Election interference is the new normal, or perhaps it quietly has been for some time now. Until recently, though, it has escaped the limelight because the process of voting in most places has barely changed since the dawn of democracy. People show up their designated voting booth, wait in line, verify their identities and cast their ballots – but in the era of COVID-19 this idea is more complicated than it once was – and also more compromised. Obviously, the ideals of democracy must be upheld even during a pandemic in which the pathogen at large is airborne, and people must be empowered to vote even if they aren’t able to stand in line. Especially as an important US Presidential election approaches in a mere handful of weeks, the idea of remote voting has emerged as a potential solution to the obstacles put in its place by coronavirus – but solutions must also be found for securing the remote vote itself.
Rather than mail-in ballots, which require immense administrative efforts to corral, count, and authenticate, remote voting would entail using technology to mimic the same processes but in a streamlined digital manner. In the midst of COVID-19, governments have already embraced digital alternatives for physical processes steeped in tradition and respect – just look at the testimony of Dr. Anthony Fauci, who recently appeared in front of the Senate via Zoom. Thanks to H.R. 965, which was passed in mid-May during the throes of the pandemic, members of the House have been alpha testing remote voting at a very small scale. While Senators must still show up and have their Yeas and Nays tallied on paper, House members are able to send in their votes via encrypted email and have them counted. This is still an early and rudimentary solution, and there’s no doubt that rolling out digital voting to the greater USA or even individual States would require something much more complex. So far, some States are experimenting with digital voting, but they are doing so against the advice of Homeland Security’s recent report, which highlights remote voting as extremely high risk. This is no doubt a remnant of 2016, when hackers successfully breached online voter registration systems in an attempt to sway results of the election – or simply to test the water in advance of the “real” interference attempts which are soon to come. The wagons haven’t circled yet, and any efforts to advance remote voting efforts now are as undefended as they were then.
Evidence points to the fact that the varied and disparate digital systems that already exist can’t be capably secured, meaning any attempts to institute remote voting will be built on a flimsy foundation and cause even more trouble. This would create an untenable situation in which both election results and faith in the system can be challenged, so any efforts to help US citizens vote from afar must also come with accompanying security technology. Attempts to secure local and state voter registration systems so far have focused on the lowest-hanging fruit: patching software and hardware, and “backing up” incoming digital votes by writing them down on paper. This approach is smart, because it’s often the most basic exploits that hackers use to disrupt the voting process. The remote voting apparatus, in the States where it currently exists such as Delaware and West Virginia, is extremely flimsy and reliant on a stack of tools that are each capable of being compromised in different ways. Hackers don’t necessarily need to infiltrate systems and change votes themselves, they can simply disrupt the process by deleting or multiplying votes, adding false data, compromising signature-verification software, or overloading them via DDoS. This can occur for the ballots, voting machines, Secretary of States or registration websites, and other weak links in the chain. Accordingly, the entire voting flow must be secured from the moment a citizen logs on, through the verification process and until the final vote is tallied.
Remote voting is coming whether we’re prepared for it or not, because if you ask election officials, it’s more important to re-enfranchise those who are disenfranchised than it is to secure the systems we use to accomplish it. Though problems are bound to arise, given that in classic federal government style it’s up to individual States and the agencies within them to choose relevant security vendors and solutions, a new type of unified product is emerging that can kill many of these issues with one stone – in theory. Coined by research firm Gartner, SASE is a cloud-based security product that is capable of being integrated directly into many different types of resources and environments, like those in use across government offices, and regardless of where they are physically. It essentially weaves an impressive array of different networking and security solutions into all network resources, such as those deployed in the digital voting process, and theoretically can blanket protections over participatory voters and officials across the country, including custom access privileges, security layers and close monitoring for suspicious activity. The thinking is that if a SASE product were to be deployed in the State of Florida, it might mandate that voters logging into whichever voting application Florida chooses will first need to authenticate with 2FA, for example. During the vote, voters’ connections to State applications would be encrypted with IPSec tunnelling, and even automatically disconnected from the internet if the application should fail.
If government IT teams match the variety of remote voting hardware and software with a similarly disparate selection of security tools, then their efforts will be further distracted from ensuring an accurate vote and go instead towards managing their teetering software stack. What’s necessary is a unified security model encompassing all tools that States need to protect their voters, and one that fits natively into the systems they’ve already begun implementing and is therefore easily onboarded as other States come “online”. This idea has become more real thanks to SASE, though the security industry has some catching up to do before it’s ready for elections. That’s alright, because poorly deployed security would do more harm than good, and it’s important to be airtight: The point of elections isn’t to pick the winner but to remove any doubt in the mind of the loser that results can be argued. For this reason a robust and proven security solution is necessary if remote voting is to be the status quo.