The December 2022 issue of IEEE Spectrum is here!

Close bar

The Security Challenges of Online Voting Have Not Gone Away

Cybersecurity researchers warn that online voting is not yet safe—and may never be

4 min read
Do the perceived benefits of online voting outweigh the risks?
Photo: iStockphoto

Online voting is sometimes heralded as a solution to all our election headaches. Proponents claim it eliminates hassle, provides better verification for voters and auditors, and may even increase voter turnout. In reality, it’s not a panacea, and certainly not ready for use in U.S. elections.

Recent events have illustrated the complex problem of voting in the presence of a state-level attacker, and online voting will make U.S. elections more vulnerable to foreign interference. In just the past year, we have seen Russian hackers exfiltrate information from the Democratic National Committee and probe voter databases for vulnerabilities, prompting the U.S. government to formally accuse Russia of hacking.

In light of those events, the U.S. Department of Homeland Security may soon classify voting systems as critical infrastructure, underscoring the significant cybersecurity risks facing American elections. Internet voting would paint an even more attractive target on the ballot box for Russian adversaries with a record of attempting to disrupt elections through online attacks.

In the face of such an adversary, the few online voting trials that have been carried out in the U.S. do not inspire confidence. In 2010, Washington, D.C. ran a pilot of an online voting system and invited security experts to try to breach the system. Hackers changed all the votes in fewer than 48 hours. The 2016 Utah GOP Caucus included an online voting option that was rife with procedural mistakes that prevented an estimated 10,000 Utahns from using the system.

Online voting has also been conducted during live elections in places like Estonia, Norway, and Australia. It is hard to know the degree of security attained in these elections, because vendors and officials have no incentive to disclose suspected breaches. However, independent researchers discovered vulnerabilities in both the 2015 New South Wales online election and in Estonia’s system in a 2013 study. Among the problems that were discovered: exploitable vulnerabilities in the connections between voters’ computers and election servers, as well as procedural and architectural weaknesses that could allow state-level attackers like Russia to manipulate entire elections.

Voting is an unusually difficult security problem, because officials must guarantee a correct result while simultaneously ensuring that voters’ choices remain private—and all without  being able to trust any individual participants to act impartially. Furthermore, the election has to produce a result on election day, and we cannot delay voting or rerun the election if the system comes under attack. These requirements mean that traditional online security techniques, like those used to protect banking and commerce, are insufficient for elections.

Today, the vast majority of secure Internet communication takes place using Transport Layer Security (TLS), a cryptographic protocol in which vulnerabilities continue to be found. Three times in the past two years, researchers uncovered TLS flaws that could compromise up to one-third of popular sites. If an online voting system were among the susceptible sites, attackers might be able to intercept votes, discover how individuals voted, prevent votes from being cast, or even change votes.

For another sobering example of what might go wrong with online voting, look no further than the Mirai botnet attack which just last month interrupted access to many of the Web’s most popular sites. Had the target been an online election, large portions of the country would have been unable to vote.

Even if the election servers and communication channels are secure, online elections rely critically on the security of the devices voters use to vote. That’s a problem, because up to 30 percent of computers in the U.S. are already infected with malicious software, and malware could prevent ballots from being transmitted or replace them with entirely different votes.

Beyond these obstacles, an online voting system needs to securely authenticate voters’ identities. In Estonia—a country less populous than 41 U.S. states—this is accomplished using cryptographic chips embedded in every citizen’s national ID card which they scan using a card reader that they can attach to their laptops. We have no similar infrastructure in the United States, and a significant number of eligible voters lack any form of government-issued identification.

Overcoming these security challenges remains an area of active research. Computer scientists have proposed promising techniques for securing online elections based on advanced cryptography. It would let voters confirm that their votes were properly counted, without indicating to anyone else exactly how they voted. However, no technique has yet been demonstrated to be both practical enough for use by real voters and sufficient to protect against a well-resourced nation-state. There even remains considerable controversy amongst security and privacy researchers about what it means for an online election to be secure.

Even ignoring the security risks, the benefits of Internet voting are less certain than was once believed. Evidence from Estonia—including 1.5 percent rise in overall voter turnout due to online voting—suggests that most voters would have cast ballots even without Internet voting. Internet voting seems to primarily make voting easier for those who vote already. What is certain is that online voting would make it easier for external players to tamper with elections.

In light of the uncertain benefits of voting online, it is crucial that we in the United States not rush to entrust our democracy to it. Some of the most difficult unsolved problems in computer security stand in the way: authenticating remote users, protecting home computers from malware, safeguarding online communication, preventing denial-of-service attacks, and protecting critical infrastructure from nation-state attackers. These challenges are among the most exciting and important in computer science and engineering—and many are striving to address them—but it may be decades, if ever, before they are solved to the level that we can vote online with confidence.

Robert Cunningham is chair of the IEEE Cybersecurity Initiative. Matthew Bernhard is a second-year computer science Ph.D student focused on security issues at the University of Michigan and tweets from @umbernhardJ. Alex Halderman is a professor of computer science and engineering at the University of Michigan and director of Michigan's Center for Computer Security and Society.

The Conversation (0)

Metamaterials Could Solve One of 6G’s Big Problems

There’s plenty of bandwidth available if we use reconfigurable intelligent surfaces

12 min read
An illustration depicting cellphone users at street level in a city, with wireless signals reaching them via reflecting surfaces.

Ground level in a typical urban canyon, shielded by tall buildings, will be inaccessible to some 6G frequencies. Deft placement of reconfigurable intelligent surfaces [yellow] will enable the signals to pervade these areas.

Chris Philpot

For all the tumultuous revolution in wireless technology over the past several decades, there have been a couple of constants. One is the overcrowding of radio bands, and the other is the move to escape that congestion by exploiting higher and higher frequencies. And today, as engineers roll out 5G and plan for 6G wireless, they find themselves at a crossroads: After years of designing superefficient transmitters and receivers, and of compensating for the signal losses at the end points of a radio channel, they’re beginning to realize that they are approaching the practical limits of transmitter and receiver efficiency. From now on, to get high performance as we go to higher frequencies, we will need to engineer the wireless channel itself. But how can we possibly engineer and control a wireless environment, which is determined by a host of factors, many of them random and therefore unpredictable?

Perhaps the most promising solution, right now, is to use reconfigurable intelligent surfaces. These are planar structures typically ranging in size from about 100 square centimeters to about 5 square meters or more, depending on the frequency and other factors. These surfaces use advanced substances called metamaterials to reflect and refract electromagnetic waves. Thin two-dimensional metamaterials, known as metasurfaces, can be designed to sense the local electromagnetic environment and tune the wave’s key properties, such as its amplitude, phase, and polarization, as the wave is reflected or refracted by the surface. So as the waves fall on such a surface, it can alter the incident waves’ direction so as to strengthen the channel. In fact, these metasurfaces can be programmed to make these changes dynamically, reconfiguring the signal in real time in response to changes in the wireless channel. Think of reconfigurable intelligent surfaces as the next evolution of the repeater concept.

Keep Reading ↓Show less
{"imageShortcodeIds":[]}