Elections Canada recently stated that, sometime after 2013, it intends to trial online voting, a system that lets citizens vote over the Internet. Fortunately they are only committing to a trial, but if the trial is conducted improperly then Elections Canada, politicians, and the Canadian public may mistakenly come to think that online voting is secure. Worse, they might see it as a valid ‘complement’ to traditional voting processes. If Canadians en masse vote using the Internet, with all of its existing and persistent infrastructural and security deficiencies, then the election is simply begging to be stolen.
While quick comparisons between the United States’ electronic voting system and the to-be-trialed Canadian online voting system would be easy to make, I want to focus exclusively on the Canadian proposition. As a result, I discuss just a small handful of the challenges in deploying critical systems into known hostile deployment environments and, more specifically, the difficulties in securing the vote in such an environment. I won’t be writing about any particular code that could be used to disrupt an election but instead about some attacks that could be used, and attackers motivated to use them, to modify or simply disrupt the Canadian electoral process. I’ll conclude by arguing that Elections Canada should set notions of online voting aside; paper voting requires a small time investment that is well worth its cost in electoral security.
Why Online Voting?
In the 2011 federal election, Elections Canada issued a social media ban that prohibited Canadians from using public social media tools to report on election results before the last polling station had closed. This was meant to sustain Section 329 of the Elections Act by applying a law meant for analogue communications to popular public digital communications channels. This section, titled ‘Premature Transmission‘, states that
No person shall transmit the result or purported result of the vote in an electoral district to the public in another electoral district before the close of all of the polling stations in that other electoral district.
In the aftermath of the election, Elections Canada prepared a report about the election and presented it to the Speaker. Such reports are produced after every election. Section 329 is specifically raised as a ‘key issue’ in the recently submitted report. While “Elections Canada has no information to suggest that there was widespread disregard for the rule” prohibiting premature transmissions of electoral results, it does acknowledge that “the growing use of social media puts in question not only the practical enforceability of the rule, but also its very intelligibility and usefulness in a world where the distinction between private communication and public transmission is quickly eroding. The time has come for Parliament to consider revoking the current rule” (49). Digital communications are demanding re-articulations and/or repeals of laws governing electoral policy.
The report also spells out a need to accommodate Canadians’ changing expectations of convenience as related to voting. Specifically, Canadians are increasingly online – demonstrated in part through their adoption of social media communications platforms – and consequently Elections Canada is interested in whether Internet voting could be “a complementary and convenient way to cast a ballot. The Chief Electoral Officer is committed to seeking approval for a test of Internet voting in a by-election held after 2013″ (10). Proposals to shift towards online voting raise considerable concerns, but to appreciate them we need to briefly talk about ‘hostile deployment environments.’
Hostile Deployment Environments
Smart engineers and developers are quite often poor security engineers and security developers, on the basis that the two categories of developers and engineers have radically different intentions, expectations, and aims. For the former, technical systems are meant to function even when experiencing a non-normal condition; people should still be able to read a file despite an error and systems should not fail and aggravate users. In essence, engineers and developers aim to provide systems that work and that continue to work in the face of (effectively) random errors or problems. These errors are unintentional, random, non-malicious, and ‘mere’ artifacts of working in the world.
Security engineers and developers tend to be different beasts. As noted by Bruce Schneier, they do “not care about how a system works” but “about how it doesn’t work.” They are interested in “how it reacts when it fails” and “how it can be made to fail” (2006: 51). In effect, a security engineer is worried about fail-states that are intentionally created, where what would be random environmental events are intentionally recreated, potentially over and over, to exploit the system’s reactions in a failure situation.
We can abstract away from computers to think about this analogously: When building a bridge, engineers are concerned with maximum fault tolerances related to load, shifts in the foundation, and environmental damage related to wind, weather, earthquakes, and other disasters. They plan accordingly, overbuilding elements of the structure to withstand statistically likely (and often unlikely) fault conditions. A security engineer, however, will wonder: what happens when I intentionally meet or exceed a designed fault condition? What happens when I damage a support that the engineers know (by the statistics and threat model they’ve adopted) “can’t” be weakened significantly? Does the bridge collapse, or become more vulnerable to other statistically expected environmental conditions? The model that the security engineer carries, in essence, is a critical interrogation of design intended to exploit non-perceived or minimized risk scenarios that a well-trained engineer or developer would never consider as prospective threats.
While most bridge builders assume they are building for a non-hostile environment – an environment where neither its occupants nor ambient behaviours indicate ‘attacks’ in excess of regular statistical profiles – bridge builders in war zones face considerably different design conditions. The latter builder knows that bridges must be able to carry weight, fail ‘gracefully’ if damaged by artillery, bombs, or tank treads, and that bridges often take on very different strategic values than in peace-time. Further, the builder may consider differing ‘fail’ conditions: perhaps a bridge should ‘fail’ such that while vehicles could no longer traverse it, it would break apart in a way allowing for foot passage. Perhaps the aim is that when a friendly military blows up a support column, the bridge breaks in a manner that is hard to clear away and thus limits invaders from crossing narrow parts of rivers or channels. In essence, the move to a hostile (or non-hostile) working environment radically changes the characteristics of development and engineering. Designing online voting is like designing for a war situation: engineers must assume they are developing for a hostile space, within which it is very hard to get things to ‘fail’ properly when millions of devices have to be coordinated across non-secured systems situated around the country and maintained by a plethora of differentially skilled actors.
The Internet is Hostile
The Internet is not, and has not been, a safe place for a very long time. Its progenitor, ARPANET, was largely ‘secure’ because there were few individuals using computers and most were at least moderately trained. There are more and more products, books, and ‘gurus’ who sell, advise, and guide members of society about the value of the Internet, a value proposition that does not require any actual knowledge of the Internet itself. As a result (and not necessarily a bad one!), today’s Internet is filled with a massive user base who use a plethora of devices and who often lack even basic computer awareness or training.
As a result, ‘securing’ the Internet is a Herculean task. It absolutely cannot be regarded as a ‘secure’ development environment, especially when dealing with matters that are highly sensitive to political, technical, and social fault conditions. Such conditions may be worse than a fail condition, because faults generate fear and concern without a clear indication that something has gone wrong. In the case of an election, a perceived exploitable fault condition threatens to undermine political legitimacy and politically-generated solidarity on grounds that electoral results might be questionable. Thinking back to our bridge example, a ‘fail’ might be a bridge collapsing. A ‘fault’ might include cracks spanning the support columns that cause motorists to avoid using the bridge out of fear, even though the cracks do not endanger the bridge’s stability. If ‘faults’ cannot be corrected, then there may be general fear about the validity of an election even if the election is not manipulated. If a ‘fail’ condition occurs but is not detected, then there may be a perception of electoral legitimacy without the election actually being legitimate.
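The undetected ‘fail’ described above has a concrete shape in code: a ballot path that keeps counting when its audit trail breaks. The following is an added example written for this page, not Elections Canada’s software or any real voting system; every name, the HMAC key, the sample ballots and the injected audit failure are constructed for illustration. It contrasts a fail-open recorder (counts the ballot, swallows the audit error) with a fail-closed one (refuses the ballot when the audit write fails), and shows how an auditor reconciling the authenticated log against the tally catches the first and not the second.

```python
"""Fail-open versus fail-closed ballot recording (hypothetical, added example)."""
import hashlib
import hmac
from typing import Optional

AUDIT_KEY = b"constructed-demo-key"  # assumption: an HMAC key held by the auditor, not the server


class AuditUnavailable(Exception):
    """Raised when the audit trail cannot be written (disk full, DoS, tampering)."""


class AuditLog:
    """Append-only log of (ballot_id, choice, tag); a constructed fault breaks it after N writes."""

    def __init__(self, fail_after: Optional[int] = None):
        self.entries = []
        self.fail_after = fail_after

    def append(self, ballot_id: str, choice: str) -> str:
        if self.fail_after is not None and len(self.entries) >= self.fail_after:
            raise AuditUnavailable("audit trail unavailable")
        tag = hmac.new(AUDIT_KEY, f"{ballot_id}:{choice}".encode(), hashlib.sha256).hexdigest()
        self.entries.append((ballot_id, choice, tag))
        return tag


def record_fail_open(tally: dict, audit: AuditLog, ballot_id: str, choice: str) -> bool:
    """Counts the ballot even when the audit write fails: the undetected 'fail'."""
    tally[choice] = tally.get(choice, 0) + 1
    try:
        audit.append(ballot_id, choice)
    except AuditUnavailable:
        pass  # swallowed: the count and the audit trail now silently disagree
    return True


def record_fail_closed(tally: dict, audit: AuditLog, ballot_id: str, choice: str) -> bool:
    """Writes the audit entry first; if that fails the ballot is refused and the
    voter and the operators both learn that something is wrong."""
    try:
        audit.append(ballot_id, choice)
    except AuditUnavailable:
        return False
    tally[choice] = tally.get(choice, 0) + 1
    return True


def reconcile(tally: dict, audit: AuditLog) -> bool:
    """Auditor's check: every log entry authenticates and the log reproduces the tally."""
    from_log = {}
    for ballot_id, choice, tag in audit.entries:
        expected = hmac.new(AUDIT_KEY, f"{ballot_id}:{choice}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False  # tampered or forged entry
        from_log[choice] = from_log.get(choice, 0) + 1
    return from_log == tally


def run(recorder, fail_after: Optional[int]):
    """Feeds four constructed ballots through a recorder whose audit log dies after fail_after writes."""
    ballots = [("b1", "A"), ("b2", "B"), ("b3", "A"), ("b4", "A")]  # constructed sample input
    tally, audit = {}, AuditLog(fail_after=fail_after)
    accepted = [recorder(tally, audit, bid, choice) for bid, choice in ballots]
    return tally, accepted, reconcile(tally, audit)


if __name__ == "__main__":
    print("fail-open:  ", run(record_fail_open, 2))    # tally 3/1, all accepted, reconcile False
    print("fail-closed:", run(record_fail_closed, 2))  # tally 1/1, two refused, reconcile True
```

The point is not the HMAC but the ordering and the error path: an attacker who can exhaust the audit store (a cheap denial-of-service against one component) turns the fail-open recorder into a counting system whose trail no longer covers the count, and the discrepancy is only visible if an independent party reconciles. The fail-closed recorder turns the same attack into a visible outage, which is the ‘fault’ the text describes but not a silent ‘fail’.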
Abstractly, at least four things are required to establish the Internet as a secure development environment for online voting:
- Policy: a clear statement of what is meant to be achieved;
- Mechanism: the ciphers, access controls, hardware tamper-resistance and other machinery that you assemble in order to implement the policy;
- Assurance: the amount of reliance you can place on each particular mechanism;
- Incentive: the motive that the people guarding and maintaining the system have to do their job properly, and also the motive that the attackers have to try to defeat the policy. (Anderson 2007: 4-6).
From a policy perspective, we can state that the aim of online voting is to increase voter turnout and, by extension, the legitimacy of the vote and inclusion of Canadians into the political process. As a result, mechanisms must be developed to guarantee this aim. Further, audit systems must be established to verify mechanisms and their correspondence with policy aims. Finally, incentive systems must be developed that guarantee the legitimacy of the mechanisms and audit features. To put some of this in perspective, consider the vastness of the system that must be brought into the secure development environment for online voting:
- every user’s computer and every computer attached to the common local routers. Not only the computer that you’re voting on in your home needs to be secure, but so do all the devices connected to your router (e.g. all other computers, all iDevices and wifi-connected mobile phones, appliances connected to the wifi router in your home, etc.). This means the hardware must be secure, the operating system must be secure, and all programs on the devices must be free of exploitable vulnerabilities.
- all levels of the telco/cableco system. This means both physical and electronic security must be guaranteed.
- citizens themselves must be entrusted to follow all the electoral rules; they cannot influence, threaten, or otherwise modify the course of their own or others’ electoral process.
- audit mechanisms must be built into the system, such that peripherals (e.g. printers, email systems) used to deliver audit documents cannot be compromised.
- bad actors cannot be introduced that could take advantage of privileged access to modify/disrupt data streams.
I have to stress that these are only a handful of the systems that must be drawn within the development environment. Elections Canada, to enable secure and reliable online voting, would have to guarantee that all technical systems associated with the process were secure from:
- zero-day attacks;
- malicious code intrusions (e.g. malware) that could take control of and modify electoral choices in real-time;
- distributed denial of service attacks that cut off certain areas of the network, potentially to prevent some of the electorate from voting online while enabling others to vote online (perhaps based on what computers were already under the control of attackers);
- audit mechanisms would need to ensure: the reliability of the person voting (are they who they say they are? were they coerced to vote in a particular way at their screen?), the reliability of input devices, the reliability of the transit mechanisms, the reliability of the encryption systems, the reliability of each device that took part in the online voting transaction, the accuracy of the audit system itself, the security of each DNS hub, and the appropriateness of ‘fail’ conditions built into each stage of the online voting system;
- impropriety by those who actually ran the electoral process itself.
If the government of Canada can figure out a way to actually harden communications in this manner, then our debt problem and cyber-security problems will be solved as well: we can sell our expertise abroad and the entire Internet would be safe from most of the ‘evil’ that makes the Internet an unsafe place. I have severe doubts that the Canadian government’s commitment to cyber-security, in the amount of $90 million over five years in addition to an ongoing commitment of $18 million per year, is likely to even consider all these problems, let alone resolve them. Security is a multi-billion dollar business and the Canadian government is acting like a high-paying venture capitalist instead of a serious, committed, long-term player.
Risk and Online Elections
For many transactions we expect and accept certain levels of fraud. That the credit system itself is highly vulnerable is of considerable worry, but uncertainty around the legitimacy of credit-backed transactions is a market problem with implications for the capacity of state action. In the case of elections, however, increasing vulnerability can impact markets, environmental and foreign policy, trade negotiations, and ongoing political processes. In essence, while the market is essential to the business of the state, and significantly regulates the state, it lacks the sovereign powers of the state itself. Regardless of whether the state has seen itself ‘hollowed out’ over past decades, neither IBM nor Google has fleets of strategic bombers, the capacity to issue formal declarations of war, seize corporate property, or the other ‘strong’ expressions of sovereignty that states retain even today.
Human assessments of risk are challenged in the contemporary world, insofar as some risks are highly elevated and given undue degrees of attention when they rapidly and prominently appear, while other risks are pervasive, non-exceptional, and highly deadly. Examples of the former include the twin-tower attacks, the rare murder in Canadian cities, lightning strikes, or specialized harms towards particular individuals. For pervasive and/or non-obvious risks, humans are biologically ill-equipped to deal with them; when the red berries kill you over a ten-year period instead of within a day or two, we just don’t really recognize the ‘badness’ of the ten-year-old poison berry. In a world with more and more ‘invisible’ harms – online fraud, environmental woes, pervasive harms from automotive vehicles, and so on – humans simply aren’t well-suited to gauge risk in an effective manner.
If regular citizens are bad at risk assessment, politicians and bureaucrats are worse. Remember that a primary aim of a politician is to be (re)elected. As a result, they are predominantly interested in what garners favour with a large number of constituents, with issues that can be translated into electoral votes often being selected for emphasis and personal attention. Consequently, being ‘strong against crime’ is seen by many as a positive stance to assume, with novel crimes such as digital intrusions, hacking, and virus writing increasingly common political targets. We are warned that cyber-wars, cyber-terrorism, and cyber-everything-else-bad-in-the-world are coming, and that to assuage them more money, more authority, and more power must be allocated to the government. Such efforts are often supported by bureaucratic staff, both on the basis of political pressure and because it can expand the importance, value, and budgets of their respective departments. Despite such allocations of power and wealth, digitally-mediated intrusions still occur at the highest levels of government: for all its ‘tough on crime’ talk, the government seems to have had limited impact on reducing intrusions. Despite the regularity of attacks and the political rhetoric surrounding the ‘danger’ of online transactions for commercial enterprises, online voting – a key element of the Canadian democratic process – is being considered.
So, while the risks associated with carrying out online transactions are real and government-sponsored prevention capabilities limited, some areas of the country have already chosen to adopt online voting. It will be tested in upcoming civic elections in Vancouver, with the chief election officer noting that the model is “not without risk. Potential risks include the possibility of personal identification numbers being stolen or mailed to the wrong person, and hacks or viruses impacting election results.” While the BC government has not approved online voting for the 2011 civic elections, the ministry of community, sport and cultural development is committed to making online voting a reality for the 2014 elections. Similar comments abound, with over-trusting or uninformed journalists beating the drum that online election systems should be as commonplace as online banking. Perhaps most concerning are statements like those of Prof. Dave Reynolds in his article at the Independent:
Even when I consider the threat of real, experienced, black hat hackers attempting to interfere with elections, I cannot help but think that if Canada can’t provide the security to protect an online voting system, then we have got some serious problems here. The government already offers online submission that is secure enough when you file your taxes, claim your EI, or apply for student loans, so it’s more than a bit ludicrous that they haven’t already provided an online form that lists less than half a dozen candidates and asks you to CHOOSE ONE.
Canada cannot secure its most important financial information from what may be its most significant state-level competitors. As noted before, financial information is absolutely essential to the continuance of a nation and has serious impacts on subsequent policy and political decisions, but lacks the equivalent significance of voting. Voting is not only used to put particular candidates in parliament but to encourage a sense of the government’s legitimacy. Even if the party you voted for doesn’t become a majority, (the idea is) by taking part in the electoral process and having your vote counted you exercise a key legitimizing element of your Charter rights. This links Canadians together, perhaps with their government, but certainly with one another as they mutually share a common patriotic principle: voting matters and it is an action that unites us regardless of political parties through shared Charter rights. Banking lacks this functionality, as does tax filing, student loan applications, and so forth: voting is significantly more important for democratic legitimacy, even as it is potentially less important for how Canadians go about their daily lives.
It’s important to note that the inability to secure the Internet as a site for the government to conduct its most sensitive business is not a fault of the Canadian government any more than a fault of the individuals using the networks or the network providers offering network functionality. The Internet is, quite simply, a treacherous place to work and hasn’t been for a long, long time. We do not live in the world of superheroes – while we might impose or work through our uncertainties and fears through the worlds those heroes exist within, we should not fool ourselves into thinking that a Mr. Fantastic, Tony Stark or Hank Pym will ‘fix’ the Internet anytime soon. Quite simply, the underlying infrastructural qualities of the Internet that make it the wondrous playground that it is today also makes the Internet an incredibly unsafe environment to try to coordinate and secure millions of people’s unsecured systems, unsecured networks, and ill-educated citizens to carry out any action, including online voting. None of these characteristics are likely to change anytime soon.
Some Potential Attackers
What Elections Canada, politicians, and the electorate should all realize is this: state actors like the United States, Britain, China, France, Brazil, Israel, and every other nation with an Internet connection will have some interest in manipulating a Canadian election if the chances of being caught are slim, or the discovery delayed enough not to matter. State-level actors can throw millions or billions into a dedicated attack and have demonstrated a willingness to intentionally subvert sovereign policies where such actions are in their interests. Canada’s intelligence services have already indicated there are sympathies between Canadian politicians and foreign governments; there is no need for a state actor to vote a nobody onto the ballot when it could merely get existing, sympathetic, politicians elected. Political change needn’t happen overnight when a state measures its lifetime and processes in decades and centuries.
Corporations would also have strong motivations to interfere with an election. The ability to promote candidates who were appropriately ‘sensitive’ to corporate machinations could provide incredible competitive boosts and strategic advantages. Canada remains one of the wealthiest nations in the world and many of our industries are still relatively protected by foreign investment laws. Both local companies and international conglomerates would have strong interests in seeing politicians who were either protectionist or foreign-friendly elected as representatives.
Individuals may also be interested in interfering with electoral processes. Everything from petty grievances, to being paid to hack the election, to curiosity about their ability to interfere with national governance (think taking the hack of Time Magazine’s top 100 people to the international scale) could drive their actions. In an era of cheap botnets, poor general computer and network security, and the ability to effectively launch attacks from anywhere in the world, there are billions of potential bad-guys whose motives cannot be easily drawn into a threat analysis.
Importantly, we’re not constrained to just one actor being involved in hacking an election; there isn’t any good reason why all the above listed interests (plus potentially a few more added to the mix) couldn’t simultaneously be trying to influence the election, further muddying both the legitimacy and the outcome. In effect, Elections Canada cannot secure an online electoral process, and that process is too important to risk to the Internet. Paper voting is annoying. It’s not necessarily as convenient or as fast as using a smartphone to move your money around using a banking app. Voting is also one of the very few political expectations/hopes that are put on Canadians every few years. It is not too much to mail in a vote, go to a polling station, or (quite reasonably) abstain from voting for political, personal, or other reasons. It is too much to expect that we would endanger the entire electoral process just to attract those who are already unwilling to take a half-hour of their time every few years to cast a ballot.
R. Anderson. (2007). Security Engineering: A Guide to Building Dependable Distributed Systems (Second Edition).
B. Schneier. (2006). Beyond Fear: Thinking Sensibly About Security in an Uncertain World.
Michael Geist linked to your article. I thank him and I thank you. This is an extremely important issue. I will forward the link to others and post to my blog under category “Democracy or Corporatocracy?” I do not know the current status of the project to trial e-voting in Canada in a by-election by 2013. I think I will send a communication to Canada’s Chief Electoral Officer, Marc Mayrand, to answer that question. The fear I have is that once an individual, let alone an institution, invests a lot of time, money and ego in a project they create neural pathways such that any challenge to their “deeply held belief” will circumvent their capacity for rational processing. They don’t actually even process conflicting information. How do you deal with that?