Cybersecurity and voting
With the current state of the pandemic, business operations have changed vastly from a year ago. One area of change has been voting. Before this turn of events, voters had the opportunity to vote in person or send in their ballots. While this has not been problematic in the past, technology has provided an additional option. E-voting is being researched and used in limited circumstances. The first significant, notable usage was in Iowa for the Democratic caucus. While this was used for the caucus and not the vote, it provided a test of how it could or could not work. It has been termed a disaster, with good reason. In 2020 this was attempted, with an epic fail. Per reports, the app was not tested properly, did not function properly, and placed the spotlight on what could go wrong, spectacularly.
After this epic fail, one would think a company whose primary business is e-voting would accept any viable assistance from responsible, reputable cybersecurity pentesting companies. The final report or deliverable would provide a roadmap to ensure, as much as possible, that there were minimal issues and that the issues encountered were not critical. This assistance would provide assurance, or work to ensure, that the spotlight does not shine on the e-voting business in a negative light.
Well, this is not always the case. Voatz is in the business of creating e-voting software. The company wants the CFAA (Computer Fraud and Abuse Act, commonly used as a threat against cybersecurity researchers) to be broadly interpreted so that anyone (i.e., cybersecurity researchers) who violates the Terms & Conditions (T&C), which no one really reads, would face federal criminal charges. The loose application would allow for wider prosecution and give businesses more avenues to dissuade anyone, including those without malicious intent, from being transparent about those businesses' oversights. This would effectively leave most in the industry with their heads in the sand.
Possibly what brought this to the forefront, along with the company's own lack of cybersecurity focus, was that MIT researchers discovered many flaws in its e-voting software. This is the very software we depend on for our elections, which can't be redone without a massive amount of work, expense, and a significant amount of global ridicule and embarrassment. In an attempt to put this in a positive frame somehow, Voatz hired its own cybersecurity researchers, whose research arrived at nearly the same conclusion. In short, the Voatz software is holier than Easter Sunday.
In closing, in cybersecurity as with most things, the more eyes on the objective the better. Also, the responsible thing to do with a product or service is to test it until the cybersecurity vulnerabilities are at a minimum and manageable, which does not appear to have occurred here.