It's forgivable if it has slipped the national mind during the coronavirus pandemic, but a national election is still scheduled for Tuesday, November 3, 2020. And there are still people who focus their attention on making sure that the election process is secure — people who are not entirely confident that "secure" and "election" are going to be the peanut butter and chocolate of autumn.
"Frankly, I think as an outsider I don't think anyone can tell you whether we're going to have a secure election. In some areas it happens by mail, some use voting machines from private organizations, and some use a combination. The problem is in our ability to audit the systems, not just the electronic, but the paper systems," says Sam Small, CSO at ZeroFOX.
The issues come, say experts, not just in trying to secure the results of an election but in trying to secure many different processes run by thousands of different individuals, using many different technologies — and doing it in a way that voters find both relatively convenient and trustworthy.
The question many jurisdictions are asking themselves is: Which set of risks are they (and voters) willing to tolerate? Whether it be the potential risk of vulnerable systems or potential health risk of visiting polling places in person, either may impact results.
"I think there's a big challenge for government to encourage people to vote and to feel safe doing it," says Small. "A lot of people who aren't versed in the [cybersecurity] risk are going to push for voting by app or voting by Web, and I think we need to exercise great restraint in choosing convenience over security."
Security of Layers
The American election process' security difficulties aren't for lack of trying.
"Secure voting and election security have been studied for more than 30 years. Some of the greatest minds in security have devoted years to the issue," says Small. "If you talk with any reputable security expert, they would tell you that this is one of the gnarliest problems in computer security. I think you'd be hard-pressed to find an expert who would tell you that you can host a secure election online. Even paper has problems."
In some ways, the difficulties are compounded by the fact that November 3 will not see an election — it will see hundreds, if not thousands, of elections. "There's the presidential election layer and there are other forms of election," says Israel Barak, CSO at Cybereason. Barak's different layers refer to the presidential election, congressional elections, state, and even local elections all taking place via the same ballot mechanisms.
"There are multiple layers at which an adversary could have an impact on a democratic process," he says. "Can these other layers be more easily manipulated than the presidential election?" Barak points out that these other races can easily have an impact on public policy and faith in government that is at least as great as the presidential election.
The layers can also refer to different factors that can have an impact on voting. "On the presidential side, we've been very focused on protecting the election infrastructure: the election machines, the voter roles, and the election count process," Barak says. "[However], we haven't paid as much attention to the second-degree systems. These could have an impact on how people get to the voting centers — keeping people at home rather than going out to vote."
The factors can also start long before voters head to the polls.
"I think it goes back to the security of our processes around the voter rolls. How legitimate are the voter rolls? How many people on those roles are deceased? How many actually have US citizenship and have the right to vote in US [federal] elections?" asks Bob Maley, CSO at NormShield. (Note: Only US citizens are permitted to vote in federal elections, though some jurisdictions allow noncitizens to vote in local elections.) "So I think those are election security issues that are higher in my concern than the other ones because, to be honest, with the people they can be easily influenced."
An Election Exercise
Cybereason has run a number of election simulation "table games" for US election and law enforcement officials, the most recent of which was in February. Dubbed "Operation Blackout 2020," the game pitted experienced security professionals against one another on red and blue teams.
One of the parameters of the game was that the red team efforts weren't confined to the vote-casting process — they included influencing the results of the election by manipulating new organizations, social media, and even traffic control systems with an impact on how voters in the fictional city of Adversaria might reach polling places.
In the exercise, the bad news is that the red team was able to create chaos. The good news is that the blue team was able to respond in a way that rendered the damage short-term. So what was learned that could help in an upcoming election?
(continued on page 2 of 2)
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio