The Black Hat USA 2020 virtual conference kicked off on August 5 with a keynote session exploring the challenges of modern election security in the US and the impact of the COVID-19 pandemic.
The keynote was delivered by Matt Blaze, McDevitt chair in computer science and law at Georgetown University in Washington DC. He is also the co-founder of the Voting Village at the DEFCON security conference that follows Black Hat. Blaze began his remarks but stating that technology and elections in the US are very heavily interrelated today, but that wasn’t always the case. In fact, he noted that early elections in the US had very little technology and relied on the simplicity of a paper ballot.
According to Blaze, the paper ballot approach works pretty well and voters can be confident that their vote is counted as it was cast. That is, as long as that ballot box didn’t get tampered with and the counting process had high integrity.
“It’s very important that we trust, not only the people who are involved in elections, but also the technology that we depend on for those elections to be secure, to have high integrity and to be genuinely reflective of how we voted,” Blaze said.
The Complexity of US Elections
Among the challenges of election security in the US is the fact that the elections themselves are exceedingly complicated.
Blaze explained that in practice, each state sets its own rules and requirements for the elections that are conducted in that state. In total, he noted that there are over 5000 different government entities that handle different aspects of elections and the whole process is a very decentralized operation.
“I don't think I’ve ever encountered a problem that is harder than the security and integrity of civil elections,” Blaze said. “It’s fundamentally orders of magnitude more difficult and more complex than almost anything else you can imagine.”
Technology to the Rescue?
Prior to the 2016 election, Blaze said that election officials had not really considered the impact of foreign state adversaries for election interference.
Technology can be used to both help as well as prevent potential mischief by those that might want to interfere in an election, according to Blaze. Fundamentally, modern elections have largely relied on technology, which means that technology needs to be trusted and secured, which is no easy task.
“The integrity of the election results depends on the integrity of software and hardware,” Blaze explained. “So the correctness of any software you’re depending on for that purpose is critically important.”
Blaze highlighted recent developments that can make a big difference in validating the integrity of election technology. One of them is the concept of software independence, which has been advocated by cryptographer Ron Rivest.
“This [software independence] is essentially a requirement for voting systems that you should design your voting system in a way that an undetected change or error in the software can’t cause an undetectable change or error in the election outcome,” Blaze said. “It doesn’t say you can’t use software, it says, you shouldn’t depend on software for the outcome in ways that you can’t detect.”
Thanks to the adoption of the software independence approach for voting systems, as well as enhanced scrutiny throughout the process, Blaze noted that there is reason for optimism. He added that if he were giving his keynote in February, he would end the presentation on that positive note. The reality though is different now, with the COVID-19 pandemic raising a new set of issues.
The Pandemic Election
There are already multiple mechanisms in the US election system that allow for elections to occur during times of disruption. Blaze outlined the absentee, mail-in ballot system used in the US and the various steps it integrates to help ensure authenticity.
A big challenge however is scaling that system for the current crisis when tens of millions more Americans will want to make use of the mail-in ballot system than ever before. Whether or not there will be enough printed ballots, systems to scan those ballots or the personnel needed to enable the process, are questions that will need to be answered.
“Time is really short and the election is less than 100 days away,” Blaze said. “For many of these problems, the logistical aspects of this are familiar to computing specialists.”
In Blaze’s view, there is a lot that the IT and the cybersecurity community can do to help local election officials with the challenges of running an election during a pandemic. He advocated for the Black Hat community to engage on this issue, contact election officials and find out how to help, whether it’s a need for poll workers, IT expertise or otherwise.
“I think we can do this but we have to want to and we have to all take responsibility for this,” Blaze concluded.