In the US, it’s been a very long election cycle. Don’t worry. I’m not going to get political here. However, if we put aside all the issues of the election, there is one very interesting thing to think about from an information-security-centric point of view. If you think about what an election is, you can see that it’s largely about data quality. Millions of people create a few pieces of data each. All that data flows through a multi-layered system and ends up being part of a very critical dataset that drives very real-world matters. Is there any place where the security and integrity of information is more important?
Another thing I am not going to do is dive into the possibility of tampering with the election by hackers. This was a very real threat in the minds of many. I will touch on why it seems remote at best to me in a little bit. Right off the top, though, it’s easy to say that the likelihood of tampering with the actual voting machines seems slim.
There were reports of machines that did do bad things. But the common theme in each case was that the problem was caught immediately by the voter and dealt with by the people staffing the polling location. In other words, the humans were able to make up for the flaws in the machines. The source of the flaws – malfunction or malfeasance – is irrelevant from the security context if their effects are canceled out. The broader implications are for consideration elsewhere.
In fact, the ability of the humans in the system to make up for problems elsewhere is part of the larger point. The mechanisms through which a US election happens are large, fault tolerant and very resilient. Hearing the claims made from many quarters both before and after the election took place about things being rigged made me curious. I looked into it and was impressed with what I found.
There are many local variations. But generally there are several local, regional, and state level layers of checking and double checking of election results. The folks who do this are mostly volunteers. And it seems there are many efforts made in every place to ensure a balance of political parties is represented. Perhaps most important, there appear to be very clear and prescriptive policies that tell people how to handle contingencies. This is a policy-driven, heavily audited, and thoroughly monitored process. Isn’t that the heart of what good information security is supposed to be?
Cybersecurity Can Learn From the Security Practices of Elections
There are several standard practices election monitors and polling staffers use that should be interesting to security folks. The most obvious is the use of multiple checksums that are compared to ensure validity. In the world of elections, this means using a combination of both paper and electronic results. Both are tallied and then compared to ensure they agree.
In privileged identity management programs that my company develops, we always advise that folks use our own auditing as one source of truth and that they also watch the system level monitoring for another, as a comparison. If we say that Bob took the root password at 10am, and then the system says root logged in at 10:01am, it seems like things are OK. But if there were a record of a root login without a corresponding checkout in our system, that may spell trouble.
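The comparison described above, sketched as an added example (this is not the author's or any product's code). The two log line formats, the host names, and the 30-minute matching window are assumptions made for illustration, and the records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records; both line formats are assumptions for illustration.
PAM_AUDIT = """\
2016-11-08T10:00:00 checkout user=bob account=root host=db01
2016-11-08T13:30:00 checkout user=alice account=root host=web02
"""
SYSTEM_LOG = """\
2016-11-08T10:01:00 login account=root host=db01
2016-11-08T13:31:40 login account=root host=web02
2016-11-08T22:47:05 login account=root host=db01
2016-11-08T14:10:00 login account=root host=app03
"""

def parse(text):
    """Turn 'timestamp event key=value ...' lines into dicts."""
    records = []
    for line in text.splitlines():
        stamp, _event, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["time"] = datetime.fromisoformat(stamp)
        records.append(rec)
    return records

def reconcile(checkouts, logins, window=timedelta(minutes=30)):
    """Match each privileged login to a checkout of the same account on the
    same host at most `window` earlier; return (matched, unmatched)."""
    matched, unmatched = [], []
    for login in sorted(logins, key=lambda r: r["time"]):
        candidates = [
            c for c in checkouts
            if c["account"] == login["account"]
            and c["host"] == login["host"]
            and timedelta(0) <= login["time"] - c["time"] <= window
        ]
        if candidates:
            # Attribute the login to the most recent qualifying checkout.
            owner = max(candidates, key=lambda c: c["time"])["user"]
            matched.append((login, owner))
        else:
            unmatched.append(login)
    return matched, unmatched

def run_sample():
    return reconcile(parse(PAM_AUDIT), parse(SYSTEM_LOG))

if __name__ == "__main__":
    for login in run_sample()[1]:
        print("ALERT: login with no checkout:", login["account"], login["time"], login["host"])
```

On the sample data, the 10:01 and 13:31 logins are attributed to Bob and Alice, while the root login on a host nobody checked out and the late-night login long after Bob's checkout are both flagged.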
Another practice of election protection is to make people interact with several people during the process of casting their vote. You must sign in, talk to the people at the machine, and perhaps go through more steps depending on your area’s practices. Again, a similar mechanism in security, having people use a request and grant model, can go a long way.
If you’ve got bad intent in mind, it’s harder to hide it when you have to ask just before you commit the crime. Also, people are surprisingly good at sniffing out when someone is up to no good. Most people can have a gut feeling about that. And, similar to the Israeli airport security that bucks the trend toward better scanners in favor of better people, the people in your organization will also likely get better at spotting when a request just doesn’t seem right.
The last thing to think about is something we all already know. When there are issues, the thing that makes life easier for election officials is that there are clear policies that dictate what to do. Of course, there are places where judgment is called for (which hole is punched?). But for most decisions, there is a rubric that ensures fair process.
This is the gold standard for security. If we can have policy that tells people what to do to keep things secure, then we remove the most unstable elements of our equations. Elections have had 200 years or so to get this right. Most organizations haven’t had quite that much time to consider cybersecurity. If we keep that policy-driven process as a goal, though, we are on the right track to having security that we can trust with the most important information we all have.