23 April 2020

Election security during Covid-19: A conversation with Mark Kuhr and Jake Braun

Mark Kuhr

Expand vote-by-mail. Take a stronger stance against digital adversaries spreading disinformation. Quickly expand remote security research on election systems ahead of 2020. Those are just a few key takeaways in an interview with Synack cofounder Mark Kuhr and Jake Braun, executive director for the University of Chicago Harris School of Public Policy and co-founder of the DEF CON Voting Village, about how to approach election security during the coronavirus health crisis. 

The interview conducted by James Azar, co-host of CyberHub Engage, was edited for length and clarity. 

 

Q: What are the security and election integrity concerns as states consider how to deal with running a presidential election and the remaining primaries during a pandemic?

Mark: It’s around the physical security of the health of people voting. How do we maintain some sense of normalcy while keeping social distancing in place? Efforts to get out the vote are really important. Voting by mail has been a reliable and secure way of voting for decades. It should become more prevalent as we enter a season where we can’t have people congregating in polling stations.

Jake: Expanding access to absentee voting is critical. One of the big concerns will be in states where absentee is a smaller part of the overall vote. Do they have enough machines to count the mail-in ballots? If not, are they able to bring in machines to tally the absentee votes quickly? The volume of absentee votes can be a challenge. At DEF CON, [researchers] found multiple vulnerabilities with a lot of machines that count absentee ballots. Still, hand-marked paper ballots are the most secure and we should expand paper absentee ballots.

The other thing that I’m really concerned about is disinformation spread by either foreign actors or domestic folks trying to tell people not to vote or they shouldn’t even take an absentee ballot because it could have coronavirus on it, which is ridiculous. That kind of disinformation could drive down turnout. 

 

Q: When you think of that level of disinformation and you look at the resources that counties have to deal with it, it’s almost impossible for them to be able to deal with something of this scale. Should the federal government get involved here and, if so, in what way?

Mark: The federal government has passed legislation to allocate hundreds of millions of dollars to this problem and states need to get the grants to roll out safe voting procedures. There’s lots of room to improve absentee voting. I think one of the things that we have to make sure about is that we have reliable voter education. Funding to secure elections should be for voter education as well as for the security of vote tallying. The federal government can step in and provide funding that gives the states plenty of money to fix this problem. We just need to go ahead and do it.

Jake: The last thing that [that should happen is to] have the federal government try and help implement voting. That shouldn’t happen. Certainly more funding for expanding absentee would be good.

The federal government should use Cold War-style deterrence to raise the stakes for anybody who wants to spread disinformation or hack our election infrastructure. They need to know [there will be consequences]. The NSA and others had operations in 2018 to let folks know that [the US wasn’t] going to sit back and let them spread disinformation. That should be expanded and enhanced.

 

Q: Where does deterrence more or less lie and should the government be doing deterrence in terms of setting policy or should it be more of a national security issue?

Mark: Deterrence combines military, policy and financial [aspects] imposing sanctions on countries carrying out these attacks, conducting computer network attacks through US Cyber Command to shut down these actors and make sure they can’t disseminate their messages. Then you’ll look at the policy framework. There have to be strategic ramifications for that actor. That’s really the only way that they’re going to to stop doing it.

The federal government could do a lot more to help companies defend themselves through information-sharing initiatives. Too many corporations just aren’t equipped to counter foreign adversaries. 

Jake: We need to bring together democratic countries to fight against [election interference] and publicly call it out so when this happens in France or Germany, all of the democratic countries in the world are calling out whoever’s doing it. When it’s happening to us, you’ve got the entire EU and the Japanese and South Koreans and Nigerians and Mexico saying its’ not OK. 

 

Q: Online voting is something that several countries such as Estonia have done. Are there any models that the US should be looking at now seriously and invest in terms to ensure we can run an online election if another pandemic hits around election season?

Mark: Estonia is an interesting model. They’re obviously much smaller than us and also have a rigorous national ID system, which we do not have. So, there are things that we would have to do to ensure the integrity of that type of election in the US including getting some kind of standard validation around voter identification, which is a very controversial topic given our history with vote suppression. But perhaps the Real ID initiative is something that will help get us to a place where we’re confident in using state ID for federal elections.

Jake: One thing we probably could figure out to do in a secure way is to get people ballots online to print at home and drop off at a facility like a Post Office where you wouldn’t come within six feet of other folks. There’s certainly nothing on the shelf right now that would get us to hold the entire election online by November.

 

Q: Jake, is there a role for DEF CON in testing some of the mobile voting technology that have cropped up in the last few years and really authenticating them so that they can become a powerhouse maybe not in this upcoming election but in the 2022 midterms?

Jake: DEF CON doesn’t certify or call what [it does] assessments. They have an open-door policy to anybody who wants to bring technology to DEF CON to have folks take it apart, hack it, and beat on it. There’s an open invitation to all the mobile voting companies that are out there. 

Mark: There’s definitely a role for this type of testing. Synack is a crowdsourced solution so we like having more eyes on the targets. For example, if we were Russians [trying to attack a] voting system, how would we do that? There are really smart people in countries that are our enemies who are focused on doing that. It’s their full-time job. So unless we’re putting ourselves in that same situation, we’re not going to not going to prevent the adversary from carrying out their attacks.

Our election machines have no [universal] requirements to go through security [third-party] audits before they’re purchased by a state. That’s a policy gap we should consider.

Jake: One of the things that DEF CON did last year that it’s planning to expand this year is a kind of arranged marriage between hackers and election officials. A lot of these counties remember we’re talking about over 8,000 election jurisdictions can’t find a security expert to help them. So, as a last resort, they were turning to DEF CON to find volunteers. So, the conference is planning to expand that this year. Some small rural counties where their budget is $100 have no other option besides volunteers. So the Voting Village is hoping to provide some of that support because there’s this great asset 30,000 technologists who convene in Vegas and thousands and thousands of whom care deeply about election security.

Mark: We have a pro bono initiative where we’re working with anybody who needs it at the local and state level to do security testing for election infrastructure. There are a lot of people in the security research community who want to help. We’re providing that outlet. We’re connecting the dots through our technology platform where we can tap into researchers who live anywhere in the world and connect them to these systems, allowing them to hack and find vulnerabilities. We’re hoping we can be part of the solution.