Below is a letter sent to Tim Starks and Cory Bennett of POLITICO, who cover cyber-security issues. A formatted version is here. The signal-to-noise ratio on this subject is rapidly decreasing. There seem to be some fundamental misunderstandings of the challenges local election officials (LEOs) face; the process by which the equipment is qualified for deployment (albeit decrepit archaic technology by today's standards); what the vulnerabilities are (and are not); and why a designation of "critical infrastructure" is an important consideration. We attempt to address some of those points in this response to Tim's otherwise really good coverage.
Morning Cybersecurity Column
1000 Wilson Blvd, 8th Floor,
Arlington, VA, 22209
RE: 11.August Article on Whether to Designate Election Infrastructure as Critical Infrastructure
I am a co-founder of the OSET Foundation, a 501(c)(3) nonprofit election technology research institute in Silicon Valley. I’m writing in response to your article this week in Morning Cybersecurity:
ANOTHER VIEW ON ELECTIONS AS "CRITICAL INFRASTRUCTURE" –
Maybe classifying the election system as part of the nation's "critical infrastructure" isn't so wise.
We’ve been on a public benefit mission to innovate electoral technology since 2006. We’re a group of tech-sector social entrepreneurs bringing years of experience from our former employers like Apple, Facebook, Mozilla, Netscape, and elsewhere to bear on innovating America’s “critical democracy infrastructure” —a term we coined nearly a decade ago.
We’re working with elections officials across the country to develop a publicly owned democracy operating system called ElectOS™ in order to update and upgrade America’s voting systems with innovations that will increase integrity and improve participation for 1/3rd the cost of today’s aging systems. ElectOS will innovate voting machinery the way Android® has innovated smart phones and mobile devices. Both are freely available (or “open source”), and like Android, we believe ElectOS will one day enjoy a flourishing commercial market to sustain its continued innovation, deployment, and support.
We’ve been studying the challenges of election administration infrastructure for a decade. So, we read with great interest your article regarding another viewpoint about making a critical infrastructure designation for our nation’s deteriorating, obsolete, and vulnerable voting infrastructure. There are elements of your article we agree with (and more specifically comments of Cris Thomas), and there are points that we disagree with because they reveal some misunderstanding of the realities of election administration and the processes of managing the machinery today. Thus, we were compelled to write you and share these clarifications.
We hope our comments are helpful going forward as you continue to cover this important topic, especially in light of the current election season and the delicate issues being raised by at least one candidate and other media. Good on you for covering this. Below please find our (hopefully helpful) contributions to your effort. Relevant portions of your article appear in blue (indented italics in this blog posting).
In recent days, a growing chorus of experts and policy makers have backed a proposal to give elections the same level of federal security protections that the government already grants other so-called critical infrastructure, such as the power grid or financial industry.
First, we believe it’s important to be very clear about what election infrastructure we are talking about. We should be discussing voting technology operated by Local Election Officials (“LEOs”), and not web sites and email servers run by political NGOs.
Sure, the recent attacks on NGOs are a wake-up call for a variety of potential attacks on real Election Infrastructure (“EI”) and peripheral targets. But the Critical Infrastructure (“CI”) designation should be for core EI; that is, voting machines and the election administration software and systems that manage voting machinery.
But an old school hacker who was part of the L0pht collective says such a change might do more harm than good. "Classifying voting computers as critical infrastructure is going to cause a lot of headaches at the local level," Cris Thomas, aka "Space Rogue," tells MC [MC = "POLITICO Morning Cybersecurity"].
Critical Election Infrastructure (“CEI”) is not very different than other locally managed CI. Not all CI is big corporate IT like financial transaction processing systems, or government-operated systems like the ATC, or quasi-public technology like the power grid operated by a variety of organizations, but subject to many government regulations. By contrast, we already have CI that is local, including local government operated. For example, there are small local water utilities and municipal water treatment organizations. Local first responders' infrastructure is CI as well. So, there is plenty of precedent for giving a CI designation to locally managed assets.
"Because elections, even national elections, have been historically treated as a local event; having a federal designation as critical infrastructure will fundamentally change how we have handled our elections for the last 240 years."
CEI designation will not cause a fundamental change in the current situation where U.S. elections are a local matter. Mr. Thomas is mistaken on this one point. Local election organizations will have the same responsibilities, plus some new ones for managing CI. But a county election administrator will still manage elections the day after or even the year after a critical infrastructure designation. That cannot, should not, and will not change.
Thomas, now a strategist at Tenable Network Security, says the idea misses the point: "We need to remain focused on the security concerns of the current system, which fall into two areas. First, many manufacturers are not testing the systems well enough before selling them to municipalities, often using off-the-shelf hardware and software with minimal security and using things like default, hard-coded passwords.”
Of course, the existing voting machines have technical security issues—and at the risk of reading like we’re overly defending vendors, what computing system has none? And of course, it’s also true that a CI designation won't change these products' default security posture.
“...at the same time, the local government certification agencies seldom have the time, resources and knowledge to properly test these computers for vulnerabilities, …”
The same is true regarding the certification process, although Mr. Thomas is mistaken about that process itself. There are not “local certification agencies,” but rather Federal and State organizations that certify the systems local (county) election jurisdictions are authorized to use. Nevertheless, a CI designation will not increase the rigor of the certification process, and it won't increase the capability of LEOs to do technical scrutiny of their own.
“…and often just accept a manufacturer's claims of security.”
We must also take exception to Mr. Thomas’s last comment. The idea that certification sometimes amounts to “just accepting vendor security claims” cannot be, and is not, the case. Although the current certification process isn't as strong as we’d like, and though nearly all stakeholders want improvement, there are already clear requirements for vendors to demonstrate compliance with security-related requirements. On the other hand, misleading vendor claims about security can sway LEOs when selecting a certified system (and the choices are down to three vendors).
“…[T]he result is a system that our entire democracy depends on, which is run with minimal, easily bypassed security."
Sure, but it's a mistake to focus solely on technical security problems of voting machines, particularly since these systems are not going to be replaced with better technology immediately upon a CI designation. In the near term, the impact of CEI will be more on people and process, and less on technology itself. LEOs will need help to build organizational capacity and expertise to manage physical assets as critical infrastructure, with physical security, personnel security, increased operational security processes, and the ability to demonstrate that a variety of kinds of people and process controls are actually being followed rather than merely mandated.
So, improvements in the human aspects and processes are the immediate value of a Critical Election Infrastructure designation. Such a designation would need to clearly state that our local election officials (LEOs) are custodians of not just critical infrastructure, but infrastructure that is critical to our national security.
That's never been a responsibility for LEOs, and many LEOs will be dismayed that they will be called upon to operate in ways that they never imagined would be important. It will require long-term capacity building. In the short term, there are many improvements in people and process that are possible, although unlikely unless there is a high sense of urgency and importance. The designation of election infrastructure as critical infrastructure, however, can help create and maintain that urgency.
A better approach, Thomas says, is to increase funding for the National Voluntary Laboratory Accreditation Program run by NIST and the U.S. Election Assistance Commission.
We agree in principle, but this is not mutually exclusive with Critical Infrastructure. Clearly, there is room for improvement, and NIST and EAC have important roles. With Critical Election Infrastructure, their roles would need to enlarge, but reasonably so.
We also agree that more funding for these organizations’ election integrity efforts is necessary, but doing so is not an either/or decision in consideration of other aspects of CEI. If Election Infrastructure is truly “critical” then several things must occur, including, but not limited to, the additional support for NIST and EAC that Mr. Thomas is encouraging.
Here are three examples of improvement that a Critical Election Infrastructure designation would enable —though additional funding and expertise would be required.
1. Do not connect anything relating to ballots, counting, voter check-in, etc. to the Internet, ever—and in many cases no local wireless networking should be allowed. With CEI, using an Internet connection is no longer a convenience or shortcut in the grey area of safety—it's a possible vulnerability with national security implications.
2. Physically secure the election back-office systems. The typical election management system (EMS) is a nearly decade-old Microsoft Windows-based application running on personal computers no longer manufactured, that are as easy to break into (“black hack”) as any ordinary PC. Yet, they are the brains of the voting system, and "program" the voting machines for each election. So put them in locked rooms, with physical access controls to ensure that only authorized people ever touch them, and never one person alone.
3. Perform physical chain of custody really well (i.e., for machines, paper ballots, poll books, precinct operations logs, everything), with measurable compliance, and transparency on those measurements. It's just not reasonable to expect LEO Operations to do excellent physical chain of custody routinely everywhere, if these physical assets are not classed as CI. They're not funded or trained to operate physical security at a CI level. So, there is plenty of room for improvement here, including new responsibility, resources, training, and accountability. All of this may be low-hanging fruit for improvement (not perfection) in the near term, but only if the mandate of CEI is made.
We hope this is helpful. We’re glad to discuss issues of election integrity, security, and innovation whenever you want. The co-founders have been in the technology sector for three decades. Both have worked on critical infrastructure initiatives for the government. The OSET CTO, John Sebes, has been in digital security for over 30 years and is deeply experienced with the policy, protocols, and tools of systems and facilities security. Our Advisory Board includes former US CTO Aneesh Chopra; digital security expert and CSO of Salesforce.com, Dr. Taher Elgamal; global expert on elections systems integrity, Dr. Joe Kiniry; DHS Cyber-Security Directorate Dr. Douglas Maughan; and several former state election officials.
Gregory A. Miller
Co-Founder & Chief Development Officer