The Central Role Of Authentication In Threats To, And Defenses For Modern Democracies

The US State of West Virginia are thinking through the next generation of electoral politics. Cybersecurity, let alone the cybersecurity of a democracy, has suddenly risen to the top of the agenda in light of the “election hacking” of 2016.

While the true effect of foreign hacking on the 2016 election has yet to be determined, between the hacking of the DNC and the compromise of voting machines in 21 states, there are few that can resist the fact that cybersecurity is now a critical concern for democracy. 

While the Mueller probe continues, governments - local and national, are thinking about how to defend against threats not to their computer systems, but democracy itself. 

Answers might not be forthcoming, but West Virginia is asking the right questions. In July, the state’s county clerks came together to learn about the security threats that electoral authorities face every single day. 

One of the more notable lessons of the day was simply changing passwords regularly, which many attendees didn't know they actually had to do. One clerk told press “it's a concern that we haven't been changing passwords all along. You know you get that password, and you're familiar with it and you use it more, especially in voter registration.”

If electronic voting is to become an everyday part of modern democracies, then strong authentication - of electoral offices as well as voters - will be the lynchpin of its success. A US Vote foundation report, released in 2015, highlighted, frankly, that “weak authentication mechanisms will not suffice. If an attacker has the technical means to impersonate one voter, he can generally automate and amplify his methods to impersonate thousands of voters with very little additional effort.”

West Virginia voting authorities are attempting to at least partially address this problem by testing out a new app - Voatz - which will be used by West Virginian service people stationed abroad during the 2018 midterm elections. 

Users will be authenticated biometrically with a selfie that is then matched against a state ID. When Election Day comes, they will then be prompted for some other means of biometric authentication, after which the app apparently uses Blockchain to record the votes and sends them to electoral authorities, who print the ballots out. 

This could be a real step forward for electoral politics, a field which has only really woken up to cyber threats in the last two years. While the app promises much, whether it can deliver the kind of security such an event would demand is a different question entirely.

Voatz has not yet been certified by the Electoral Assistance Commission and security experts have slammed the app, labelling the concept of mobile voting currently unworkable and the app promises to be fraudulent. 

However secure the Voatz app is, the security of that voters’ data is only as secure as their handset. If malware were to make its way onto that phone, then their votes and identity could be compromised.

Furthermore, if someone were to merely snatch the phone from a voters hand at the right time, then they could alter that person's vote. Blockchain might be able to help securely record the vote, but it can’t account completely for the identity behind that remote ballot. 

Voatz and the broader state of electoral security is far from perfect, but developments like these show that people are thinking about it, and focusing on the problems around authentication which are so central not just to voting, but to eGovernment as a whole. 

Elsewhere, there have been greater results. The Estonian voters use their unique government issued e-id as a digital signature to authenticate their identity and cast their ballot. Partly because of this, there have apparently been no major security issues over eight elections.

As the world’s most advanced digital democracy, Estonian online voting has afforded voters strong identity protection and the ability to vote remotely, where the physical act - through disability or location - might have prevented them from doing so. As of 2017, 30% of citizens now use online voting to cast their ballots. 

Governments around the world are working their way towards online voting as a way to maximize engagement and bring elections into the 21st century. A number have already rolled out limited versions and a recent UK government report has stated that it wants online voting as an option by 2020. 

The last couple of years have revealed just how sensitive even a technologically advanced democracy can be. In the near future digital elections will make their way further into the world’s democracies, and secure authentication will be the question around which of those developments succeed or fail. On this precipice of innovation, West Virginia’s example shows not just the risks but maybe some remedies too.

What’s Hot on Infosecurity Magazine?