look at what can happen when automation is introduced. Presented to the ISSA, Ottawa chapter, 2017-Jan-26, by ISSA member Marcel Gingras (CISSP), PDAR Consulting Inc., Ottawa, Ontario, Canada.
learning a few new tricks - In my fourth year focused on the analysis of risks to electoral integrity - IMPORTANT DISCLAIMER: IN THIS PRESENTATION, I AM NOT REPRESENTING ELECTIONS CANADA OR PRESENTING THEIR VIEWS. I WILL NOT BE DISCUSSING PAST OR CURRENT ELECTIONS CANADA ANALYSIS. To set the stage, gauge this crowd's perception with a few questions and a show of hands:
1. Who thinks that we could run a successful federal election over the Internet today?
2. Who thinks that we might be able to run a successful federal election over the Internet in the future? Why?
cover here today. We will focus on general voting processes, administered by electoral management bodies such as EC. Correctness and trustworthiness of election results are the mission outcome for any EMB. This is comparable to the C/I/A outcomes of security-focused risk assessments. Of course, one can affect the other. This is a key concept. Questions on this?
as the mission goals? Yes. What's the difference? Order of magnitude of consequences when risk events occur. Take-away: A convenient, easy, cheap election process that delivers an incorrect or untrusted result is a fail.
the assumptions that people make may not stand up to scrutiny – and by that I mean risk analysis. Is banking online really like voting? Are the consequences comparable? Can an Internet voting process stand up to election risk scenarios (as opposed to banking risk scenarios)? And so on… I'm going to introduce you to this risk space.
that Canada is currently doing very well. (Rated by academic election experts in a rolling survey.) An ongoing measurement project, the "Perceptions of Electoral Integrity" index, rated Canada in 2015 (our last general election year). Among 139 elections held, Canada rated 18th. This is a good place to be, relative to others. How about scoring using key performance indicators in 11 categories? Canada scores in the top level of a 5-zone scale, "Very high EI", albeit closer to the bottom of the range: 70 of 100. For comparison, the best country in 2015 was Denmark with an 86. The UK scored 64 – middle of the next lower level, labeled "High". Did anyone see the headline "North Carolina is no longer classified as a democracy"? This is due to a 2016 score of 58, applying the same methodology. This puts it in the "Moderate" level alongside countries such as Sierra Leone. This creates "trust" problems for federal US electors, since states and counties run federal elections. Now, let's learn something about election threats…
1846 Let's look at the voting process. We can see:
- Voting
- Recording of votes
Characteristics
- No vote secrecy
- Hard for observers to see what is actually being recorded
- A lot of opportunity to influence electors.
Major categories of business risk include:
- Bribery
- Coercion/retribution
- Interference with free choice
#1. Many don't get point #2, and so we get the "ballot selfie" folks who think their "freedom to disclose" should take precedence over all electors being able to trust the election result. Historically, it was point #2 that drove the evolution of modern paper ballot election design.
voting evolved, as did the controls to mitigate the risk. 150+ years of evolution has created a paper voting process with the potential for very high electoral integrity. Elections have a sequence of core processes, all of which require controls to mitigate risks in the categories previously mentioned:
1. Registration of entitled electors
2. Proving entitlement
3. Voting – casting ballots
4. Counting ballots
5. Tabulating results
- Each process in the sequence has its own attack vectors and controls.
- Each process in the sequence must demonstrate trust using real-time observation/validation controls or after-the-fact verification controls (trusted records).
simple picture:
1. The physical design separates the voter from anyone else who might interfere.
2. The physical design supports easy observability of what is going on.
3. Most voting and counting steps are done by one identifiable, accountable person (applicability of penalties that act as deterrents).
4. Poll workers work in pairs, with segregation of duties and procedural checks on each other's work.
   1. Note: Was actually designed to be staffed by members of opposing parties (zero-trust model).
   2. Detailed records are kept in case a recount or audit is required (a rare event).
5. Additional candidate representatives from any party may also observe.
6. Vote secrecy is maintained:
   1. Nobody can snoop on how the voter voted.
   2. The voter is not allowed to show or record his/her completed ballot.
   3. The six-inch ballot drop breaks the connection between the elector and the ballot, creating absolute secrecy (cannot be reversed).
7. Counting occurs at the same location, with the same controls.
This control architecture is highly resistant to a wide variety of threat vectors including elector coercion, vote buying, other forms of interference, ballot box
threat categories remain – only the threat vectors change
- Old threats that have not been problematic for 80 years might require mitigation again
- Example: Instead of trying to miscount in a back room, hack the vote-counting code
- In addition, some ideas, such as voting from home over the Internet, just fundamentally break the current business model
- Voting from unsupervised sites, such as your home, makes bribery and coercion possible again
- So, where does that leave us?
particularly "absolute" secrecy.
- Not all countries have absolute secrecy – many have "state-secret" secrecy.
The whole vote-from-the-comfort-of-my-own-couch thing risks placing convenience over trust that the ballots represent the will of electors, without interference.
But the risks being mitigated are not written down. If the legislation is only modified periodically, then the original reasons for the controls can be hard to fathom for later generations of election managers.
2. Some excellent IT risk analyses of voting machines have been produced by academics. However, not all of them mention that the biggest Internet voting issues are non-technical – the shift to unsupervised environments that are vulnerable to voter interference.
3. Modern IT security risk methodologies and analysis skills adapt well to the election domain: there are active threat agents, control vulnerabilities and such.
4. I recommend two books that I think point to the future of IT-security risk analysis – and it's quantitative analysis, not qualitative:
   1. How to Measure Anything, by Douglas W. Hubbard
   2. Measuring and Managing Information Risk – a FAIR Approach, by Jack Freund and Jack Jones