Cybersecurity, like death and the march of time, is agnostic to politics. Regardless of anyone’s outlook, technology is pervasive in all societies. As it continues to evolve, so does its adoption and, thus, the need to secure it for privacy and security’s sake.
For the first time in 244 years, the United States presidential election’s integrity has been called into doubt, and the world has now seen what a genuinely contentious election looks like for a superpower. Humanity has learned that the process for selecting America’s next leader is a confederated framework that depends on states and local governments to ensure security. That process leaves multiple gaps in the current defense. In the age of cloud computing and cybersecurity, the electorate needs more assurance.
Looking back over the last few years of election security standard improvements – or lack thereof, really – it’s time to understand the lessons of this past contentious election and how the United States can improve its election security. Given the events of the past 24 hours, now more than ever, the American public needs reassurance that their institutions are in place, secure, and can deliver accurate results so situations like this never happen again.
Lesson One: Ensure the physical and technical security of voting machines.
While this is a two-fold lesson, the two points are intertwined, as both focus on the voting machines themselves. Voting machine manufacturers have had a history of being called out for lax standards and practices in both the machines’ coding and their safety. To fix this, manufacturers need to build in tamper-resistant locks with audible intrusion alarms. The software that runs each machine should adhere to a standardized software development lifecycle that is routinely audited by independent cybersecurity personnel to ensure that machine coding isn’t altered. These independent reports should then be made public, minus the machines’ actual source code or other proprietary information, to assure the electorate it’s safe when using voting machines.
An asset management solution should be in place to ensure that all voting infrastructure is accounted for and periodically kept up to date, so that the machines’ operating systems and application(s) are as secure as possible.
Finally, all voting machine companies within the United States should have their infrastructure, code, and update servers independently audited before and after elections. With the recent SolarWinds data breach, the world learned that an attacker who can poison the updates at the source can infect multiple systems without breaking into each one. These independent audits will help to ensure no misconduct has occurred just before, during, or after the election that could corrupt a voting machine.
The ideal scenario would be to see the United States go back to 100% paper ballots, but since that isn’t likely, the above lesson will help cut down on allegations of tampering.
Lesson Two: Ensure election judges cannot tamper with the election.
Change logs for any interaction with the voting machines by election judges need to be independently created and securely stored where the judges cannot access them. This would help to ensure that no election judge can attempt to alter a voting machine, and when paired with video surveillance of the voting machines, it will be tough for any partisan actor to “fix” the vote.
Lesson Three: Ensure the accuracy of a citizen’s vote.
Every voting machine should be required to produce a paper receipt for the voter once they have voted so they can review their candidate selections. Further, this receipt should have a unique identifying code on it. If the election is disputed, the voter can produce this receipt as authentic proof of voting.
Lesson Four: States should verify and collaborate with other states on voter rolls.
Voter rolls are somewhat challenging to maintain. Over 2.8 million people die in the U.S. annually, and about 32.4 million move to a new home or state during the same period. The deceased really can’t alert their local election officials themselves (insert “dead people voting joke” here), nor do families think about these things in their grief. People who move and register in their new state or district rarely alert election officials in their previous district. By virtue of this, voter rolls become messy due to their retroactive nature, leading to accusations of fraud.
State laws should require those who are moving and eligible to vote to fill out the appropriate voting paperwork, which should be integrated into the mortgage contracts or rental agreements. This paperwork should also include the past address of voting eligibility. This way, the person is registered to vote automatically, and the new state or district’s computer system can synchronize with the previous district to remove the voter at the same time he or she is added to the new district. For the deceased, the local coroners should be required to alert local election officials, which can also be achieved electronically as they fill out the paperwork. This will cut down drastically on accusations of the dead voting or of people voting twice.
Lesson Five: State-issued identification should be required to vote, no exceptions.
States should create a set-aside in their budgets for identification cards, which would be free to their citizens. This budget would also include the personnel needed to visit any citizens who are unable, for whatever reason, to appear at a state facility yet have requested identification. No one can then say that they are disenfranchised from voting, given all available opportunities to get an official identification. Since there is no evidence of widespread voting by non-citizens, this lesson should remove this issue as a political football.
Lesson Six: The Integrity of the Post Office needs to be reinforced.
Isolation from federal control during national elections is of paramount importance to maintaining the integrity of the USPS. Safeguarding ballots to their destination should be the highest priority and enforced under threat of possible termination or criminal charges for any postal worker found to be willfully interfering with this process. The Postmaster General should also be hired via internal promotion from within the USPS, and furthermore, no political appointee should be allowed to hold this position. During an election, the USPS should also have a third-party, independent commission appointed to oversee it, which will ensure that the USPS budget’s focus is on the election during this time and that operational changes during an election are not made for potential political purposes. Any citizen who chooses to impersonate the USPS, whether in person or by deploying fake ballot boxes (as recently seen in California), should be held criminally liable and prosecuted.
Lesson Seven: Voter Education and Disinformation Awareness Training should be required to vote.
Any candidate for federal office, regardless of party, should be required to formally state their positions on major national issues such as taxes, capital punishment, foreign policy, abortion, and more on an independent non-partisan website. Candidates who fail to submit their positions should be rendered ineligible. The United States’ voting population should be required to take educational classes that lay out the candidates’ beliefs and explain how to spot and disregard disinformation. Given the tendency to support news stories, real or fake, that support a person’s confirmation bias, this will hopefully begin to turn the tide for a healthy percentage of the population that believes fake news. For many, skepticism ends where political bias begins. That’s an entirely untenable position for any nation long term. This education can be done online or in-person and is required, though a test should not be required due to possible concerns of disenfranchisement (think Jim Crow Literacy Tests).
All of the above lessons help ensure the chain of custody for voting, hopefully mitigating much of the political noise regarding election rigging while modernizing election security.
These lessons are too late for the 2020 election. This framework should be used for the 2022 election and beyond. The U.S. Senate has failed to pass any election enhancements thanks to blocking by the majority party, so here’s hoping we can correct this severe problem in time to ensure we will continue to have free and secure elections.
Nick is the founder and CEO of Security Fanatics, the Cybersecurity/Cyberwarfare division of BSSi2 dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations. As a member of the Board of Advisors for Roosevelt University’s College of Arts and Sciences as well as their Center for Cyber and Information Security, the Official Spokesperson for the COVID-19 Cyber Threat Coalition and a board member of Bits N’ Bytes Cybersecurity Education as well as Strategic Cybersecurity Advisor for the Private Directors Association, Nick helped to create an NSA-certified curriculum that will help the Cybersecurity/Cyberwarfare community to keep defending our government, people and corporations from Cyber threats globally. In 2017 Nick was accepted into the Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs and technology executives, and is a regular contributor of articles which are published on forbes.com as well as smerconish.com.