Cyber security and electronic voting: SOeC at EVN 2014

Educating people about the challenges of cyber security is at the heart of what Securing Our eCity is all about, so it was only natural that, when the Electronic Verification Network held it’s tenth annual meeting in San Diego last week, SOeC would be involved. For ten years now, the folks at EVN have been dedicated to making sure that every vote cast in U.S. elections counts, and they are particularly concerned with electronic voting, where verification can be challenging. The SOeC foundation was happy to assist with sponsorship and speakers.

Using digital technology to process votes might sound like a good idea, but it raises a lot of security questions. These were addressed in several sessions over the two-day conference, starting with the “Fireside (Firewall) Chat” with SOeC board member Howard Schmid who was White House Chief Advisor on Cyber Security to Presidents George H.W. Bush and Barack Obama. Mr. Schmidt is now a principal of Ridge Schmidt Cyber, LLC. Although on a tight schedule with a plane to catch, he graciously found time for a quick snapshot with myself and SOeC executive director, Liz Fraumann.


Mr. Schmidt set the scene for later discussions by reviewing the current cyber security threatscape in conversation with Jeremy Epstein, Senior Computer Scientist, SRI International, and a member of the EVN Coordinating Committee.

Later in the day, I was privileged to participate in a panel titled “Cyber Security Crossover: Leveraging Cyber Security Best Practices in the Realm of Elections”. Fellow panelists included David Dill, Professor of Computer Science at Stanford University, and Gary Hayslip, the CISO of the City of San Diego. The moderator was Pamela Smith, President of Verified Voting Foundation.

Two points became clear to me during these two days of great content and conversation. First, America is very lucky to have EVN keeping an eye on electronic voting. Second, as one expert put it, when it comes to Internet voting, “there is no way to guarantee that the security, privacy, and transparency requirements for elections can all be met with any practical technology.” Not now and not in the foreseeable future.

Recent discovery of longstanding flaws in Internet encryption protocols like SSL and TLS are a stark reminder of the practical impossibility of ensuring secure Internet interactions of the type required for a secret ballot, not to mention the widespread distribution of state-sponsored malware.

In 2008, Verified Voting founder and co-panelist, David Dill, organized the creation of a document that spells out the unique nature of secure voting: the Computer Technologists’ Statement on Internet Voting. The document warns against “pilot” Internet voting projects, which already exist in some states in the form of email ballot submissions, and describes “the severe challenges that must be met if an Internet voting system is to justify public confidence.”

I was very grateful to have the chance to participate in this tenth anniversary meeting of EVN, and proud that my employer, ESET, was a sponsor. It’s not every day that you get to hang out with esteemed experts such as David Jefferson, the author of the one paper on Internet voting that everyone should read: If I Can Shop and Bank Online, Why Can’t I Vote Online? David is a Computer Scientist at Lawrence Livermore National Laboratory, a member of the Verified Voting Foundation Board, and serves on the board of the California Voter Foundation.

If you are still wondering “what could possibly go wrong?” when it comes to Internet voting, consider the following slide. It comes from the very interesting presentation on Internet voting experiences outside the U.S. by former Technical University of Denmark professor Joseph Kiniry, now Principal Investigator at Galois. He highlighted actual code from an Internet voting program that was used in national elections in one European country.

voting-codeIf you are familiar with computer programming, this slide speaks for itself, and apparently it speaks volumes. When I tweeted the above photo it was re-tweeted almost 200 times, reaching over 220,000 Twitter accounts!

In this year of mid-term elections in the U.S. there will be renewed interest in electronic voting and Internet voting in particular. Hopefully the warnings from technology and cyber security experts will be heeded.