Elections: Securing What You Can’t See (And Can’t Be Told About)

The surface story is bad enough. Election hacking was a problem in 2016, but many state governments were not told about it on a timely basis, even though the federal government knew the details. In the case of Florida, for example, it took three years for the state to learn that its voting systems had been hacked by Russian intelligence operations in 2016. The midterm elections came and went during this period of silence.

Then, as Rep. Stephanie Murphy (D-Fla.) explained in a Washington Post editorial, once she was briefed on the matter by DHS, she was not permitted to share what she had learned. It was classified. In other states, election hacking revelations unfolded in a farcical manner, with federal agencies telling state election officials that they’d been hacked, but the feds were not at liberty to say how, given laws about intelligence secrecy and so forth.

Going deeper into election technology, the problem looks even worse. As Jeff Williams, Co-Founder & Chief Technology Officer of Contrast Security, explained, the emphasis on voting machines is misplaced. “Elections comprise a system of systems,” he said. “There’s the voting machine, which accepts and tallies votes for that particular machine. But, to have an election, you also need a system to set up and administer the election and a mechanism for counting and reporting the complete results.” Prior to joining Contrast, Williams was a founder and major contributor to OWASP, the Open Web Application Security Project.

These elements of an election system may all present themselves in a unified solution, but there are at least three pieces of software working interdependently. Each application is vulnerable to hackers. The further difficulty has to do with the imbalance of knowledge between buyer and sellers of election systems. As Williams observed, the state government usually has to accept the vendor’s assessment of the system’s security. The vendor knows, at least in theory, more about the vulnerabilities in their systems.

This is not to suggest that the vendor is acting in bad faith. It’s just a reality of software and humanity that code gets shipped with security flaws in it, if not outright malware embedded in the final product. However, the vendor knows what went into the code, e.g. open source libraries and so forth. To address this difficulty, Williams offered two suggestions. One is to work with an application security tool to build more secure software for elections. In the case of Contrast Security’s solution, the security agent is embedded in the code itself. It infuses vulnerability assessment capabilities into the application, which then automatically identifies its own security flaws.

This architecture removes much of the cumbersome testing that slows down development. “Election hacking is fundamentally a problem of application security,” Williams said. “Access controls and data security are important, too, but if the actual vote counting software is compromised, it may be impossible to detect election interference without a paper ballot audit, assuming you even have such ballots.”

Williams’ other suggestion is broader in nature. He believes it would benefit buyers of election software to have more transparency in the security assessment process. “When you buy food or drugs, you can see the ingredients right on the label,” Williams noted. “It should be the same with software. The buyer should be able to see which code elements went into the app and how secure they are, based on an agreed-upon security assessment scale.”

This “read the label” approach would address the asymmetry of knowledge between buyer and seller. “If you’re a state election official and you can see that one of the elements of a prospective system has received a low score on penetration tests, you’re that much better informed about the choice you’re making.” The score-keeping and transparent labelling can also be applied to other software categories, where a similar asymmetry of knowledge exists between buyers and sellers of software.
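To make the “ingredient label” idea concrete, here is an added example (not code from the article, from Contrast Security, or from any voting-system vendor) that turns a component manifest into a buyer-facing security label. The manifest shape, the component names, the finding counts and the scoring scale (100 points, minus 40 per critical, 15 per high and 5 per medium penetration-test finding, with letter grades at 90/75/50) are all assumptions constructed for illustration; a real label would use whatever agreed-upon scale the parties adopt.

```python
"""Software "ingredient label" for an election application.

Added example with constructed data. The manifest below is a simplified
SBOM-style inventory (assumed shape, loosely modelled on CycloneDX); the
scoring scale is an assumption standing in for an agreed-upon assessment scale.
"""
import json
from typing import Optional

# Constructed manifest: a hypothetical tallying service and its code elements.
SAMPLE_MANIFEST = json.dumps({
    "application": "tally-service (hypothetical)",
    "components": [
        {"name": "ballot-parser", "version": "2.1.0", "origin": "vendor",
         "assessment": {"pentest_findings": {"critical": 0, "high": 0, "medium": 1},
                        "last_assessed": "2019-05-01"}},
        {"name": "xml-utils", "version": "1.4.2", "origin": "open-source",
         "assessment": {"pentest_findings": {"critical": 1, "high": 2, "medium": 0},
                        "last_assessed": "2018-11-20"}},
        # Open-source element that was never assessed: the label must say so.
        {"name": "report-exporter", "version": "0.9.3", "origin": "open-source",
         "assessment": None},
    ],
})

# Assumed scale: points deducted per penetration-test finding, by severity.
PENALTY = {"critical": 40, "high": 15, "medium": 5}
GRADE_THRESHOLDS = [(90, "A"), (75, "B"), (50, "C")]  # anything lower is "D"


def score_component(component: dict) -> Optional[int]:
    """Return a 0-100 score, or None when the component has no assessment."""
    assessment = component.get("assessment")
    if not assessment:
        return None
    findings = assessment.get("pentest_findings", {})
    deduction = sum(PENALTY.get(sev, 0) * count for sev, count in findings.items())
    return max(0, 100 - deduction)


def grade(score: int) -> str:
    """Map a numeric score onto the assumed letter scale."""
    for threshold, letter in GRADE_THRESHOLDS:
        if score >= threshold:
            return letter
    return "D"


def build_label(manifest_json: str) -> dict:
    """Produce the label: one line per code element plus an overall grade.

    The overall grade is the worst grade among assessed elements, because a
    compromised element compromises the whole application. Unassessed elements
    are listed separately so the buyer can see the label is incomplete.
    """
    manifest = json.loads(manifest_json)
    rows, unassessed = [], []
    for comp in manifest["components"]:
        score = score_component(comp)
        letter = grade(score) if score is not None else "Unassessed"
        if score is None:
            unassessed.append(comp["name"])
        rows.append({"name": comp["name"], "version": comp["version"],
                     "origin": comp["origin"], "score": score, "grade": letter})
    assessed = [r["grade"] for r in rows if r["score"] is not None]
    overall = max(assessed, default="Unassessed")  # "D" > "C" > "B" > "A" lexically
    return {"application": manifest["application"], "components": rows,
            "overall_grade": overall, "unassessed": unassessed,
            "complete": not unassessed}


def render_label(label: dict) -> str:
    """Plain-text rendering, the way a buyer would read it."""
    lines = [f"Security label for {label['application']}",
             f"Overall grade: {label['overall_grade']}"
             + ("" if label["complete"] else "  (incomplete: unassessed elements present)")]
    for r in label["components"]:
        score = "n/a" if r["score"] is None else str(r["score"])
        lines.append(f"  {r['name']:16} {r['version']:8} {r['origin']:12} "
                     f"score={score:>3}  grade={r['grade']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_label(build_label(SAMPLE_MANIFEST)))
```

The design choice worth noting is that the label never averages: one low-scoring element drags the whole application's grade down, and an element with no assessment is reported as a gap rather than silently skipped, which is exactly the information asymmetry the “read the label” approach is meant to close.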
