Free and correct elections are the linchpin of democracy. For a government to be formed based the will of the people, the will of the people must be heard. Across the world election systems are being classified as critical infrastructure, and they face the same concerns as all other fundamental systems in society. We are building our critical infrastructure from hardware and software built by nations and companies we can’t expect to trust. How can this be dealt with in Election Security, and can those lessons be applied to other critical systems society depends on today?

1. TurtleSec
@pati_gallardo
Turtle
Sec
@pati_gallardo

2. TurtleSec
@pati_gallardo 2
In 2017 I made a bit of fuss about
election security
Ok, fine, I made a lot of fuss
And, ok, yes, I didn’t stop

3. TurtleSec
@pati_gallardo 3
This year Norway finally made it
mandatory that one of the ballot
counts has to be manual
On Monday we will have our first
election with this in place

4. TurtleSec
@pati_gallardo 4
January 1st Norway's new
National Security Act went into
effect
It makes protecting the
democratic process a matter of
national security

5. TurtleSec
@pati_gallardo 5
Both of these events will have
profound effects on election
security in Norway.
But nothing new happened to
make elections less secure in
2017.

6. TurtleSec
@pati_gallardo 6
Except suddenly it
seemed much more
likely.

7. TurtleSec
@pati_gallardo 7The Turtle vs The Hare

8. TurtleSec
@pati_gallardo 8
The Turtle
63.1%
The Hare
36.9%

9. TurtleSec
@pati_gallardo@pati_gallardo
Who can you trust?
Who feeds you the data?

10. TurtleSec
@pati_gallardo
Elections
Trust and Critical Infrastructure
NDC TechTown 2019
Patricia Aas
Turtle
Sec

11. TurtleSec
@pati_gallardo
Patricia Aas - Trainer & Consultant
C++ Programmer, Application Security
Currently : TurtleSec
Previously : Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science
Pronouns: she/her
@pati_gallardo
Turtle
Sec

12. TurtleSec
@pati_gallardo 12

13. TurtleSec
@pati_gallardo 13@pati_gallardo
Complex?

14. TurtleSec
@pati_gallardo@pati_gallardo
Is the Norwegian
Election System
complex?
14@pati_gallardo

15. TurtleSec
@pati_gallardo
No, not really.
15

16. TurtleSec
@pati_gallardo
“The testing is performed using a prototype
implementation in Java. Though the implementation
does not take into consideration security and
anonymity concerns, it is a full implementation of
the Electoral System.”
Evaluating the suitability of EML 4.0 for the Norwegian Electoral System : A prototype approach
Patricia Aas, Masters Thesis UiO, 2005
https://www.duo.uio.no/handle/10852/9298
16

17. TurtleSec
@pati_gallardo
What are these “security and
anonymity concerns”?
17

18. TurtleSec
@pati_gallardo
It’s complicated.
18

19. TurtleSec
@pati_gallardo 19@pati_gallardo
What are we
protecting?

20. TurtleSec
@pati_gallardo
Worst Case Scenario
An accepted, but manipulated
Election Result
20

21. TurtleSec
@pati_gallardo@pati_gallardo
What is the
Election Result?
21@pati_gallardo

22. TurtleSec
@pati_gallardo
The Election Result
is the distribution of the
mandates
22

23. TurtleSec
@pati_gallardo
An Election doesn’t have to be
flawless
as long as
The Election Result
is correct
23

24. TurtleSec
@pati_gallardo 24
The Turtle
63.1%
The Hare
36.9%

25. TurtleSec
@pati_gallardo 25@pati_gallardo
What is the Threat
Model?

26. TurtleSec
@pati_gallardo@pati_gallardo
What are you
afraid of?
26@pati_gallardo

27. TurtleSec
@pati_gallardo
Adding ballots
Removing ballots
Changing ballots
Reporting wrong counts
27

28. TurtleSec
@pati_gallardo
At its most extreme:
Preventing a coup
Keeping a democracy
28

29. TurtleSec
@pati_gallardo
Who are the Threat Actors in
Elections?
29

30. TurtleSec
@pati_gallardo
The most likely Threat Actor
Historically
Internationally
Is the sitting (local) government
30

31. TurtleSec
@pati_gallardo
Others include:
Foreign governments,
private companies, terrorists,
activists, lone wolfs
31

32. TurtleSec
@pati_gallardo
The most likely Threat Actor
in an election
is the sitting government
32

33. TurtleSec
@pati_gallardo
The same government
running the election
33

34. TurtleSec
@pati_gallardo
Two “acceptable” outcomes
1. A correct election
2. Prevented a rigged election
(hopefully correctable)¹
34¹ How feasible is a new election?

35. TurtleSec
@pati_gallardo 35@pati_gallardo
What about
Anonymity?

36. TurtleSec
@pati_gallardo@pati_gallardo
How does a
secret ballot play
into elections?
36@pati_gallardo

37. TurtleSec
@pati_gallardo
True democracy requires
the freedom to
Vote your conscience
37

38. TurtleSec
@pati_gallardo
Prevent coercion
Prevent vote selling
Prevent persecution
now or in the future
38
#goals

39. TurtleSec
@pati_gallardo
No.
The answer is not blockchain
39

40. TurtleSec
@pati_gallardo
Why?
40

41. TurtleSec
@pati_gallardo
To prevent persecution
You don’t want to connect a
vote to a person
41

42. TurtleSec
@pati_gallardo
To prevent coercion and vote selling
You don’t want a person to be able to
prove what they voted
42

43. TurtleSec
@pati_gallardo
And what put that vote on the
blockchain?
Who’s in charge of that?
How about chain of custody?
43

44. TurtleSec
@pati_gallardo 44@pati_gallardo
Man vs Machine

45. TurtleSec
@pati_gallardo@pati_gallardo
What?
You hate
computers?
45@pati_gallardo

46. TurtleSec
@pati_gallardo
Nah. I love computers.
But manual elections are hard to beat.
They’re just that good.
46

47. TurtleSec
@pati_gallardo
Isn’t manual counting slow?
47

48. TurtleSec
@pati_gallardo
Surprisingly, no.
It’s massively distributed.
48

49. TurtleSec
@pati_gallardo
Isn’t manual counting error prone?
49

50. TurtleSec
@pati_gallardo
Yes.
And no.
It’s complicated.
50

51. TurtleSec
@pati_gallardo
Norwegian risk model for
ballot counting errors
Manual vs Machine
51

52. TurtleSec
@pati_gallardo 52
1. Can it affect the Election Result?
2. Can it go undetected?
3. Can it discredit the Election Result?
4. Can it create more work?
Evaluating severity

53. TurtleSec
@pati_gallardo 53
1. Historically how common is it?
2. Is there a known threat?
Evaluating likelihood

54. TurtleSec
@pati_gallardo
54
Likelihood
Severity
Innocent
manual
Innocent
machine
Premeditated
manual
Premeditated
machine
Likelihood Innocent Premeditated
Manual High Low
Machine Low-Medium¹ Low
Severity Innocent Premeditated
Manual Low² Medium³
Machine Medium-High High
Risk diagram: Counting Errors (no Machine Count Audit)
¹ Bugs: Has happened many times irl
² Distributed proportionally on parties
³ Will almost certainly be detected, but cast doubt
and ballots are compromised

55. TurtleSec
@pati_gallardo 55@pati_gallardo
What is the
alternative?

56. TurtleSec
@pati_gallardo@pati_gallardo
Manual
elections?
56@pati_gallardo

57. TurtleSec
@pati_gallardo
Software independence¹
57¹ Ron Rivest (The R in RSA) and John P. Wack (NIST)

58. TurtleSec
@pati_gallardo 58
“A voting system is software-independent if
an undetected change or error in its software
cannot cause
an undetectable change or error in
an election outcome”
On the notion of “software-independence” in voting systems
http://people.csail.mit.edu/rivest/RivestWack-OnTheNotionOfSoftwareIndependenceInVotingSystems.pdf

59. TurtleSec
@pati_gallardo 59@pati_gallardo
Auditability

60. TurtleSec
@pati_gallardo
“Verify the election results,
not the voting system”
60
Rivest & Wack, On the notion of “software-independence” in voting systems

61. TurtleSec
@pati_gallardo
What is a “manual” election?
Paper ballots
Manual count¹
61¹ Keep computers for all parts that are auditable

62. TurtleSec
@pati_gallardo
Auditable elections
Paper ballots
Manual audit
62

63. TurtleSec
@pati_gallardo 63
Likelihood
Severity
Innocent
manual
Innocent
machine
Premeditated
manual
Premeditated
machine
Premeditated
machine
Innocent
machine
Risk diagram: Counting Errors (with Machine Count Audit)
An Audit will reveal
- Bugs
- Manipulations

64. TurtleSec
@pati_gallardo
What is an auditable
election?
64

65. TurtleSec
@pati_gallardo 65@pati_gallardo
Implementation

66. TurtleSec
@pati_gallardo
Norway 2019
Manual preliminary count¹
66¹ Ask me about this process sometime ;)

67. TurtleSec
@pati_gallardo
Norway has two counts:
Preliminary and Final
Results can be compared
67

68. TurtleSec
@pati_gallardo
Goal for many US researchers
Risk-Limiting Audits
68

69. TurtleSec
@pati_gallardo
What’s a Risk Limiting Audit?
A statistical model for manual
ballot sampling
69

70. TurtleSec
@pati_gallardo
“The Norwegian electoral system: a study of EVA
Skanning, implemented error detection mechanisms,
and applicability of risk-limiting audits”
Vilde Elise Samnøy Amundsen, Masters Thesis NTNU, 2019
Thesis Advisor: Patricia Aas
http://www.valgforum.no/wp-content/uploads/2019/02/Masteroppgave-Vilde-Amundsen.pdf
70

71. TurtleSec
@pati_gallardo
What was the problem in
Norway?
71

72. TurtleSec
@pati_gallardo
No audit.
72

73. TurtleSec
@pati_gallardo
Paper ballots are not enough
There has to be an audit
Performed by regular folks
73

74. TurtleSec
@pati_gallardo
Manually counted elections
have a built-in audit
People.
74

75. TurtleSec
@pati_gallardo
Manually counted elections can
also be rigged
But everyone knows they are
75

76. TurtleSec
@pati_gallardo
If an election is rigged
and nobody knows,
do you have a democracy?
76

77. TurtleSec
@pati_gallardo
No.
You’ve had a coup.
And you don’t even know it.
77

78. TurtleSec
@pati_gallardo@pati_gallardo
What could an attack on Critical
Infrastructure look like?

79. TurtleSec
@pati_gallardo 79
Countdown to Zero Day: Stuxnet and the Launch of the
World's First Digital Weapon, Kim Zetter
Attack on Siemens PLCs in centrifuges at an Iranian uranium enrichment plant
The diagnostic data was manipulated so it seemed like there was no error
Probably hundreds of centrifuges were destroyed
Stuxnet

80. TurtleSec
@pati_gallardo@pati_gallardo
What is modern life if not ruled by
Critical Infrastructure?

81. TurtleSec
@pati_gallardo 81
Modern society is a legacy system
Never designed, it evolved
Based on layers of dated technology
Containing massive technical debt
Lacks in holistic security analysis

82. TurtleSec
@pati_gallardo@pati_gallardo
Did something
happen to make
us less secure?

83. TurtleSec
@pati_gallardo@pati_gallardo
Or did it just suddenly feel more likely?

84. TurtleSec
@pati_gallardo@pati_gallardo
What lessons can
we learn from
the mistrust in
Election
Security?

85. TurtleSec
@pati_gallardo 85
Make diagnostics that don’t depend on computers
Be wary of single points of failure
Segment your infrastructure
Manual operations require physical presence, this is a feature
Figure out who are your most likely Threat Actors

86. TurtleSec
@pati_gallardo 86
On the other hand...

87. TurtleSec
@pati_gallardo 87
July 10th 2019
Ukrainian Secret
Service (SBU)
raided
South Ukraine
Nuclear Power Plant

88. TurtleSec
@pati_gallardo 88
¯_(ツ)_/¯

89. TurtleSec
@pati_gallardo
Best way to rig an election?
Internet voting.
89

90. TurtleSec
@pati_gallardo 90@pati_gallardo
Turtle
Sec

91. TurtleSec
@pati_gallardo 91
Høringssvar, Patricia Aas, TurtleSec, https://elections.no/2018/12/13/hoeringssvar_turtlesec.html
“Election Cybersecurity Progress Report”, Professor J. Alex Halderman (University of Michigan), https://youtu.be/U-184ssFce4
“Electronic Voting In 2018: Threat Or Menace”, Professor Matt Blaze, Joe Hall, Margaret MacAlpine, and Harri Hursti,
https://youtu.be/Lo3iibtVh6M
“Testimony of Prof. Matt Blaze”, Professor Matt Blaze (University of Pennsylvania),
https://oversight.house.gov/wp-content/uploads/2017/11/Blaze-UPenn-Statement-Voting-Machines-11-29.pdf
“Securing the Vote: Protecting American Democracy”, The National Academies of Sciences, Engineering, and Medicine,
https://www.nap.edu/catalog/25120/securing-the-vote-protecting-american-democracy
“DEF CON 26 Voting Village Report”, Blaze, Braun, Hursti, Jefferson, MacAlpine, Moss,
https://defcon.org/images/defcon-26/DEF%20CON%2026%20voting%20village%20report.pdf
Resources