Proposed cybersecurity bills would 'prohibit' internet-connected voting systems

in #security, 5 years ago (edited)

A new article reveals that Congress is preparing a bill which will ban Internet voting technology.

“In the wake of the DNC server hack and well-documented efforts by states to suppress the vote, citizens are rightly concerned,” Johnson said in a statement. “We must work to reduce the vulnerability of our crucial voting systems, protect the security and integrity of our electoral process, and ensure all Americans have the opportunity to vote.”

The Election Infrastructure and Security Promotion Act of 2016 will require the Department of Homeland Security, or DHS, to designate voting systems as critical infrastructure — an important reclassification move already under consideration by DHS Secretary Jeh Johnson. In practice, this change would result in a budget adjustment that puts election systems on par with power grid protection.

My thoughts

In my opinion this is a horrible idea and is entirely politically motivated. Cybersecurity professionals have not reached a consensus on whether or not Internet voting is secure. In fact, most of the professionals saying it is insecure seem to either have no knowledge of or do not mention the potential of blockchain or similar technology, or quantum key exchange / quantum communication technology, which could in my opinion allow for Internet voting in a way which is more secure than paper ballots. In my honest opinion, it is imperative that this bill does not pass and that instead a bill passes which funds research into the technologies necessary to improve voting technology so that Internet voting can be feasible. Feasibility in my opinion is near, and in my opinion it only has to be of a similar risk profile to the current voting methods, which means it does not have to be completely fraud proof, but merely has to have a similar percentage of fraud as the current voting methods which also are not fraud proof.

I suspect there is a political motivation for this bill rather than a technical reason. I will be one of the first to say that I'm against the current incarnation of this bill, and not just because it ignores the technical breakthroughs which have been taking place in its excuse to exist (the case study that cybersecurity professionals cited is using outdated technology), but because it also would seem to slow down research, testing, and progress toward Internet voting which in my opinion we could have prior to the 2020 election. Experimentation in my opinion must be encouraged and certain aspects of this bill risk discouraging experimentation in favor of extreme caution. This bill to me is similar to the ban on Stem Cell research which happened under the Bush Administration.

Internet voting would have vast political implications. It would mean more millennial and younger people voting in elections which are usually dominated by older people. It would mean much greater voter participation. Yes, it could have a few security concerns with regard to not being coercion resistant, but these concerns would not affect the actual ability to make the votes, count the votes, and keep the votes pseudo-anonymous, all of which is possible to anyone who has a deep understanding of cryptography, blockchain technology, quantum key exchange/communication, and correct by construction software development.

We are supposed to believe that our software and technology is secure enough to drive our cars without crashing but we are afraid to vote with it? Does this add up to you?

The DNC server hack has absolutely nothing to do with voting security

The DNC server hack happened because they used an outdated model and took security very lightly. To compare the DNC server hack situation to state of the art cybersecurity is embarrassing, and to compare it to a secure voting system is to use fear to pass a bill which has little to do with voting security. It is true that the server hack may have happened in an attempt to influence the election, but that same hack would happen no matter how secure the voting system is, because a central server is a target, and if a trusted individual is in a position to plant any kind of backdoor or bug, then it may have been an inside job. It's the client-server model itself which is the problem, and it's not going to be resolved merely by passing a flawed cybersecurity bill which would slow progress throughout the country on Internet voting.

Discussion of the bill's details

It is understandable why they would be motivated to pass a bill like this but it's incredibly shortsighted. Some aspects of the bill are good ideas which are long overdue, such as classifying the election infrastructure as critical infrastructure. I actually support that because I support anything which would bring more funding, more rigor, and if it's on par with power grid protection I think that is good. But I think stopping all Internet voting all across the country is the equivalent of hitting the panic button, in favor of paper ballots which in my opinion are not actually going to make a difference. In most parts of the country there is no Internet voting, and it's not likely enough to swing an election, and even if we had Internet voting, it doesn't have to be banned (because this would prevent us from being able to test solutions which may be viable). If the bill were to limit Internet voting, rather than ban it, it might have been better.

Notably, the Election Infrastructure Act will seek to compel states to comply with relevant federal rules while incorporating additional security standards and testing measures. Under the rule, the National Science Foundation will be required to stand up a nondescript election technology development program.

This part of the bill in my opinion is good but in my opinion DARPA should be involved in this. The National Science Foundation? In any case, I definitely support funding to investigate election technological development.

Meanwhile, the Election Integrity Act specifically prohibits "election systems responsible for vote casting or tabulating" from being connected to the internet. Today's voting machines, themselves, are not connected to the internet in U.S. polling places, though other components of the larger process — like states' voter record databases, or VDRBs, online voter registration forms, or OVR, and e-polling books — rely on connectivity.

"We're interested in verifiable paper audit trails, avoiding hair brain ideas for connecting machinery to the public packet switch network and ensuring some security standards get updated and finished," said Gregory Miller, co-founder of the OSET Institute and Trust the Vote Project. Miller was involved in drafting both pieces of new legislation.

And the flawed part? While an air gap or while keeping machines from being Internet connected makes sense for counting the vote, for the most part Internet voting technology has dramatically advanced since the breakthrough of blockchain technology. In my opinion it is an important and critical time to investigate secure online voting using these new and interesting technologies. If they claim to be working on security standards, then why is the ban set to take effect in 2018? The ban aspect of the bill is a bad idea, while the funding aspect and reclassification aspects are good ideas. The verifiability of the vote is critical, and whether it's verifiable on a blockchain or on paper, it has to be verifiable, so that each voter can confirm that their vote went to the candidate of their choosing. This particular bill is not good enough, is not delicate enough, is too restrictive and defensive, and does not in my opinion do enough to promote development of better technology to make possible successful experiments.

References

  1. http://www.dailydot.com/layer8/online-voting-cybersecurity-election-fraud-hacking/
  2. http://fedscoop.com/proposed-cybersecurity-bill-warns-of-election-hacking-proposes-a-paper-heavy-solution
  3. https://www.reddit.com/r/Futurology/comments/53tc03/proposed_cybersecurity_bills_named_the_election/

Surely Steemit.com is the proof of voting possibilities through personal identification and crypto password technologies. This is certainly the best and most effective way of registering global votes on global issues on a safe global platform of free exchange. They are already afraid of this and will apparently fight it to the end!! What this will mean for this new Blockchain technology we Beta test now here remains to be seen!!

Steemit would not be secure enough in my opinion for a national election. Not even close actually. But the data structure (blockchain) and the breakthroughs in cryptography will lead to secure voting technologies. In my opinion it's feasible to develop it, but I would not think it could be developed the way Steemit is being developed. It would have to be developed correct by construction, by "trusted" developers, to run on "trusted" infrastructure, and utilize quantum communication, such as from satellites in space and other technologies.

We know with blockchain technology that we can have a verifiable record of all transactions. These transactions could be votes. But the current blockchain implementations are not secure enough in my opinion for the United States elections, because we can't trust the developers, the compilers, the hardware the software runs on, at least not to the degree necessary. Any Internet voting scheme would have to in my opinion start out as a hybrid, which uses some of the verifiable elements of the paper ballot system while also using the cell phone networks and satellites to relay messages to and from the blockchain. Nodes can be put in space, so it is going to be possible to take advantage of quantum communication, but in my opinion no current software is secure enough; you require a trusted compiler which produces verified code, and the hardware likely has backdoors, so you would need trusted hardware as well or at least a way to check via the software that the hardware isn't changing the results.

The point is we need the ability to do experimentation using blockchain and other technologies. We can't learn if we can't experiment, and a ban would prevent experimentation. A limitation on Internet voting would have been more sane, which would allow for some experiments to take place across the country, but not in places or in levels which could jeopardize an election.

Well, I am greatly touched you have taken so much time to give me this extremely interesting and detailed response to my thoughts on this subject. So you see, like me, the danger signs here too? I am sure you are right when you say that Steemit does not have the necessary level of security for a vote of national importance, or more certainly at international level. Yes, the weak link will always be the man or folks who have the key to the system, to manipulate, the trust we hand over to overly interested parties with an agenda outside democracy pure, the dream we as good people wanting to survive want. Sure, it's not just the software hack problems, but more the hardware too, as you so rightly point out!! So in true terms, in these conditions it is dangerous to place such a huge amount of human "trust" into a system which may be as bad as the old one, if not worse. Yes, why not more a hybrid voting system, why not both at the same time, then cross-counted and referenced by?? Well, a bot, no?? Yes, mobile network voting is, I truly think, how it will go, at least when this thing, if they permit it, happens. But it does not look good, eh?? With this big bit of internet tyranny being rolled out by the Quo to keep their Status, I mean, I had to show my passport when opening my telephone account!! So surely if we can buy Bitcoins securely from my Android, then why not vote on even global issues!! Such as to be nuclear powered or not?? A vote is just another transaction to be counted and written to the blockchain, where it can be transparently analysed and counted by anyone and at any time, ad infinitum. No more shadows in politics; this, I believe, is why we see this resistance now rising up within the controlling elites. Yes, we need to test and experiment. I would love to see you, Dana, do something like this in conjunction with maybe some Steemit development members who are motivated by this vision of true democracy provided by blockchain technology?
To show that a vote is nothing more than a value that, once entered into a fairly produced and housed algorithm, will always give the best result, in terms of clarity in numbers without the manipulation of the invisible hand which pains so clearly our world right now!! Thanks again for this your great response to this idea of world future in voting systems on the blockchain of social interaction and response. This could be a vision of World government I would agree to, not you?

To develop secure Internet voting requires a continuous iterative engineering process which is basically going to mean trial and error. The same sort of trial and error required to come up with the paper ballot approach which itself is not invulnerable to being hacked or I should say, manipulated. In my opinion Internet voting needs to be tested on a small scale until we find a way to do it which is secure enough to be scaled, but if we halt all trials it guarantees we will not find anything.

In addition, I don't think the search should be centralized. I don't think only the DHS or National Science Foundation should be qualified to try to solve these problems. I don't know that they do not have an agenda whether political or other. So I would say I prefer an effort which includes DARPA who is known for being successful at this kind of thing.

I don't know how to define "world government". I do think digital governance can be global but I don't assume it will be "world government". I don't assume one government will rule them all, but I do support the building of virtual governance technologies so we can experiment and learn from trial and error.

Yes, we do need to put this great potential to the test as you say. But it certainly looks like they are not going to permit this system of efficient and "clean" voting to get off the ground, as maybe this system is too "transparent" and does not, for this very reason, suit them!
Of course you are right when you say that the research should be made by a joint global initiative and again not be put in the hands of the few for the loss of the many. World government does not need to exist in my opinion. But the world's voice could be found by this system development; we just need the present political system to embrace and accept the possibilities of this blockchain technology and that which it could potentially bring to the table and lives of everybody living on this planet. This is surely something we could see as being a major step towards "world governance?" as the voice of the world could be collected and counted for the greater good of all.
But then "world government" is just a term and is in many ways not even important; the only thing which is important is that we try, like you say, and see what can be done.
It's very sad and I would say a little disturbing to see that we are still far from this ever being the case. The very proof being the passing of this new law which you expose in this post. This law shows clearly their desire and more need to stem all online voting technologies development; they are clearly not ready to renounce on their present system, which I think we all see is flawed and open to negative manipulations.