Given that fact, the only attainable objectives when securing an information system are (1) to make the time and resources required to break the system greater than the value gained by breaking the system, and (2) to make any breach visible to the system's owners. In the context of electoral processes in general, the potential "value" of the attack could be to demonstrate the capability to disrupt an election in order to extract ransom from an unprepared government. Alternatively, the motive could be political rather than monetary, and the value in this case would be to undermine faith in the electoral process, to deny a government the ability to declare a valid outcome, or to change the outcome without anyone in the target country being aware of the hack.
Protecting the validity of election outcomes is, of course, fundamental to the viability of a republic such as the United States. Famous rulings by the Supreme Court in the 1960s established that equal protection of the law, guaranteed to each citizen under the Fourteenth Amendment, applied to the individual's right to vote. In Baker v. Carr, the Court ruled that the Tennessee legislature had to redistrict on the basis of population, with the intention of ensuring that each individual's vote counted equally. Attacks on electoral systems that favor one party over another, besides being prima facie illegal, threaten this principle of equal protection of the law. Protecting electoral processes that provide a valid outcome wherein each registered voter can be certain their vote was not tampered with or discarded is therefore essential to protecting the right to vote.
Proper information security protects the confidentiality, integrity and availability (C-I-A) of the information in an information system. Safeguarding confidentiality means we keep secret things secret, allowing only authorized people to see data that has been restricted from public view in some way. Protecting the integrity of information means keeping the data safe from changes caused by any unauthorized person or process. Ensuring availability means that all authorized users can access the systems and information they need at designated times and places without interruption. In a well-designed system, information security professionals use a layered approach of physical and procedural safeguards in conjunction with dedicated hardware and software resources to detect and defend against attacks.
This traditional layered approach is the best defense against attacks aimed at the confidentiality and availability dimensions of an electoral information system. While voting machines, by definition, must be accessible to the public, the physical security of these machines should include inspection and certification that each machine functions properly and has not been tampered with prior to election day. From the point of certification, election officials must ensure proper chain of custody and protection from unauthorized access to the machines until the polls open. During the election, proper access control ensures only registered voters touch the machines and only for the purpose of casting their individual vote. Other nodes in the electoral system should be protected with the same physical security measures used to protect sensitive data centers--access only by authorized people with appropriate credentials for specific, official purposes. Information must be encrypted at rest and in transit, with hardware and software firewalls along with appropriately hardened network infrastructure protecting access to the transmissions and storage locations for the encrypted data. Technology staff access should be segmented, monitored, and guarded by appropriately complex multi-factor authentication and authorization protocols.
Traditional defenses remain important for the integrity of information in information systems. So-called ransomware attacks modify data in an information system by encrypting it, compromising the integrity of the data in a way that denies availability of the system to authorized users until some sum of money is paid to the attackers. To protect against this type of attack, systems must not only prevent unauthorized access, but also must ensure that authorized inputs to systems and software are validated to screen out malicious code that could alter system data.
For electoral systems, protecting the integrity of information requires even more. Voters must have confidence that their vote is recorded accurately, and that the ballot is not altered after it is recorded. The best way to ensure votes are recorded accurately is through some kind of audit mechanism. Blockchain technology then provides a nearly foolproof way of ensuring ballots are not altered once recorded. As a final step, election officials should empower designated third-party services to audit and certify the blockchain implementation.
In recent years, blockchain technology has surged onto the scene as a leading method for ensuring the integrity of transactional systems of all types, including electoral systems. West Virginia, Utah, and Colorado have all successfully implemented Voatz, a blockchain-based solution, for absentee voting in recent elections. Understanding the mechanics of blockchain technology will clarify the potential of this new way to preserve voter confidence.
The "blocks" in a blockchain are basically payloads of encrypted information tagged with complex hash values. A hash value is a digital fingerprint for an electronic file--the unique result of running the file through a one-way algorithm. There are many different algorithms to produce hash values. Once a file has been hashed, any change to the file--no matter how small--will produce a radically different hash value. Therefore, when an encrypted file is sent with its hash value, the receiving station can confirm that the original file has not been changed by running the received file through the same hash function and comparing the hash value produced at the destination with the hash value that accompanied the file.
Inside each block are other hash values. There are individual hash values for some number of encrypted transactions, some metadata, a function called a "nonce" that is the trigger for closing out the block, and the completed hash for the entire contents of the preceding block. As each transaction is hashed and added to the block, all of the participating nodes in the blockchain system calculate the current hash of the entire contents of the block at that instant. When one of these calculated hash values reaches the trigger point designated by the nonce, the hash of that entire block is transmitted to the entire network. When the majority of participating nodes confirm that the block hash satisfies the requirement for completing the block, the block is added as the next block in the chain.
Even blockchain solutions must be audited. When the network of participating nodes is sufficiently centralized, as we might expect it to be in a state voting system, it is technically possible to insert one or more counterfeit blocks into the chain if a majority of the nodes concur. So, for instance, in my home state of Utah, with 29 counties and a finite, relatively small number of precincts, it is possible for some number of pre-built counterfeit blocks to be seeded by compromised nodes in a manner that would preempt legitimate blocks if a sufficient number of nodes were involved in the conspiracy. The only way to ensure that the election results are valid is an end-to-end audit that can tie specific election results to specific ballot transaction IDs.
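As an added illustration of the block mechanics described above and of the audit step that ties a result to a ballot transaction ID (example code written for this page, not part of the original article or of Voatz or any production voting system): each block carries the ballot transaction IDs, metadata, the previous block's hash and a nonce, and the nonce is modelled as a counter raised until the block hash meets a toy proof-of-work target, which is the trigger for closing the block. The ballot fields, precinct labels and the difficulty target are constructed assumptions.

```python
import hashlib
import json

# Toy proof-of-work target (assumption, not from the text): leading zero hex digits.
DIFFICULTY = 2

def sha256_hex(data: bytes) -> str:
    """Digital fingerprint of the data: the one-way hash described in the text."""
    return hashlib.sha256(data).hexdigest()

def ballot_tx_id(ballot: dict) -> str:
    """Transaction ID for one ballot: the hash of its canonical JSON encoding."""
    return sha256_hex(json.dumps(ballot, sort_keys=True).encode())

def block_hash(block: dict) -> str:
    """Hash over the whole block: prior block hash, metadata, tx IDs and nonce."""
    header = {k: block[k] for k in ("prev_hash", "metadata", "tx_ids", "nonce")}
    return sha256_hex(json.dumps(header, sort_keys=True).encode())

def mine_block(prev_hash: str, metadata: dict, ballots: list) -> dict:
    """Raise the nonce until the block hash meets the target; that closes the block."""
    block = {"prev_hash": prev_hash, "metadata": metadata,
             "tx_ids": [ballot_tx_id(b) for b in ballots], "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block

def verify_chain(chain: list) -> bool:
    """Recompute every block hash and back-link; any altered byte breaks the chain."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"] or not block["hash"].startswith("0" * DIFFICULTY):
            return False
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False
    return True

def audit_ballot(chain: list, ballot: dict):
    """Audit step: index of the block recording this ballot's tx ID, else None."""
    tx_id = ballot_tx_id(ballot)
    for i, block in enumerate(chain):
        if tx_id in block["tx_ids"]:
            return i
    return None

# Constructed sample ballots and chain (not real election data).
BALLOTS = [{"precinct": "UT-01", "ballot": 1, "choice": "A"},
           {"precinct": "UT-01", "ballot": 2, "choice": "B"}]
GENESIS = mine_block("0" * 64, {"precinct": "UT-01", "seq": 0}, [])
BLOCK1 = mine_block(GENESIS["hash"], {"precinct": "UT-01", "seq": 1}, BALLOTS)
CHAIN = [GENESIS, BLOCK1]
```

Note that verify_chain only proves that no recorded byte was altered after the fact; a block that a majority of nodes agreed to, as the text warns, passes these checks, which is why the end-to-end audit against independent ballot records is still required.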
Given recent efforts by rogue state actors to create doubt about electoral processes using social media, the ability to perform an end-to-end audit of the voting process in a way that allows officials to certify election results in a credible manner is increasingly important to maintaining voter confidence. Systems to enable this type of audit by establishing a transaction ID for each ballot were challenged several years ago on the basis that they violated voters' right to privacy. But a 2012 ruling in federal district court (Citizens Center v. Gessler) held that there is no constitutional right to a secret ballot. Given the need for an audit mechanism to protect the systems that guarantee our right to vote, it seems appropriate to me that the individual voter's right to privacy should be subordinate to legitimate mechanisms for providing a credible audit. It also seems to me that, beyond what is absolutely necessary to create a credible audit mechanism, the secrecy of the individual's voter data should be protected to the greatest extent possible.
In the context of election security, traditional information security combined with blockchain technology and appropriate auditing protocols can provide credible assurance that votes are accurately counted and protected from tampering. Given the demonstrated threat, it is important for all Americans to insist that the state officials responsible for the administration of elections take aggressive actions to implement comprehensive election security and auditing solutions.