
At Microsoft’s recent developer conference, CEO Satya Nadella announced ElectionGuard, a forthcoming open-source Software Development Kit (SDK) from Microsoft’s Defending Democracy Program, which they detailed in their blog. ElectionGuard, developed with the assistance of computer science company Galois, will be freely available starting this summer, including to voting system vendors, who can incorporate the technology into their products. Unlike current voting systems, future systems with ElectionGuard will be able to:

  1. Enable end-to-end verification of elections;

  2. Open results to third-party organizations for secure validation; and

  3. Allow individual voters to confirm their votes were correctly counted.

Those could all be major improvements to current voting systems, which are in the process of getting similar hack-detection and voter confidence boosts by the lower-technology expedient of paper ballots and risk-limiting audits. With the belts-and-suspenders analogy, those are great current suspenders if used properly by election officials, but a future higher-tech belt would be a great addition.

Top-Line Significance

From my perspective, the primary short-term significance of the Microsoft announcement (similar to the recent DARPA SSITH open source trusted hardware project that Galois is also leading, which I commented on in March) is validation of a major point about election cyber-security that just wasn’t part of the national conversation a couple years ago:

Major technology innovation is required to increase the verifiability, accuracy, and security of elections technology and (at least) U.S. elections.

That’s probably just as important as the prospect that ElectionGuard might be included in future proprietary voting system products, or in open-source election technology offerings from OSET Institute’s TrustTheVote Project or others.

Aside from that top-line significance, there are 5 main things about ElectionGuard that I think should be important to those outside the small pond of election cyber-security technology.

Five Big Thing(s)

1.  A New Tamper Detection Means.  ElectionGuard is cyber-security technology for detecting when voting equipment has been tampered with to change votes and possibly alter election outcomes.  To that, let me make three observations:

  1. The end-to-end (E2E) verification techniques to be applied have been around for a while, but given the non-trivial cryptography involved, a toolkit is essential to avoid implementation mistakes.  For this, we thank Microsoft and Josh Benaloh, and Galois Inc.

  2. As a “software development toolkit,” its impact depends on voting system vendors willingly taking an open source license to ElectionGuard, and incorporating the software into their otherwise proprietary products.  I suspect this is not an overly burdensome decision, as most already incorporate open source software of one form or another.

  3. While a new cryptographic means to verify elections—a highly desirable high technology capability—is an important detection capability, it’s not a substitute for other cyber-security methods to prevent attacks.

ElectionGuard is the basis for a future, additional, and more complex detection method.  Currently, election officials across the country are in a process of learning and routinizing the paper-based post-election audit process, which a recent National Academies report estimated as requiring a 5 to 10 year period, and new funding, to be implemented nationally.

2.  Feasibility of Impact. Impact depends not just on vendors, but also on election officials who acquire future products, and who decide to use the new E2E features. Currently it’s an open issue whether and to what extent election officials want to learn how to operate the cryptographic capabilities that ElectionGuard will employ – especially given the effort to conduct paper-based audits, which will be needed indefinitely (or until every ballot is cast with E2E technology, including absentee paper ballots). I think it is also an open question whether some vendors would see the value in new tech to automatically detect their product being hacked, when already election officials are doing the heavy lifting of paper ballot audits.

3.  Timing of Impact.  If a voting system vendor does decide to use the SDK, impact on the 2020 election is unlikely given this calendar reality:

  • Starting later this year when ElectionGuard is available, a vendor could start a new product development and release cycle, followed by a new product certification cycle (both federal and state);

  • With a new product development starting in 2019 and completion in 2020 (with an aggressive schedule), that’s the start of a Federal certification process that takes the better part of a year, followed by state certifications.

  • The time frame is further obscured by uncertainty about Federal certification requirements that apply to the type of technology that ElectionGuard is based on. Every current certification has been to Federal guidelines that are 14 years old.

4.  Not a Panacea.  We all need to manage our expectations: ElectionGuard will be a valuable arrow in the quiver, but the actual improvement to cyber-security required is virtually hack-proof voting technology, which even then will still require audit whether by hand, or cryptographic means, or both.  The new ElectionGuard detection method does not solve any of the existing cyber-security vulnerabilities of the current (very) vulnerable voting systems. 

5.  Forward Looking Application.  Looking ahead to 2022 and beyond, the most significant potential for ElectionGuard is application in systems for voting where a paper ballot is infeasible and a paper audit is too difficult, such as in military voting where ballots and ballot boxes need to be digital in form and nature.  And here we need to make an important observation:

While needed for voter verification, ElectionGuard’s detection method does not solve the myriad other cyber-security and privacy problems with digital ballot return that make it easy to hack.

ElectionGuard and the OSET Institute/TrustTheVote Project

Given those 5 points about the significance of ElectionGuard, I also want to put it in the context of the OSET Institute’s broader work on election technology.

  1. Our Scope.  We continue to work on cyber-security innovations in all of the 3 key areas of election cyber-security: [1] voter registration and related services; [2] election administration tasks; and [3] the processes of ballot casting and counting. ElectionGuard is a plus for attack and error detection in #3, and we will use it as such.

  2. Our Focus.  In that 3rd area, we will remain focused on two (2) key areas: protection and cyber-defense using a system platform that is as near hack-resistant as possible; and election cyber-security via building on that platform the election-specific functions for handling ballots and ballot data.

There is much to do, and the best part of all of this, to me, is witnessing the validation of open source and advanced cryptographic techniques finding their way into the center of the conversation about innovating critical democracy technology infrastructure.

Back to work.

EJS
