Influential cybersecurity expert and Purdue University professor Eugene Spafford recently joined more than three dozen cybersecurity experts in sending letters to several governors and state election officials expressing concern over plans to allow Internet voting for presidential primaries in June and July. Spafford is among numerous security leaders who believe the risks associated with allowing voters to cast ballots online are simply not worth any perceived benefits.
In this Q&A, Spafford, who served as a senior adviser and consultant to two US presidents and worked at the National Security Agency, the FBI, and the Department of Justice, explains the reasons for his concerns and what he thinks it would actually take for Internet voting to become truly secure and trustworthy.
Q: What specifically are your concerns with Internet voting? Why do you believe it could endanger presidential primary results?
A: I want to note that this is a topic that has been studied repeatedly over the last couple of decades. Basically every study that has been done by somebody who isn't marketing something says it's not safe. I am just one of many who have looked at it and said there are problems.
When it was originally looked at, it was the idea of using a workstation either at your home or in your library or somewhere else. Then as cellphones and digital assistants became more prevalent, the idea became, "Why can't we have an app for voting?"
These introduce different risks that we don't adequately know how to manage. For instance, one of the problems is proper authentication of registered voters. We regularly have difficulty with passwords and accounts being stolen and people impersonating others online. There would be a lot of incentive to do the same in a voting scenario. We don't have a good way of protecting against that.
A second issue is one that certainly is familiar to readers of Dark Reading — malicious software. Having something that quietly alters votes on people's workstations or cellphones would be catastrophic. Remember, we are trying for anonymity so when you vote it doesn't tie back to you. So if someone alters 30% of the vote or 20% or 15% and we don't know, that throws the whole thing into doubt. There is also the issue of distributed denial-of-service attacks. There are issues of accessibility.
There are other reasons. One is the whole question about the correctness of software. We have seen even major companies with lots of resources try to build secure, reliable software that doesn't contain flaws and errors, and they just haven't been able to do it. We don't know a way of doing it. This all comes into question after an election.
Really one of the goals of an election should be that whoever loses in an election can look at what happened and acknowledge it was a fair loss. For the general population, if your candidate lost and if a majority of people are able to examine the methodology, they can go, "OK, it was fair. We didn't have the votes." That's really the goal. The winner is always going to say, "Yeah, this is right."
Q: Is it possible to have some kind of a voter-verifiable paper audit trail for votes cast over the Internet, the same way you do with some direct-recording electronic (DRE) voting systems?
A: The issue there is if you are voting independently, there is no way to generate a receipt that both you can see and encompasses what is going on. People claim that blockchain would do this. But that is inefficient — it has not been shown to be completely trustworthy. There have been several solutions put forward [for a paper-verifiable audit trail], but they have proven to be buggy. Going back to that comment I made about having the general person being able to look at the technology and accept it as correct, we have people who work in the field who aren't able to look at blockchain and say it is correct. So we have a real problem here. If you are going to have a centralized audit trail, you are back to having a voting center.
In fact, some of the DRE voting machines that are out there now in some voting centers are also problematic. Those of us who are trying to get better voting technologies in place don't like those at all because they have the same problems. If something goes wrong, there is no good way to audit the results. But they at least are a little bit more localized. We can match against the count of voters, and we can do other kinds of tracing.
Q: What do people who support Internet voting say about the mechanisms in place to protect the vote?
A: So far the majority of people who say it is protected hold out the same assurances that the latest version of Word is protected against all flaws or your latest email cannot be broken into, and you don't have any hard guarantees. There is no formal verification. Their threat model is not real-world. And if you think about it, if you are talking about a voting app, they are building it on top of iOS or Android or Windows and Linux, and they can't possibly know how their application will run on all versions, on all patch levels, on all systems out there. So there's no way they can offer real assurance that is up to the level of what we would expect for a fair election.
One thing that is often held up by the proponents, particularly by people who don't have a background in computing, is there's no evidence of any vote tampering — our systems are strong enough. That falls down on two counts, well, three, really. The first is the fact that [just because] we haven't detected tampering doesn't mean that subtle tampering didn't occur. As we know, anybody is able to get in and, maybe as an insider, attack or interrupt the software. We may not see the results because the evidence is just not there.
A second aspect is just because something didn't happen in the past is not a good predictor for the future, particularly if the technology changes and some of the risk is greater. You and I haven't died yet, but that doesn't mean we won't. So using that argument is unfortunately an incorrect argument when you're talking about something that has a catastrophic potential to it.
And the third is we have evidence of tampering or of mistakes. We have records of elections where voting machines either were blank or all votes were registered for one candidate. The Senate and the FBI both concluded tampering by Russian agents in the last election — to the extent we aren't entirely sure. We don't believe they altered specific votes, but we know they were heavily involved in trying to hack the election and will be in coming elections, and it won't be just the Russians. And so the idea that you'll be able to protect yourself against nation-state hackers intent on throwing the election or sowing discord is invalid.
One of the reasons that a lot of people want to have electronic voting is that way they can quickly get results. Well, we don't need quick results. At the level of the presidential elections, we vote in November and the new president doesn't take office until January. We have lots of time to tabulate votes. It doesn't have to be instantaneous.
Q: Is there any way, maybe not now but in the next few years, where Internet voting could become feasible?
A: It is possible if you make some assumptions about hardening kernels and everybody having a verified public/private key set and biometrics and some other things that you could devise a system that would be as immune to fraud as the best physical systems we have now within an order of magnitude. But we're nowhere close to having that kind of infrastructure in place, nor do we think that the general population would want to go to that level of forcing themselves to be identified and having an ID and keeping track of a public/private key or a token and so on.
There may be advances in computing as we go along where we are able to do better than this. There's certainly a lot of research that's going into security, although, personally, my belief is that too much of this is security patching rather than fundamentals, but that's perhaps a different story. So it's possible that in the future we could come up with something that would be better.
Q: Do you currently see a role for the Internet in voting at all? Do you support the idea of ballots being sent over the Net, for instance?
A: What you just mentioned is one of the really valid uses of the Internet. Some in our military and diplomats and workers overseas have used this method, and it works.
There are other important roles for the Internet. For instance, registering to vote, checking whether you're registered to vote, checking where you are allowed to vote, being able to look at candidate statements, or looking at ballot measures to understand what they're about. At polling places, the Internet is often used to provide electronic poll books that show who is allowed to vote. There are a number of things where it does not present a risk.