Our commentary in the last segment on the Brennan Election Security Report might seem nit-picky, but the OSET Institute believes that in order to properly design a solution for a specific problem you need to be able to identify it precisely.  For our work in the TrustTheVote Project, we apply a user-centric design approach, with a security-centric engineering process.  Regardless of approach, clear definition of the thing to be solved for is imperative.

We’re going to make a bold assertion: Many of the solutions in the Brennan Report, while undoubtedly helpful, fail to do enough to increase the security of our elections. The recommendations fall short of properly addressing the problem as we described it in Part 1. These solutions are actually incremental steps that try to improve a system that needs to be fundamentally re-invented

The first set of Brennan recommendations are common sense approaches to reliability and are largely mitigations. Replacing outdated and crumbling voting machines with newer, more reliable, versions is certainly good policy. We even think it might be easier than the report suggests. Old machines are difficult and costly to repair as manufactures no longer support them; switching to more modern equipment may save money in the long run. Yet it doesn’t help make our elections more secure because it fails to address some critical fundamental problems with the election technology. Actually, these recommendations only marginally improve the reliability of current election machinery.

The root problem is that basing our electoral infrastructure on current PC technology is a fundamentally insecure architecture. Updated and improved versions (of the same underlying architecture) do not change the security foundation of these systems: they remain vulnerable to attack. These systems have a particular defect that must be removed to render them more secure. Like all other PCs and common computing devices, our current election systems contain software that is modifiable and thus can be tampered. This makes perfect sense for a common purpose machine, but is a serious defect for an election system—especially if everyone is finally reaching the same (and obvious) conclusion: that election infrastructure is a matter of national security.

In fact, there is a proven way to design and build un-modifiable (and fault-tolerant) systems, and such an approach has been implemented in other areas, providing worked examples.  For Instance: Fixed function embedded systems, which are created once and then left un-modifiable, have been used in the fields of aerospace, intelligence, and defense for decades. Many, if not all, satellite and weapons systems rely on them. Given the national security implications, it is only reasonable that the same common-sense precautions taken by the DOD should also be applied to election technology. This is far from revolutionary.  In fact, one of the EAC’s certification requirements for voting machines is that they cannot be modified after certification; this is impossible to achieve with existing voting machines. And in a shameless plug for our non-profit work in this area, ElectOS takes this precise approach.

Speaking of certifications, the Brennan Report also points to continued support of the U.S. Elections Assistance Commission (“EAC”) as an important remedy. The report writes that “the EAC can guide the development of the next generation of voting machines, continue publishing information about problems with existing machines, and help local election officials with their plans to purchase new equipment.” We absolutely agree that the EAC plays an important, if not vital role in election security and integrity, particularly the EACs certification process. Yet, despite these certifications we now know that foreign state actors, with unlimited resources, can compromise certified machinery (and could have in the past—we will never know for absolute certain). 

This is a clear indication that the certification process is inadequate for the current threat environment. But to be fair, it was designed well over a decade ago with heavy input from the industry lobby—input which appears to have been intended to serve the market interests of the vendors first, and the certainty of integrity second. The EAC is currently working to revamp its certification program, but at the current rate of progress this could take years—a time frame woefully too long for the challenges we face today.  That noted, the Brennan report properly points to the importance of the EAC and we are convinced that a re-invented certification process is critical to election security and integrity going forward.

The Brennan Center’s final recommendation for voting machine security innovation is for Congress to create a grant program that would fund threat analysis, security, and contingency plans, among other things (an idea we've been discussing for two-years now as several in Congress can attest).  Anyone working in the sector of election technology recognizes that a 2nd HAVA-style funding in the current political climate would be nothing short of a miracle. And we’re not convinced that’s what is needed. But if we’re going to suspend our disbelief and pretend that Congress will take an interest in allocating funding for elections integrity, then why do so little with it?

As discussed in Part 1 of this 3-part series, the Brennan report alludes to three (3) distinct areas of vulnerability: direct-result-manipulation, de-legitimization, and diminishing turnout. If there is to be any Federal funding to improve election security it must provide for research and development to address all three of these, not just direct-result-manipulation. And if we’re going to talk about funding security innovation in our election infrastructure then why not call for, and support research and development to move towards a technology that is more suitable for, and better addresses the current threat environment?

We close Part 2 here by observing that in the current market climate, there is little to no business incentive for the commercial industry to invest in such research and development on its own.  The business model doesn’t “pencil out” for them because there is too much risk that buyers could not afford to pay sellers to recoup their R&D investment. Thus, the status quo of inherently vulnerable PC-based voting system architecture threatens to remain.

At the end of the day, while we tend to be judicious about government intervention and spending, we’re in favor of a government funded research and development effort.  Consider this. Such an approach was taken to originally develop the foundations (software, protocols, etc.) of the Internet itself. And government has the programs and processes to provide for fundamental research and development that is in the best public interest, including but not limited to initiatives of defense and national security. Two such organizations spring to mind DARPA (Defense Advanced Research Projects Agency) and NSF (National Science Foundation.)

Next time, a look at another vulnerable aspect of election infrastructure: online voter registration systems.  Your comments are encouraged as always

Sergio
Election Infrastructure Analyst
Office of the CTO

Comment