Election security in a pandemic: Matt Blaze’s Black Hat 2020 keynote

Black Hat USA is one of the biggest events in the world of cybersecurity, bringing the infosec community together once a year for several days of trainings, briefings, and demos. Due to COVID-19, Black Hat 2020 went fully remote, and offered free access to some of the conference’s most important events. 

Matt Blaze gave an extremely relevant keynote entitled “Stress-Testing Democracy: Election Integrity During a Global Pandemic”. Blaze is cryptographer and professor of computer science who holds the McDevitt Chair in Computer Science and Law at Georgetown University. His work focuses on the security of systems at scale, and on the intersection of technology and public policy. In what follows, we’ll take you through the main points of his talk.

The problem of secure elections

Blaze began by reflecting on the relationship between technology, elections, and democracy. He points out that in order for people to have confidence in the outcome of elections, they need to have confidence in the mechanisms by which votes are recorded and tabulated — especially as those mechanisms become more complex, as in the case of voting machines and computer voting. But Blaze notes that it’s actually quite difficult to guarantee the security of elections, saying: “I’m a computer scientist who studies computer security, which is full of terribly hard problems. I don’t think I’ve ever encountered a problem that’s harder than the security and integrity of civil elections”. 

Part of this difficulty lies in the fact that democratic elections have two key requirements that are fundamentally contradictory: On the one hand, we want voting to be secret, and to allow citizens to cast their ballots anonymously; but on the other hand, we need the results of elections to be verifiable, such that voting can be audited after the fact if the need arises. In the United States, there are other challenges as well. There is a huge number of potential voters (around 230 million people are eligible to vote in the upcoming November elections), but the management of elections is largely decentralized, with small local governments operating thousands upon thousands of polling sites nationwide.

So how secure are the U.S. elections? Blaze says that while voting mechanisms in the US are pretty well hardened against traditional threats to the integrity of elections — things like ballot stuffing and miscounts — they may not be able to handle more modern threats such as interference and disruption caused by foreign adversaries. He also points out that there is ample reason to worry about direct attacks on voting systems, saying, “Every current voting system that’s been examined is terrible in some way, and probably exploitable”.

Making elections more secure

Many people have strong feelings about how to make elections more secure. But Blaze says that there are serious issues with the most common approaches to the problem. 

On one end of the spectrum, you have people who say that the only way to make elections truly secure and tamper-proof is to eliminate the role of software in voting altogether. But Blaze points out that this is easier said than done: Backend tallying relies heavily on software, even if votes are cast without it; and many related processes around elections, such as voter registration and reporting, are deeply reliant on software. Moreover, under a system in which every ballot is counted by hand, it’s not clear that human beings would do better than software at accurately tabulating votes at scale. A final concern is that eliminating software from the voting process could reduce accessibility for some voters.

On the other hand, you have people who want to solve election security problems with more technology, often appealing to ideas like blockchain voting. But there is little reason to think that a blockchain voting system would actually solve the overall issue of software vulnerabilities, because it would still be dependent on the integrity of the client software that writes the votes to the blockchain. Furthermore, there are a couple of reasons why blockchain technology, by its very nature, might not be a great fit for elections. First, while it’s good at detecting tampering, it isn’t really designed to prevent interference. And secondly, while blockchain tech’s decentralization is perfect for something like Bitcoin, it’s not nearly as appropriate for public elections, which aren’t meant to be decentralized: they’re specifically intended to be managed and run by civil authorities.

Blaze thinks that a middle ground approach is necessary in order to conduct secure, modern elections — and he points out that there’s some good news here: The 21st century has already provided us with the conceptual and analytical tools needed to get the job done. He singles out two recent breakthroughs in the field of election security: software independence and risk-limiting audits.

Software independence is a concept that can be used to design safe voting systems. It stipulates that any software used in a voting system must be implemented in such a way that an undetected software change (whether accidental or malicious) could never result in an undetectable change in the outcome of the election. Thus, software-independent voting systems are perfectly free to use software, but must be designed in such a way that the results they produce are auditable.

The second breakthrough that Blaze mentions is the risk-limiting audit. This is a statistical methodology by which election results can be verified. A risk-limiting audit involves carefully choosing and examining samplings of the results from optical-scan paper ballot voting machines. If done correctly, it’s a feasible way of establishing — with an extremely high degree of mathematical certainty — that the voting machines are reporting results accurately. In other words, as Blaze puts it, it allows you to feel confident that “your reported election results are the same results you’d get by hand-counting all the ballots — but without having to hand-count all the ballots”. 

COVID-19 as a game-changer

According to Blaze, there has been progress in implementing these two important ideas, and computer scientists like himself had started to feel cautiously optimistic about solving the problem of election security. But then, of course, COVID-19 hit — producing a host of new challenges.

He points out that because of the pandemic, there is likely to be an increase in voters who can’t vote in person, and that some local polling places may not be able to function at all. In addition, some voters may be displaced — perhaps even due to hospitalization or quarantine — and therefore unable to vote as they normally would. All of this is likely to place tremendous strain on the system of handling exceptions to the normal voting process: i.e., mail-in voting. 

The challenges of scaling up mail-in voting to the extent required by pandemic conditions are formidable. But Blaze believes that we can analyze the problem and determine the proper course of action by thinking in terms of systems and logistics.

He cites several key issues that will have to be addressed. To begin with, we need to bear in mind that the processing of mail-in ballots is extremely labor-intensive. In particular, it takes a great deal of time and effort to handle cases where there appears to be a mismatch between the required signature on the outer envelope of a mail-in ballot and the voter’s signature kept on file by election officials. This means that processing centers will likely need to recruit and train more personnel to handle the overflow. In addition, there are basic physical capacity issues to contend with: the printing, mailing, and storage of a large number of extra mail-in ballots; the capacity of the ballot-processing machines used to count the votes; and so on. 

So what should be done? Unfortunately, no one really knows what’s going to happen as we get closer to November: We may see a huge surge of requests for mail-in ballot packages, or there may be a large number of people who decide to go to the polls in person. And by the time we know how things will go, it will be too late to change course if we find we’ve been doing the wrong thing.

According to Blaze, this simply means that we need to prepare for a wide range of possible scenarios … some of which may not actually happen. If it turns out that most people don’t opt for mail-in voting, we may end up with warehouses full of unused paper ballots; alternatively, we may have thousands of bored poll workers sitting on their hands come election day if in-person turnout is low.

This complexity — and uncertainty — means that local election officials will need help if they’re to adequately prepare for Election Day. And while that help will need to come from several quarters, Blaze thinks that members of the infosec community, because of their expertise and because of the sorts of problems they’re used to working on, are uniquely well-suited to lend a hand. He ended his talk with what he termed a “call to arms”, urging his listeners to get in touch with their local election officials, and to engage with them, perhaps by volunteering to work at a polling place, to serve as a signature judge for mail-in voting, or to use their technical skills to provide IT support. Blaze closed his keynote on an optimistic note, saying, “We can do this. But we have to want to. And we have to all take responsibility for this”.