Eduardo Correia, our Chief Technology Officer, shared his ideas for strong election security during a recent webinar organized by Transparencia Electoral called, “Cybersecurity in the Election Process.” Corriea was joined on the panel by experts Diego Subero, officer in the OAS Cyber Security Program, and Alberto Uez, an elections IT consultant.
Eduardo covered three perspectives Smartmatic uses when supporting election management bodies (EMBs) in defining a security strategy.
First, election security must be a comprehensive concept. It must have a holistic approach that covers all aspects of the election – not just the technology.
Second, security must be balanced, guaranteeing the operational continuity of all the election processes without hindering them. In addition to security, a balance must be struck between other success factors, such as accessibility and transparency.
Finally, security must be verifiable. The mechanisms that are in force in an election must be verifiable and auditable by independent third parties.
A Comprehensive Approach to Election Security
Speaking about security from a comprehensive perspective, Correia emphasized that EMBs should not focus exclusively on systems. “You have to see the election process as a whole, and be able to track all the interactions, actors, processes, and activities that take place before, during, and after the election. Based on that, you determine the risks and understand the potential threats. Then you create a security strategy that includes not only digital safeguards, but also procedural ones. Both aspects are essential and complement each other to strengthen the security of an election.”
One of the main threats he mentioned does not focus on system vulnerabilities, but rather process vulnerabilities. During the forum he also addressed disinformation and fake news, and how they sow doubt in the process. “Once you have a secure process at the system level, you will still need a communication strategy to effectively explain those safeguards and the transparency mechanisms that exist to verify them.”
Striking a Balance in Election Security
Smartmatic’s expert explained that balanced security must consider the environment of the host country. “It is paramount to understand how the proposed security mechanism will be used, not only at the systems level, but at the process and activity level. You can then determine where those safeguards should be implemented, and/or what they should be. All mechanisms that have a positive impact and don’t hinder it should be considered.”
According to Corriea, EMBs need to make security decisions based on the lowest common denominator. For example, real-time voter authentication requires live network connections at polling stations. If a large percentage of stations don’t have guaranteed connectivity, it could hinder the entire network of stations and cause problems for otherwise fully functional locations. This could compromise security.
Election commissions must implement a balanced scheme and carry out a cost-benefit analysis of each security control that they want to implement.
Correia reminded participants that, “to achieve that ideal balance, different variables must be considered: usability, accessibility, performance, and even costs.”
Security from a Verifiable Approach
“The last tranche is the last defense strategy,” Correia said, referring to Smartmatic’s defense-in-depth scheme and the use of a paper trail. Physical copies of data points are a good mechanism to enhance transparency by giving all stakeholders an easy-to-understand mechanism to validate the legitimacy of results.
He explained that this trace must also be integrated, since it must allow voters and independent bodies to audit the process. “No one needs to blindly rely on the EMB or the technology provider to ensure the system’s security. Auditability guarantees it can be done through third parties, such as experts, witnesses, observers, and political parties.”