For the first time in history, many elections will have to happen without in-person voting. In the US, we have already witnessed the pandemic’s impact on the Democratic Primaries, many of which had to be postponed and were mired in massive legal controversies. Throughout the ongoing pandemic, leaders continue to hotly debate whether or not elections that rely on in-person voting are therefore asking citizens to make a decision between civic participation and personal safety.
Despite the upcoming US election being less than 100 days away, the impact that the current crisis will have remains unclear with speculation continuing to dominate the media. However, long-term strategizing is vital in order to ensure that democracy will be resilient in the face of future pandemics, as well as other novel 21st century threats.
In this unprecedented challenge to democracy, online voting is the obvious solution. Compared to mail-in ballots, online voting is certainly more convenient, accessible, and safe in the ongoing pandemic for each and every voter, poll worker, and mail carrier across America. But can online voting ever be fully secure in the light of cyber security concerns?
Cutting corners isn’t an option
We know that nation-states, hacktivists, and cyber-criminals will directly target online voting platforms and data. This issue has been magnified by the controversy surrounding the Iowa Caucus app, a smartphone app designed to help announce the results of the first nominating contests in the Democratic Party primaries for the election. Fraught with coding issues, the app was quickly deemed ‘a disaster waiting to happen’. The same has been reported of the Voatz app, used in elections across West Virginia, Oregon and Colorado, which has been found to suffer from a number of security flaws.
Companies building mobile voting applications are incentivized to move as quickly as possible in order to take advantage of the current demand for this technology. As this pressures companies to cut “non-essential” corners in order to be first to market, some will choose to prioritize functionality and accessibility over security.
Even when security is a priority, ensuring the security of online voting methods remains challenging. For example, though the Voatz app uses blockchain, biometrics, bug bounty program and other security protocols, a recent study by a team of independent researchers at MIT found alleged vulnerabilities in the voting platform that “allow different kinds of adversaries to alter, stop, or expose a user’s vote.”
Trust is the lifeblood of democracy
Ensuring that citizens trust an online voting platform is as crucial as ensuring the security of the platform itself – trust is the lifeblood of American democracy, and all democracies globally. If people do not believe that their vote will count, they will lose their incentive to participate in the democratic process. In order for people to believe that their vote will count, they need to have faith that each and every vote will be accurately counted. Trust is democracy’s bedrock principle, and security is vital to trust.
We can only build people’s trust in online voting platforms by building powerful and rigorously vetted security protocols into the foundation of emergent voting technologies. Yet, US state governments will likely not have the resources to fully validate possible solutions that are pitched to them by a vendor – these remain the weaker underbelly of the federal government, and their security maturity tends to be much lower, explaining why they are frequent targets for ransomware attacks during and outside of election season. Creating a central approval body on the federal level will accordingly alleviate pressure on states as they meet the demands of the present moment.
The US federal government should define clear, comprehensive security requirements for all online voting platforms that involve a rigorous testing and certification process. This process should be transparent and should leverage private expertise and crowdsourcing methods such as Hacker One’s bug bounty program. Contracting ethical hackers can reveal vulnerabilities in a platform’s cyber security protocols before malicious actors discover them.
Lastly, in order to ensure trust in the case of a potential compromise, all voting methods must maintain a “verifiable, auditable paper trail and paper-based balloting backbone.” This is because the American public retains a justified sense of skepticism concerning the security of mobile applications and the privacy of their data. They have seen a steady stream of data abuse and mishandling from the likes of Facebook and Capitol One, as well as successful cyber-attacks against other entities that many people consider more trustworthy, such as Equifax, the Defense Information Systems Agency, and the Office of Personnel Management.
A new democratic era
As America and the rest of the world enters the era of digital democracy, it has never been clearer that we must adopt the most sophisticated tools—from blockchain and data validation to AI technologies that provide full visibility into the transfer of all data across enterprise networks — in order to ensure the security of elections, census, and all other governmental operations that rely on the internet.
We must move forward with caution – democracy is a delicate process, and there is no short-term fix for this paradigm shift in the channels of democracy. Paper trails are needed in order to preserve public trust in the present, and advanced security technologies are also needed in order to shepherd democracy safely forward into the increasingly uncertain future. To maintain social distancing while allowing for more voter participation, mail-in paper ballots matched with the appropriate auditing measures might remain the most promising and secure near-term solution.
- Marcus Fowler, Director of Strategic Threat, Darktrace.