Securing the 2020 Election Process (Part 2)

In the first part of this two-part article, a set of four stakeholder groups involved in the United States federal election process — Elections Officials, the Electorate, Political Parties and Candidates, and Self-interested Parties — were described, along with ways in which an adversary could target these stakeholders to influence the outcome of a federal election. Several individuals and groups who have analyzed these issues were cited, along with some commenters who are calling for action before the 2018 or 2020 election cycle gets fully underway.

In this second part, I will analyze the proposed solutions, mitigations, and responses that have been put forward. I will then show where I believe a gap exists and how to fill that gap.

“The transcendent issue here is the Russian interference in our election process, and what that means to the erosion of the fundamental fabric of our democracy,” former DNI Clapper told the Senate Judiciary Committee on May 8. “And that to me is a huge deal. And they’re going to continue to do it. And why not? It proved successful.”
Peter Grier and Jack Detsch

While a spotlight has been put on the issue of electronic voting systems, very few detailed recommendations have been put forward for securing the larger election process (including voter registration, voter sign-in, and political party operations and communications). A complex and inter-dependent system cannot be secured if the majority of the focus and energy is placed on just part of the larger system.

“[To] address these challenges, governments, private companies, and individuals must begin working together to build more resilient digital systems and the ability to monitor how these digital systems may be exploited for nefarious purposes.”
Anup Ghosh

What is being done?

Recall that the four areas identified in the first part that require attention are securing the integrity of voter perceptions, the integrity of the election results, the availability of your ballot, and the confidentiality of party communications. There have been some initial actions by the stakeholder groups listed above towards some of these areas, but not equally across all four of them.

Addressing the Integrity of Voter Perceptions

Representatives of Facebook, Google, and Twitter testified in front of the Senate Intelligence Committee on November 1, 2017, about how their platforms were manipulated in order to get incendiary contents pushed out to nearly 150 million American citizens during the lead up to the 2016 election.

Facebook, one of the central levers of influence involved in the 2016 election, has donated $500,000 to Harvard University’s Kennedy School of Government to support a project called “Defending Digital Democracy.” One of the group’s goals, according to Alex Stamos, is “to help politicians running for office in 2018 protect themselves from cyberattacks,” though it appears the group may be focused more on securing the integrity of voter perceptions than on party communications or election operations.

These companies are being pushed hard by Congress to prevent their platforms from being exploited, but they are the only ones who can do anything about hardening their own platforms against abuse.

Recent advances in computer science may lead to an even more dangerous potential for harm. As described in the Radiolab episode, Breaking News (http://www.radiolab.org/story/breaking-news/), computer science researchers have developed methods for real-time modification of facial expressions in archival video and for manipulation of audio from a fake transcript. As they state in the podcast (18:58 to 22:42 for this specific reference):

Join the video manipulation with the [voice] manipulation and [you’re] the ultimate puppeteer. You can create anyone talking about anything you want, in their own voice. And having any kind of emotion around it. [And] you’d have it right there, for anyone to see, in video. And all you need to do is take that, put it on Twitter or Facebook, and if it is shocking enough, minutes later, it is everywhere.

They demonstrate this at http://futureoffakenews.com/.

Screen capture of fake video demonstration from https://futureoffakenews.com

Despite what some computer scientists may believe, the potential for widespread harm is something that I (and the creators of this podcast) believe should be evaluated when determining what is or is not ethically defensible research. At the minimum, researchers should be able to clearly articulate the ethics underlying their research and the impacts, both positive and negative, resulting from their research.

Addressing the Integrity of Election Results

This area has perhaps the greatest attention. It is the primary focus of “The Secret Ballot at Risk: Recommendations for Securing Democracy” report, Alex Halderman’s recommendations, the report from the Brennan Center for Justice, and Buchanan and Sulmeyer.

States and lower-level State, Local, Territorial, and Tribal (SLTT) government entities are looking at what would need to happen to address voting systems.

“In computer security, you’re talking much more about the capabilities of local jurisdictions,” said Joseph Lorenzo Hall, the chief technology officer at the Center for Democracy and Technology in Washington. “And they vary dramatically, from L.A., which has a small army of folks, to many jurisdictions that don’t even have a full-time person for their election work. To the extent they have an ability to defend against these attacks, it’s quite limited.”

The United States Government has already acted. On January 6, 2017, Jeh Johnson, then Secretary of the Department of Homeland Security, designated the election system as critical infrastructure. (This was one of the government actions urged by Buchanan and Sulmeyer, quoted in Part 1 of this article). In the DHS statement announcing this designation, they state:

We encourage security companies and private sector owners and operators to look back within their network traffic for signs of the malicious activity described in the Joint Analysis Report. We also encourage such entities to utilize these indicators in their proactive defense efforts to block malicious cyber activity before it occurs. DHS has already added these indicators to its Automated Indicator Sharing service, which provides indicators of malicious cyber activity at machine speed. Entities that are participating in this service have already implemented these indicators for the network protection activities.

The “indicators” that Secretary Johnson is referring to are generically called threat intelligence feeds, information about malicious activity known in the computer security field as Indicators of Compromise (IOCs) and Observables. DHS, through the National Cybersecurity and Communications Integration Center (NCCIC) and its Cyber Information Sharing and Collaboration Program (CISCP), provides IOCs and Observables, threat assessment bulletins, and reports to SLTT government entities to help them protect against, detect, and respond to threats. There are also threat intelligence feeds available for free to defenders from many sources. Two open source systems that are commonly used to ingest threat intelligence feeds are the Collective Intelligence Framework (CIF) and Malware Information Sharing Platform and Threat Sharing (MISP).

Of course you can’t look back into logs that are not preserved. You can’t take advantage of threat intelligence feeds if you are not prepared to ingest those feeds and correlate them with event logs. And you can’t adjust your defensive posture by blocking access to suspected hostile systems or networks when you don’t have an easy way to adjust host and network firewall rules.

The U.S. government has also produced both analysis of past intrusion activity and guidance for future defenses. A list of these documents was assembled by Just Security:

Several Committees in the U.S. House of Representatives and the Senate are investigating the meddling in the 2016 election. Senators Susan Collins (R-ME) and Martin Heinrich (D-NM) have introduced legislation to fund grants to states allowing them to secure election systems and improve information sharing about threats.

On December 12, 2017, Senator Ron Wyden (D-OR) sent a letter to the White House requesting “immediate action to secure federal elections from hacking by foreign governments.” The Senator is recommending the following steps be taken: (1) designate a senior official in the White House to “own” the issue; (2) direct NIST and DHS to create an objective framework allowing “scorecard” grading of states to enable improvement over time; (3) direct DHS to designate political campaigns as critical infrastructure to enable assistance as needed; and (4) direct the U.S. Secret Service to expand their protection duties for Presidential candidates to include advice and assistance related to cybersecurity.

There is more that could be done by other governmental entities, however. The Federal Election Commission (FEC), for one, has this topic clearly in their mandate.

Addressing the Availability of the Ballot

The legislation introduced by Collins and Heinrich could have some effect on voter sign-in system improvements, though this legislation is early in the process of becoming law, has no concrete funding allocated yet, and even if passed before the end of this year it would likely not have an impact until the 2020 election cycle due to the complexity of the process. (The stakeholders involved and the steps they must follow in replacing electronic voting systems are detailed in Section A of the paper mentioned in Part 1.)

Addressing the Confidentiality of Party Communications

Some Political Parties and Candidates are starting to take this seriously. Politico discusses what campaign managers are starting to do.

While some candidates may be asking potential campaign managers about what they would do to improve security, a larger effort to comprehensively deal with security throughout the country has yet to materialize.

“I just don’t think there’s anyone whose job it is, really. There’s no clearinghouse,” said Michael Ambler, campaign manager for the gubernatorial campaign of Democratic Maine Attorney General Janet Mills. “For finance or fundraising or field, there are best practices … passed down from older campaigns. There really isn’t anything comparable for data security.”

Potentially a group like Higher Ground Labs, mentioned in the Politico article, may drive a solution to help in this area, but it isn’t clear yet how that will be accomplished.

“While the DNC’s response during this episode did not amount to cybersecurity ‘best practices’ by any stretch of the imagination, a committed adversary will almost always find a way in, even when best practices like network segmentation and dual factor authentication are used.”
Niloofar Razi Howe

What is not being done (yet)?

If the only action taken was to replace every single voting machine in the United States, would that solve the problem? Of course not. If every other aspect of the election process was hardened, would that prevent a determined adversary from manipulating the vote with existing voting machines? Not only would it not prevent manipulation, but if the only remaining weakness is the voting machines, it may be more likely that they would be targeted!

Left out of much of the recommendations and discussion to date is the electorate itself, the voting public. A more grass-roots effort by the electorate to get involved in voluntary (or not-for-profit?) efforts to follow the recommendations of all the references cited above is also necessary. After all, the voters are the key stakeholders and have the most to lose. Realistically, the number of private citizens who will get involved will be very small, but it only takes a small number of technically sophisticated and socially active citizens to improve the defensive posture of political party or election operations. Many SLTT agencies that manage elections have provisions for citizen involvement, for example the King County Citizen’s Election Oversight Committee in Washington State. These entities could provide a vehicle for citizen involvement in defending the election process.

“As history has always shown, Americans answer the call in defense of democracy. In response to the growing body of evidence showing Russian interference and exploitation of our freedoms to undermine democratic institutions, it is time that we answer that call again.”
Ann Ravel

The two areas that appear to me to be the least-well articulated and getting the least focused attention are securing the availability of your ballot (the operations of balloting) and the confidentiality of party communications (i.e., campaign operations at the state level and below). What follows is a list of some of the elements needed in a system to address these gaps, but this time some possible solutions and mitigations are included.

Second-factor authentication

A combination of a username and password is common, but reliance on a single factor — the password — in authenticating a user is risky. Weak passwords can be guessed by programs and humans. A password shared on multiple sites means that when one site is compromised and the password is stolen or made public, all accounts using that same password are now open to compromise. Adding a second factor — a one-time-use string, a token that generates numbers synchronized with an authentication server, or a smart phone app that manages the secondary authentication step — reduces the vulnerability to password guessing or password capture through social engineering, since the second factor is intended to be available only to the true account owner. Universal 2nd Factor (U2F) tokens and smart phone apps are becoming common and widely used. One-time passwords can still be phished with some difficulty, but U2F tokens and encrypted second-factor authentication apps cannot. (Short Message Service, or SMS — the simple form of text messages originally provided on cell phones and smart phones — is not a secure method for second-factor authentication, and some suggest it should not be used at all.)

Enabling this added account protection mechanism must be done before the password is stolen, however, otherwise the contents of the account can still be siphoned off before the owner of the account tries to lock it down again. It also needs to be cost-effective and easy to use.

Having this kind of protection available for all users of the system, having it be documented and required by policy, and requiring it for all access to the system (not just to personal email accounts) reduces significantly the ability for someone to gain unauthorized access to communications and stored data.

Segmentation of operations

The biggest risk to a campaign is perhaps the leak of high-level confidential documents and communications of top campaign officials. Documents may accidentally leak due to mis-routing email messages to unintended recipients, or by sharing them too widely by sending the files as email attachments to everyone in one large group email address or a huge recipient list. The way large groups tend to operate is by putting everyone into one large group and sharing everything with everybody.

A commonly used technique for improving operational security is to compartmentalize communications, decreasing the number of individuals who have access to the information and reducing the attack surface to gain unauthorized access. A system that compartmentalizes groups and facilitates restrictions on who can upload/download files, who can send email to lists, who can learn the membership of the group, makes it harder to compromise the system. With compartmentalization or segregation, users can use their discretion to share with other individuals or smaller groups on a “need to know” basis.

While these restrictions do make things a little harder to use, the benefit from reducing the attack surface and making it easier to monitor and control access is worth the cost in the long run. Establishing best practices, providing training and documentation, and helping each other learn how to use the system will decrease the friction in daily operations. Segmentation of operations does not entirely mitigate the threat, however. Attackers will be driven to target those individuals who by their role are likely to have access to all compartments, so close monitoring and operational security training are still necessary. Any system must facilitate all of these processes in order to adequately address the threat. Users must also be trained and disciplined in how they operate to get maximum benefit from these measures.

Documentation of operating plans, backup plans, recovery resources

In addition to documenting how to securely use the system, having prepared in advance the kind of operations documents and contingency plans recommended by Susan Greenhalgh improves the ability to respond when threats (or even simple human errors, weather events, etc.) occur at time-critical points in an election. A Public Working Group at National Institute of Standards and Technology is also focusing on checklists, guides, and standards for all phases of the election process. From their web page, “The [NIST] Voting Program focuses on the development of community-based guidelines, metrics, and guidelines that inform the development of the Election Assistance Commission’s (EAC) Voluntary Voting System Guidelines (VVSG).”

A secure portal system that facilitates information sharing, clean organization of documents, and the ability to focus content for the local jurisdiction, will help things run more smoothly and efficiently. Electronic versions of these checklists, guides, voter sign-in forms, and operating instructions, can all be pre-loaded into the system for availability when and if needed. Ensuring that polling places have uninterruptible power supplies, printers and sufficient paper, and logistics information (e.g., routes to nearest alternate polling places, office supply stores, etc.) are all part of preparation for resilient operation. (Of course the easiest solution to mitigate time-sensitive outages such as this is to simply extend the time period available for early voting to days or weeks, rather than just a single work day.)

Vetted volunteers can help here, decreasing the cost of producing and organizing this documentation. Using a crowd-sourcing model of producing documentation like this may even facilitate adoption of nation-wide standards.

Logging and monitoring access

A system administrator like Mr. Tamene at the DNC may notice, in the course of system administration duties, some odd things in system logs. It is unreasonable to expect that someone whose job is to keep the system running would also perform the kind of continuous monitoring of event logs, cross-referencing these logs with available threat intelligence feeds that could detect an intrusion, let alone to perform the post-hoc forensic analysis that would validate an intrusion. Those activities require application of specialized software and digital forensic and incident response (DFIR) expertise.

A distributed system that collects logs, aggregates and processes them, and supports inbound ingest of threat intelligence feeds using systems like CIF and/or MISP, could significantly improve the security posture, speed detection of intrusions, and enable regional or national responses in a more timely manner.
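The correlation step described above, matching collected event logs against an ingested indicator feed, is small enough to show end to end. The following Python is an added example of my own, not code from the article or from CIF or MISP; the IOC_FEED records are shaped like what a feed consumer would receive, but their values are constructed from documentation address ranges and placeholder names, and the SAMPLE_LOGS lines are likewise constructed for the example.

```python
import re
from collections import namedtuple

# Constructed indicator feed, in the rough shape CIF or MISP hands to a consumer.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; the hash is a
# placeholder (64 x 'a'), not a real sample. None of these are real indicators.
DEMO_HASH = "a" * 64
IOC_FEED = [
    {"type": "ipv4",   "value": "203.0.113.45",           "source": "demo-feed", "tags": ["c2"]},
    {"type": "domain", "value": "update-service.example",  "source": "demo-feed", "tags": ["phishing"]},
    {"type": "sha256", "value": DEMO_HASH,                 "source": "demo-feed", "tags": ["dropper"]},
]

# Constructed log lines: firewall, DNS resolver, and mail gateway. Internal
# addresses are private space; only the fourth line is entirely benign.
SAMPLE_LOGS = [
    "2018-01-12T10:15:02Z fw01 ACCEPT src=10.1.4.22 dst=203.0.113.45 dport=443",
    "2018-01-12T10:15:09Z dns01 query 10.1.4.22 update-service.example A",
    "2018-01-12T10:16:40Z mailgw attachment sha256=" + DEMO_HASH + " from=alice@example.org",
    "2018-01-12T10:17:01Z fw01 ACCEPT src=10.1.4.23 dst=198.51.100.7 dport=443",
]

Hit = namedtuple("Hit", "line indicator source tags")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def build_index(feed):
    """Map each indicator value (lower-cased) to its feed record for O(1) lookup."""
    return {ioc["value"].lower(): ioc for ioc in feed}


def extract_observables(line):
    """Pull candidate IPv4 addresses, domain names and SHA-256 hashes out of a
    free-form log line. The domain pattern requires an alphabetic last label, so
    dotted-quad addresses are not double-counted as domains."""
    obs = set(IPV4_RE.findall(line))
    obs.update(m.lower() for m in SHA256_RE.findall(line))
    obs.update(m.lower() for m in DOMAIN_RE.findall(line))
    return obs


def correlate(lines, feed):
    """Return one Hit per (log line, matching indicator) pair, preserving log order."""
    index = build_index(feed)
    hits = []
    for line in lines:
        for ob in sorted(extract_observables(line)):
            ioc = index.get(ob)
            if ioc:
                hits.append(Hit(line, ioc["value"], ioc["source"], tuple(ioc["tags"])))
    return hits


if __name__ == "__main__":
    for h in correlate(SAMPLE_LOGS, IOC_FEED):
        print(f"[{','.join(h.tags)}] {h.indicator} ({h.source}) <- {h.line}")
```

In a real deployment the index would be refreshed from the feed on a schedule and the matching run continuously over the aggregated log stream, with each hit routed to whoever handles incident response for that jurisdiction; the logic of the match itself is what is shown here.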

Avoiding the use of attachments

One of the oldest and most common social engineering attacks is sending a cleverly-crafted targeted email to an unsuspecting potential victim that tricks them into opening an attached document that contains malicious content, compromising their system to install remote access trojan (RAT) software. Once this software is installed, the system is accessible remotely and usable for stealing keystrokes or searching for documents.

By using a wiki for keeping internal notes and a secure file upload/download capability behind the second-factor authenticated portal front end, there is no need to send attachments in emails. This limits the exposure of sensitive documents and puts them in a location that is more easily monitored and secured, with access logging capability. The threat of opening attachments received from an outside sender still exists, so this problem requires additional processes and training to mitigate. For example, with a little more effort/funding, virus scanning or sandbox analysis of files could be performed on upload to more quickly quarantine malicious content.

Establishing the integrity of documents

One of the interesting threats listed by Sulmeyer and Buchanan had to do with identifying and countering planted misinformation in stolen documents dumped to online sites:

Though it appears the documents from the Democratic Party were authentic, it would have been a challenge for the party to verify publicly the integrity, or lack thereof, if some documents were fake. In short, an actor could hack a targeted system, copy a large number of authentic documents, and then either manipulate those documents or add new ones with embarrassing — but untrue — information.

This technique, called “tainted leaks” is described in detail in a report by The Citizen Lab at the University of Toronto that, “illustrates how the twin strategies of phishing and tainted leaks are sometimes used in combination to infiltrate civil society targets, and to seed mistrust and disinformation.”

This problem can be lessened somewhat if sending documents as email attachments is not allowed and instead documents are uploaded to a file sharing repository where their integrity can be recorded and tracked. Let’s say that a spreadsheet containing donor lists and a strategy document in a word processing format are to be shared. As soon as they have been uploaded into a special location in a secure portal, a cryptographically strong hash (e.g., SHA-256) of the contents could be immediately produced and sent off to be saved on a logging server. A record allowing validation of the integrity of the content of these files at that moment in time would be available. If someone was later able to steal those files and upload them to a “leaks” site, it would be possible to more quickly identify altered documents and counter their pernicious effect. (Although with the speed of news cycles these days being so fast, the damage resulting from a tainted leak may occur and spread much faster than the ability to identify and refute the tainting. The Radiolab Breaking News podcast discussed earlier underscores this problem.)

Preservation of evidence/chain of custody

If a business has surveillance cameras outside its building that record video of who enters and leaves the facilities, alarms on the doors and windows that alert if forced entry occurs, and security guards at entrances who require ID and sign-in/sign-out for visiting the facility, there is plenty of evidence available to provide to law enforcement if a crime is suspected to have occurred. When this metadata about who, what, where, when, and how is presented to law enforcement, they can do their job and investigate the suspected crime. If none of that metadata is available, however, the choice is to let law enforcement access the facility to try to find evidence from the interior of the building (a far more invasive thing to allow).

Using the same kind of cryptographic hash validation techniques described in the previous section, records of account logins, failed and successful authentication events, network connections, etc. can be produced by each subsystem to record metadata regarding system access. If those logs are then collected and preserved on other systems, they can be used for investigating suspected intrusions at a later date. With a little more effort, the logs could regularly be hashed and timestamped using blockchain techniques, publishing the blockchain to provide a public record of who produced the logs, when, and where. A hash of the contents does not expose the contents, but a hash (and a timestamp showing the date of creation) that can be validated months later is a pretty low cost and high quality form of proving chain of custody. If the content of the logs were encrypted before being timestamped, they are safely preserved, and as soon as it is suspected that a crime has been committed by a hostile entity, the victim organization can report the crime along with the encrypted logs to law enforcement, who then need only provide a search warrant or subpoena to obtain the encryption key. This simplifies and eases reporting of crimes by victims, preserves privacy, and speeds investigation by law enforcement or national security counter-intelligence agents.
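The two preceding sections, recording a SHA-256 hash of each uploaded document so that a later “leaked” copy can be checked for tampering, and hash-chaining timestamped log records so that the chain itself proves nothing was altered or dropped, share one mechanism. The following Python is an added example of my own (not code from the article, nor from the Trident portal or DIMS project) showing that mechanism as a single append-only ledger: the IntegrityLedger class, its entry layout, and the fixed demo clock are all my assumptions, and the document contents are constructed. The encryption-before-timestamping step the text mentions is deliberately not implemented here; it would wrap the `content` bytes before they reach the ledger and does not change the chain logic.

```python
import hashlib
import json
import time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class IntegrityLedger:
    """Append-only, hash-chained record of document and log hashes with timestamps.

    Every entry commits to the hash of the entry before it, so altering, inserting
    or removing any entry breaks every later link. This is the 'blockchain
    technique' of the text reduced to its essential data structure; publishing the
    latest entry_hash somewhere public is what turns it into a verifiable record."""

    GENESIS = "0" * 64

    def __init__(self, clock=time.time):
        self.entries = []
        self.clock = clock  # injectable so the demo and tests are reproducible

    def append(self, kind: str, name: str, content: bytes) -> dict:
        """Record the hash of `content` (a document or a chunk of log lines)."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "kind": kind,                      # "document" or "log"
            "name": name,
            "content_sha256": sha256_hex(content),   # the content itself is not stored
            "timestamp": int(self.clock()),
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def verify_chain(self) -> bool:
        """Recompute every link; False if any entry was edited, reordered or dropped."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def check_file(self, name: str, content: bytes) -> str:
        """Classify a file that surfaced later (for example on a leaks site):
        'authentic' if its hash was registered under that name, 'altered' if the
        name is known but the content differs, 'unknown' if never registered."""
        matches = [e for e in self.entries if e["name"] == name]
        if not matches:
            return "unknown"
        h = sha256_hex(content)
        return "authentic" if any(e["content_sha256"] == h for e in matches) else "altered"


# Constructed demo: two uploads and one log chunk, stamped with a fixed clock.
DONOR_LIST = b"name,amount\nJ. Doe,250\nA. Roe,100\n"
STRATEGY_DOC = b"Q1 field plan: canvass districts 3 and 7 first.\n"
LOG_CHUNK = b"2018-01-12T10:15:02Z portal login ok user=jdoe src=10.1.4.22\n"


def build_demo_ledger() -> IntegrityLedger:
    ledger = IntegrityLedger(clock=lambda: 1515752102)
    ledger.append("document", "donors.csv", DONOR_LIST)
    ledger.append("document", "strategy.txt", STRATEGY_DOC)
    ledger.append("log", "portal-2018-01-12.log", LOG_CHUNK)
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print("chain valid:", ledger.verify_chain())
    print("leaked strategy.txt:", ledger.check_file("strategy.txt", STRATEGY_DOC + b"Bribe the mayor.\n"))
```

Only hashes leave the upload system, so the logging server that holds the ledger learns nothing about the documents themselves; a stolen copy of the ledger reveals names and times, which is why a real deployment would also want the `name` field to be an opaque identifier.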

Out-of-band validation

The term “out-of-band validation” here means that if one form of communication is suspect, for example a possibly forged email, some other form of communication should be used to validate the authenticity of the suspect communication. Make a telephone call, switch to an instant messenger application, or possibly make an office visit to communicate face-to-face. When a suspected phishing email was received by someone at the DNC, resulting in a suspected compromised email account, email should not have been used to discuss the problem (since that communication channel itself was now potentially compromised).

Mr. Tamene at the DNC should not have to be an expert in cyberattacks, but he should be in a position to work with trusted individuals who are (and who are not agents of the government). Mr. Tamene should have a way of differentiating a call from a federal law enforcement agent, a private sector expert in security working with his organization, or a prank caller.

Trust groups that include administrators and computer security experts can help get answers and advice in a crisis. A secure portal that includes information enabling multiple ways to reach someone — SMS, instant messaging ID, telephone numbers, physical mailing address, even short-wave license numbers! — and that provides a list of references in the form of membership vouches registered in the system helps someone perform their own “friend-of-a-friend” validation of a contact. (In this case, “friend-of-a-friend” means that each member of the system vouches for other members, creating a “network of trust” formed by the vouches. Transitivity of trust, in a system of this nature, is a good first approximation for validation of someone who shares a trust relationship with someone in the vetting network with whom you also share trust.) Wikis and file upload capabilities can provide additional contact information, code words, teleconference voice bridge numbers and PINs.
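The “friend-of-a-friend” validation just described can be written as a bounded search over a directed graph of vouches. The following Python is an added example of my own, not code from the article or from the Trident portal: the VOUCHES graph, its placeholder member names, and the default two-hop limit are constructed assumptions, chosen to show why the direction of a vouch and the length of the chain both matter.

```python
from collections import deque

# Constructed vouch graph: VOUCHES[a] is the set of members that `a` vouches for.
# Edges are directional: a vouch is a claim the voucher makes, not a mutual bond.
VOUCHES = {
    "alice":   {"bob", "carol"},
    "bob":     {"dave"},
    "carol":   {"dave", "erin"},
    "dave":    set(),
    "erin":    {"frank"},
    "frank":   set(),
    "mallory": {"alice"},   # mallory vouches for alice; nobody vouches for mallory
}


def vouch_path(graph, verifier, subject, max_hops=2):
    """Breadth-first search from `verifier` along vouch edges.

    Returns the shortest chain verifier -> ... -> subject of at most `max_hops`
    vouches, or None. Each hop is one 'friend-of-a-friend' step; the cap limits
    how far transitive trust is allowed to stretch before a human must check."""
    if verifier == subject:
        return [verifier]
    queue = deque([(verifier, [verifier])])
    seen = {verifier}
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue                      # do not extend a chain past the cap
        for nxt in sorted(graph.get(node, ())):
            if nxt in seen:
                continue
            new_path = path + [nxt]
            if nxt == subject:
                return new_path
            seen.add(nxt)
            queue.append((nxt, new_path))
    return None


def vouchers_of(graph, subject):
    """Who has vouched for `subject` (the references a verifier would phone first)."""
    return sorted(a for a, outs in graph.items() if subject in outs)


if __name__ == "__main__":
    # Who can alice accept a call from, on the strength of vouches alone?
    for who in ("dave", "frank", "mallory"):
        print(who, "->", vouch_path(VOUCHES, "alice", who))
```

Two design points are visible in the output: mallory is not reachable from alice even though mallory vouches for alice, because vouches only count in the direction they were made; and frank is reachable only if the cap is raised to three hops, which is exactly the kind of weaker, longer chain where a verifier should fall back to a phone call to one of the intermediate vouchers.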

Confederated information sharing and monitoring

Because each county and state in the United States is an independent body, they can be viewed as a confederation in terms of trust, meaning they operate as distributed and independent entities with little or no direct relationship that warrants free and unfettered sharing of private or sensitive information between them. That doesn’t mean that their membership in a common sector (SLTT government, in this case) prevents sharing of sensitive, but perhaps redacted, information about common threats. Such information sharing is common, and improves the ability to respond to those common threats.

Federated information sharing and monitoring

Political parties, which operate in a hierarchical and closed partisan manner, can be viewed as a federation in terms of trust. It could be possible for access logs to be shared from the county level up to the state level and perhaps even up to the federal level (depending on availability of resources), where a higher degree of monitoring can take place. This improves the situational awareness of threats across state boundaries for detection purposes, and can also increase the pool of potential evidence to pursue in the event of a nation-state level intrusion campaign. Knowing whose door knobs are being rattled across the entire country can help notify those entities so they can adjust their security posture, or provide an early warning of threats that may present themselves in the future.

Dissemination of alerts, etc., through private channels

A trusted communication platform with multiple groups or lists to which one can subscribe allows for as-needed broadcast information sharing. For example, a list for CISCP alerts, reports, and warnings could be used for automatic dissemination to subscribers, quickly spreading alerts to those who need them across the country. Other lists or groups specific to a state, region, or municipality could enable more fine-grained alerts on a local geographic basis.

Affordability in a scalable solution

Any solution that provides the capabilities necessary to narrow the gaps described earlier must be low cost to implement, low cost to operate, and flexible enough to handle local requirements. At the same time, it must be standardized enough to take advantage of crowd-sourcing the production and sharing of general content from grass-roots volunteers as well as working in concert with local not-for-profit or commercial service providers, since it is unlikely that a single-vendor nationwide centralized service will work.

Implementing a sufficiently robust system of a handful of servers could be done using low-cost public cloud services, though placing the files on externally owned and operated servers has some physical and operational security considerations. Someone else’s computers hold the data, and the security of your systems is a function of how they secure their systems. Large corporations, like cloud service providers, follow one or more of many standards for physical security controls and undergo audits to verify conformance. The down side is that the contents of a service provider’s systems can be subject to subpoena using civil legal process, or search warrant under criminal legal process. On the other hand, implementing a private cloud using your own on-premises equipment has its own physical and operational security considerations. Now you are responsible for all of the physical security controls, power and network availability, and every other aspect of system and network administration.

Lastly, implementing and supporting the capabilities described here is relatively advanced in comparison to basic system administration, which argues for involvement of individuals with computer and network security expertise in the daily operations of the communications platform.

A model that can help conceptualize a solution here is a variation on the restaurant franchise model. Think about one group setting the standard for appliances, furnishings, orientation of the kitchen in relation to the eating area, the ingredient suppliers, and the dinnerware/flatware suppliers. Individual franchise operators can take advantage of the standardization to get their restaurant up and running with minimal and predictable startup and operational costs. They can take advantage of an established distribution channel and supply chain. Local ingredients and recipes can be tested and, if they prove successful, can be shared with other franchisees to see if they are similarly successful elsewhere. Open source software and crowd-sourcing content are great for this, though there is still overhead to be considered in scaling the model.

What do I want you to do?

I have spent the last three years on a Department of Homeland Security (DHS) contract project at the University of Washington to combine open source security tools for state, local, territorial, and tribal government entities to use for managing incident response trust groups and using security event logs to defend themselves. At the core of this system is a Trident trust group management and communication portal.

Example Trident portal login page

Together with the other technical components produced under this project as they exist today, all of the capabilities listed above can be implemented. With additional funding and some technically capable developers, further features and integration with commercial tools and managed security services/digital forensics and incident response (DFIR) services could enable nationwide coverage at a reasonable cost.

Deciding to do nothing more than we are now is a decision: It is a decision to allow foreign manipulation of our country by governments that wish us harm.
Richard Clarke and Robert Knake

The software components are available as open source, designed to be low-cost to implement and to administer, and can be improved over time because they are open source. Anyone can pick them up and use them. (You can find links to documentation and source code at https://github.com/uw-dims/ and https://staff.washington.edu/dittrich/home/dims.html). Since I led the team, I am in the best position to move it forward. But the software won’t implement itself and I can’t will it into use or do it by myself (especially at the scale we’re talking about, in the short time left). It will take many other experts like me, enthusiastic political party leaders, and serious funding to make it happen. Estimates of what was invested in troll farms, targeted ads on Facebook, Twitter, and Google, and processing the gigabytes of stolen party communications, etc., total millions of U.S. dollars. Countering that kind of investment in subverting the U.S. election process will take significant funding towards protecting it. One could argue that a 10:1 ratio of defensive spending to offensive spending is realistic. This asymmetry between the cost of attacking vs. defending is one of the reasons “cyber” is leveraged by criminals and nation states alike. The goal is not to produce an impenetrable system, which is impossible. The goal is to raise the level of difficulty in compromising the availability, integrity, and confidentiality of information and information systems by enabling better protection, detection, and response capabilities than were used in the 2016 cycle. Exactly how much it will take to implement what is described here is hard to say until these ideas have been considered by the stakeholders who are targeted, and until the number of systems to be deployed and the degree of federation between them are known. But then, how much is it worth to preserve little “d” democracy?

Tweet by Representative Mike Rogers

The 2018 U.S. mid-term election cycle is about to get going and 2020 is just around the corner. There is near universal opinion from the U.S. intelligence community, private sector experts, and observers of Russian activities around the globe that the influence operation executed during the 2016 U.S. election cycle is not only still ongoing but doesn’t look like it will stop. Given the way the malware and cyber criminal activity on which it is based continue to grow in sophistication, it is likely to be more sophisticated and broader next cycle. These problems are not unique to the U.S.: the Alliance for Securing Democracy of the German Marshall Fund has identified Russian interference in elections in up to 27 countries, and Citizen Lab has identified many other targets of “tainted leaks” operations that extend to civil society. So this message is aimed as much at readers outside the U.S. as it is at political parties and elections administrators across the U.S.

You can help in many ways:

  • Forward these articles to someone you know who shares my desire to improve the resiliency of the electoral process as described above. Get in touch with me, or with one of the organizations involved in securing the 2018 election, to help move things forward.
  • Help identify sources of funding, or organizations who would be interested in supporting deployment of a system as described here.
  • Help identify or create a non-profit organization in your voting district to get involved in implementing, managing, and supporting an instance of the system described above. This includes programmers, site reliability engineers, people who understand operational security (OPSEC) techniques (e.g., the Surveillance Self Defense guides published by the Electronic Frontier Foundation) and can help others learn how to improve their security posture while getting their jobs done.
  • Get involved in assembling, writing, editing, and organizing the kind of documentation described by the Verified Voting Foundation and NIST to prepare for contingencies.
  • Call your legislators at both the state and federal levels and urge them to extend (not reduce) periods of early voting and simplify voter registration so that there is more time during an active election to identify problems with voter rolls, or deal with disruptions to voter sign-in operations, ensuring that every U.S. citizen can cast their vote and trust their vote is counted.

Time is short before the 2018 election cycle gets into full swing. Setting up systems to provide the capabilities described here will take some time. The time to act is now.
Thanks to Cere Davis, Rik Farrow, Jim Poland and others for their comments and suggestions.

UPDATE: December 13, 2017 — A paragraph describing the letter from Senator Ron Wyden’s office to the White House was added.