There’s been a bunch of interest out there on the wild, wild, world of web about election security. For example, today we have this article, that says 14 states have requested funding from congress to shore up the security of their elections… and this one, that says New York is conducting drills of their election process to see how vulnerable it is.
Hey, New York, I can save you a bunch of money: it’s vulnerable.
This is only what I pulled out of today’s headlines, but there’s been a ton of recent coverage about it the past few weeks. There are two things that strike me about this. 1) timing and 2) the efficacy of these requests in the first place.
First, the timing. Meaning, how late it is in the process that they’re trying to fix this. That’s of course assuming that the plan is to defend the midterms, which most of these articles seem to imply they’re trying to do. Like, it’s been two years since the “cyber atomic bomb” thing I was talking about the other day… and a good year since the US Intelligence report (January 2017) about Russian intentions and methods for subverting elections. So WTH have people been doing in the meantime? Frankly, until states started asking for money, I sort of assumed that some “serious secret squirrel shiz” was going on behind the scenes and we just didn’t know about it. But I guess that’s not the case.
The second thing that strikes me, and the reason I’m writing about it today, is the laughable asymmetry involved in expecting a US municipality – or a state even – to defend against a full blown nation-state class adversary. It’s patently ridiculous. On the one hand, you have an actor with multiple billion dollars of investments in offensive cyber capability, maintaining a stockpile of undisclosed 0day exploits, one or more sophisticated escalation harness, with access to cutting-edge techniques, near-limitless funds, and employing hundreds of dedicated engineers working day and night. On the other you have, say, Boise Idaho…
…or Manchester New Hampshire (go Fisher Cats) or really any other entity that might be . Compare that to a traditional military campaign. Would we assume that the asymmetry didn’t matter there? For example, you’ve heard of the movie “The Russians are Coming” (the one where the people in a small town off Maine think the Russians have come to invade them)? How realistic would it be, if that were in fact really happening, that Maine would have the resources to actually defend against a Russian invasion? That’s why that movie is a comedy. The plot of Red Dawn aside, it’s pretty unlikely in a traditional military context that the David & Goliath story plays out where the little guy wins — unless there is some serious paradigm changing stuff that goes on.
So why do we assume that funneling money to states for “election security” is even useful at all? No matter how much a state or local government does — or how much they spend — it’ll still be woefully asymmetric until and unless you have a similar power to help with defense. The US election system is not currently structured in such a way to allow this to happen – meaning, allowing federal resources to be used to help bolster a state or location election process. Could it happen? Sure. Will it? Unlikely.
Even then though, recall that defense is always harder than offense in security. So even assuming that those resources were brought to bear, it’d still be dicey…