To be truly effective, efforts to secure our elections must go beyond upgrading or replacing election equipment and look at the voting process as a whole, according to a new white paper from the Center for Advanced Communications Policy at the Georgia Institute of Technology.
In the paper, Revisioning the U.S. Elections Process: Voting Security and Election Technology, CACP researchers say the United States should develop strong, voluntary national standards for the design, assessment, and management of voting systems that address cybersecurity concerns as part of a broader multilevel integrity, security, and threat-reduction strategy.
“Such a systems-based, multifactor approach not only monitors and assesses the various security failure points but has a wider scope that addresses other factors in the electoral process that include the issues of privacy, ability to participate (e.g. accessibility and usability considerations) as well as transparency, and confidence in the electoral institutions,” lead author Paul M.A. Baker wrote in the report.
Baker is senior director of research and strategic innovation at CACP.
Voluntary Model Would be Similar to Wi-Fi, Bluetooth Certifications
In the paper, CACP concludes that a new, cost-effective approach would encourage vendors to certify their systems through a voluntary independent review process utilizing comprehensive national standards analogous to those that govern the implementation of Wi-Fi and Bluetooth.
The review process would employ a standardized model called the General Model for Voting System Security (GMVS). The model includes recognized risks and threats to candidate voting systems, and would be used to evaluate voting systems.
Ideally, such a model, part of a larger, Independent Assessment Framework (IAF) under development by CACP, would cover other aspects of the electoral process, including procurement, staffing, vendor management, ballot security, privacy issues, and other factors.
“The idea is that the security assessment model could be applied by any organization that does appropriate evaluation and assessment of technological risk and security,” Baker said.
The approach would provide U.S. cities, counties, and states with objective, standards-based assessments of the security profile of proposed voting solutions, saving lawmakers and elections officials time, money, and confusion, and also helping ensure renewed confidence in voting systems.
“If we were to adopt a standard security and risk assessment model, it could have a significant impact on helping election officials cut through the flood of often conflicting, highly technical information that is damaging the credibility of election technology,” he said.
Voting Technology is Just Part of the Puzzle
The researchers note that cybersecurity concerns and arguments over the types of voting technologies—touchscreen versus ballot-marking versus fully paper systems, for instance —have taken center stage in recent discussions of election security.
Such an approach oversimplifies the complexities of election security, as significant problems also occur elsewhere—particularly in design and implementation of voting processes in general, the CACP report finds. These kinds of issues are not necessarily resolved by choosing a different voting system or format, but by actually making sure the security of a system fully addresses a wide range of threats, Baker said.
“Regardless of the initial arguable conceptual pros and cons regarding ballot scanners and touchscreen-based voting, the main security concerns result from systems that were designed and implemented without a sufficiently comprehensive definition of security, in all its dimensions,” Baker writes in the paper.
Development of a reference voting system security model is under way, with CACP and researchers at the Georgia Tech Research Institute (GTRI) contributing to the work. It is expected to be complete in mid-June.
The elections integrity research project was supported by funding from voting systems vendor Smartmatic.
The analysis and proposed model draw on existing strengths at Georgia Tech, including GTRI’s Cybersecurity, Information Protection, and Hardware Evaluation Research Laboratory and CACP’s ongoing work in assessing voting technology usability. The Center also has written several policy papers on the accessibility and usability of U.S. voting technologies for people with disabilities, older voters, and non-native English speakers.
The Center focuses on key issues that influence the development, implementation and adoption of cutting-edge communications technologies.
It works to analyze policy issues and identify areas of opportunity for innovation, and frequently produces regulatory filings to help inform and shape the policy debate.
Research areas include wireless communications and platforms, accessible technology design and use for people with disabilities, emergency alerts and communications, higher education policy and evaluation, STEM education and workforce development, new communications modes such as social media and online participatory platforms, and the cultural impact of technology shifts.