iVote meets Saltzer and Schroeder

02/05/2015


The best defence of a secure system is openness

Ensuring the security of high consequence systems rests fundamentally upon the organisation that sustains that system. Thus organisational dysfunction can and does manifest itself as an inability to deal with security in an effective fashion. To that end the ‘shoot the messenger’ approach of the NSW Electoral Commission to reports of security flaws in the iVote electronic voting system does not bode well for that organisation’s ability to deal with such challenges.

One generally accepted principle of cybersecurity (NIST 2008) is that security should not depend on the secrecy of the implementation or its components, e.g. the software. In fact this principle of openness is so important that it makes it onto Saltzer and Schroeder’s Design Principles of Information Protection. There are several very good reasons for this. The first is that it’s simply not realistic to expect that one can maintain secrecy over any system that is widely distributed. Instead security should rely on more easily protected keys or passwords. By separating the protection mechanisms from the keys in this way the protection mechanisms can be scrutinised and reviewed in an open and rigorous fashion without concern about inadvertently compromising security. The final and perhaps best reason to adopt an open design approach is one of trust: it’s hard to place one’s trust in a system when the argument boils down to ‘trust us’, and if users or stakeholders don’t trust a system then they’re unlikely to use it (1).
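To make the separation of mechanism and key concrete, here is an added example (not code from the original post, and not iVote’s own code). It contrasts a hypothetical integrity tag whose only secret is an undisclosed design constant with an HMAC-SHA256 tag, where the construction is public and only the key is secret. The ballot record format and the constant `_DESIGN_SECRET` are constructed for the illustration; the scenario modelled is a reviewer who has read the full design of both schemes but holds no key.

```python
"""Open design versus secret design for a ballot integrity tag.
Added illustration, not part of the original post or of iVote."""
import hashlib
import hmac
import secrets

# Constructed sample ballot records (not a real iVote record format).
GENUINE_BALLOT = b"ballot=0001;candidate=A"
TAMPERED_BALLOT = b"ballot=0001;candidate=B"

# ---------------------------------------------------------------------------
# Scheme 1 (hypothetical): the tag depends on a hidden design detail only.
# Stands in for any "secret sauce" checksum whose security rests on nobody
# reading the source.
# ---------------------------------------------------------------------------
_DESIGN_SECRET = b"undisclosed-checksum-salt"  # constructed placeholder


def obscure_tag(ballot: bytes) -> str:
    """Tag whose only 'secret' is the algorithm itself."""
    return hashlib.sha256(_DESIGN_SECRET + ballot).hexdigest()


def obscure_verify(ballot: bytes, tag: str) -> bool:
    return hmac.compare_digest(obscure_tag(ballot), tag)


# ---------------------------------------------------------------------------
# Scheme 2: an open, reviewable construction (HMAC-SHA256); only the key
# is secret, and the key can be rotated without touching the mechanism.
# ---------------------------------------------------------------------------
def keyed_tag(ballot: bytes, key: bytes) -> str:
    return hmac.new(key, ballot, hashlib.sha256).hexdigest()


def keyed_verify(ballot: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(ballot, key), tag)


# ---------------------------------------------------------------------------
# "The design is public" scenario: the reviewer has the source of both
# schemes (including _DESIGN_SECRET, which is part of the source) but no key.
# ---------------------------------------------------------------------------
def design_leak_breaks_obscure_scheme() -> bool:
    """With the algorithm known, a tag for a tampered ballot verifies as genuine."""
    forged = hashlib.sha256(_DESIGN_SECRET + TAMPERED_BALLOT).hexdigest()
    return obscure_verify(TAMPERED_BALLOT, forged)


def design_leak_breaks_keyed_scheme(key: bytes) -> bool:
    """Knowing HMAC-SHA256 alone does not help: a tag under a guessed key fails."""
    forged = hmac.new(b"best-guess-key", TAMPERED_BALLOT, hashlib.sha256).hexdigest()
    return keyed_verify(TAMPERED_BALLOT, forged, key)


def key_rotation_recovers(old_key: bytes, new_key: bytes) -> bool:
    """If the key (rather than the design) leaks, rotating it invalidates
    every tag made under the old key; the obscure scheme has no equivalent
    short of redesigning and redeploying the mechanism."""
    tag_under_old_key = keyed_tag(TAMPERED_BALLOT, old_key)
    return not keyed_verify(TAMPERED_BALLOT, tag_under_old_key, new_key)


if __name__ == "__main__":
    k_old, k_new = secrets.token_bytes(32), secrets.token_bytes(32)
    print("genuine ballot verifies (keyed):       ",
          keyed_verify(GENUINE_BALLOT, keyed_tag(GENUINE_BALLOT, k_old), k_old))
    print("obscure scheme forged after design leak:", design_leak_breaks_obscure_scheme())
    print("keyed scheme forged after design leak:  ", design_leak_breaks_keyed_scheme(k_old))
    print("keyed scheme recovers by key rotation:  ", key_rotation_recovers(k_old, k_new))
```

The point of the example is the one the paragraph makes: publishing the mechanism costs Scheme 2 nothing, so it can be reviewed openly, and a compromise is recoverable by rotating a key, whereas Scheme 1 is finished the moment its source is read.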

In counterpoint, the NSW Electoral Commission’s approach has been to conduct the development behind a veil of secrecy, with the threat of criminal sanctions imposed on anyone revealing details of the source code. Unfortunately this is not an unusual response; it’s one that’s dogged the field of military cryptology for many years, see the work of Baran (1964) for an early discussion of the problem. But while the military might be able to live with such problems, a lack of trust in the voting system is a much more serious problem. Firstly because it devalues people’s franchise: if we doubt that our votes will be honestly counted then this devalues the act of voting itself. Secondly, as the lost votes scandal in West Australia during the last federal election has shown, the erosion of trust in democratic institutions so caused is disproportionate to the ‘on paper’ severity that any risk analysis might indicate.

So how well did the Commission’s security through secrecy approach work?

Well, before the 2015 NSW election the public were assured that the system was ‘…completely secret. It’s fully encrypted and safeguarded, it can’t be tampered with.’ This bullish position was on the basis of the conduct of several security analyses (2) and the use of ‘independent’ security consultants (3), so on paper at least so far so good. However, during the election a pair of independent researchers performed an uninvited security analysis of the system and found that it was vulnerable to attack. They also found (and demonstrated) that this vulnerability allowed an attacker to co-opt browsers and tamper with votes. Just for stamps they went on to identify ways in which the independent verification channel could be circumvented to either steal votes or compromise privacy (4). Having found these vulnerabilities they notified CERT, who in turn notified the Commission, but by then the election had been running for 5 days and 60,000 votes had been cast.

The NSW Electoral Commission’s corporate response to these security problems was itself illuminating. Having fixed the vulnerability, they went into damage control mode, releasing a statement that it considered this vulnerability as much a risk as a postman stealing a ballot, and accusing Halderman and Teague of being ‘activists’ and ‘troublemakers’, implying they had even tried to wreck the Estonian e-voting system (5). What must really gall the Commission is that the work of these desperate international criminals was actually funded by the US government under NSF grants. This sort of after-the-fact blaming of the messenger is strongly indicative of corporate ‘groupthink’; all in all not a good look for the Commission, and not terribly reassuring.

So what are we to make of all this?

Well, first, the Internet is inherently insecure; if you want a background on why this is so then you need to understand the problem of Linguistic Security, see Starving the Turing Beast for an introduction. Trying to implement a secure voting system in this sort of inherently exploitable environment is, well, very, very, very difficult (6). Apart from companies who sell online voting software there are very few voices out there who are saying that secure and anonymous internet voting is actually achievable. In these circumstances the rush to extend electronic voting to voters who find themselves greater than 20 km from a polling station is undoubtedly premature (7).

The second is that the Commission, and by extension the government, seem to be completely tone deaf on this issue. Comments by the Commission in their press release that the vulnerability “…is as real as a malicious postman replacing a postal vote”, together with their ad hominem attacks, are indicative of an organisation that is engaging in groupthink rather than addressing cyber-threats in a credible fashion. This sort of off-key organisational response is another reason why security should not rely on secrecy: in such closed worlds it’s all too easy for normalisation of deviance to subvert basic common sense. Regardless of whether the system was patched or not, I have a sneaking suspicion that many within the NSW Electoral Commission bunker still believe that “…it can’t be tampered with”.

Thirdly, the Commission simply has not done its due diligence when it comes to risk assessment. What they’ve clearly failed to realise is that a higher duty of care is expected of them when they implement an internet voting system as opposed to the traditional paper and postal ballot. This may not be fair, but the Commission needs to realise the asymmetric difference between the risk of a postal worker losing a ballot and the risk of an electronic balloting system being invalidated or tampered with deliberately by some third party (8). The Commission also needs to understand that the risk is not just about the loss of ‘x’ ballots but, as I pointed out at the start of this post, as much about the reputation for integrity the Commission has. Reputations are very easy to lose and almost impossible to get back when lost; engaging in denial, secrecy and obfuscation of issues really does not help.

Edmund Teller once remarked, “the best weapon of a democracy is openness”; the same might be said for its voting systems.


1. The International Foundation for Electoral Systems places transparency, public confidence, and true independent certification at the top of the list of critical success factors for e-voting.

2. For a summary of the approach see the NSW EC’s security implementation statement.

3. I’d suggest that the Commission might think about asking for their money back. I’d also point out that independent does not mean a company that has a direct financial relationship with its client and therefore an interest in the successful outcome of the project. This is a lesson that has been learned the hard way in the safety community, see the Haddon Cave enquiry into the Nimrod disaster and the role of the independent safety assessor.

4. This allows the voter to confirm that their vote as stored is the way they expected. However this is an optional system and so picking up tampering relies on the voter actually checking.

5. See this link for more information on the Estonian election.

6. We can also thank the NSA and other intelligence agencies for opposing the use of high grade encryption, thanks guys, thanks.

7. I grew up in the country, so I’m absolutely gob smacked by this one. If you’re 20 km or more away you get in your car and drive, good grief. This is clearly mission creep of the first water. 🙂

8. One example threat scenario might be a state actor (think North Korea) deliberately sabotaging a number of strategic votes not to affect the outcome of the election directly but so that after the election is closed the attack can be leaked to the media thereby throwing into doubt all the remaining electronic ballots. Another threat scenario would be a protracted DoS attack on the electronic voting site during the last days of the election (when most people vote).


Baran, P., Security, secrecy, and tamper-free considerations. On Distributed Communications, no. 9, Rand Corp. Tech. Rep. RM-3765-PR, (I-A3, III-B), 1964.

Halderman, J.A., Teague, V., The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election. Retrieved 2 May 2015.

NIST 2008, Guide to General Server Security, National Institute of Standards and Technology. July 2008. Retrieved 2 May 2015.
