Open source or proprietary: how should we secure voting systems?

The stakes are always high when it comes to software security, which is why the ongoing debate over open-source vs. proprietary tends to be passionate.

But the stakes rise to a new level when it comes to the security (and integrity) of a nation’s voting systems. Which makes a recent, relatively civil, squabble over the topic – 15 months out from the next national US election – both passionate and significant.

There isn’t much debate that something needs to be done to make voting systems – more than 8,000 jurisdictions in the 50 states – more secure.

While the US intelligence community concluded that Russian hackers were “probably unsuccessful” in tampering with votes in last year’s presidential election, that doesn’t mean they didn’t try, or that their chances of future success are low.

Richard Clarke, White House senior cybersecurity policy adviser for Presidents Bill Clinton and George W Bush, wrote before last year’s election that “the ways to hack the election are straightforward and are only slight variants of computer system attacks that we see every day in the private sector and on government networks in the US and elsewhere around the world”.

And to the argument that a jumble of thousands of different systems would make it difficult, he noted that it wouldn’t require a widespread attack. “In America’s often close elections, a little manipulation could go a long way,” he wrote.

Bloomberg reported two months ago that federal investigators found “incursions into voter databases and software systems” in 39 states – more than twice the number previously reported. The news agency said a classified National Security Agency (NSA) document reported “potentially deep vulnerabilities in the US’s patchwork of voting technologies …” and cited former FBI director James Comey warning that the Russians are “coming after America. They will be back.”

So, what to do? That’s where the argument begins. According to former CIA director R James Woolsey and Brian J Fox, original author of the GNU Bash shell and longtime free software advocate, the “obvious solution” is to run US voting systems with open-source software.

In an op-ed in the New York Times, the two noted that the National Association of Voting Officials, a California nonprofit, is leading the campaign to “begin to use software based on open-source systems that can guard our votes against manipulation”.

They cited the standard arguments in its favor:

“Despite its name, open-source software is less vulnerable to hacking than the secret, black box systems like those being used in polling places now. That’s because anyone can see how open-source systems operate. Bugs can be spotted and remedied, deterring those who would attempt attacks. This makes them much more secure than closed-source models like Microsoft’s, which only Microsoft employees can get into to fix.”

But that prompted a rejoinder on the Lawfare blog from Matt Bishop of the University of California, Davis, with contributions from seven other experts at institutions ranging from MIT to the Center for Democracy and Technology, reminding us all of the uncomfortable reality that, so far, there is no such thing as bulletproof security, no matter what software is being used. As Bishop put it:

“Making source code available to everyone for inspection makes it available to the attackers for inspection. And the attackers are often highly motivated to find vulnerabilities. Complicating this is the relative ease of identifying one vulnerability and the difficulty of finding them all. Attackers need to find just a single flaw in order to exploit a system.”

Even perfect software doesn’t guarantee perfect security. “Consider a system that uses a difficult-to-guess password, but that password can be found on a website. No amount of scrutiny of the system will reveal this flaw,” Bishop wrote.

The group doesn’t object in principle to open source. “We believe there are excellent reasons to move to open-source voting systems,” Bishop wrote, including:

  • Allowing vendor claims to be verified.
  • Such software, running on commercial, off-the-shelf hardware, “could be far cheaper to acquire and maintain than proprietary voting systems”.
  • Promoting a “competitive market for technical support for local election officials”.
  • Making it easier to “audit against the paper trail more efficiently than commercial systems permit”.

“But adopting open-source systems would not by itself provide any assurance that computers used in voting are doing what they are supposed to do,” Bishop wrote.

Clarke provided a short list for what he called “minimal election security standards”:

  • Don’t connect any vote-recording machine to any network — including LANs and VPNs.
  • Create a paper copy of each vote recorded, and keep them secured for at least a year.
  • Conduct a verification audit within 90 days on a statistically significant level.

It is probably also useful to keep in mind that voting systems are designed, run, secured and overseen by humans. Which creates its own challenges that can confound the best technology.

One of them is the clueless worker. The late Kevin McAleavey, cofounder and chief architect of the KNOS Project and a malware analyst, said last fall that most of the recent breaches of campaigns, voter roll lists and other confidential information were “done with malware planted by an unsuspecting, authorized user of the systems who got phished and clicked on the bait”.

And then there is the challenge of those who are not clueless, but malicious. As one of the world’s most lethal dictators, Joseph Stalin, put it: “I consider it completely unimportant who in the party will vote, or how; but what is extraordinarily important is this – who will count the votes, and how.”