Why can t I vote online? ONLINE SECURITY AND THE FUTURE OF INTERNET VOTING

Transcription

1 Why can t I vote online? ONLINE SECURITY AND THE FUTURE OF INTERNET VOTING

2 Verified Voting Founded in 2004 by computer scientists Non-partisan, not for profit. Focus on elections technology security, auditability, and accessibility. Board of directors and advisors include renowned computer security experts and election officials Organization provides analysis, expertise and advice, including to California Internet Voting Task Force, California Top to Bottom Review, and Department of Defense on the SERVE Internet voting project, among others. Produce research reports, Verifier, The Voting News.

3 Verifier

4 Internet Voting: Let s start with a definition Internet voting systems NOT online voter registration return of voted ballots NOT online delivery of blank ballots Fax return of voted ballots NOT online sample ballots Online ballot marking* (transmits vote choices over the Internet, introduces voter privacy issues) NOT online polling place lookup, etc.

5 Security of online elections online banking Secret ballot > unauditable Online banking is not secure No way determine acceptable level of loss. Can t buy insurance. Margin of error in voting is much smaller than for online commerce

6 Consensus that online voting can t be done securely yet because of unsolved security issues. Department of Defense (Federal Voting Assistance Program) National Institute of Standards and Technology (NIST) US Vote Foundation Future of Voting Utah Lt. Governor ivote Advisory Committee Computer technologists statement on Internet voting

7 Department of Defense [The Department of Defense] does not advocate for the electronic transmission of any voted ballot, whether it be by fax, or via the Internet. - Pentagon spokesman Lt. Commander Nathan Christensen April 16, 2015 Gordon, Greg, As states warm to online voting, experts warn of trouble ahead, The Olympian, April 16,

8 Federal Voting Assistance Program (FVAP) Electronic delivery of a blank ballot, when combined with the postal return of the voted ballot, remains the most responsible method for moving forward until such time applicable Federal security guidelines are adopted by the EAC. - May 2013 Federal Voting Assistance Program s 2010 Electronic Voting Support Wizard (EVSW) Technology Pilot Program Report to Congress -

9 Internet voting project repealed Because of unresolved security issues, Congress repeals direction to the DoD/FVAP to develop an Internet voting demonstration project in the 2015 National Defense Authorization Act (NDAA).

10 National Institute of Standards and Technology (NIST) Has studied Internet voting for many years for the Department of Defense Publishes reports on the security and risks of online voting procedures See

11 NIST summary statement concluded that Internet voting systems cannot currently be audited with a comparable level of confidence in the audit results as those for polling place systems. Malware on voters' personal computers poses a serious threat that could compromise the secrecy or integrity of voters' ballots. And, the United States currently lacks a public infrastructure for secure electronic voter authentication. Therefore, NIST's research results indicate that additional research and development is needed to overcome these challenges before secure Internet voting will be feasible.

12 So why does NIST claim online voting can t yet be done securely? Security tools and features currently available encryption, firewalls, credential authentication, etc. can mitigate some classes of attacks but not all. Unsolved problems regarding voter authentication, privacy and system security Some types of online attacks cannot be mitigated.

13 Computer Technologist Statement on Internet Voting The internet has the potential to transform democracy in many ways, but permitting it to be used for public elections without assurance that the results are verifiably accurate is an extraordinary and unnecessary risk to democracy.

14 So.? No system is totally secure.

15 Risk factors of online voting 1. Vulnerability of the system/votes 2. Likelihood of an attack (value of the target) 3. Scale of potential damage 4. Recovery/ resilience of the election system

16 1. Vulnerability example Malware on voters computers 30-40% of computers infected. Via Dark Web attackers rent access to already infected computers; update remotely Cost: ~ $2500 Impact: Potentially large scale Vulnerability: Intercept, modify ballots marked online, sent by and/or via web portal Prevention/mitigation: none. Detection: probably not.

17 return of ballots Ballots sent by as attachments can be manipulated or corrupted in transit. least secure method significantly easier to modify Easiest attack is to strip the attached ballot, replace it.

18 A different intriguing example New South Wales

19 Computer scientists run an off-the-shelf security test on the system

20 Analysis of the ivote server showed a 3 rd party script running in the voter s browser Security of the 3 rd party script got an F from the Qualys test The system was vulnerable to multiple man in the middle attacks that could allow an attacker to manipulate vote choices undetected.

21 NSW ivote system vulnerable to multiple attacks

22 Attacks possible despite secure SSL protocol

23 So.. Ok, so there are vulnerabilities, what is the real likelihood of an attack?

24 2. Value? Elections are high value targets Not just for individual candidates and parties but from a national security stand point.

25 Today s cyber security threat environment No longer just this guy in a basement

26 Today s cyber security threat environment State sponsored cyber attacks Terrorist groups Cyber crime syndicates for hire (many in eastern Europe, former Soviet Union) Hacktivists (Anonymous, LulzSec)

27 Today s cyber security threat environment Advanced Persistent Threat (APT)

28 APT Cyber Attacks SONY stole and released data Sands Casino wiped servers, destroyed data, froze company OPM stole federal employee data ARAMCO

29 Aramco Hack Malware attack Erased data on ¾ of the computers, documents, spreadsheets, s and projected on all monitors an image of a burning U.S. flag.

30 Terrorist examining voting security

31 Cyber security environment today There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese. -FBI director James Comey "There is no data center or network in the world that hasn't been hacked. If you watched the number of attacks, they're going up exponentially this year, this year's going to be much worse than last year. - CISCO CEO John Chambers Attacks against us are increasing in frequency, scale, sophistication and severity of impact. - director of National Intelligence James Clapper

32 3. Scale of potential damage Attacks can be automated creating wholesale election fraud or corruption, rather than retail

33 4. Recovery/resilience of the system Resilience is a common factor when considering security of any online system How well can the system recover from an attack? --one that corrupts ballots digitally without the voter s or election official s awareness? --one that interrupts service at a crucial time of the election? Elections and voting especially UNRESILIENT in that it is unlikely one could detect a online voting attack and even if it could be detected, it would be uncorrectable.

34 So what about Estonia?

35 Estonia Public key infrastructure Not actually secure the system has been shown to be vulnerable to attacks Technologists acknowledged the system s insecurities Public distrust of the Internet voting system

36 So how do we go forward? Computer scientists are looking at ways to resolve the unresolved security issues presented with online voting. U.S. Vote Foundation Future of Voting Report Utah Lt. Governor s ivote Advisory Committee Report

37 U.S. Vote Foundation Explores using end-to-end verifiable voting systems Concludes nothing currently on the market secure enough for public, binding government elections But provides an outline for systems Recommends widespread polling place deployment first

38 Utah ivote Advisory Committee Concludes sufficiently secure internet voting systems do not currently exist. Offers two options online ballot build and build a voting system Recommends any system must undergo rigorous public testing.

39 We re not there yet. But election officials can use the Internet to improve voting in many other ways that don t endanger the legitimacy of the ballot and the election results.

40 Internet-assisted elections Online voter registration Online absentee ballot requests Online blank ballot delivery Online ballot tracking software for vote-by-mail and absentee voting Accessible remote ballot marking systems for disabled voters (offline) Smartphone apps for polling place lookup, voter registration info, etc. Online sample ballots

41 Thank you!!!

42 References NIST statement and reports - Computer technologist statement on Internet voting - NIST on malware NIST IR 7700 Security Considerations for Remote Electronic UOCAVA Voting NIST on ballots NIST IR 7551 A Threat Analysis of UOCAVA Voting Systems The Canvass - Internet voting, not ready for prime-time? Feb New South Wales Sands Casino hack - ARAMCO hack -

43 References continued U.S.Vote Foundation Future of Voting Utah ivote Advisory Committee Report %20Final.pdf