OSET Institute

View Original

Kraken Busting and the "Most Secure Election Ever"

The November 2020 election has been calledthe most secure ever,” for several good reasons, despite the fact that there is still a lot of worrisome room for improvement. My colleague Gregory Miller, COO wrote about that just after the assertion was made. Now it appears we may need to crack down on some more Kraken-wannabes before they become such.

In U.S. elections, we've picked off the low hanging fruit from the pre-2016 norms of “not a lot of attention paid to cyber-security or operational integrity, at all.” To be more precise, the “low-hanging fruit-picking” has started, but far from the entire country has finished, or in some cases, even started.

"But, but, but" we hear from concerned citizens, for whom the usual measures of "election security" aren't encouraging. Lest this spawn more mini-Krakens, I'll try to deliver some plain language about two things:

  1. Most secure, compared to what?

  2. What kind of security and public confidence we did and didn't get as a result.

1. The Goodness

Here are some of the most important ways that the 2020 election was the most "secure" ever, which we can list without getting specific about what kind of security we're talking about. The 2020 election had the:

  • Lowest use of paperless voting machines;

  • Highest portion of voters using paper ballots uniformly counted by OpScan (optical scanning);

  • Most jurisdictions conducting ballots audits that are or will be a regular process (admittedly still a small fraction, but growing);

  • Most state and local election staff having received basic training for cyber security;

  • Most cyber defenses deployed by states to monitor and protect voter records system;

  • Most cyber assistance to states provided by DHS;

  • Most participation by states and localities in cyber security information sharing organizations; and

  • Most efforts at state and local levels for contingency planning.

As a result, 2020 elections were "more secure" — though let's be precise and say "more resilient" — against technology malfunctions (thank you, paper ballots and audits), cyber-attacks (thank you, help from DHS), and threats to operational continuity.

You'll notice that what was not included in "security" here are:

  • More secure against malfeasance by election officials, that could effect election results;

  • More secure from accidents and human errors by them, that could effect election results;

  • More secure against malicious software and cyber-attackers if they acquire an actual handle on voting system devices or election management systems.

"Most secure yet" certainly applied to technical, cyber-defense, and operational issues, but not for insider fraud or the consequences of cyber attack succeeding despite increased defenses.

2. The Limits of Goodness

That's where the "But, but, but, ..." comes in. It is reasonable to wonder whether, despite all the goodness, there is badness lurking well beneath the water line. For a couple of examples,

  1. Nation state adversaries could have penetrated state voter registration systems or local election management systems, despite the complete absence of public telltale signs that we saw in 2016, in the most stealthy manner possible, and the National Security apparatus has chosen not to reveal anything about to the public, for national security reasons. None of the above goodness would help!

  2. Or voting system vendors could know about ways their products could be or even have been used to steal elections, but aren't telling, to protect their reputation and trade secrets.

That's always the case: various people could have secret knowledge that we lack!

No matter how great things are above the water line, we can never know what we don't and can't know about possible evil in the depths below.

So, although it is reasonable to wonder, it is not helpful to spend much time on it, much less worry about it. It's not reasonable to worry about what we can't know; that path awaits conspiracy theories.

For our work here, there is so much room for improvement above the waterline, I think it best to just live with the limits of my knowledge, and focus my energies on working toward improvements.

And I suggest you do too. In our case that energy is better used on improvement like:

  • Easier access to paper ballot voting;

  • Better tools for ballot audits; and

  • Improved technology for transparency of election operations.

What improvements in elections could you work toward, above the waterline? Definitely worth a thought, rather than a worry.  If you have ideas, I’d love to see them.

Afterword

Several journalists have tried to cover this topic. Here’s one we’ve noticed that’s a bit more of a comprehensive long-form effort and appearing on several publication plaforms.