Black Hat 2020: Fixing voting issues – boiling the ocean?

With the big voting day rapidly approaching, can the security of the election still be shored up? If so, how?

Following the Black Hat keynote about voting security, we wonder how the security of elections could be remedied, and whether that is even possible in the next few months, with U.S. elections rapidly approaching and any fix requiring a massive, coordinated effort at immense expense. Is that possible? If so, how likely?

It’s hard to quick-fix a many-headed monster decades in the making.

Since each state has its own say about running its own election, with predictably differing approaches, it all filters upward to create a federal mess. Couple that with the impracticality of building something secure quickly on tight budgets, and with reduced public mobility during a pandemic, and you can see the problem.

No pressure.

Add to that the training cycle needed to get a whole multitude of energized volunteers up to speed on whatever systems are to be replaced in record time.

What to do? Folks out in Oregon dust off a rousing chorus of “paper ballots only!” But can the rest of the states in a federal election year do the same? Hardly. With fewer than 100 days to go, the federal government couldn’t hand out free beer to the electorate, let alone manage an overhaul to paper.

And how would you staff massive change? Many election volunteers would probably have a difficult time setting up and securing a home router, so they can’t be reliably trusted to stop election hacking with a few tools, even if they had the time and inclination.

At Black Hat you get reamed for even mentioning blockchain in any presentation, but there, I said it. Every sticky accounting problem was supposed to be fixed by blockchain. Turns out the software challenges of making blockchain behave in an election context are similar to those of any other software project. Good software is hard. Software isn’t perfect because people aren’t perfect – even if they have a blockchain at their disposal. And you couldn’t do it quickly.

In all likelihood, there will be a bevy of trust-building statements from everyone with “election” in the name of their organization. Organizations will over-promise and sit nervously by hoping nothing really bad happens, with few tools to measure if it did. Not much comfort for those running for office, or those seeking to elect them.

What IS possible is enlisting some security wonks to get the best instrumentation on the subject between now and the big voting day. If those embroiled in the voting festivities can coax security folks to help between now and then, we’ll be so much the better.

It seems plausible – after engaging the security community meaningfully – to produce two deliverables:

  • Assume a breach of integrity is imminent and develop a meaningful response plan. As data people, we’re good at being thrust into situations with few facts and expected to tell C-level folks both what could happen and how to respond to minimize impact. We’re good at this.
  • Start a long-term plan now to build a secure election stack. We’re good at that sort of thing too. That doesn’t mean eliminating any possibility of becoming compromised, but making it far more expensive for the perpetrators.

Meanwhile, the giant droves of bots and their masters will attempt to swing the needle on public sentiment, making its veracity even more opaque.

Fixing voting issues will take time, but not as much time as it took us all to get into this mess. There is hope in the end.
