The Internet Is No Place For Elections

Despite what election officials may tell you, you can’t trust the Internet with your vote.

This US election year, foreign hackers infiltrated the Democratic National Committee’s e-mail system as well as voter databases in Arizona and Illinois. These attacks have reinforced what political scientists and technical experts alike have been saying for more than a decade: public elections should stay offline. It’s not yet feasible to build a secure and truly democratic Internet-connected voting system.

Researchers from government agencies and leading academic institutions studied the issue extensively following the debacle of the 2000 presidential race, and the consensus emerged that Internet voting should not occur. That’s still the case, and today’s rampant cybercrime should be reason enough to keep voting systems disconnected. We have no good defense against malware on voters’ computers or denial-of-service attacks, and sophisticated adversaries like those behind the attacks on big corporations we’ve seen in recent years will find ways to get into connected voting systems, says Ron Rivest, a leading cryptographer and MIT professor. “It’s a war zone out there,” he says.

Nevertheless, 32 states and the District of Columbia allow at least some absentee voters (in most cases just voters who live overseas or serve in the military) to return their completed ballots using poorly secured e-mail, Internet-connected fax machines, or websites. In the most extreme example, all voters in Alaska are allowed to return their completed ballots over a supposedly secure website. 

And there is a danger that Internet voting could expand. Vendors like the Spanish company Scytl, which supplied Alaska’s system, and Southern California-based Everyone Counts keep marketing these systems to election boards against the advice of security experts. And they haven’t opened their systems to public security testing.

In some cases, election officials don’t have enough technical background to distrust claims from vendors, says Pamela Smith, president of Verified Voting, a non-profit group that advocates for greater integrity and verifiability in elections. Terms like “military-grade encryption” or “unhackable” should be red flags, she says.

Even if the risk of cybercrime could be mitigated, building an online voting system that preserves the core components we expect from democratic elections would be technically complex. Today’s commercial systems do not achieve this; most of the states that offer ballot return via the Internet ask that voters first waive their right to a secret ballot. The key challenge is building an online system that generates some sort of credible evidence that proves the outcome “is what you say it is” during an audit, while maintaining voter privacy and the secret ballot, says Rivest.

In principle, this can be done using cryptography. But while there are cryptographic protocols that can help solve the “integrity and privacy facets” of Internet voting, the technology would be difficult for many people to use, says Joseph Kiniry, a voting technology expert and the CEO and chief scientist for Free & Fair, a startup that develops open-source, verifiable election technologies and services. That’s a disqualifier for use in democratic elections.

Kiniry, who also advises the US government on election technology via public working groups, was the technical lead on a recent project to examine the feasibility of “end-to-end verifiable Internet voting.” Such a system would rely on encryption to secure votes, keep them private, and make them verifiable after they are cast. The team of cryptographers (including Rivest), computer scientists, and other election experts, in collaboration with the US Vote Foundation, published a comprehensive report last year, concluding that many challenges remain in creating an Internet voting system.

Compared with a traditional, supervised voting system in a polling station, an Internet voting system requires “several hundred” additional technical properties for it to be suitable for elections, says Kiniry. “If someone builds a system that fulfills those properties and can prove it, great, then let’s use it,” he says. “But until we can do that, we just don’t have democratic voting infrastructure when it comes to Internet voting.”

Technology Review

 

 
