Election Security

It’s Time to Start Thinking About Election Security in 2020

By Matt Tait
Tuesday, November 13, 2018, 12:34 PM

Those hoping for some peace and quiet after the conclusion of the contentious 2018 midterm elections have been sorely disappointed. As absentee ballots continued to trickle in across Georgia and Arizona, and as Florida braces for a recount of both its senatorial and gubernatorial  races, several politicians—including most notably President Trump, Florida’s current governor and Republican Senate nominee Rick Scott, Sen. Marco Rubio, and others—were busy alleging voter fraud and casting doubt on the integrity of the vote count itself.

Although there is currently no evidence to support any claim of voter fraud at a scale that could plausibly affect any given race’s outcome, such claims reveal an important and usually overlooked aspect of the challenge of ensuring election security—one that the United States will need to address before its next presidential election, in 2020.

Election security is somewhat of a strange subject because elections perform a more nuanced and complicated role than at first it might appear. The primary job of an election sounds simple enough: The goal is to poll eligible voters, count votes and accurately produce the name of a winner upon whom everyone can agree to confer power. But this is only half of the process. For elections to work, it is not sufficient that they produce an accurate tally of the votes cast. They must also convince the public that the tally is accurate.

In other words, it is not enough that elections are fair; they must also be seen to be fair.

Every election necessarily comes with losers, and some may seek to claim their loss was due to misconduct by their opponent or votes being miscounted. This much is not new. And problems in the election process at the incomprehensibly vast and distributed scale of a national election—whether problems caused by accident, negligence or actual malice—will always give these people a hook on which to base their claims of election illegitimacy.

But where claims of intentional vote miscounting in the past tended to be easy to dismiss as the ramblings of bad losers or conspiracy theorists, worries about the correctness of election counts are gaining traction in the mainstream—and with good reason. During the 2016 campaign, then-candidate Trump began suggesting that the vote would be “rigged” by Democrats. His rhetoric did not end in November 2016. Trump’s tweets since the midterm elections will only further stoke fears that the U.S. elections are not always counted honestly. Nor is this a purely partisan fear. Evidence that the Russian government targeted election registration websites and e-vote companies during 2016 has led many of Trump’s opponents to question whether perhaps the vote was rigged in the other direction, or might be in a future election.

Foreign governments looking to cause division have also intentionally stoked such fears. In its last post before the 2016 election, the Russian cutout “Guccifer 2.0” wrote that it would be watching "from inside the FEC," insinuating that Democrats would likely try to rig the results. The intelligence community’s January 2017 unclassified intelligence assessment into foreign interference in that election also described an aborted social media campaign—"#DemocracyRIP”—that the Russian government planned for election night and abandoned only after the election tilted toward Trump’s victory.

The same intelligence community assessment did say there is no evidence of voting-machine compromise or tallies being tampered with during the 2016 election. And there are good reasons to think the Russian government would avoid crossing that Rubicon in the United States. But it’s not sufficient that votes in democratic elections actually are counted correctly, or that cybersecurity experts have no proof that they were not tampered with. If citizens are to retain faith in the ballot box as the proper mechanism to change national leadership, election systems must defend not only against actual hacking but also against worries and wrongful claims of hacking.

It is this need to prove the negative that causes the field of election security to become so confusing, even for hardened cybersecurity professionals and people tasked with overseeing elections. Most actions in cybersecurity are aimed at making it harder for hackers to break in, not about proving that they can’t. Since it is impossible to build election systems so robust that sufficiently motivated and resourced hackers and insiders can’t break in, the task instead becomes building election systems that will remain robust even if hackers break in or insiders try to subvert it.

That is a statement with highly unintuitive consequences. It means that a secure election system is one that people would be comfortable using even if it has malware on it. After all, if malware on the machine can secretly change votes cast through it undetectably, the same machine was already vulnerable to malicious code placed by insiders. Traditional cybersecurity measures like code reviews, post-election forensics and security audits are all very well, and they certainly help reduce the risk that hackers could get malware onto the e-voting machines in the first place. But they can never prevent worries or false claims of vote-tampering—especially by insiders—which election systems must do when operating in a climate of public angst or political opportunism about election security.

Surprisingly, it is actually possible to secure e-voting even in the face of compromised voting machines, corrupt officials and determined hackers. There is an entire subfield of cryptography dedicated to this project. The solutions here are, sadly, mostly a baffling mix of advanced math that results from trying to square the various, seemingly conflicting requirements that make up elections. Take, for example, the requirement that voters both prove their identities to polling workers so as to ensure only eligible voters can vote—and do so only once—but also that votes are cast so anonymously that nobody can associate who a voter is with how they voted. Or the complicated requirement that nobody can see how any individual voted but that everyone can see how the district voted in aggregate in order to know who won. Or that a voter should have enough information to prove their vote was not changed after it was cast but not have enough information that someone else could compel them to reveal how they voted.

It is one of the many miracles of cryptography that these seemingly contradictory requirements of identity vs. anonymity and transparency vs. opaqueness can be mapped into provably secure code, even in the face of determined intrusion by hackers and insiders. But such cryptography-based systems do have one enormous downside. The math may show that the result is accurate, but that does not mean that ordinary voters will ever trust the math. The point of elections is that voters have confidence in the outcome, not that some high priesthood of cryptographers do.

It is in this one area that ordinary paper ballots have a clear advantage: They are easy for average voters to see and to understand. But paper ballots aside, the theoretical existence of secure e-voting protocols doesn’t mean the e-voting machines used in real elections actually use any such protocols.

These secure e-voting protocols, however, should provide a baseline for what we expect if society does collectively opt to use e-voting machines, and provides some rules of thumb to quickly identify which e-voting systems are not secure. For example, an e-voting machine that does not provide a paper receipt that voters can use to prove after the fact that their vote was correctly counted can never defend against worries that malware on that machine is quietly miscounting the votes. Similarly, e-voting machines that demonstrate their security through any mechanism short of a publicly described cryptographic protocol cannot defend against malicious insiders. Since such systems cannot prove that they counted the votes correctly, they cannot allay fears that the election might be conducted dishonestly.

The threat that foreign hackers, domestic hacktivists or corrupt insiders will try to illegitimately change vote counts during the 2020 presidential election is real. But there is an even greater threat that foreign governments, activists and unscrupulous politicians will conduct campaigns to cast doubt over whether the final outcome was correctly counted.

But there is good news. In a time of bitterly divided politics, everyone can agree that eligible voters who cast their votes should have them counted correctly. After all, elections are how democratic countries transition power peacefully from one government to the next, and avoid the more brutal methods of power transition more commonly associated with their non-democratic peers.

The United States has two years to get ready.