Technical solutions won't stop the real threats to elections

Elections could be conducted more efficiently with electronic or even online voting, we're sometimes told. The integrity of elections could supposedly be guaranteed by using blockchain technology.

But a panel discussion in Canberra on Tuesday evening revealed that the people who look more closely at the integrity of elections worry about other things, things that technology can't fix.

The full electoral systems that support our democracies aren't just about the systems used to count votes, whether they're built of computers, or pencil and paper. They also include, amongst other things, the laws that decide who can and can't vote, the bureaucratic processes that manage those voter rolls, and what might be called the "free and open arena of ideas", where citizens can discuss the issues and form their views on how to vote.

Alleged Russian interference in the 2016 US presidential election was all about that arena of ideas. Attempts to subvert the voting process by technical means had "minimal" effect, according to John Felker, director of the National Cybersecurity and Communications Integration Center at the US Department of Homeland Security (DHS), and made no difference to the result.

"We did not detect any effect at all by what they did," Felker told ZDNet, even though US authorities reportedly saw Russian scanning of election systems, and there were "a couple of instances" where they entered election systems -- although they were mostly administration systems rather than those used for voting or counting.

"The other, the 'information operation' if you will, I think maybe had a little bit more effect, but that's still being sorted out," he said. "It's a difficult thing to measure."

This discussion on stopping the cyber threat to our elections was held at the Australian Strategic Policy Institute (ASPI). It looked at both Australian and US experiences.

There are significant differences between the two nations. Australia has compulsory voting, and the electoral systems are managed nationally and replicated by a handful of states. In the US, however, the Constitution gives the 50 states the responsibility to run their own systems, and they vary widely. Voting is voluntary, so just persuading people to vote is an important factor.

"We have some states that are quite homogeneous, in that they have an election commissioner for the state, and that state has chosen to create a system in which all of the physical manifestation of voting is the same. The machines are the same," Felker said.

"And then right next door to that state, you have another state in which there are a plethora of voting jurisdictions, down to almost a precinct level, and they do things differently in almost every one of them."

Securing all those systems is a complex task, but it isn't the federal government's role to control how they do that.

"Our job is to help defend those systems, particularly those systems that are electronic in nature, by providing them support in terms of technical advice, best practices, actually conducting red team efforts against those systems," Felker said.

Australian Electoral Commissioner Tom Rogers said that Australia has "the reverse". There's an expectation that no matter where you vote in Australia, everything looks the same, and the processes are the same. When things do go wrong on election day, "which they invariably do", the Australian Electoral Commission (AEC) is empowered to sort it out.

That doesn't mean the AEC is completely in control of election security, however.

"If it was a railway switching yard you used to see years ago with all those levers, and that's the security of the election, the AEC probably has its hands on two or three of those levers, and there are about 20 other agencies that have their hands on the other levers," Rogers said.

According to Gai Brodtmann, federal Labor MP for Canberra, and shadow assistant minister for Cyber Security and Defence, Australians tend to focus on the manual, paper-based parts of their voting systems. They don't think about the behind-the-scenes data processing, or the control and protection of the electoral information such as voter registration, and the cybersecurity they need.

"I think that they're in a way lulled into a false sense of confidence, because of this very manual approach that we have," Brodtmann said. She cited the federal election of 2013, when physical ballot paper went missing in Western Australia, forcing a fresh Senate election, and the Australian National Audit Office (ANAO) criticisms of the rapidly-developed counting system for the new Senate election rules in 2016.

Brodtmann has long argued that Australia needs to broaden its definition of "critical infrastructure" from the eight sectors defined in the national Cyber Security Strategy to include election systems, as the US does.

Rogers said the AEC has been "conscious of cybersecurity for many years", and is also aware of the "catastrophic consequences" of any failure.

"I sometimes joke that I'm the CEO of an analog agency when citizens have digital expectations. Sometimes that's not easy. We saw at the last election, the poll closes at 6.00pm, and by and large citizens want the result at 6.01pm," he said.

The clear consensus of panellists and audience members was that information operations, which are seen as the greater risk to elections, were best countered by a good education system where students are taught critical thinking skills, which then help people spot the so-called "fake news".

Personal experience in operating in the digital realm also helps.

The citizens of Estonia are particularly good at spotting fake news, according to Felker.

"One of the advantages that Estonia has is that almost everything that they do is done by cyber means. Everything. And they're small, so it's easier to manage the complexities of society," Felker said.

"The populace is so switched on to the plusses and minuses of that digital society that they are more attuned to pay attention, 'Maybe that's not so real'. In our country [the US], it's not that way. There's a lot of things that are not digital. There are a lot of people that [say]... 'Smartphone? What's that?'"

Asking platforms such as Facebook to police their services for fake news or illegitimate political messages carries risks.

"If you follow that same logic train, I think we would get into this debate about free speech. Just because you own the company, how can you say that I'm not allowed to speak on here? Everybody else can speak. And you get back into 'Who owns it?' and all that," Felker said.

Transparency is also a problem on digital platforms such as Facebook. As Felker put it, "We don't see the algorithm", so we don't know how the decisions about what we see are being made.

Future foreign state-actor interference in national elections is inevitable, according to Felker.

"There's always going to be a modicum of state-to-state debate, and pushing and shoving," he told ZDNet.

So it's nothing new, it's just happening in a new way?

"I think that's a fair assessment," Felker said.

Related Coverage

• US slaps new sanctions on Russia over NotPetya cyberattack, election meddling
• AEC 'satisfied' with security risks absorbed ahead of the 2016 election
• Tight deadlines lead AEC to ditch security compliance: ANAO
• The Australian government and the loose definition of IT projects 'working well'
• Australian Home Affairs thinks its IT is safe because it has a cybermoat
• Australian government cannot handle its own data securely, why give it yours?
• US election cybersecurity funding gets a boost of $380 million (TechRepublic)
• What to expect from cyber-attacks during an election year (TechRepublic)