Cybersecurity Snapshots #7 - Is Online Voting a Good Idea?
Government officials have expressed mounting concerns about how the coronavirus could diminish voter turnout during the 2020 presidential election. Officials have expressed interest in allowing internet voting as an alternative to in-person ballot casting in the upcoming presidential election in November. The concept of internet voting has been around since the 1990s. A handful of states, including Delaware, West Virginia, and New Jersey, have introduced internet voting pilot programs. Many individuals in the computer science community see online voting as a slippery slope towards a looming security risk.
David Dill, a computer science professor at Stanford University, is against the idea of piloting online voting in the next presidential election. He believes that there is no way to ensure that devices and apps are free of malware that might influence a voter's choices. Dill also says that a hacker from an adversarial foreign government could theoretically hack their way into these systems and change or manipulate votes. Barbara Simons, a former president of the Association for Computing Machinery, has been a long-time critic of internet voting and overly mechanized voting systems. She believes that voting over the internet is too risky, and if voters are not able to vote in person due to COVID-19 in November, then Vote-By-Mail (VBM) is the safest way for voters to cast their ballots. The FBI, EAC, NIST, and the Department of Homeland Security's CISA have released a warning against the wholesale embrace of internet voting. They stated that there are some effective risk management controls to enable electronic ballot delivery and marking, but electronic ballot return technologies are high-risk even with controls in place.
Google recently announced that earlier this month, on June 4th, an Advanced Persistent Threat (APT) group targeted Joseph Biden's campaign staff with phishing attempts. The group behind the attacks is called APT31, also known as Zirconium. Zirconium is a Chinese state-sponsored hacking group that has been active since early 2016. Historically this group has targeted foreign companies to steal intellectual property but has also targeted diplomatic entities in the past. The adversaries did not appear to compromise the campaign's security. Analysts believe that China's primary motive for breaking into a campaign is to collect intelligence, such as Biden's proposals for U.S. policy on China. The adversaries could, later on, use the stolen information to interfere in the campaign itself.
In a new survey conducted by Venafi, 485 IT security professionals attending the RSA Conference 2020 were asked about election infrastructure cybersecurity. Almost three-quarters of the cybersecurity professionals believe that local governments cannot defend election infrastructure against cyberattacks from foreign and domestic threat actors. Most of the IT security professionals surveyed thought that the spread of malicious information was the most significant cyber risk to election integrity. In October 2018, voter databases of around 35 million U.S. citizens were being sold on the Dark Web. The databases were priced between $150 and $12,500. These databases included personal information like phone numbers, names, address details, and voting history. The databases included information of voters from 19 states.
In another new study, researchers explored a voting platform called OmniBallot to determine what vulnerabilities existed in this technology. OmniBallot is a platform approved for online voting in multiple US states. Researchers at the Massachusetts Institute of Technology (MIT) and the University of Michigan have found that OmniBallot is vulnerable on multiple levels and is susceptible to various degrees of manipulation. Researchers assessed the risks connected with three methods of using OmniBallot: blank ballot delivery, online ballot marking, and online ballot return. Adversaries would be able to change election outcomes without detection by leveraging many techniques. The researchers urge jurisdictions not to deploy OmniBallot's online voting features in order to maintain election integrity.
To be completely confident in online voting and to deploy these types of platforms in the future, appropriate security controls, mechanisms, and auditing features are necessary. Researchers believe that blockchain technology or homomorphic encryption could help ensure the integrity of a voter's ballot selection and would help mitigate tampering concerns. A hybrid cloud provider under intense guard would also be needed to manage the load of data. Securing online voting needs to be organized as a central effort with federal regulations from the National Institute of Standards and Technology (NIST). Regulation of online voting should not be created and enforced piecemeal, as that would create multiple unique opportunities for exploitation.