Internet technologies are set to play a critical role in the 2020 Presidential Election.
State election officials face the daunting task of upholding the most essential function of democracy in the midst of a health pandemic that constrains the movement and assembly of people in public spaces.
COVID-19 doesn’t - at this point - present an excuse to postpone the election. Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency within DHS, told a recent Axios forum that 42 US states have mechanisms in place that allow for alternatives to in-person voting, and the other eight have break-glass provisions for doing the same when emergencies require it. A global pandemic would most certainly meet that threshold.
But precisely which voting alternatives will be pursued - and whether they can adequately be secured - is now the US$400m (or perhaps US$4 billion) question.
The US$2.2 trillion Coronavirus Relief bill (CARES Act) passed last week included US$400m of grants the Election Assistance Commission can make to states to help them “prevent, prepare for and respond to Coronavirus.” Earlier versions of the bill stipulated that grants were conditional on states spending on election security - but these were stripped out. States retain the autonomy to make the preparations they each deem necessary.
How each state chooses to conduct the election now shapes as a partisan battleground. House Speaker Nancy Pelosi (D) paints the US$400m as a downpayment on the several billions of dollars required to run a wholly “vote-by-mail” election. There remains a danger President Trump or Senate leader Mitch McConnell might seize this as a political opportunity to promote radical alternatives.
The worst alternative, according to election security experts, would be online voting.
A line in the sand
Last week Risky.Biz spoke to Jennifer Morell, expert advisor to the Cybersecurity and Infrastructure Security Agency, for our feature podcast, as well as Defcon Voting Village co-founder Harri Hursti and several top security researchers in the field, to ask what trade-offs they’d make to ensure Americans still get to the polls.
None felt that online voting was ready for a General Election, even in the midst of a crisis.
“It doesn’t make sense to rush into remote marking of ballots,” said Dan Guido, CEO of Trail of Bits.
In March, Trail of Bits published a complete white box audit of Voatz - a mobile voting app piloted at small scale in several states including West Virginia, Colorado, Oregon, Utah, and Washington. The jaw-dropping report of that assessment detailed 79 security findings, a third of which were high severity. Voatz was one of several election apps Guido’s team has tested.
“To use a mobile phone to mark a ballot in a high-stakes election, you would need to trust every computer between you and the election official to correctly record your preference,” Guido told Risky.Biz. “There are any number of points at which remote marking of ballots could be interfered with. We haven’t seen an adequate solution to this yet.”
MIT researcher Mike Specter - who independently discovered a number of bugs in the same platform - shares the same concern. “It’s still not clear how to prevent attacks against the host (user) operating system” in a consumer device, Specter said.
Harri Hursti has dedicated 15 years of his career to the security of election systems, made famous in the 2006 documentary Hacking Democracy and the recently broadcast HBO sequel Kill Chain. He describes online voting as ‘snake oil’ that doesn’t solve any of the pressing problems facing elections.
“The first sign of a crackpot is somebody that says elections are easy,” Hursti told Risky.Biz. “There is nothing easy about elections. Elections are uniquely difficult problems because they require both a secret ballot and auditability.”
COVID-19 presents a very specific problem to the November election, he said, for which online voting isn’t necessarily the right answer. The need is for a mode of voting that doesn’t require hundreds of people to congregate in queues at polling stations. “But that problem is solved already,” Hursti said. “We’ve had early ballots, absentee ballots, mail-in ballots and other methods of voting for 40 or 50 years.”
The Internet is great at distribution, and bad at authenticity
If politics doesn’t get in the way, the best attributes of the internet can be harnessed in the November Election in order to better facilitate these tried and true methods.
The most likely solution will be an electronic distribution of printable ballots that can be hand-marked and posted back to the polling station. In some states it will be augmented with earlier and staggered opportunities to vote at the polling place or ‘kerbside’ drive-through voting booths.
Election expert Morell confirmed that these options are under active investigation. The bulk of US voters are most likely to receive their ballot digitally and submit it physically. “The point of expanding mail-in voting is only to minimize the number of people you have to serve in-person on election day,” she said.
That’s because most election officials, she said, are as anxious about allowing for online marking of ballots as the cyber security community is.
Security researchers Specter and Guido were both at ease with using the internet for voter registration and distribution of unmarked ballot forms.
“We should use every technology available to use to make the process of delivering ballots more efficient,” Guido said.
Election officials would need to change their threat model to accommodate the change. Voters would face heightened social engineering risks, such as malicious actors using the process for phishbait. Misinformation campaigns will try to convince voters to mail their ballot back to the wrong place.
But these are risks that can be managed, Guido said, especially if information about the voting process is centralised (a difficult prospect in a process every state guards with zeal). An official voting app would quickly achieve primacy in the relevant app stores within the first million downloads, making it much harder for adversaries to trick people into downloading imitations.
Morell agrees that voters will need a trusted place to go for information and a consistent set of messages.
“We saw in recent primaries some examples of voters being told on social media not to bother showing up,” she said. Where right now CISA is focused on “how to operationalise for a huge increase in mail-in ballots”, the agency will focus on voter outreach as November draws closer.
There will likely remain small pockets of the voting population offered mobile options - such as military personnel stationed overseas or disabled voters. Morell predicts a handful of states might also allow voters to submit a scanned, marked ballot as a PDF via a web portal.
It’s also unclear whether election apps in their current form can scale to meet the needs of a general election. The identity verification process in the Voatz app, for example, appears to require manual confirmation of identity data by a human operator - making it no more scalable than processes in the polling place.
Hursti urges policymakers to re-frame their threat model to meet 2020 challenges. He feels it is less probable that a candidate would attempt to manipulate the system to win, and more probable that a motivated, well-funded adversary like a nation-state would use the compromise of an election system to seek to sow distrust and undermine a society.
“A peaceful transition of power is only possible when the supporters of the losing party accept that the result is fair and square,” Hursti said.
Morell wants researchers to keep “exploring and pushing for better ways” to improve election systems, and doesn’t want to write off the use of online voting altogether.
“But as for November, we’re not ready.”
Risky.Biz explores what’s required to secure online voting in Part II of this story: Why we can’t yet trust online voting systems. Stay tuned.