How much election security is enough? The answer: Enough to convince a losing candidate that they lost. Will that happen for the 2020 elections? Probably not.
"Is it enough? How much is enough?" Herb Lin, Senior Research Scholar at the Center for International Security and Cooperation at Stanford University, and co-author of the Stanford Cyber Policy Center's "Securing American Elections" report, asks. "Unfortunately it's not a technical answer. Enough means you've done enough so that you can persuade the loser of an election that in fact the voting machines weren't hacked."
"You have to take into account the possibility that the loser will rally his troops and complain about the result," he adds. "The election machinery, both organizational and technical, all of that has to be of sufficiently high quality, and resistant to attack, that you can persuade the loser of an election that they fairly lost."
That makes election security as much of a political problem as it is a technical problem. Voters must have confidence that the voting was fair, regardless of how much money is spent or what security controls are put in place. That makes securing election infrastructure categorically different than almost any other information security challenge today.
At present many jurisdictions are struggling to escape the bottomless pit of despair paperless voting, and that's a no-brainer. But once we raise the bar from wow-crazy-bad to meh-just-not-great, how do we reach a plateau of sustainably trustworthy voting security?
Like all political problems, that boils down to trade-offs.
Election security trade-offs
A consensus among election security experts is that human-readable paper ballots are the way to go. Are hand-marked paper ballots superior to machine-marked human-readable paper ballots? Or vice-versa?
Voters are notorious for making mistakes. Instead of an 'X' in the box, maybe they circle the box. Or they partially fill in the box. Or scratch out a mistake and mark a different square. Voter error of this sort has been with us since the beginning of paper ballots.
One proposed--and deployed--alternative is to use touchscreen voting machines that print out a paper ballot the voter can review before dropping the paper ballot into a ballot box. The touchscreen machine does not count votes; only the paper ballot matters. But how many voters will scrupulously review every ballot choice, especially on long ballots, to ensure the machine did not make a mistake? A hacked ballot-marking machine could potentially display the voter's choice on screen but print out a different voting choice. The gaslighting possibilities are troublesome.
That's a trade-off, with pros and cons each way. All it takes is a voter or two screaming bloody murder that the machine mismarked their ballot--whether true or not--to call the results of an election into question. Ensuring every voters' intention when voting is counted is also important.
Another trade-off is speed of counting. One major drawback of paper ballots is they take a long time to count by hand. That counting, even by good-faith poll workers, can be prone to error. Counting using optical scanners with risk-limiting audits--widely viewed as a suitable compromise between speed and accuracy--is faster, but still not instantaneous. Risk-limiting audits take time as well. That can be a problem when there's pressure to know the result.
"In Europe they wait," Lin says. "They wait until they get it right. We [in the U.S.] don't have the patience."
Another trade-off involves ensuring voting machines are accessible to citizens with disabilities. "Blind people are entitled to vote, and entitled to voter privacy," Lin points out. "Maybe you give them a special machine. Now they're being singled out and feel stigmatized. That's a political decision, somebody has to decide that, and they [politicians] will take flak for it either way."
"There are trade-offs to be made, and that's the fundamental point," Lin says. "How you decide to resolve the trade-offs is a question of public policy."
Stanford report calls for pen testing, code review of voting machines
As most CSO readers know, compliance does not equal security. The Stanford report slams checkbox-ticking compliance as a completely inadequate means of ensuring the security of voting machines, writing "the assurance of security by checklist compliance—a requirement of the certification process—provides a baseline level of security, but by itself is known to be inferior to security assessed through an adversarial process."
The report also casts shade on the closed-source, proprietary nature of for-profit voting machine vendors' products, although stops short of calling for open-source voting systems. "Vendors, who provide the hardware and software for elections, generally resist third-party inspection of source code on the grounds that allowing outsiders such access compromises their intellectual property."
The report calls for pen testing of voting infrastructure to become a regular, ongoing part of the electoral process to ensure the integrity of voting results. The report also calls for third-party source code review under both non-disclosure and non-compete agreements.
Close watchers of the election security space will be familiar with the National Academies 2018 report on election security, which offered specific, concrete recommendations by a number of security experts on how to bolster voting infrastructure. The Stanford report goes one step further, urging not only pen testing and third-party code review, but also multi-day voting periods (to give people time to vote when the inevitable computer glitches happen), and also recommends making it easier for political parties to provide funding and staffing resources to help candidates secure their campaigns.
So how much security, exactly, is enough to secure an election? The answer to that question is a constantly moving target. As technology continues to evolve, new threats will emerge, some we haven't even imagined yet. But in all cases the final test is the same: Are the voting results so airtight that even a bad-faith losing candidate has to admit they fairly lost? Then our elections are secure.