Security is a critical element in elections. To deep dive this topic we interviewed Eduardo Correia, Smartmatic’s Chief Technology Officer. With almost two decades of experience in election cybersecurity and technology, Eduardo is well suited to answer important questions on this topic.
What do you see as the primary pillars of election technology security?
As I see it, there are four fundamental principles to good security and cybersecurity. Security must be comprehensive, balanced, organic and verifiable. Comprehensive means that it’s holistic. It takes a systems approach and considers all aspects of electronic, digital (cyber) and physical security together. It also includes the manufacturer’s operational and product-development security practices for their facilities and people. Balanced means that it’s developed with an eye toward device usability, performance during operation and cost – not just cost of security, but of the device or system as a whole. Organic means that the security is baked-in as part of the original product planning and development. It’s not bolted on; you don’t build a device and then try to figure out how to make it secure. This approach delivers better security and is less expensive in the long run. Verifiable means that the security can be objectively and independently validated.
We know that there are security standards, but beyond that, is security the same across the industry?
Not by a long shot! Think of security like soccer: the object is to win by scoring goals, but every team has its own strategy to put the ball in the net. Every company has its own approach to creating secure systems and working with teammates, such as election officials and suppliers. The goal is verifiably secure elections. We use a model that includes a security triad of process protocols — secure development, secure operations and internal verification – that are matrixed across six high-level security requirements: confidentiality, integrity, availability, access control, auditability and physical security. This ensures quality and consistency.
How does election technology enhance transparency?
When the process includes both paper and digital, you have parallel records that can be cross verified. But technology isn’t just parallel, it’s deeper than paper in that it creates multiple datapoints in the voting and tallying processes. Each one of these additional datapoints is a cross reference to validate the accuracy and authenticity of the vote. For example, the initialization report that’s generated on device startup confirms that there are zero votes in the system. You know you’re starting clean. It’s one more datapoint. Every datapoint is encrypted and has a digital signature to guarantee authenticity. There’s no way to substitute a datapoint or to add or subtract votes between datapoints.
What do you see coming down the road in terms of election security and cybersecurity?
Well, in the US the new VVSG guidelines will certainly be a big issue in the next few years. But more broadly, I think we’re going to see more emphasis on cybersecurity across whole networks and the entirety of all election infrastructure. I think you’ll also see many election organizations move cybersecurity off of the shoulders of election officials and administrators by hiring more dedicated IT/security experts. My company is continuing our work to bridge the gap between accessibility and security, ensuring that everyone will be able to vote privately and securely without being relegated to a “separate but equal” means of voting, which we all know are rarely equal.
Beyond secure technologies, what else should election officials look for in a technology partner?
The obvious answer here is a long history of both innovation and secure-performing products. But beyond that, it’s important that a technology provider is actively engaged in the larger security community. This helps them in several ways. It helps them keep up to date in a field that’s rapidly changing all the time. It lets them build relationships with experts outside of elections, so they can both give and receive advice to build and broaden their expertise. And finally, it lets them exchange resources to build their knowledge base.