Election 2020: The Most Secure Ever...
…But the Infrastructure Still Needs Help
Recently, we read Eric Tucker’s and Frank Bajak’s article about the assessment that this election was " the most secure" in American history. (The statement is captured here if the current Administration has removed it). However, we must not believe that “the most secure election” means that there is no further need for government funding or innovation in the existing election technology infrastructure, or that we can just let the status quo remain. We cannot.
We agree this election demonstrated the highest degree of apparent resilience to cyber attack to date, although it continued to experience its share of disinformation attacks, including those by our U.S. President. Thus, calling this election the "most secure" is speaking in a relative sense.
Importantly, we cannot express enough how successful CISA partnership with election officials has been in the past four years to make the 2020 election as secure as it was. Thanks to the leadership of Chris Krebs, Bob Kolasky, Matt Masterson, Jeanette Manfra, and others, the mindset of critical infrastructure began to permeate election administration nationwide. However, we need to separate:
The apparent security of an election whose integrity has earned full-throated support from the nation’s state and local election officials; from
The trustworthiness of the deteriorating private proprietary machinery on which America’s ballots are cast and counted – which is a separate issue.
These two observations are two sides of the same coin, because a] the current, reactive software/system security strategy appears to have worked, at a great cost and effort, and b] no spare parts seemed to have infected anything. However, no one can know of other cybersecurity threats that were not (or cannot be) made public. But that's enough for us to clearly state:..
Funding for election technology security and infrastructure innovation must persist (and scale);
It's a matter of re-configuring that funding and rearranging the priorities, and
Rebuilding the infrastructure with a public technology option may not be the 1st priority, but must be at leasy a close 2nd and far ahead of whatever is in 3rd place.
The balance of this article addresses these points.
Focusing solely on cybersecurity readiness, the strengthened security posture in this election was the result of more coordination, better risk assessment, and improved operational protections. Years of diligent, methodical, and nonpartisan work between CISA and the nation’s state election directors was critical in elevating overall readiness. However, those efforts were overlaid on a vulnerable election technology base that was never designed to:
Be critical infrastructure;
Defend against nation state adversaries, or
Avoid the cybersecurity vulnerabilities of typical government computing (which often earns a "D" grade from internal government IT reviews).
In other words, characterizing America’s election technology base as an advanced-stage cancer patient, all of the prescribed medical treatments are being implemented as best as possible, but there is no improvement in the patient’s overall health. That patient remains chronically and incurably ill (in terms of cybersecurity, data security, resilience to attack by nation-states, and its capacity to be verifiable, accurate, secure, and transparent in structure and process). It’s just that (to stretch the analogy), through really good oncology medicine (cybersecurity practices, tools and services) and great doctors (CISA), the patient’s cancer is under control and they are able to basically function—with assistance.
So the proclamation made of the most secure election ever is good for the states and good for the federal agencies principally responsible—DHS and CISA, and even benefits the EAC. However, the results depended on an enormous amount of work by those agencies—and including education that we were involved with—as a cost of using archaic technology incapable of long-term defense for an ever-evolving threat world.
It’s increasingly clear that we must replace this failing infrastructure with new technology designed for critical infrastructure security, to be operated as national security assets, and reduce the costs for the same level of (and arguably better) protection.
So, sure, we probably had the most secure election to date, which is different from asserting the election technology infrastructure was fully secured, and not any evidence that America is finished with proper funding of this critical infrastructure or that (worse) somehow the infrastructure status quo turns out to be "good enough."
And one more observation: the inconvenient truth is that the majority of smaller local elections operations had zero improvement in cybersecurity because they lack the staff and received funding at the level of a one time $100K or less—not enough to have made any demonstrative investment or spends on security improvements.
Let’s address this issue a bit further in the light of this assertion of the “most secure election in American history.”
A Reality Check on the State of Election Technology Infrastructure
To use the incoming administration’s mantra, America needs to “build back better” its election technology infrastructure. Without a significant re-design of the underlying system architecture in the past 15 years, what exists is not merely antique. For a 21st century digital age and its attendant security threats, the architecture is obsolete and requires a redesign as we’ve discussed here and gone into depth in this briefing.
Think about it: There has been no significant redesign of election administration system architecture in 15 years. How many redesigns have smartphones experienced in that same time frame?
On the one hand, DHS and its state/local government counterparts can say that it was the most secure, and they would be correct to the extent we’ve explained; on the other hand, the fact is Congress has tried to send more money to patch (not rebuild, nor build from scratch) existing technology infrastructure and what money that has been sent has not been sufficient for a serious remedy or solution. Relatedly, we’ve written extensively on the challenges of injecting innovation into this backwater of government I.T.
By analogy, a bank is robbed a few times, so $100K is spent on a consultant that produces a report, but nothing fundamental is changed and barely incrementally improved. Why might that be? In the context of this bank example, insurance and government bailouts provide the safety net. In the context of elections the backstop remains election contest litigation. And this is an important point: recent behavior by the donor class suggests that if given a choice between:
A. Eradicating the status quo of election technology infrastructure with something far more verifiable, accurate, secure, and transparent; or
B. Sustaining the status quo of failing election technology infrastructure and fighting election results in courts…
They will choose the latter and fund litigation on a theory that this affords them more control over the outcomes.
That said, it is important to remember one improvement that has come from government funding (not from the “donor class”): the restoration of the durable paper ballot of record. Since 2016, there has been money invested on phasing out paperless voting systems. In 2016, only about 80% of the nation’s voting systems included a paper trail; in 2020, the number is now upward of 90%. And two of the most noteworthy and contentious states – Georgia and Pennsylvania were using paperless systems in 2016. So, we acknowledge that’s an important and significant change.
Its also important to note that from our perspective, while the durable paper ballot of record is essential to any next generation election technology infrastructure, absent a fundamental redesign (as we’ve discussed here and here) the restoration of paper ballots is effectively a “patch” on an existing inadequate architecture—akin to providing some much needed medication for the chronically ill patient to marginally improve their health only to stave off the inevitable.
The Future of Election Infrastructure Funding
Some will ask, “If this election was the most secure ever then why so much Congressional fuss over funding election security?” Part of the answer is that the dollars that were invested had the intended effect; they allowed the nation to avoid a true election meltdown. However, the funding that was allocated failed to address the systemic structural issues that remain. Second, while this election overall appeared secure because nothing reportedly happened, there is no way to assert with any intellectual honesty that the election technology infrastructure itself is therefore “secure.”
Thus, it’s unreasonable to conclude that no new funding is required. For one thing, security is an on-going effort with annual operational expenses in addition to periodic capital investment. Second, for the reasons stated here, the infrastructure itself continues to slip from antiquity to obsolescence, and certainly is no match for today’s threat vectors—again, in our professional opinion, this election merely “dodged a bullet,” that for whatever reason, to the best of our public knowledge, may not have even been fired. For example, subversion attacks may not have been necessary at all—disinformation attacks appear to have done more than enough damage alone.
Let’s return to the issue at hand—the on-going security of election technology infrastructure and the deterioration of what is in service; coupled with little more than an innovation arc that amounts to guarantees of spare parts from insecure overseas supply chains for a fundamentally insecure system architecture.
Here is an alternative analogy building on the bank example above.
Let’s consider the protection of votes as analogous to protecting money. Assume a small bank with a fairly easily breached vault. Suppose it’s discovered that international thieves are targeting that bank. The bank could simply hire security guards to protect the vault. The bank now has the most secure operation in its history; however, it still has an old vulnerable vault. And the bank is now spending largely for the operational expenses of the security guards. That is a short term operational “triage” but cannot solve for the structural deficiency of the old vault, and over time it’s not financially sustainable. The wiser “spend” would be the investment in a better, more modern vault, and a more capable digital surveillance system. However, that may appear more expensive (in the short run) so the bank is likely to continue expending operational dollars because they are unable or unwilling to make the capital investment to upgrade and systemically solve the vulnerable vault problem.
Similarly (and arguably nearly identical) to the example bank’s situation, America’s election administration technology infrastructure is weak and inherently vulnerable due to fundamental design flaws. To date, rather than make the one-time capital investment in reinventing that infrastructure with more verifiable, accurate, secure, and transparent technology, for whatever reason, government continues to spend money on operational triage in the form of cybersecurity efforts to protect the existing systems, and money to repair and replace with newer versions of the same inherently vulnerable systems designs.
A Public Technology Option
America needs to make the capital commitment rather than legislating continued spending bills for operational costs that amount to ensuring spare parts availability for an inherently insecure and vulnerable technology infrastructure.
We believe the only way to inject the necessary security-centric engineering and innovation into our critical election technology infrastructure is to make that available as a public technology option—equally and freely available to all who build, deliver, and service finished systems. Public technology will ensure the necessary level of transparency. Transparency builds trust. It also helps to remove the mystique of proprietary technology and the unavoidable reliance on a “patch-and-pray” update cycle for cybersecurity.
TL;DR Side Bar: I acknowledge that sometimes geeky phrases and terms can be lost in translation when used in different spaces. We all realize that the typical polling place is being dragged into the digital age and stood up essentially as a mobile data and I.T. center. And along with it comes terms, phrases, and the like. So, I take a moment here to note that the tech centric light-hearted (but sometimes dead serious) phrase of “patch and pray” has an important application in the on-going technical support of election administration systems. The phrase has nothing to do with the herculean efforts of election administrators, but has everything to do with the Sisyphean cycle of software updates and administering monitoring equipment add-ons that they have no control over. Absent the imperative transparency of the technology, election officials are at the mercy of commercial vendors to ensure their software—from the operating system through the application layer is up-to-date and correct. However, in the ever-escalating cyber arms race, they’re forced to add-on more layers of monitoring, surveillance, and tripwire technology to vigilantly protect border and interior security. They must rely on (and preferably trust) the efficacy of updates—like the update we witnessed this year in Georgia and the ever increasingly costly layers of cybersecurity. It truly amounts to a process of installing updates and services or equipment, and literally hoping (or praying) they all work. To be sure, what makes the Election Officials’ work so challenging and yet rewarding is that they need not rely on hopes and prayers. They apply resilience planning, testing and more testing, mock elections, and other best practices. These are imperative ingredients to reduce, and ideally eliminate the need to hope the manufacturer’s goods and service do what they are supposed to without the user having to be a computer scientist.
Yet, I find all of this abominable (especially a patch-and-pray mindset) for public technology this critical to the defense of democracy. And my friends, that has to change.
I recently published a short essay in New America’s Commons arguing for a “public technology option” on the grounds that election technology is the consummate public interest technology. We have also produced a theory of change essay that describes this problem in some more detail and makes the case that by investing public (philanthropic) dollars—whether by small dollar donors or larger gifts—a new breakthrough public election technology platform can be produced. Doing so, we reason, will both vastly help increase confidence in elections and their outcomes, and catalyze a rejuvenation and modernization of the industry to commercially deliver certified systems based on that enabling technology. That’s because the public technology will be freely available to adopt, adapt and deploy by commercial vendors working as system integrators building on slightly modified off-the-shelf commodity hardware (and FedRAMP compliant GovCloud services where appropriate), thereby producing more secure, lower cost, and easier to use election administration and voting systems.
Here is the interesting part: the status quo approach will continue to require several hundreds of millions of dollars per year, while the public technology approach requires about $9 million for the development itself (that’s our budget for finishing ElectOS) and perhaps another ten million dollars to ensure the technology’s certification, availability and adoption. $20 million to redesign, develop, certify and make widely available the underlying enabling election technology infrastructure is about 5.2% of the last major round of election funding. Adaptation, delivery, deployment, service and support will be the opportunity of a resulting rejuvenated commercial market and a more competitive industry.
Above all, the enabling technology will be a public asset, readily available for peer-review, on-going assessment, and deep digital forensic audit. And it should be. After all, it is nothing less than critical democracy infrastructure.
