A brief discussion with retired Air Force Brigadier General Greg Touhill, who was the first Federal Chief Information Security Officer of the United States government. He now serves as President of AppGate Federal, he also serves on the faculty of Carnegie Mellon University’s Heinz College.
Why can’t we fully secure digital voting at this time?
There are several obstacles, many of which compete against each other. Principal among these obstacles is that any secure digital voting method requires a secure and unimpeachable means of validating the identity of the voter to ensure that the voter is indeed an authorized registered voter in that district. Such a requirement runs head-on with legitimate privacy concerns and the concept of “secret ballots.” From a technology perspective, my colleagues and I have yet to see an affordable and secure digital voting capability that preserves privacy, civil rights, and civil liberties while adequately protecting against a dedicated cyber operator.
What are digital voting advocates are missing about security (like assuming each voter has access to a secure connection)?
Assuming that everyone has equal access to adequate and secure infrastructure in order to securely cast a digital ballot indeed is faulty. Voting involves people, process, and technology where the tolerance for failure is nil. While we technologists love to focus on technology, we often pay less attention to the critical people and process concerns. For example, not everyone is comfortable with technology and may feel disenfranchised by the implementation of a digital voting program. Senior citizens like my mom are a great example. Ensuring that the electorate has access to the requisite technology, is fully trained and comfortable with the technology, and understands the process is critical. If we can’t make things easy for my mom and keep it secure, it isn’t ready for widespread adoption. From a process stand-point, there are numerous steps involved in the voting process; each requiring a great deal of precision. Examples include registration, identity verification, ballot creation and dissemination, casting your vote, vote tabulation and aggregation, auditing, and publishing the results. That presents a tremendous attack surface for hackers. If my objective is to call into question the legitimacy of an election, I only have to puncture one (or more) of those steps. I also note that many of my fellow technologists believe that they can adequately secure those steps in the digital voting infrastructure. With tens of thousands of voting precincts across the thousands of counties in the states, territories, and tribal area, it is questionable that we have sufficient counter-cyber capabilities and trained personnel to adequately protect that large cyber attack surface against determined foes. Again, if my objective is to call into question the legitimacy of a free and fair election, a hacker doesn’t have to be successful everywhere; they just have to prove they can get in and influence the process somewhere.
Why does a digital election raise privacy concerns?
A “secret ballot” is technically impossible for those seeking to implement digital voting over the Internet. In order to ensure that voters are indeed appropriately registered, digital voters must be issued a means of identification such as a discrete digital token. 32 states and the District of Columbia already offer some form of Internet voting. All but four require you to surrender your right to a “secret ballot” when casting your vote over the Internet. The other four (ID, MS, ND, and WA) don’t even warn voters about ballot secrecy. Digital elections cannot be securely accomplished while maintaining privacy.