The 2020 U.S. Presidential elections are still 16 months away, but we’re here to jar you out of your summer reverie to give you an update on the current election security landscape and how it relates to identity. The past few weeks have brought some major headlines around this issue, both from the Hill, where proposed federal election security measures have failed to gain traction in the Senate, and from Vegas, where DEF CON 2019 displayed the vulnerability of currently deployed voting machines this past weekend.
Election security is one of the most formidable challenges the identity community faces. Ensuring that the right votes are cast and recorded by the right people is a monumental verification task that has deep ramifications for the longevity of the U.S. democratic system. Let’s take a quick look at where we’ve been, where we are now, and what we’re looking for in the run-up to November 2020.
What’s the threat?
When asked about whether Russia would continue efforts to influence U.S. elections in his testimony last month, Robert Mueller had a simple answer: “they’re doing it as we sit here.” The Senate Intelligence Committee released a report in mid-July indicating that Russian hackers had specifically targeted voting systems in all 50 states during the 2016 presidential election although there’s no evidence thus far that votes had been changed.
Despite this, there are persistent reports of flaws in existing voting systems. Motherboard last week discovered that voting machines in 10 states had been connected to the internet without the knowledge of election officials, creating an opening for unauthorized access. Hackers at DEF CON’s annual Voting Village found critical vulnerabilities in existing voting infrastructure. “These systems crash at your Walmart scanning your groceries. And we’re using those systems here to protect our democracy, which is a little bit unsettling,” one attendee said.
Securing voting machines is a particularly vexing problem. The systems themselves are often procured and maintained on a county-by-county basis, pushing the risk to local officials. At this point, the ideal machine would be gapped from the internet, create an auditable paper trail, and involve an identity verification scan to ensure the ballot’s validity. Not all counties have the budget or political will to move in that direction. If you’re interested in a full breakdown, Politico has a great county-by-county voting system survey that’s worth your time.
We spend a lot of time talking about the future of digital identity and e-governance, but right now, the near-term future of U.S. election security is paper-based.
What’s going on now?
On the tech front, the big story is DARPA’s $10 million voting machine. In March, the organization contracted with Galois to produce the next generation of secure voting infrastructure. The project prioritized the development of open-source hardware and software that could be easily adopted by local officials. You can find a more complete rundown of how the system works here.
DARPA and Galois were slated to take their prototype out for a spin this past weekend at DEF CON, but things didn’t go quite as expected. The machines had connectivity issues with the validation scanners and weren’t functional until the last day of the conference. Galois is planning to bring a more fully-realized system back to DEF CON 2020, but the clock is ticking for any of that progress to be applied to 2020 security efforts.
On the policy side, things on the Hill are contentious (surprise!). Most recently, the Securing America’s Federal Elections (SAFE) Act was passed by the Democratic-majority House in June, but the bill has yet to see a vote in the Senate. The legislation would make paper backup ballots a federal requirement and provide cybersecurity funding for voting infrastructure nationwide. Republicans have contended that the bill represents a significant federal overreach of state authority over elections, and so far no competing bills have seen the floor.
Democratic lawmakers have not taken that quietly, and many made personal appearances at DEF CON. Senator Ron Wyden (D-OR) keynoted the event, and Reps. Eric Swalwell (D-CA), Ted Lieu (D-CA), and Jim Langevin (D-RI) all made appearances reiterating how critical federal action is for voting security.
“The overwhelming interest we are seeing from government leaders demonstrates that securing our democracy is a national security priority and we need policy solutions that address the concerns brought to light each year by this Village,” said Harri Hursti, co-founder of the conference’s Voting Village.
The Digital Identity Opportunity
As much as we like to dream about the future of e-voting and mobile platform deployments, the near-term reality is still grounded in paper. Moving forward, however, the private sector has an increasingly crucial role to play in ensuring that elections remain secure. Last month, for example, the Federal Election Commission ruled that political campaigns could receive discounted cybersecurity services from private tech and security companies. DEF CON this year was the beginning of what we expect to be a growing trend in policymaker outreach to the identity and security communities over the coming months.
The digital identity opportunity here is in public-private dialogue. Demand for enhanced election security, both in terms of voting infrastructure and campaign protection, is acute and will continue to grow. Cybersecurity providers should explore public sector as an increasingly attractive market segment both in advance of 2020 elections and beyond.