08Sep18_VotingReportCover.jpg

The National Academies of Sciences, Engineering, and Medicine (NASEM) new Report on election security [Securing The Vote: Protecting American Democracy (http://www.nap.edu/25120)] released last Thursday is critical to cap off what is now a settled consensus contained in Recommendation 5.8 [1] of the report: a shift to all-paper-ballot elections coupled with Risk Limiting Audits (RLAs).  

RLAs use well-settled statistical methods to sample enough ballots to detect if a computer malfunction (accidental, malicious, or otherwise) caused an incorrect identification of the winner in an electoral contest.

While the report makes several sound proposals, it has a significant blind spot.

Recommendation 5.8 will leave the U.S. vulnerable to nation-state actors for a decade or more.

Yes, you read that right. The Report proposes that the standardized RLA practices be implemented over the course of a decade.  That’s over a ten (10) year period of time. 

Such a milestone means only the ability to detect a malicious anomaly in vote counts, not to prevent the event.  If a malicious anomaly were detected, that public information would be a significant “win” for adversaries seeking to use technical means (together with weaponized propaganda) to disrupt and discredit elections.

Why recommend a 10-year time frame

Such is (so far) an unfunded mandate. Neither State nor local election officials have the immediate financial or logistical capability to:

  • Define the necessary standards for RLAs; 

  • Reduce those standards to actionable requirements;

  • Develop documentation and training; 

  • Perform the required training; and

  • Implement rigorous scrutiny of the local RLA processes to ensure correctness—for every single election.  

Just ask Colorado, now the well-settled poster child for how to do it right—they’ll tell you what it takes: all of that and then some, but nothing without funding.  Without adequate state and local funding, it will make for a very slow roll out through that trajectory.

The federal government must accelerate that timing, with appropriations that are modest at first.  For instance, to get started, fund state grant requests for a survey project to:

  • Determine how an RLA should work uniformly in the state; and

  • Estimate the costs up-front to implement the RLA program and operate that program in each Federal election.  

After that, each State would be in a better position to determine the cost to put this settled consensus in place, and within a far more reasonable time frame.

Without the rapid acceleration of implementing RLAs, we will not know if a Federal election was undermined by technology anomalies of any kind, including malicious attacks.  We will still be vulnerable to propaganda attacks that claim the technology was hacked and elections were stolen.  There will be no evidence available to prove the hacking claim was propaganda. The fact that RLAs corrected the results of the attack will not be the top news of the day, and will do little to increase public confidence.

Risk Limiting Audits have been around for years, designed to detect and to recover data from malfunctioning voting systems that could lose votes.  RLAs will continue to be required, but it is not a cyber-defense of the election technology by itself. 

In addition, an equally imperative requirement is for paper-ballot-based voting technology that is completely refactored for security and redesigned for the current threat environment.  That kind of technology will be far more resistant to attack, unlike the present systems. 

Based on public technology development occurring right now in Silicon Valley, it will take 24 months (likely less) to finish production of a new generation of election technology designed for active cyber-defense—we’re talking about a componentized software framework for application-specific, purpose-built devices together with the required security rigor to ensure hardware-level attestation.

That would be much quicker, and far more efficient, than a 10-year path to uniform RLAs.  At the same time, the U.S can fund a mandate to implement RLAs nationwide.

Then the nation would have both a robust cyber-defense and the RLA ability to ensure that our election results are correct no matter what.

The recommendation will take careful execution, adequate funding, and dynamic leadership to make it happen. 

Indeed, the Report is correct in calling for RLA as a nationwide standard. But again, a paper ballot of record with a risk-limiting audit is merely an attack detection mechanism, not a cybersecurity means.  And 10-years to make it happen means the status quo of what we have today—where elections are becoming a gamble—for another 2+ Presidential cycles.

[1] Recommendation 5.8: “States should mandate risk-limiting audits prior to the certification of election results. With current technology, this requires the use of paper ballots. States and local jurisdictions should implement risk-limiting audits within a decade. They should begin with pilot programs and work toward full implementation. Risk-limiting audits should be conducted for all federal and state election contests, and for local contests where feasible.”

1 Comment