Now I have your attention, we can discuss the NSA and Ed Snowden in a bit. Let’s start with an Editorial:
Protecting Against Russian Cyber Risks is Insufficient. The attention on Cybersecurity, election hacking and Russian interference is good. There are cyber risks and Russia is capable. We should improve our cybersecurity across the board, including elections. Every vote should be backed up by a, so called, voter verified paper ballot. Yet that is far from sufficient.
Cyber risks do not come from Russia alone; do not come from nation states alone; they come from hackers and political actors of all persuasions and motivations. There are also insider attacks, attacks from political actors, and their sympathizers. There is also the risk of error.
We focus too much on preventing attacks and errors, neglecting the equally important areas of detection and recovery. Ultimately prevention, at best, will always be an incomplete, never ending process. Detention and recovery means protecting paper ballots and actually using them. Using them means following up elections with sufficient post-election audits and recounts. Post-election audits with sufficient chance of detecting errors, expanding those audits when errors indicate that the apparent winners may be incorrect, expanding those audits ultimately, when necessary to full recounts. Audits should include process audits to assure that registration lists and voters checked in were accurate enough to guarantee the election was fair. When all else fails, being ready to rerun critically flawed elections.
Snowden and the NSA
This is not about what Ed Snowden did, but how he did it. Snowden was able, because as a single contractor, he had the keys to the kingdom! All the cyber expertise of the NSA came down to one individual who had the information and the capability to expose everything. The motive and opportunity. He could just have easily have gummed up the works of the entire NSA system. Most systems have such people – they know the technology and are key to keeping it working. We need them. The system needs them. How many are there? Likely a lot more than we think. In the NSA, every critical support person with access to the NSA system. Not just with password access to the official system: Also any one who supports the underlying software and hardware systems: application software, compilers, operating systems, mainframes, servers, routers, the network/phone system.
Every election office has those people and vulnerabilities. Every election official who has access to voting machines and memory cards over their lifetime. The contractors who program the memory cards. Postal employees, shippers, and contractors charged with the mail or package delivery of memory cards. The person in the mail room in town hall. How safe is the storage of the machines, memory cards, and paper ballots? How safe is town hall on weekends and overnight? Who is responsible for managing the town network and computers? Who are all the contractors in town hall? Or employed by the voting machine maintenance vendor? Are your election officials and town staff able to do what the NSA could not?
If you don’t believe this, trust me. I have been there in the bowels of a large company and working for small software companies supporting large companies and government agencies. Consider Chelsea Manning a single specialist at a computer in a war zone. Manning needed no technical expertise. None is required to program memory cards or clandestinely provide access to or conspire with those with expertise.
