Unpublished Guidelines Show The DHS Is Steering States Away From Insecure Internet Voting Options

from the good-move dept

The DHS has come out against internet voting. Sort of.

If there's anything less secure than electronic voting, it's internet voting. The temptation is to provide voters with more options if the pandemic continues to keep voters home. But guidelines from the DHS's redundantly-named Cybersecurity and Infrastructure Security Agency (CISA) say this risks the integrity of those votes by opening them up to attackers.

The eight-page document, obtained by the Guardian, pulls no punches in calling the casting of ballots over the internet a “high-risk” endeavor that would allow attackers to alter votes and results “at scale” and compromise the integrity of elections. The guidelines advise states to avoid it altogether or restrict it to voters who have no other means of casting a ballot.

No state is currently offering online-only voting, but the option used to collect votes from US citizens overseas is still pretty risky. The DHS doesn't consider the electronic delivery of ballots to be inherently insecure, but CISA's report points out attackers could intercept ballots en route and alter them by removing candidates' names, for example. Returning them electronically obviously poses the same risks: interception and alteration.

The worst option is the one no state has been willing to deploy… yet: online voting. The report says this method poses the highest risk of attack. Putting the whole thing online could compromise the security of the vote and voters, remove the secrecy that surrounds the public voting process, and potentially lead to wide-scale alteration or destruction of votes.

The only thing surprising about the DHS's guidance is that it exists at all. While concerns continue to mount about election security, the DHS has remained mostly silent, allowing the private sector and local governments to address these issues in their own way. This silence has continued despite the host of issues raised during the 2016 presidential elections. This is making some election integrity experts happy.

“Clear, explicit guidance from DHS that internet voting is not secure or trustworthy is long, long overdue,” says Susan Greenhalgh, the senior adviser on election security for the watchdog group Free Speech For People. “It has failed for four years to codify and publish that guidance in an effort to avoid antagonizing some state officials.”

But, as the Guardian points out, the DHS has not officially broken its silence about election security issues. The document obtained by the Guardian was not publicly released by the DHS. The document can't be found on CISA's site and no DHS official has commented on the document itself. So, while it's good guidance that brings common sense to internet-based voting, it doesn't appear to reflect the public face of the DHS's election security efforts.

Hopefully, this guidance has at least made its way to state governments even if the general public hasn't been entrusted with it. The guidelines will make electronic collection of voter information and votes slightly more secure and dissuade those unprepared to follow these steps from opting for riskier voting methods while dealing with the unforeseeable complications of a global pandemic.

Filed Under: cisa, cybersecurity, dhs, election voting, internet voting

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    Ehud Gavron (profile), 12 May 2020 @ 12:24pm

    10th Am?

    When it suits the US Federal Government they happily say "I'm not responsible" and "It's up to the States" and other such things.

    When it suits them they happily say "Here are the guidelines you must follow... to open your state... to have voting... etc."

    DHS and the Feds could take a role in fixing an election system that has been broken long before "hanging chads" (that was 20 years ago) but instead they've insisted it's up to states, counties, parishes, cities, etc.

    Yet here they are shown to have drawn up guidelines ... about a "problem" they aren't solving, merely indicating what should NOT be done.

    Security researcher Bruce Schneier has said it best. We need a paper trail -- and it doesn't have to be on paper. Internet voting would be fine if it was

    • secure [your connection cannot be intercepted in the clear]
    • authenticated [only you can cast YOUR vote and only once]
    • verifiable [at ANY time you can verify your vote was cast for the candidate(s)/position(s) you chose]

    There's no incentive on the part of any of the players who make money, including the jurisdictions "leasing the machines", Premier Election Solutions (formerly Diebold, to be easily confused with the same company who just had their ATM backend hacked), etc.

    Until the US moves from a "you grease my pocket, I buy from you your inferior product and then complain if the result isn't what I wanted" system, nothing will improve.

    Donny voted by mail.

    Me, I just want my "I voted" sticker so I can shame the kids on my lawn.


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.