Episode 15 | Election Security, US Midterm Edition: The Big Picture

Melissa Michael

29.10.18 32 min. read

Democracy in the digital age is a wonderful yet wild beast. When it comes to electing our leaders nowadays, we’re faced with questions about how to escape the influence of malicious actors. With the US midterm elections just around the corner, F-Secure security adviser Sean Sullivan joins us for Episode 15 of Cyber Security Sauna to explain the complexities of the US election system. Sean covers campaign misinformation, why security is not as simple as going back to all paper ballots, and how the hacker mindset can help. Listen to the episode or read on for the full transcript.

Janne: Welcome, Sean.  

Sean: Thanks, Janne. Glad to be here. 

So give me a crash course. What do we need to know about the differences between the election systems?  

Election systems in Europe versus say the United States and the rest of North America, for example?  

Sure. 

Okay. Well, so in the years since this has become of grave concern, I’ve seen a lot of security experts suggesting that paper is better than electronic, it’s easier to secure paper, we shouldn’t get into electronic voting. But all of that advice is premised on the system that they know. The American election system is far more complex than the European system. I have voted in Finnish municipal elections. I’m not a Finnish citizen, but I can vote in my local election here in Helsinki because I’m a resident of Helsinki. And that’s not the same in the States. If you’re not a citizen, you don’t vote. Whereas here in Europe, things work differently. And the ballots work differently. So here, you know, post-2000, the Brookings Institute wrote a 221-page book about the not so simple act of casting a ballot. Do you think casting a ballot is complicated, Janne?  

No, it isn’t.  

Well, because most ballots, I think, in your experience probably look something like…this Vox article has the Brexit ballot, which is check one of two boxes.

F-Secure's Sean Sullivan on election security

Absolutely. That’s what it is. It’s a piece of paper. I write the number of the guy I like, that’s it.  

Right. Which is exactly what I did in the municipal election in Finland. I picked the party. I picked a particular person from that party. They had a number. I went in there, there was a simple blank piece of paper with a box. You write the number in the box, you hand them the ballot, and the whole process takes five minutes, from walking in the door to getting the ballot, to casting the vote to giving it back to the guy and then out the door again. So you’ve never actually waited an hour in line to vote?

No. Is that a thing?  

That is totally a thing, yes. An hour might be actually getting off easy in some places. And you haven’t ever filled out five pages worth of votes? 

No, I haven’t.  

And as a resident of California, you’ve never had to listen to a jingle with 42 different ballot initiatives to help you keep them all straight?  

To vote?  

No, to understand what it is you’re voting on.  

No.  

Exactly. So let’s start with some of the campaign differences. I’ve got some stuff I’d like to show you just as a crash course in campaigning in the States, and it’s going to differ a lot from what you’re used to. Okay, so this is an ad from 2014. Fairly current. Okay, so you ready?  

Yep.  

Okay, here we go:  

Joni Ernst: I’m Joni Ernst. I grew up castrating hogs on an Iowa farm. So when I get to Washington, I’ll know how to cut pork.  

Voiceover: Joni Ernst. Mother, soldier, conservative.  

Joni Ernst: My parents taught us to live within our means. It’s time to force Washington to do the same. To cut wasteful spending, repeal Obamacare, and balance the budget. I’m Joni Ernst and I approved this message because Washington’s full of big spenders. Let’s make ‘em squeal. 


Sean: So Janne, what do you think?  

Janne: Well, you know, it was different from the ones we see here. We don’t get a lot of political ads in Finland, but I can absolutely see where this is coming from.  

Right. Of course she’s doing two things there at once, right? Because she’s a woman running for Senate and castrating hogs…and she’s differentiating herself in many different ways. Okay, so that’s not maybe that incredibly surprising to you, because it looks like modern advertising. Let’s go back in time now to some of the earliest of the campaign ads, the famous ones. What are the stakes of an American election?  

Little girl picking daisy petals: One, two, three, four, five, seven, six, six, eight, nine… 

Loudspeaker: Ten, nine, eight, seven, six, five, four, three, two, one, zero… 

(Bomb exploding)

Lyndon B. Johnson voiceover: These are the stakes. To make a world in which all of God’s children can live, or to go into the dark. We must either love each other, or we must die. 

Voiceover: Vote for President Johnson on November 3. The stakes are too high for you to stay home. 


Janne: So we just watched a presidential election ad basically about nuclear war.  

Sean: Well, that’s the stake of American elections. It’s either like –  

Is it, though? 

(Laughing) From the perception of the US electorate. This is from 1964, so it’s either you need to vote for the right candidate, or we all die.  

That’s harsher language than what we’re used to in Europe.  

In Finland certainly perhaps, but Finland has its own sort of existential concerns over the years, right?  

Sure. Absolutely.  

Absolutely. Okay. But like, you have never seen a political campaign ad suggesting that if you vote for the wrong guy, we’re all going to die in a nuclear armageddon? 

No, no, that’s – no.  

So this being on the topic of disinformation…I mean, you know, if you’re trying to come up with some sort of news in sort of this environment that influences people, they’re already having to deal with quite a lot of strange influences.  

Sure.  

Alright, so here’s another one. This one’s much more subtle. I love this one. This is one of the best. This is from the Reagan years:  

Voiceover: There’s a bear in the woods. For some people, the bear is easy to see. Others don’t see it at all. Some people say the bear is tame. Others say it’s vicious and dangerous. Since no one can really be sure who is right, isn’t it smart to be as strong as the bear? If there is a bear? 


Janne: I love that. There’s a bear in the woods. 

Sean: President Reagan, prepared for peace. And what’s the bear, Janne?  

I’m going to go out on a limb and say it’s the evil empire. 

Right. And America being the shining city on a hill.  

Yep.  

Okay. So that’s the tone of political ads. And so when I see the political landscape, see the kind of ads that are out there and then see people worried about Facebook influence campaigns, I mean, it’s just one small slice of the overall noise in the American political system. So like from outside the US, there’s a lot of news about Facebook influence campaigns, without very much perception of the sort of influence campaigns that are going back and forth between different campaigns attacking one another. Attack ads are very common in the States, and attack ads are massively distorting information. At a scale that’s been going on for decades. So that’s the biggest concern I think they have about Facebook and understanding Facebook. When Facebook is called in front of the Senate and the House in the States saying that they’re going to put more controls on political ads on Facebook, that’s concerned about ads like this that have actual sponsors behind them saying this ad was paid for by such and such campaign.  

Sure.  

That is not the majority of what was going on in Facebook however, it was Facebook groups and not political ads that were being purchased. And Facebook has been sort of, whenever they’ve been asked about like, are you going to do enough to curb influence operations on Facebook that are targeting elections or trying to influence the American electorate, Facebook answers with like, “Well we’ve got new controls for political ads.” But groups that are trying to get people to join it and then go to a campaign rally or a protest rally and then trying to organize counter protest rallies, they’re not paying for ad space, they’re just buying ads on the platform to promote their groups. Two different things. So the ads that are out there are just part of the mix, and it’s a very loud mix of very strange ads. These are the sort of influence operations that already exist in the States before you get any foreign influence operations. The foreign influence operations, to me, I’m skeptical that it’s actually all about the elections. A lot of people in Congress are concerned that the Facebook influence campaigns are about the midterms, but to me I’m more concerned about actual hacking of things that are really the threat to election systems.  

So information operations are basically going on as it is by the political parties themselves and, and it’s a noisy landscape where it’s easy for outside parties to insert influences anyway. So there’s not maybe a lot that we can do about that.  

Yeah, and it’s a big question in my mind as to whether or not they can successfully insert things into the American electorate. You know, the mindset.  

Amidst all that noise, where somebody actually picks it up? 

Yeah, exactly. And the thing about the Facebook influence operations, the stuff that was shown to the Senate intelligence committee, that they then made public, the New York Times did a good interactive piece with the information. The majority of the ads actually occurred (the ads for the groups that were organizing people to protest on the streets) were actually done after the 2016 elections, and they were done targeting people under 18 who can’t vote. And the group that’s allegedly behind this, the Internet Research Agency, the folks there are involved in Russian elections, and the Russian opposition organizes people, puts them on the streets. So the Internet Research Agency might literally be doing that, researching the Internet. How do people organize on different platforms and how do people organize counter protests on these platforms? And it’s a great big sandbox for them to play in, basically. So it may be about the elections, it may be influence operations, or it may be like, “Here’s a big free sandbox for us to play in. We don’t care if we mess things up, we just want to understand how these platforms are used to organize people. So when political opposition at home organizes something, we know how to organize a counter protest organization to deflate their movement.”  

Sean Sullivan, F-Secure Security Advisor

Okay. So instead of the information operations you think we as the infosec community should be focusing not so much on the reelection campaign stage, but the actual elections and how to secure that? 

Yeah. The actual election is the hacking that was done in 2016 and then the leaking of that information from the different groups. So the Internet Research Agency is less interesting to me than what the GRU was potentially doing in the 2016 elections. See, we see little evidence of something that the GRU would be involved in with the midterm elections. 

Yeah, I guess we should talk a little bit about that. How does the whole midterm election thing work?  

So every two years, members of the House are elected, House of Representatives. Senators are elected on six year terms. Every four years are the presidential elections. The midterms are what we call the elections without the presidential election cycle. So 2018 is a midterm because it’s middle of the president’s term. Because everything is focused on the guy at the top. So we think of those as the big elections, the presidential elections. Now in Finland, I’ve participated in municipal elections, but parliamentary elections and the presidential elections are not held at the same time in Finland. Right?  

Yeah.  

So in the States you go in and vote for everything all at once.  

Literally in the same session? 

Well, yeah. Let me pull up a sample ballot for you here. Take a look at this. So this is a primary ballot from Ohio.  

I’m looking at a page full of text and different options and different instructions all over the place. This is – this looks like a test.  

(Laughing) Yeah, exactly. It looks like a test as opposed to going in and marking a number on a piece of paper. This looks like a test.  

I would need to look at this for a minute. 

Oh, you would need to look at this for many minutes, yeah. So this is a for governor and lieutenant governor, okay? And you can see how many choices here. Half a dozen?  

Yeah.

Okay. So then you’ve got attorney general, judges. We vote for judges in many states. Besides judges, you’ve got the House of Representatives. You got the local people, and then we’ve got some ballot initiatives, proposed constitutional amendment, something going on here in Ohio. Have you ever voted on a constitutional amendment?  

I have not.  

You have not? Well, I mean, that’s – have you ever had a vote on a bond referendum?  

No. No.  

I mean, simple stuff, I think, and… 

I think we sort of elect people to take care of things like that.  

You elect people to take care of things. We have things called citizen democracy in the States, ballot initiatives and – like I said, in California, they have ballot initiatives that are put forward by people. They craft the actual initiative. They put it up there after so many people signed the petition. When the people vote on it, it actually becomes law in California. So here’s another sample ballot from Texas. So you’ve got a US senator, Supreme Court stuff. Have you ever voted for a railroad commissioner, Janne?  

I have not.  

Why not? 

Surely there are people in my municipality who can pick a guy. But here’s my question. I’m looking at pages and pages of what looks to me like a test in school. And it’s not just writing down one number and then somebody sits down somewhere and counts how many votes this number got. How do you even tally the votes for in a system like this?  

Well, we do have yes and no choices. 

So for each question you take everyone’s paper, you go through it, you record how they answered in every single category.  

Yeah. And this is like filling in the bubbles, right? And you actually feed them through an optical scanner, just like you would do for a test where you fill out bubbles of questions. So like if you had your test where you have A, B, C and D, and all the above. You fill out the bubbles here, you feed it into the optical scanner. So when we’re talking about paper ballots in the States, these are tallied up with the help of electronics anyway. And if we’re concerned about, I don’t know, a touchscreen voting system as being something that you can manipulate, I mean there’s no reason why stuff that’s scanned into an optical scanner can’t be hacked. Is there?  

Yeah. 

I mean, if I can get the firmware of the optical scanner to do what I want, you know, like just drop every something number of votes that you’re scanning in. I mean, it’s got to be tallied somewhere, yes? 

Absolutely.  

Right. So there’s ways of manipulating votes in a hybrid system and nothing is purely paper in this sort of regard, right?  

No, I mean, I’m used to a system where if I write down the number seven, I think they actually stitch up all the ballots that have number seven on them and somebody stores those for a number of years. But how would you even go about checking  

Yeah, so the stack of sevens would literally be bigger than the stack of sixes (laughing) 

Absolutely. Yeah, you can see who won. But a system like this, you would need computers very early on, like you say, optical scanners to read all this stuff. So maybe, I guess I can see how the step from having optical scanners one second after you fill out this form, as opposed to having this done electronically in the first place is not so much different.  

Yeah, because there’s always going to be several layers of these kinds of things. And this is the in-person sort of voting that you would do, but there’s also absentee voting and there’s also early voting. I’ve done all three in my voting history. So I’ve walked into the election authority in my home county. You go in there and they need to electronically come up with the ballot that’s appropriate for you, in your part of the county with the different things that you’re voting on. So a touch screen interface, it pulls up your version of the ballot and then you tap, tap, tap. That prints out a paper receipt. This is really what the debate is in the States. We want electronic voting machines that have a paper receipt where you can review that the paper matches what the input that you put into the machine is, and things look like they match. 

Sure.  

Then what would you need to do to secure a system like that, after the fact?  

What would you?  

Well, so as a security consultant, I mean, I guess you’d want to say that you need to do audits on this kind of stuff.  

Yep, absolutely.  

Right. But in the American system, nobody’s going to do a recount unless there’s a close election and one of the campaigns challenges and starts actually paying for recounts. They don’t do random audits to make sure that like, “Hey, we’re going to go back and look at the paper trail.” So if it’s an uncontested election because the margin of victory is pretty good, there’s no reason to go back and audit.  

Okay.  

But is there a security reason to go back and audit? I would think the security consultant would be like, “Yeah, you need to make sure your system sort of does what it says on the tin,” right?  

Yeah. I think we do audits as par for course.  

Well, so that’s kind of absent in this sort of system, right? Because if there’s like a large margin of victory and the thing is so complex, it costs a lot of money to do an audit of a system this complex. 

Absolutely.  

And so that’s kind of part of the problem when thinking in terms of how do you secure a complex system like this, because it’s different in every county and there’s more than like 3000-something counties in the States and they all have different ballots, different sort of things that people are voting on. And each state has their own rules, and they can define how they want their system to work. It’s really trying to understand 50 very complex systems with many, many local systems within that. So I guess, would a security consultant here at F-Secure go to the client, do a security assessment and start focusing on how to secure that product or service if the code of that product or service is spaghetti code? 

I guess our advice would be maybe take a look at the code and try to simplify that a little bit.  

Refactor the code first. So let’s get that straight first before we try to point out here’s the security flaws. Because trying to secure spaghetti code is….

Pointless.  

That’s exactly the word that I was thinking. Pointless. Yeah, exactly. So there’s also a lot of free advice being offered to American election systems and the officials that are there are saying, “Well, this is how you secure elections.” But it’s kind of like, this is how you secure spaghetti code. And in my mind, a lot of it is just kind of pointless.  

I’m sensing you’re leaning towards the idea that maybe there’s no way of securing a system this complex.  

True. But then on the flip side of the coin, is there a way to hack something that’s spaghetti code? 

Several different ways, often. 

Effectively hack something where, again, there’s more than 3000-something counties?  

Right, right, right.  

So how do you want to turn a particular election, and what’s your goal?  

Yeah, because even you don’t know how that’s gonna work.  

No. It’s like if I need to take a herd of cats and get them to go left, which cat do I hack?  

I’m getting confused here. I don’t know what our sort of end result or advice is. Is this too complex or is it not complex enough?  

Well, so security versus usability right? And we’ve got securing complex systems. A key takeaway here for anybody listening to a security podcast is like, if you’ve got spaghetti code, refactor the code. Then focus on the security of that code. So that’s just the basics.  

Okay. People who tuned in looking at election hacking were maybe expecting us to talk about how to hack voting machines and the counting systems. What do you think, is hacking election machines just trick hacking? 

To some extent, yeah, I think so. Again, there are machines such as this that have had flaws, like I’m thinking back to 2004 where there was a state race in North Carolina where 4,000 votes were lost because the buffer was misset by the election official. And the margin of error in the election was about 2,000 votes. So 4,000 lost votes kind of threw the whole system into confusion. And they didn’t have any rules about how to resolve an election like that.  

And there’s no sort of local backups or anything? There’s no way to go back and verify the results? 

Well, they were going to take affidavits from people in the county to swear “This is how I voted,” and they were going to go ask all the people who showed up to vote, “How did you vote?” And they were going to go to the courts. So instead of having rules in place, like “This is what we do when we accidentally lose votes because of an electric electronic system,” they were just like, “Whoops, we had a glitch and we lost the votes. And we’re going to get the courts to try to figure out like how to recreate this thing in time that happened in the past.”  

You were talking earlier about voting machines printing out a receipt for you. So nothing like that exists? There’s no paper hard copy of how each vote went down? 

Different system, different counties buy their own election machines.  

Right. 

So hacking these machines, again, they’re very hackable, but hackable by whom and for what goal? So securing this against foreign adversaries, they might be able to figure out how to hack a particular machine. Do they need to hack it in person? Can they hack it remotely? Can they hack the back end after the fact when the votes have been tallied? Is there a paper receipt? There’s going to be thousands of variations of that.  

Yeah. And I was watching the Black Hat demonstrations, I think this year about hacking voting machines. And I was looking at some of the things the researchers were doing and I was thinking, if you can do that at a voting station, maybe you need to redesign the voting station.  

Yeah. But when you get to the voting station, again, like the secret ballot, in my experience, I’m standing in a room with a bunch of people watching me. So physically tampering with the machine in a room where there’s four election officials watching you – you’ve got like a slight partition, I mean, they can’t exactly see you punching in what you’re punching. But if I start reaching around the back of the machine, fiddling with something, in my experience, most of the places where I voted, they’re going to notice something’s up. So the physical security does play a lot in the function of securing the election. But my point is, you’re asking about, is it trick hacking? Can you hack a system that’s that complex? Like, can I hack spaghetti code in sort of a predictable manner? 

Well, I mean complex code gives you more opportunities to do things that the designer didn’t think about, but also complex code is more complex, so it’s harder for you to understand if I do this here, what’s the outcome?  

Exactly. So I think in terms of hacking an American election, my biggest concern is that you could crash the election, right? So if I go into someplace and deliberately hack it in a way, and throw around some false flags so that when people do the investigation, I’ve muddied the waters with was it North Korea, was it China, was it Iran, was it Russia? Maybe I just throw a bunch of markers down there. And at that point you’ve got a crisis of confidence. That’s how you would hack an American election. By deliberately hacking one particular precinct that might have an important campaign going on in it. And then you just leave a trail of breadcrumbs to an investigator. And when that investigator goes in, they will find that yeah, in fact this machine, this precinct was hacked, the votes were altered in this precinct, and look at all this evidence that we found. We found too much evidence. Meanwhile, the press goes nuts reporting that this precinct has been hacked. And then you let the American media take over, and then you’ve got politicians left and right worried about the integrity of every election going on in the States with no audit trail, with no way to effectively quell people’s concerns.  

I hear you. But you’ve had confusing end results before. I’m thinking of hanging chads and missing votes and stuff like that. So there’s been even presidents elected with a margin and done some confusion about how exactly did Florida vote and things like that. So you’ve dealt with this stuff before.  

That was dealt with by the courts and by Al Gore stepping aside, not causing a constitutional crisis. That was like hanging chads and recounts and it got to the Supreme Court and then Al Gore said, I’m going to accept these decisions. Now if there’s an outside influence, deliberately hacking an important precinct – 

Nobody’s going to step down.  

Well, I mean, the attacker is not going to concede anything, right?  

Sure, sure.  

It’s going to be like, “Well, hold on a second. What were the election results supposed to be like? Why are we being attacked from outside?” It’s going to cause a much different mentality and the entire election results, everything’s going to be thrown into chaos. That’s how you would hack an American election. Or, you go after the mainstream press and hack their systems when they’re reporting the election.  

I don’t know, maybe it’s just the security consulting in me talking, but it sounds like an audit trail would be the answer here.  

Yeah. I think a big thing about securing elections would be to run audits, to simplify ballots, to make elections more understandable for people. It shouldn’t look like a test like you said. It should be like, okay, we’re going to go in and vote on local stuff this time and we’re going to have federal elections separate from local elections. How do you think I vote, by the way?  

Well, you know, back when I thought voting was simple, I thought you just go to the embassy and then write down the number of the guy you like.  

Go to the embassy. That is what everybody assumes that I’m able to do. No, I have to like contact –  

That’s what I do when I’m abroad.  

Well that’s not what Americans do. They have to contact the county in which I used to live and get a ballot from that county.  

What, they mail it to you? 

Yeah.  

By the mail?

Yeah.  

How’s that secure?  

That’s what I got to do. And I don’t even live there anymore, right? So in one sense, I mean, who should my local representative be, who should my senator be? There is no senator at large for Americans living abroad. I mean, I could vote for president, right, because he represents all Americans. But like, I vote for the senator of the state that I used to live in.  

So the last state you lived in?  

The last county that I lived in. I can vote for the mayor of the town that I used to live in on that ballot. There is no sort of ballot for people who live abroad. I can’t go to the embassy. I am registered to vote in the last place I lived.  

Huh. This is – this is weird.  

Exactly. So there’s tons of advice out there that’s really important for people to pay attention to about the security of the physical voting machines. That’s very important. But when I look at this big picture and think of it in terms of code, the code of the system in the United States of America is overly complex. It’s spaghettified. It’s like there’s no way to actually practically run it in a lot of ways that Europe does.  

Yeah.  

So you can go to an embassy when you were abroad and vote.  

Yeah.  

Do you have to register to vote in Finland?  

No, I’m a citizen.  

I’m a resident of Helsinki and, being a resident, you go to the magistrate, you say “I live in Helsinki” and then you get city services, like the transit cards and things. And then they just send me a letter in the mail saying, “Hey, by the way, Sean, you can vote in the municipal election.” And I’m like, “Wow, I didn’t have to register. They told me I could vote.”  

Yeah.  

That’s not how it works in the States. Every time you move you need to go register to vote in that county. And if I don’t tell the previous county where I lived, that I’ve moved and take myself off their election rolls, they’ve got a database with my name in it still, and all they know is that I didn’t show up to vote that election term. 

Hold up, but you could still vote by mail. So would there be any sort of check to make sure that you haven’t voted in two different places? 

No. There’s no audit trail in this regard. And so basically every state also then has rules about when to purge the voting rolls. And we live in 2018, and there are these things called databases, and databases can be consolidated like in the cloud and states could, I don’t know, consolidate them into one massive American database of where people are registered to vote. But nothing like this exists, right? So basically, you should, if you’re a good citizen, tell the county from which you’re leaving, “Hey, take me off the voter rolls, I don’t live here anymore.” And you’re in some new database in a different state somewhere. That’s how the system works. So again, you know, it’s hard for the people running the system to keep it secure, up to date, because there’s invalid data sitting in their databases because people don’t inform their local election officials that they’ve moved.  

Yeah.  

In Finland, you’re going to register with the new magistrate. So if you move from Helsinki to Oulu, you register in Oulu, it’s going to consolidate. And do you need to tell Helsinki you’ve left, or does it just take care of itself?  

No, no. If I registered in another city, the system knows that I’m no longer in the previous one.  

Right. So you’re going to get a ballot for the local Oulu municipal elections.  

Yeah. Yeah.  

So we don’t have a unified system to take care of all this in the States. So hacking elections in the States could be done if you’ve got some guy that, I don’t want that guy to be mayor. And I’m going to go into that local precinct. I’m going to go into that local town. I’m going to hack their boxes, I’m going to manipulate the votes – 

On that particular result.  

I might be able to do it at a state level. Once I get beyond that to a federal level, then it’s like I’m going to have to figure out which state or which precincts in multiple states to go after in order to get results that are predictable in my mind. So I don’t think you can have a predictable outcome from a hacking of an election. The only predictable outcome would be the one that I’m more concerned about. Like, can I cause a crisis of confidence in the electorate? And I think Europeans are also vulnerable to that as well.  

Absolutely. Absolutely.  

Yeah. So if you’ve got like a system in Finland and you can show that there’s been hacking in the back end, that would be a crisis of confidence. Auditing, simplification of systems. This I think would help because then the crisis of confidence can be rectified by going back and looking at the audit trail. You can go back and say, “Well no, we actually haven’t given as much of an attack surface because we’ve simplified the system.” That would help a lot. 

But okay. But we’re used to doing like important things from home. We’re used to doing online banking. Some people gamble with a lot of money from the privacy of their own homes. So is there, is there no way to do this in the digital age? Like is there no country in the world that has figured out like electronic voting for example?  

I think yes and no, right? What is the line in security, don’t let the perfect be the enemy of the good? 

Yeah.  

Right. So we have a lot of people pointing at electronic voting systems that exist like in Estonia and they like to point out the flaws of the system in Estonia, how it might be vulnerable to different types of hacking. But the participation rate in Estonia is much higher than in many other countries. So if you can get a higher participation rate and the amount of votes that might be manipulated is less than the increase in participation, what’s the better outcome there? So I don’t know that there’s a perfect electronic voting system, but if 95 percent of the population votes, whereas in the States only, I mean maybe at most half of the eligible voters show up to take this “test.” What’s the better outcome? I’d rather have a potentially insecure electronic system that massively increases voter participation than have the system that currently exists that has such low participation. A lot of people write it off as political apathy, but you know, in the States, again, we vote on Tuesdays. Because, you know, you can’t go on church day, and you need a day to get into town on your horse.  

Oh, please don’t tell me it’s something like that.  

Oh, that’s when the system got defined. It’s something like that. So you need a Monday to get into town, Tuesday to vote and Wednesday to get about, get back out into the farms. So we vote on Tuesdays in the States, right? There’s this sort of basic premise of things that exist that don’t make any sense that we’re burdened with. In the state of, I believe it’s Oregon, almost everybody does absentee voting. They mail all the ballots, they mail all the ballots back, and it seems like it works. So there are states where they do have experimentation. I would invite the people who want to hack stuff to go and look at legal code like they look at computer code, and figure out how to like refactor that code. And look at it more in terms of code and figure out which of these things in the American system that are being experimented with would make for a better system.  

Yeah. This is making more sense to me now. I’ve always wondered about the discussion about electronic voting because to me it seems like our system is fine as it is. And then, you know, every now and then somebody comes along and says, maybe we could use our online banking credentials and maybe blockchains, and that would make everything better. And we’re all like, well, no, it absolutely wouldn’t. But the system we’re talking about now, the US system, is super, super complex. I agree with you that definitely something needs to happen there.  

There’s room for innovation, for sure. I think when security experts look at political systems, they think it’s about people and they don’t look at the code, the legal code, nearly enough. I would like to see a lot of creative hacker types figure out how the code can be refactored. They’re distracted just like everybody else by the personalities involved. And there’s a lot of talent going to waste, where really talented, security-thinking individuals could look at the code and figure out how to refactor the code. That’s how the infosec community could help in my mind.  

So take a step back from looking at election machines and look at the way elections are done in general and apply the hacker mindset to that.  

Absolutely. I think there’s too much focus on the end points and not enough focus on the systems overall. 

Hey, I want to thank you for joining us for a super interesting conversation. Thank you Sean.  

You’re welcome, Janne. 

 


Follow and connect with us on Twitter @CyberSauna

 
