experience (e.g., computer scientist for certain 3-letter Agencies).  We’d welcome a professional like Ben into the election integrity community.  For starters, our CTO has a professional colleague who is a Professor at Johns Hopkins, and truly one of the top election technology integrity experts in the nation if not globally.  Actually, we’d be surprised if Ben doesn’t know this Professor already.  Maybe we should (re)connect them.  Then perhaps, once embedded in the election integrity community, Ben’s writing will be a bit more conditioned on some internal realities.  For sure, we’d welcome CarbonBlack acquiring the domain expertise to contribute to the integrity and security mandates of this critical democracy infrastructure.  We’re just not sure this blog post or the accompanying White Paper serves the best interest of election integrity goals, where intellectual honesty, a lack of hyperbole, and straight talk are essential.
But then, if media coverage is the goal and publishing bait too delicious for the Media to pass on, then there is one more note of clarity deserving here.  CarbonBlack has just quietly filed for an IPO (Initial Public Offering), so brand awareness raising activity like this White Paper is normal.
Think about it from their PoV: “Let’s leverage all the “FUD” about this year’s election integrity and tie it together with our need for lots of media coverage to support our impending IPO road show.”  Sorry, a bit self-serving IOHO.  Apologies if this reads strongly, but add grains of salt accordingly.
BTW: we offered to chat with CarbonBlack about their paper.  Had that happened, we might have been able to help boost their credibility without this work looking so self-serving.  Their response to us on Twitter?  “Sure, send eMail to media@carbonblack.com.”  Really? Directing us to your Media Relations team?  That flagged us to look into CarbonBlack a bit more, and that’s when we discovered the IPO filing news breaking today.
Look, even we are feeling trepidation about recent interviews and demos we’ve put together with NBC Nightly News, due to air soon.  It’s such a fine line between scaring off the vote, and yet having a vital conversation about how election integrity can be increased, while costs are decreased, and usability is improved.  To wit, we recently launched this video to start that delicate conversation, striking the right chord.
And no, we don’t single out any jurisdiction, let alone PA, a State doing the best it can (and a good job at that) to be as ready as possible.
Back to work here.