Written by Brett Winterford Apr 8, 2020 | CYBERSCOOP
Internet technologies are set to play a critical role in the 2020 presidential election, but precisely which voting alternatives will be pursued and whether they can adequately be secured is now a $400 million question.
COVID-19 doesn't at this point present an excuse to postpone the general election in November. Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency, told a recent Axios forum that 42 U.S. states have mechanisms in place that allow for alternatives to in-person voting, and the other eight have break-glass provisions for doing the same when emergencies require it. A global pandemic would most certainly meet that threshold.
The $2.2 trillion coronavirus relief bill (CARES Act) signed into law last week included $400 million of grants the Election Assistance Commission can give to states to help them prevent, prepare for and respond to Coronavirus. Earlier versions of the bill stipulated that the grants were conditional on states spending it on election security, but these provisions were later stripped out. States retain the autonomy to make the preparations they each deem necessary, as officials face the daunting task of upholding the most essential function of democracy in the midst of a health pandemic that constrains the movement and assembly of people in public spaces.
How each state chooses to conduct the election now shapes as a partisan battleground. House Speaker Rep. Nancy Pelosi, D-Calif., paints the $400 million as a down payment on the several billions of dollars required to run a wholly vote-by-mail election. There remains a danger that President Donald Trump or Senate Majority Leader Mitch McConnell, R-Ky., might seize this as a political opportunity to promote radical alternatives.
The worst alternative, according to election security experts, would be online voting.
Last week, Risky Business spoke to Jennifer Morrell, expert adviser to the Cybersecurity and Infrastructure Security Agency, for our feature podcast, as well as DEF CON Voting Village co-founder Harri Hursti and several top security researchers in the field, to ask what trade-offs they'd make to ensure Americans still get to the polls.
None felt that online voting was ready for a general election, even in the midst of a crisis.
"It doesn't make sense to rush into remote marking of ballots," said Dan Guido, CEO of Trail of Bits.
In March, Trail of Bits published a complete white-box audit of Voatz, a mobile voting app piloted at small scale in several states including West Virginia, Colorado, Oregon, Utah, and Washington. The jaw-dropping report of that assessment detailed 79 security findings, a third of which were high severity. Voatz was one of several election apps Guido's team has tested.
"To use a mobile phone to mark a ballot in a high-stakes election, you would need to trust every computer between you and the election official to correctly record your preference," Guido told Risky Business. "There are any number of points at which remote marking of ballots could be interfered with. We haven't seen an adequate solution to this yet."
MIT researcher Mike Specter, who independently discovered a number of bugs in the same platform, shares the same concern. "It's still not clear how to prevent attacks against the host (user) operating system in a consumer device," Specter said.
Harri Hursti has dedicated 15 years of his career to the security of election systems, made famous in the 2006 documentary Hacking Democracy and the recent HBO sequel Kill Chain. He describes online voting as snake oil that doesn't solve any of the pressing problems facing elections.
"The first sign of a crackpot is somebody that says elections are easy," Hursti told Risky Business. "There is nothing easy about elections. Elections are uniquely difficult problems because they require both a secret ballot and auditability."
COVID-19 presents a very specific problem to the November election, he said, for which online voting isn't necessarily the right answer. The need is for a mode of voting that doesn't require hundreds of people to congregate in queues at polling stations. "But that problem is solved already," Hursti said. "We've had early ballots, absentee ballots, mail-in ballots and other methods of voting for 40 or 50 years."
If politics doesn't get in the way, the internet's best attributes can be harnessed in the November election in order to better facilitate these tried-and-true methods.
The most likely solution will be an electronic distribution of printable ballots that can be hand marked and posted back to the polling station. In some states, it will be augmented with earlier and staggered opportunities to vote at the polling place or curbside drive-thru voting booths.
Morrell confirmed that these options are under active investigation. The bulk of U.S. voters are most likely to receive their ballot digitally and submit it physically. "The point of expanding mail-in voting is only to minimize the number of people you have to serve in-person on election day," she said.
That's because most election officials, she said, are as anxious as the cybersecurity community about ballots being marked online.
Guido was at ease with using the internet for voter registration and distribution of unmarked ballot forms.
"We should use every technology available to use to make the process of delivering ballots more efficient," Guido said.
Election officials would need to adjust their threat model to accommodate the change. Voters would face heightened social engineering risks, such as malicious actors using the process for phishing. Misinformation campaigns will try to convince voters to mail their ballot back to the wrong place.
But these are risks that can be managed, Guido said, especially if information about the voting process is centralized, a difficult prospect in a process every state guards with zeal. An official voting app would quickly achieve primacy in the relevant app stores within the first million downloads, making it much harder for adversaries to trick people into downloading imitations.
Morrell agrees that voters will need a trusted place to go for information and a consistent set of messages.
"We saw in recent primaries some examples of voters being told on social media not to bother showing up," she said. Currently, CISA is focused on how to operationalize for a huge increase in mail-in ballots, and the agency will focus on voter outreach as November draws closer.
There will likely remain small pockets of the voting population offered mobile options, such as military personnel stationed overseas or disabled voters. Morrell predicts a handful of states might also allow for voters to submit a scanned, marked ballot as a PDF via a web portal.
It's also unclear whether current election apps can scale to meet the needs of a general election. The identity verification process in Voatz, for example, appears to require manual confirmation of identity data by a human operator, making it no more scalable than the processes used by polling places.
Hursti urges policymakers to re-frame their threat model in order to meet the challenges for this election cycle. He feels that it's less probable that a candidate would attempt to manipulate the system to win, and more probable that a motivated, well-funded adversary like a nation-state would use the compromise of an election system to seek to sow distrust and undermine a society.
"A peaceful transition of power is only possible when the supporters of the losing party accept that the result is fair and square," Hursti said.
Morrell wants researchers to keep exploring and pushing for better ways to improve election systems, and doesn't want to write off the use of online voting altogether.
But as for November, we're not ready.
Brett Winterford is an editor with Risky Business. This post was reported by and originally appeared on Risky.Biz, and was produced with support from the William and Flora Hewlett Foundation.