Experts: Internet voting isn’t ready for COVID-19 crisis
Internet technologies are set to play a critical role in the 2020 presidential election, but precisely which voting alternatives will be pursued – and whether they can adequately be secured – is now a $400 million question.
COVID-19 doesn’t – at this point – present an excuse to postpone the general election in November. Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency, told a recent Axios forum that 42 U.S. states have mechanisms in place that allow for alternatives to in-person voting, and the other eight have break-glass provisions for doing the same when emergencies require it. A global pandemic would most certainly meet that threshold.
The $2.2 trillion coronavirus relief bill (CARES Act) signed into law last week included $400 million of grants the Election Assistance Commission can give to states to help them “prevent, prepare for and respond to Coronavirus.” Earlier versions of the bill stipulated that the grants were conditional on states spending the money on election security, but these provisions were later stripped out. States retain the autonomy to make the preparations they each deem necessary, as officials face the daunting task of upholding the most essential function of democracy in the midst of a health pandemic that constrains the movement and assembly of people in public spaces.
How each state chooses to conduct the election now shapes as a partisan battleground. House Speaker Rep. Nancy Pelosi, D-Calif., paints the $400 million as a down payment on the several billions of dollars required to run a wholly “vote-by-mail” election. There remains a danger that President Donald Trump or Senate Majority Leader Mitch McConnell, R-Ky., might seize this as a political opportunity to promote radical alternatives.
The worst alternative, according to election security experts, would be online voting.
A line in the sand
Last week, Risky Business spoke to Jennifer Morrell, independent election security consultant for our feature podcast, as well as DEF CON Voting Village co-founder Harri Hursti and several top security researchers in the field to ask what trade-offs they’d make to ensure Americans still get to the polls.
None felt that online voting was ready for a general election, even in the midst of a crisis.
“It doesn’t make sense to rush into remote marking of ballots,” said Dan Guido, CEO of Trail of Bits.
In March, Trail of Bits published a complete white-box audit of Voatz, a mobile voting app piloted at small scale in several states including West Virginia, Colorado, Oregon, Utah, and Washington. The jaw-dropping report of that assessment detailed 79 security findings, a third of which were high severity. Voatz was one of several election apps Guido’s team has tested.
“To use a mobile phone to mark a ballot in a high-stakes election, you would need to trust every computer between you and the election official to correctly record your preference,” Guido told Risky Business. “There are any number of points at which remote marking of ballots could be interfered with. We haven’t seen an adequate solution to this yet.”
MIT researcher Mike Specter — who independently discovered a number of bugs in the same platform — shares the same concern. “It’s still not clear how to prevent attacks against the host (user) operating system” in a consumer device, Specter said.
Harri Hursti has dedicated 15 years of his career to the security of election systems, work made famous in the 2006 documentary “Hacking Democracy” and the recent HBO sequel “Kill Chain.” He describes online voting as ‘snake oil’ that doesn’t solve any of the pressing problems facing elections.
“The first sign of a crackpot is somebody that says elections are easy,” Hursti told Risky Business. “There is nothing easy about elections. Elections are uniquely difficult problems because they require both a secret ballot and auditability.”
COVID-19 presents a very specific problem to the November election, he said, for which online voting isn’t necessarily the right answer. The need is for a mode of voting that doesn’t require hundreds of people to congregate in queues at polling stations. “But that problem is solved already,” Hursti said. “We’ve had early ballots, absentee ballots, mail-in ballots and other methods of voting for 40 or 50 years.”
The Internet is great at distribution and bad at authentication
If politics doesn’t get in the way, the internet’s best attributes can be harnessed in the November election in order to better facilitate these tried-and-true methods.
The most likely solution will be an electronic distribution of printable ballots that can be hand marked and posted back to the polling station. In some states, it will be augmented with earlier and staggered opportunities to vote at the polling place or ‘curbside’ drive-thru voting booths.
Morrell confirmed that these options are under active investigation. The bulk of U.S. voters are most likely to receive their ballot digitally and submit it physically. “The point of expanding mail-in voting is only to minimize the number of people you have to serve in-person on election day,” she said.
That’s because most election officials, she said, are as anxious as the cybersecurity community about ballots being marked online.
Guido was at ease with using the internet for voter registration and distribution of unmarked ballot forms.
“We should use every technology available to use to make the process of delivering ballots more efficient,” Guido said.
Election officials would need to adjust their threat model to accommodate the change. Voters would face heightened social engineering risks, such as malicious actors using the process for phishing. Misinformation campaigns will try to convince voters to mail their ballot back to the wrong place.
But these are risks that can be managed, Guido said, especially if information about the voting process is centralized — a difficult prospect in a process every state guards with zeal. An official voting app would quickly achieve primacy in the relevant app stores within the first million downloads, making it much harder for adversaries to trick people into downloading imitations.
Morrell agrees that voters will need a trusted place to go for information and a consistent set of messages.
“We saw in recent primaries some examples of voters being told on social media not to bother showing up,” she said. Currently, CISA is focused on “how to operationalize for a huge increase in mail-in ballots,” and the agency will focus on voter outreach as November draws closer.
There will likely remain small pockets of the voting population offered mobile options, such as military personnel stationed overseas or disabled voters. Morrell predicts a handful of states might also allow voters to submit a scanned, marked ballot as a PDF via a web portal.
It’s also unclear whether current election apps can scale to meet the needs of a general election. The identity verification process in Voatz, for example, appears to require manual confirmation of identity data by a human operator – making it no more scalable than the processes used by polling places.
Hursti urges policymakers to re-frame their threat model in order to meet the challenges for this election cycle. He feels that it’s less probable that a candidate would attempt to manipulate the system to win, and more probable that a motivated, well-funded adversary like a nation-state would use the compromise of an election system to seek to sow distrust and undermine a society.
“A peaceful transition of power is only possible when the supporters of the losing party accept that the result is fair and square,” Hursti said.
Morrell wants researchers to keep “exploring and pushing for better ways” to improve election systems, and doesn’t want to write off the use of online voting altogether.
“But as for November, we’re not ready.”
Brett Winterford is an editor with Risky Business. This post was reported by and originally appeared on Risky.Biz, and was produced with support from the William and Flora Hewlett Foundation.