Election Security: A Case Study in Cybersecurity and Public Trust

By Sean S. Costigan
August 17, 2020

If you are a local government election official, a vendor of electronic voting machines, an intelligence analyst, a cybersecurity expert working for a social media company, someone holding high office, or simply a voter, you are invested in election security.  You may even hold strong, expert opinions on aspects of the issue.  However, as a multivariate global challenge, each investment people make may not be commensurate with present-day risks nor result in the desired outcomes.  

Consider electronic voting: when asked about e-voting, transparency and verifiability are topmost in the minds of many.  While those are necessary criteria, they are not sufficient, as any deep view of the cybersecurity concerns will suggest that the most fundamental problem is one of trust.  People must trust that the systems they rely on are both fair and decisive, in equal parts.  After all, at the heart of democracy is the power to choose representation. Voting (perhaps the most civic of exercises) needs to result in clearly knowing not just who won but also, critically, who lost.

Several nations have undertaken the development of election security as a matter of national security, with varying degrees of success and faith in the process. Estonia was among the first countries to create a system of electronic voting, one in which its people have held a high degree of confidence. Contrast that example with Switzerland where an early push to expand e-voting paused last year amid mounting security concerns.  In the case of Switzerland, the source code was made available and a bug bounty offered but, ultimately, without sufficient confidence in the results. 

As the pandemic has made plain, the United States is an enormously complicated nation with multiple and, very often, overlapping systems of government.  Even when it comes to what policy people term “systems problems,” which are invariably complex, it is the states that make decisions that are consequential not just to their constituents, but to the rest of body politic.  For instance, while belief in foreign interference may be low in some parts of the nation, in others the slightest whiff of deviation may set off alarms.  Both positions generate consequences. For its part, the federal government is deeply aware of the challenges and yet — by design — holds little power to compel states.  Instead it offers warnings and assistance to states while standing at the forefront of intelligence efforts.

Paradoxically, the seemingly good government enterprise of detailing risks and offering public assurance that the government seeks to guarantee security may actually result in heightened mistrust in the very systems on which we depend.  People must have faith that digital systems are not easily hackable and that, if the systems are hacked, there is an auditable trail to resolve the issue. 

Promising research is now being done in technologies that, from the view of computer science, do not fundamentally rely on trust.  For example, some envision a blockchain-based system that is decentralized, not corruptible and publicly verifiable.  Yet as a public policy challenge, technological solutions need to be developed with public confidence baked in.  After all, election security — even considered narrowly as e-voting — is much more than a technical issue.  The replacement of auditable, tried and understood systems with novel digital technologies is bound to be messy.  In the end how government shares knowledge and encourages the adoption of good practices in election security is of paramount importance to the trust people place in democracy.