TurtleSec
@pati_gallardo

In 2017 I made a bit of a fuss about election security
Ok, fine, I made a lot of fuss
And, ok, yes, I didn't stop

This year Norway finally made it mandatory that one of the ballot counts has to be manual
On Monday we will have our first election with this in place

January 1st Norway's new National Security Act went into effect
It makes protecting the democratic process a matter of national security

Both of these events will have profound effects on election security in Norway.
But nothing new happened to make elections less secure in 2017.

Except suddenly it seemed much more likely.

The Turtle vs The Hare

The Turtle: 63.1%
The Hare: 36.9%

Who can you trust?
Who feeds you the data?

Elections
Trust and Critical Infrastructure
NDC TechTown 2019
Patricia Aas

Patricia Aas - Trainer & Consultant
C++ Programmer, Application Security
Currently: TurtleSec
Previously: Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science
Pronouns: she/her

Complex?

Is the Norwegian Election System complex?

No, not really.

The testing is performed using a prototype implementation in Java. Though the implementation does not take into consideration security and anonymity concerns, it is a full implementation of the Electoral System.
Evaluating the suitability of EML 4.0 for the Norwegian Electoral System: A prototype approach
Patricia Aas, Master's Thesis UiO, 2005
https://www.duo.uio.no/handle/10852/9298

What are these security and anonymity concerns?

It's complicated.

What are we protecting?

Worst Case Scenario
An accepted, but manipulated Election Result

What is the Election Result?

The Election Result is the distribution of the mandates

An Election doesn't have to be flawless as long as The Election Result is correct

The Turtle: 63.1%
The Hare: 36.9%

What is the Threat Model?

What are you afraid of?

Adding ballots
Removing ballots
Changing ballots
Reporting wrong counts

At its most extreme:
Preventing a coup
Keeping a democracy

Who are the Threat Actors in Elections?

The most likely Threat Actor
Historically
Internationally
Is the sitting (local) government

Others include:
Foreign governments, private companies, terrorists, activists, lone wolves

The most likely Threat Actor in an election is the sitting government

The same government running the election

Two acceptable outcomes
1. A correct election
2. Prevented a rigged election (hopefully correctable)¹
¹ How feasible is a new election?

What about Anonymity?

How does a secret ballot play into elections?

True democracy requires the freedom to
Vote your conscience

Prevent coercion
Prevent vote selling
Prevent persecution now or in the future
#goals

No.
The answer is not blockchain

Why?

To prevent persecution
You don't want to connect a vote to a person

To prevent coercion and vote selling
You don't want a person to be able to prove what they voted

And what put that vote on the blockchain?
Who's in charge of that?
How about chain of custody?

Man vs Machine

What?
You hate computers?

Nah. I love computers.
But manual elections are hard to beat.
They're just that good.

Isn't manual counting slow?

Surprisingly, no.
It's massively distributed.

Isn't manual counting error prone?

Yes.
And no.
It's complicated.

Norwegian risk model for ballot counting errors
Manual vs Machine

Evaluating severity
1. Can it affect the Election Result?
2. Can it go undetected?
3. Can it discredit the Election Result?
4. Can it create more work?

Evaluating likelihood
1. Historically how common is it?
2. Is there a known threat?

Risk diagram: Counting Errors (no Machine Count Audit)
[Diagram: Likelihood against Severity for Innocent manual, Innocent machine, Premeditated manual and Premeditated machine]

Likelihood   Innocent      Premeditated
Manual       High          Low
Machine      Low-Medium¹   Low

Severity     Innocent      Premeditated
Manual       Low²          Medium³
Machine      Medium-High   High

¹ Bugs: Has happened many times irl
² Distributed proportionally on parties
³ Will almost certainly be detected, but cast doubt and ballots are compromised

What is the alternative?

Manual elections?

Software independence¹
¹ Ron Rivest (The R in RSA) and John P. Wack (NIST)

A voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome
On the notion of software-independence in voting systems
http://people.csail.mit.edu/rivest/RivestWack-OnTheNotionOfSoftwareIndependenceInVotingSystems.pdf

Auditability

Verify the election results, not the voting system
Rivest & Wack, On the notion of software-independence in voting systems

What is a manual election?
Paper ballots
Manual count¹
¹ Keep computers for all parts that are auditable

Auditable elections
Paper ballots
Manual audit

Risk diagram: Counting Errors (with Machine Count Audit)
[Diagram: Likelihood against Severity for Innocent manual, Innocent machine, Premeditated manual and Premeditated machine; Innocent machine and Premeditated machine each appear twice]
An Audit will reveal
- Bugs
- Manipulations

What is an auditable election?

Implementation

Norway 2019
Manual preliminary count¹
¹ Ask me about this process sometime ;)

Norway has two counts:
Preliminary and Final
Results can be compared

Goal for many US researchers
Risk-Limiting Audits

What's a Risk Limiting Audit?
A statistical model for manual ballot sampling

The Norwegian electoral system: a study of EVA Skanning, implemented error detection mechanisms, and applicability of risk-limiting audits
Vilde Elise Samnøy Amundsen, Master's Thesis NTNU, 2019
Thesis Advisor: Patricia Aas
http://www.valgforum.no/wp-content/uploads/2019/02/Masteroppgave-Vilde-Amundsen.pdf
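
A ballot-polling risk-limiting audit run against the reported Turtle/Hare result, as an added example that is not part of the talk. It uses the BRAVO sequential test (Lindeman, Stark and Yates), which the slides do not name; the function names, the 5% risk limit and the sample ballots are assumptions constructed for illustration.

```python
import math

def bravo_audit(sampled_ballots, winner, loser, winner_share, risk_limit=0.05):
    """Ballot-polling audit of a two-candidate contest (BRAVO sequential test).

    sampled_ballots: hand-read paper ballots drawn uniformly at random.
    winner_share: reported winner's share of the winner+loser votes.
    Returns ("confirmed", n) once the paper evidence is strong enough, or
    ("full_hand_count", n) if the sample runs out first.
    """
    if not 0.5 < winner_share < 1.0:
        raise ValueError("reported winner must hold more than half the votes")
    threshold = math.log(1.0 / risk_limit)
    # Log-likelihood ratio of "the report is right" against "it is really a tie".
    step_for = math.log(winner_share / 0.5)
    step_against = math.log((1.0 - winner_share) / 0.5)
    evidence, examined = 0.0, 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == winner:
            evidence += step_for
        elif ballot == loser:
            evidence += step_against
        # Blank or invalid ballots are read but carry no evidence either way.
        if evidence >= threshold:
            return "confirmed", examined
    return "full_hand_count", examined


def expected_sample_size(winner_share, risk_limit=0.05):
    """Wald approximation (ignores overshoot) of ballots needed if the report is right."""
    drift = (winner_share * math.log(winner_share / 0.5)
             + (1.0 - winner_share) * math.log((1.0 - winner_share) / 0.5))
    return math.log(1.0 / risk_limit) / drift


# Constructed samples, not real ballots. The machine count reported
# The Turtle 63.1% vs The Hare 36.9%, the figures shown on the slide.
REPORTED_SHARE = 0.631
PAPER_AGREES = ["Turtle", "Turtle", "Hare"] * 40     # paper is about 67% Turtle
PAPER_DISAGREES = ["Hare", "Hare", "Turtle"] * 40    # paper is about 67% Hare

if __name__ == "__main__":
    print(bravo_audit(PAPER_AGREES, "Turtle", "Hare", REPORTED_SHARE))
    print(bravo_audit(PAPER_DISAGREES, "Turtle", "Hare", REPORTED_SHARE))
    print(round(expected_sample_size(REPORTED_SHARE)))
```

A 5% risk limit means that a wrong reported winner escapes a full hand count with probability at most 5%.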

What was the problem in Norway?

No audit.

Paper ballots are not enough
There has to be an audit
Performed by regular folks

Manually counted elections have a built-in audit
People.

Manually counted elections can also be rigged
But everyone knows they are

If an election is rigged and nobody knows, do you have a democracy?

No.
You've had a coup.
And you don't even know it.

What could an attack on Critical Infrastructure look like?

Stuxnet
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, Kim Zetter
Attack on Siemens PLCs in centrifuges at an Iranian uranium enrichment plant
The diagnostic data was manipulated so it seemed like there was no error
Probably hundreds of centrifuges were destroyed

What is modern life if not ruled by Critical Infrastructure?

Modern society is a legacy system
Never designed, it evolved
Based on layers of dated technology
Containing massive technical debt
Lacks holistic security analysis

Did something happen to make us less secure?

Or did it just suddenly feel more likely?

What lessons can we learn from the mistrust in Election Security?

Make diagnostics that don't depend on computers
Be wary of single points of failure
Segment your infrastructure
Manual operations require physical presence; this is a feature
Figure out who your most likely Threat Actors are

On the other hand...

July 10th 2019
Ukrainian Secret Service (SBU) raided South Ukraine Nuclear Power Plant

¯\_(ツ)_/¯

Best way to rig an election?
Internet voting.

Resources
Høringssvar, Patricia Aas, TurtleSec, https://elections.no/2018/12/13/hoeringssvar_turtlesec.html
Election Cybersecurity Progress Report, Professor J. Alex Halderman (University of Michigan), https://youtu.be/U-184ssFce4
Electronic Voting In 2018: Threat Or Menace, Professor Matt Blaze, Joe Hall, Margaret MacAlpine, and Harri Hursti, https://youtu.be/Lo3iibtVh6M
Testimony of Prof. Matt Blaze, Professor Matt Blaze (University of Pennsylvania), https://oversight.house.gov/wp-content/uploads/2017/11/Blaze-UPenn-Statement-Voting-Machines-11-29.pdf
Securing the Vote: Protecting American Democracy, The National Academies of Sciences, Engineering, and Medicine, https://www.nap.edu/catalog/25120/securing-the-vote-protecting-american-democracy
DEF CON 26 Voting Village Report, Blaze, Braun, Hursti, Jefferson, MacAlpine, Moss, https://defcon.org/images/defcon-26/DEF%20CON%2026%20voting%20village%20report.pdf
