Cybersecurity experts are known for their tough and varied opinions: put six different experts in a room and you'll wind up with ten different opinions, the old saw goes. With the US 2016 election cycle in full swing, internet voting is once again back in the news, this time in Utah, where the state's Republican party rolled out online voting for its primary. Perhaps no other topic, save maybe the FBI's request for access to a locked iPhone, draws such near-universal consensus among security experts: internet voting (and its cousin, the paperless electronic voting machine) is a really, really bad idea.
How bad? Well, consider the workflow. Users pre-register (who are these users, and how are their identities verified?) from a variety of unmanaged devices (malware, keyloggers); they receive a PIN that they use to log in and vote (a single credential, so identity compromise is one theft away); then they verify that it all went through correctly by matching a code received via email after voting against a list on an online bulletin board. Simple, right? Maybe. But secure? Definitely not.
One of the features of our current paper-based voting system in the US is that it leaves an analog paper trail. After the election results are tallied, paper ballots and registrations are shipped off to local county warehouses and archived for a period of time. This creates a verifiable paper trail that any interested party can later follow up on. During the disputed 2000 US election, the Miami Herald and other news outlets were able to pore over storage rooms full of ballots to do their reporting (with inconclusive results). Still, it's pretty hard to fake thousands of paper ballots coming in from all over the voting precincts, along with their associated voter registrations. If these records existed only electronically, the opportunity for foul play would be as wide as the internet.
The antidote is for the security community to get ahead of this before states begin to implement it more widely. Fortunately, there are no indications of internet voting going widespread in 2016. There are many security components that would have to be considered, but to my mind the chief one is identity assurance: the principle that the voting authority needs a high degree of certainty that the party casting the ballot is the actual voter, not malware on the device, a man-in-the-middle, or some other unauthorized party. To get there, you would need a variety of contextual, risk-based factors known about the user, including a recognized device, the voter's location, perhaps some behavioral characteristics, and step-up authentication when those signals don't line up. Not just two-factor authentication, but enough independent factors to give the requesting party (the voting authority) assurance that the voter is who he or she claims to be. A simple PIN won't cut it.
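To make that factor-based reasoning concrete, here is an added example written for this post (not RSA's code and not the Utah system's) of a risk-based assurance check: it verifies the PIN, then scores the attempt on device familiarity, geographic plausibility against the previous login, and one behavioral trait, and returns ALLOW, STEP_UP or DENY. The factor weights, thresholds, salt and voter records are assumptions constructed for the illustration.

```python
"""Risk-based identity assurance for a voter login (added illustration).

Not RSA's product logic and not the Utah system's. Weights, thresholds,
the salt and every record below are constructed assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

SALT = b"example-salt"        # assumption: real systems use a random per-voter salt
STEP_UP_THRESHOLD = 1         # assumption: any anomaly demands a second factor
DENY_THRESHOLD = 6            # assumption: too anomalous to rescue with step-up
MAX_PLAUSIBLE_KMH = 1000.0    # faster than this between logins is "impossible travel"

def hash_pin(pin: str) -> str:
    return hashlib.sha256(SALT + pin.encode()).hexdigest()

@dataclass(frozen=True)
class VoterProfile:
    voter_id: str
    pin_hash: str
    known_devices: frozenset
    last_lat: float
    last_lon: float
    last_seen: float           # unix seconds of the last successful login
    typical_typing_ms: float   # mean interval between keystrokes on past logins

@dataclass(frozen=True)
class LoginAttempt:
    voter_id: str
    pin: str
    device_id: str
    lat: float
    lon: float
    timestamp: float
    typing_ms: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def assess(profile: VoterProfile, attempt: LoginAttempt):
    """Return (decision, reasons); decision is ALLOW, STEP_UP or DENY."""
    # The PIN is only the entry ticket: wrong PIN ends the evaluation, and the
    # comparison is constant-time so the check itself leaks nothing.
    if attempt.voter_id != profile.voter_id or not hmac.compare_digest(
        profile.pin_hash, hash_pin(attempt.pin)
    ):
        return "DENY", ["PIN mismatch"]
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 3
        reasons.append("unrecognised device")
    km = haversine_km(profile.last_lat, profile.last_lon, attempt.lat, attempt.lon)
    hours = (attempt.timestamp - profile.last_seen) / 3600.0
    if km > 50.0:
        if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
            score += 4
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
        else:
            score += 1
            reasons.append("new location")
    # Behavioral factor: typing rhythm more than 50% off the voter's baseline.
    if abs(attempt.typing_ms - profile.typical_typing_ms) > 0.5 * profile.typical_typing_ms:
        score += 2
        reasons.append("typing rhythm deviates from baseline")
    if score >= DENY_THRESHOLD:
        return "DENY", reasons
    if score >= STEP_UP_THRESHOLD:
        return "STEP_UP", reasons
    return "ALLOW", reasons

# Constructed sample data: a voter in Salt Lake City with one enrolled device.
PROFILE = VoterProfile("voter-0001", hash_pin("4821"), frozenset({"dev-A"}),
                       40.76, -111.89, 1_458_000_000.0, 180.0)
T0 = PROFILE.last_seen
ATTEMPTS = {
    "normal":     LoginAttempt("voter-0001", "4821", "dev-A", 40.76, -111.89, T0 + 3600, 175.0),
    "travelling": LoginAttempt("voter-0001", "4821", "dev-A", 36.17, -115.14, T0 + 36000, 175.0),
    "stolen_pin": LoginAttempt("voter-0001", "4821", "dev-X", 55.75, 37.62, T0 + 7200, 180.0),
    "wrong_pin":  LoginAttempt("voter-0001", "0000", "dev-A", 40.76, -111.89, T0 + 3600, 175.0),
}

def decisions():
    """Decision for each constructed attempt, keyed by its label."""
    return {name: assess(PROFILE, a)[0] for name, a in ATTEMPTS.items()}

if __name__ == "__main__":
    for name, attempt in ATTEMPTS.items():
        decision, reasons = assess(PROFILE, attempt)
        print(f"{name:11s} -> {decision:7s} {reasons}")
```

The "stolen_pin" case is the point of the exercise: the PIN is correct, yet an unknown device reporting a location thousands of kilometres from the last login two hours earlier is denied outright, while the same voter's genuine trip to Las Vegas only triggers a step-up. A PIN-only scheme would have accepted all three correct-PIN attempts identically.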
Will we ever get to a wide-scale online voting or electronic voting regimen in the future? Well, just like the flying car or pizza delivery by drone, if the technology is there, user acceptance is there, and it can be nominally secure, it will happen. Nobody wants to be a technology naysayer. The question is, can we put in the proper security safeguards with a verifiable analog trail? Nothing less than our democracy would be at stake. Cybersecurity experts, to arms!
Author: Jeff Carpenter
Category: RSA Fundamentals, Blog Post
Keywords: Election 2016, Identity Assurance, Internet Voting