Podcast Episode 120: They Email Ballots, Don’t They?

In this week’s episode (#120): more than 100,000 U.S. voters submitted their ballots in the last presidential election via email in 2016. Despite that: hardly any attention has been paid to the security of email and online voting systems used by 32 states.  Also: anxiety about hacking of the midterm elections put the spotlight on state IT systems – particularly Secretary of States offices. But what is the state of state security? We’ll speak with Srini Subramanian of Deloitte about that company’s latest survey of State CISOs!

Vote by email? What a great idea!

It might be the election insecurity scandal you never heard of. In 2016, more than 100,000 voters across the globe, many of them U.S. service members, voted in federal state and local elections by email or using an online voting portal.

If emailing a ballot to a random address sounds like a sketchy way to vote, that’s because it is. Online voting options in 32 states have been subject to hardly any scrutiny by computer security experts or regulators, despite warnings about the inherent risks of such systems.

See also: As Election Threats Mount, Voting Machine Hacks are a Distraction

Jeremy Epstein, Association for Computing Machinery

In our first segment of the podcast, we’re joined by Jeremy Epstein of the Association for Computing Machinery (or ACM) and co-author of a recent report: Email and Internet Voting: The Overlooked threat To Election Security.

The report, conducted by ACM, Common Cause, R Street and the National Election Defense Coalition advises that states that offer vote by email or online voting options to abandon them pending “a major technological breakthrough or fundamental change to the nature of the Internet.”

The report also recommends a number of stop-gap security measures that can help limit the risk of voting by email – advice that Epstein likened to advising would be drunk drivers to refrain from driving “really drunk.”

“This is pervasive and a lot of it is quite risky,” he told me. “The technologies being used are developed in most cases by private companies with no standards. And there’s no certification or validation by any meaningful organization.”

State elections officials and Secretary of States offices often lack cyber security expertise to push back on vendors and insist on better security. However, even if they did it might not make a difference: the email system is inherently insecure. 

You might also listen to this podcast: Episode 96: State Elections Officials on Front Line against Russian Hackers

In this interview, Epstein tells us that experiments with email voting go back more than two decades – and that warnings about the security of such systems have gone right along with those experiments. Twenty years later, Epstein said, the fundamental risks haven’t changed, including malware, hacks of email voting systems, phishing and man in the middle attacks.

The State of State Insecurity

The midterm elections shone the spotlight on the security (and insecurity) of state IT networks, especially those connected to vote collection and tabulation. But all the news is not bad when it comes to Information Technology at the State Government. A new report out by the firm Deloitte finds that state level CISOs are well established within state governments and, more than ever, have the ear of chief executives like governors as well as legislators.

Srini Subramanian
is a Principal in Deloitte’s Risk and Financial Advisory Group and the State Government Sector Leader

But challenges remain. In our second segment, we speak with Srini Subramanian of Deloitte’s Risk and Financial Advisory Practice. In this interview, Sabrimanian says that states are goldmines of valuable data for cyber criminals and nation states -tracking their citizens from birth through death. They also share that data across agencies and between states and the federal government – making them a “target rich environment.”

As states have modernized their IT systems, they have incurred a wide range of new risks, he tells me: a trend that will only accelerate with the advent of the Internet of Things. In this podcast, Srini and I talk about the findings of the 2018 Deloitte-NASCIO Cybersecurity Study, which was released in October.