What if this system could be hacked? "That's one of the biggest objections in my mind"

[dsernst]

A number of smart people have brought this up. Need to address this formally.

[dsernst]

Even more appropriate in light of all the talk in news right now about Russian hacking influencing US Presidential Elections.

• 2016-09-12, CBS: "How Russian hackers could disrupt the U.S. election"
• 2016-10-07, NYTimes: "U.S. Says Russia Directed Hacks to Influence Elections"
• 2016-10-11, BBC: "Why the US fears Russia is hacking its presidential election"
• 2016-10-12: CNN: "Feds believe Russians hacked Florida election-systems vendor"
• 2016-10-14 The Guardian: "Entire US political system ‘under attack’ by Russian hacking, experts warn"

[dsernst]

Could make comparisons to finance systems. As Henry said in "Why hasn't voting changed?":

Money is another technology where it's become much easier. We don't bring cash to the bank each time we get paid. We have checks and ATM. We can manage our bank accounts through a website or on our phones, and when we go to a store we can pay with a plastic card.

If it's possible to manage our life savings through computers, can't we digitize our voting?

Also worth pointing out that the stock markets etc are entirely digital.

---

It's important to have strong security and backup plans for both our financial systems and democratic systems. These points aren't to minimize that, just to think about it clearly.

• The financial sphere probably has many many times as much of an impact on any individual's day-to-day life, and yet it was still able to make the jump to digital.
• Another big difference: if an attacker gains hold of your bank account, they could empty out your savings one and done. But if an attacker gains hold of your democracy account, they would only have influence while they're within the system. Once the breach is detected and corrected, the damage is contained. And any unauthorized votes that were made could be retroactively nullified.

[dsernst]

Another important impact is for privacy: not good if attackers learn individuals' info that was meant to be private, like voting habits and voter registration.

• Important to learn from past mistakes like the 2015 discovery of a hack on the federal Office of Personnel Management, which compromised personally identifiable information of over 20 million people.
• Even the NSA, thought to be the foremost expert on cyber security, appears to have had a system compromised. 2016-08-18, MIT Technology Review "Computing Security Experts Agree: The NSA Was Hacked"

Very important lesson is the less we store, the less is at risk.

• [ ] Will need to develop sound policies about minimizing data retention, e.g. deleting voting records after they're no longer necessary, so less is at risk.

[dsernst]

The privacy concerns are related to Path to Decentralization, because as there's less of a dependence on a private DB, there's less private data at risk.

• Still keep in mind the lessons from the $60m DAO hack, $292m from Mt. Gox, and $65m from Bitfinex, etc :astonished:

[dsernst]

One option to reduce risk is to isolate the backends for voter registration from voting on legislation.

[dsernst]

Need to distinguish between hacks on the application that compromise the backend infrastructure vs hacks on the user (e.g. phishing, keylogger, compromised email) that are limited to compromising just that user.

Both are important to protect against, of course, but they have different consequences and different defenses.

Application

Consequences:

• Tons of very sensitive personal info is leaked: voter registration info, voting records
• Voting integrity is compromised. Legitimacy of legislation becomes suspect
• Attackers gain control over individual voters' accounts
• Attackers could impersonate the platform
• Huge loss of trust for the platform

Attack Vectors:

Defenses listed as sub-points

• Hardware physically breached.
  • All hardware's physical security audited.
  • Alerts set up if compromised.
  • Dead man's switch?
• Administrative credentials compromised.
  • Policies of tight credential access.
  • Admin's hardware ensured secure from software and physical compromise.
  • Rotated credentials.
• Vulnerabilities in application software.
  • Institute strong code-review policies
  • Commision white-hat penetration testing
  • Establish bug bounty program
  • Use more secure languages
• Vulnerabilities in underlying tech stack software.
  • Use mature software
  • Stay on top of updates
  • Minimize other software dependencies
• Software as a Service vendor goes rogue
  • Limit use of SaaS. Bring software onsite.
  • Assume and plan for the worst.

User

Consequences:

• Voter's vote is stolen
• Voter's delegatees could inherit an unrepresentative vote
• Voter's registration info & voting record privacy is compromised

Attack Vectors:

Defenses listed as sub-points

• Phishing
  • 2-factor auth
  • Detect & alert for anomalous login attempts
• User's hardware seized
  • Require hardware level authentication to log in (e.g. TouchID when opening app)
  • 2-factor auth
  • Process for user to report hardware missing
  • Detect & alert for anomalous login attempts
• User's hardware compromised through software (e.g. keylogger)
  • 2-factor auth
  • Detect & alert for anomalous login attempts
• User's email compromised
  • 2-factor auth
  • Process for user to securely change their email
  • Detect & alert for anomalous login attempts