Think of what has happened in the past few months alone. We have seen mass civil unrest due to a horrifying 8 minutes and 46 seconds that should have never happened, the entire west coast on fire, and we are preparing for the impending hurricane season. Not to mention the ongoing pandemic, which has taken more than 200,000 American lives and growing. No wonder many of us are dejected and fearful of the current environment. We are practically bracing for the impact of the next unknown disaster.
Naturally, the nation needs comfort and a sense that all will be OK in the end. Both major political parties have taken their approach to reassurance during this rather unprecedented election cycle. The Biden Campaign and the Democrats crafted a message designed to reassure the American public that a return to normalcy and stability will happen, provided their candidate is elected so he can undo the “damage” of the current administration. Trump and the GOP have taken a different approach, stating that the suburbs will be destroyed by crime while the opposition imposes socialism. Whether it’s more subtle or blatantly overt, the tactic of introducing fear into the electorate is a powerful one that tends to win votes.
Welcome to Security Theater and the deep-seated concerns security professionals, such as myself, have ahead of the 2020 presidential election. Security Theater is the constructed perception that there are security controls or safeguards in place when, in fact, said measures are rather cursory or not nearly as adequate at deterrence as is perceived.
For example, the general population expects TSA agents to be an effective deterrent against a determined attacker hell-bent on using an airplane as a weapon of mass destruction. The TSA catches quite a bit contraband, which they proudly display on Instagram as a warning to would-be criminals; however, the rules they adhere to are implemented as a reactionary response to the extreme occurrence when security lapses. Security penetration tests have shown that the TSA fails most tests and misses serious contraband, including firearms and even explosives. The TSA is but one example of the many facets of our national security apparatus that are woefully underequipped.
One thing to know about security is that it’s a cat and mouse game of the attackers innovating around defenses, requiring our defenses to react and improve. In every facet of our national security – from counter-terrorism to cybersecurity – our defensive strategies for critical infrastructure are frequently under attack. That’s a terrifying prospect when those institutions tasked with protecting this aspect of our lives are often behind and reactive.
Our presidential election is no different.
What many don’t realize is that the American election system is a confederated process. Each state has its methodology for properly holding and counting an election. Within all fifty states are local election authorities that can further dictate rules and policies. Some Americans tap a screen to vote, some draw black lines with a marker on paper, and I’m sure many remember the hanging chads of the 2000 election. Those took years to phase out alongside lever pulling.
With the election on the horizon, everyone is talking about mail-in voting in particular. This situation has some advantages, but serious drawbacks such as the perception that the supply chain custody of ballots can be compromised on a broad scale, thus causing a health percentage of the electorate to believe that mail-in voting is “rigged.” However, since not everyone will be voting in person, the US election is harder to attack in an attempt to change election totals. To “stuff the ballot box” nationwide, it would take a massive and in-depth campaign of threat actors physically breaking into voting facilities to replace paper ballots.
In the 2016 election, a massive disinformation campaign happened on social media by Russian actors known as the Internet Research Agency. This fact is not in dispute as congress itself released a comprehensive report on this issue, complete with every single fake or hyperbolic ad the Internet Research Agency leveled on the American public (anyone can read them here). Russia calculated that influencing local populations in swing states via their favorite social platform was cheaper, easier, and safer than sending an army of operatives to Wisconsin or Florida.
One of the most concerning aspects of the Security Theater of this election is electronic voting machines. In 2018 an 11-year-old hacker broke into a voting machine live on stage at a hacking conference. It took less than ten minutes. This wasn’t the first time either: Security researchers have been breaking into voting machines or various local governments for years to underscore our elections’ insecurities. One researcher even turned the voting machine into a Pac-Man machine. For years, other researchers have been posting photos of themselves walking into municipal buildings before elections and freely walking into rooms where the voting machines are stored, which are often unlocked. Without a standard for security, it’s rather difficult to contend that our election has been, or will be, the “Fort Knox” we expect it to be.
So, how does the US election system shift from the quintessential Security Theater footing to a standard that ensures the election’s integrity?
It requires a multi-pronged approach, but the core umbrella defensive strategy should encompass the following items:
First: The physical security of voting machines needs to be ensured. A national security voting policy should always be keeping these devices under lock and key with video monitoring except when in use. In this vein, voting machine manufacturers – who have been notoriously lax with security – should require a complete supply chain assurance that the products and parts they’re using to assemble the voting machine are secure and cleared of any malicious coding. They also need to enhance the physical security of the voting machines as well.
Next, we need a documented log of any changes or upgrades to the voting machines if they are maintained and reviewed before the election. This will mitigate any election judge malfeasance before the election, especially when paired with the machines’ video surveillance. Similarly, every voting machine should be required to produce a receipt for the voter once they are done voting, clearly showing who the voter chose. This receipt would have a unique randomized identifier on it, so if the election is called into doubt, the receipt can be reproduced and verified as authentic.
Third: Every voter should be required to have state-issued identification. These identifications should be free to the state’s population. State budgets should set-aside a budget for the ID cards and the personnel it may take to visit those citizens who cannot make it to a state facility whatever reason or are infirmed. Once that process is completed, anyone who doesn’t have state identification doesn’t care to vote or decided against it for whatever reason. They can’t say that they’re disenfranchised from voting, given all opportunity to get that identification.
Fourth: The US Postal Service should be as isolated from the federal government as much as possible when it comes to elections. Any election mail-in or absentee voting should have the highest priority to be delivered to the states under penalty of termination for any employees who interfere with the mail. The Postmaster General should be required to be hired from within the USPS and cannot, by law, be a political appointee. Furthermore, an independent commission should be appointed for the USPS when elections are taking place, budget concerns should be suspended, and no changes should be made to operations for potential political purposes.
Finally, and perhaps most importantly, a national standard for candidate and election education. All political party candidates must submit positions on every major national topic (think gun control, abortion, capital punishment, taxes, foreign policy, and more) to be eligible for election. The general voting population must take this educational course that lays out the guidelines.
This education can be done online or in-person. Since Facebook, Twitter, and other large platforms are reactionary at best to the onslaught of disinformation, this educational material will cut through the noise and get to the heart of the issues that should matter most to voters. A portion of the population will easily let their own confirmation biases rule the day and believe every fake news story aligns with their worldview. Still, this education plan should cut down on that number hopefully by many orders of magnitude.
Research shows that the US electorate is worried about election fraud and misconduct. Along party lines, research has a desire for more security beyond the Security Theater currently on display that everyone from John Oliver to major news networks have picked apart. The nation is learning that in a contentious election, the process for choosing the next leader isn’t as secure as it needs to be. This is further compounded by the fake news and conspiracy theories that are littered across the internet daily.
Security Theater is an excellent tool for calming a distressed population with a reassurance that they’re not out in the wild alone and left to fend for themselves. Still, there is a time and place where it works and a time and place where a heavily divided electorate requires more to help ensure the smooth transition of power, which may seem like a distant memory come November.
May state-sponsored hackers never learn the difference.
______________________________________________________________________________________________________________________
Nick Espinosa
Nick is the founder and CEO of Security Fantatics, the Cybersecurity/Cyberwarfare division of BSSi2dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations. As a member of the Board of Advisors for Roosevelt University’s College of Arts and Sciences as well as their Center for Cyber and Information Security, the Official Spokesperson for the COVID-19 Cyber Threat Coalition and a board member of Bits N’ Bytes Cybersecurity Education as well as Strategic Cybersecurity Advisor for the Private Directors Association, Nick helped to create an NSA certified curriculum that will help the Cybersecurity/Cyberwarfare community to keep defending our government, people and corporations from Cyber threats globally. In 2017 Nick was accepted into the Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs and technology executives, and is a regular contributor of articles which are published on forbes.com as well as smerconish.com.
______________________________________________________________________________________________________________________
