Proposed cybersecurity bills would 'prohibit' internet-connected voting systems
A new article reveals that Congress is preparing a bill which will ban Internet voting technology.
“In the wake of the DNC server hack and well-documented efforts by states to suppress the vote, citizens are rightly concerned,” Johnson said in a statement. “We must work to reduce the vulnerability of our crucial voting systems, protect the security and integrity of our electoral process, and ensure all Americans have the opportunity to vote.”
The Election Infrastructure and Security Promotion Act of 2016 will require the Department of Homeland Security, or DHS, to designate voting systems as critical infrastructure — an important reclassification move already under consideration by DHS Secretary Jeh Johnson. In practice, this change would result in a budget adjustment that puts election systems on par with power grid protection.
In my opinion this is a horrible idea and is entirely politically motivated. Cybersecurity professionals have not reached a consensus on whether or not Internet voting is secure. In fact, most of the professionals saying it is insecure seem to either have no knowledge of or do not mention the potential of blockchain or similar technology, or quantum key exchange / quantum communication technology, which could in my opinion allow for Internet voting in a way which is more secure than paper ballots. In my honest opinion, it is imperative that this bill does not pass and that instead a bill passes which funds research into the technologies necessary to improve voting technology so that Internet voting can be feasible. Feasibility in my opinion is near, and in my opinion it only has to be of a similar risk profile to the current voting methods, which means it does not have to be completely fraud proof, but merely has to have a similar percentage of fraud as the current voting methods which also are not fraud proof.
I suspect there is a political motivation for this bill rather than a technical reason. I will be one of the first to say that I'm against the current incarnation of this bill, and not just because it ignores the technical breakthroughs which have been taking place in its excuse to exist (the case study that cybersecurity professionals cited is using outdated technology), but because it also would seem to slow down research, testing, and progress toward Internet voting, which in my opinion we could have prior to the 2020 election. Experimentation in my opinion must be encouraged and certain aspects of this bill risk discouraging experimentation in favor of extreme caution. This bill to me is similar to the ban on stem cell research which happened under the Bush Administration.
Internet voting would have vast political implications. It would mean more millennial and younger people voting in elections which are usually dominated by older people. It would mean much greater voter participation. Yes, it could have a few security concerns with regard to not being coercion resistant, but these concerns would not affect the actual ability to make the votes, count the votes, and keep the votes pseudo-anonymous, all of which is possible to anyone who has a deep understanding of cryptography, blockchain technology, quantum key exchange/communication, and correct-by-construction software development.
We are supposed to believe that our software and technology is secure enough to drive our cars without crashing but we are afraid to vote with it? Does this add up to you?
The DNC server hack has absolutely nothing to do with voting security
The DNC server hack happened because they used an outdated model and took security very lightly. To compare the DNC server hack situation to state-of-the-art cybersecurity is embarrassing, and to compare it to a secure voting system is to use fear to pass a bill which has little to do with voting security. It is true that the server hack may have happened in an attempt to influence the election, but that same hack would happen no matter how secure the voting system is, because a central server is a target, and if a trusted individual is in a position to plant any kind of backdoor or bug, then it may have been an inside job. It's the client-server model itself which is the problem, and it's not going to be resolved merely by passing a flawed cybersecurity bill which would slow progress throughout the country on Internet voting.
Discussion of the bills' details
It is understandable why they would be motivated to pass a bill like this, but it's incredibly shortsighted. Some aspects of the bill are good ideas which are long overdue, such as classifying the election infrastructure as critical infrastructure. I actually support that because I support anything which would bring more funding, more rigor, and if it's on par with power grid protection I think that is good. But I think stopping all Internet voting all across the country is the equivalent of hitting the panic button, in favor of paper ballots which in my opinion are not actually going to make a difference. In most parts of the country there is no Internet voting, and it's not likely enough to swing an election, and even if we had Internet voting, it doesn't have to be banned (because this would prevent us from being able to test solutions which may be viable). If the bill were to limit Internet voting, rather than ban it, it might have been better.
Notably, the Election Infrastructure Act will seek to compel states to comply with relevant federal rules while incorporating additional security standards and testing measures. Under the rule, the National Science Foundation will be required to stand up a nondescript election technology development program.
This part of the bill in my opinion is good but in my opinion DARPA should be involved in this. The National Science Foundation? In any case, I definitely support funding to investigate election technological development.
Meanwhile, the Election Integrity Act specifically prohibits "election systems responsible for vote casting or tabulating" from being connected to the internet. Today's voting machines, themselves, are not connected to the internet in U.S. polling places, though other components of the larger process — like states' voter record databases, or VDRBs, online voter registration forms, or OVR, and e-polling books — rely on connectivity.
"We're interested in verifiable paper audit trails, avoiding hair brain ideas for connecting machinery to the public packet switch network and ensuring some security standards get updated and finished," said Gregory Miller, co-founder of the OSET Institute and Trust the Vote Project. Miller was involved in drafting both pieces of new legislation.
And the flawed part? While an air gap, or keeping machines from being Internet-connected, makes sense for counting the vote, for the most part Internet voting technology has dramatically advanced since the breakthrough of blockchain technology. In my opinion it is an important and critical time to investigate secure online voting using these new and interesting technologies. If they claim to be working on security standards, then why is the ban set to take effect in 2018? The ban aspect of the bill is a bad idea, while the funding aspect and reclassification aspects are good ideas. The verifiability of the vote is critical, and whether it's verifiable on a blockchain or on paper, it has to be verifiable, so that each voter can confirm that their vote went to the candidate of their choosing. This particular bill is not good enough, is not delicate enough, is too restrictive and defensive, and does not in my opinion do enough to promote development of better technology to make successful experiments possible.