{"id":781,"date":"2018-06-05T14:46:19","date_gmt":"2018-06-05T14:46:19","guid":{"rendered":"https:\/\/securitycurve.com\/?p=781"},"modified":"2018-06-05T14:46:19","modified_gmt":"2018-06-05T14:46:19","slug":"election-security-asymmetry-need-another-way","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=781","title":{"rendered":"Election security asymmetry: need another way"},"content":{"rendered":"

There’s been a bunch of interest out there on the wild, wild, world of web about election security.\u00a0 For example, today we have this article, that says 14 states have requested funding from congress to shore up the security of their elections<\/a>… and this one, that says New York is conducting drills of their election process<\/a> to see how vulnerable it is.<\/p>\n

Hey, New York, I can save you a bunch of money: it’s vulnerable.<\/p>\n

This is only what I pulled out of today’s headlines, but there’s been a ton of recent coverage about it the past few weeks.\u00a0 There are two things that strike me about this.\u00a0 1) timing and 2) the efficacy of these requests in the first place.<\/p>\n

First, the timing.\u00a0 Meaning, how late it is in the process that they’re trying to fix this.\u00a0 That’s of course assuming that the plan is to defend the midterms, which most of these articles seem to imply they’re trying to do.\u00a0 Like, it’s been two years since the “cyber atomic bomb” thing<\/a>\u00a0I was talking about the other day… and a good year since the US Intelligence report (January 2017<\/a>) about Russian intentions and methods for subverting elections.\u00a0 So WTH have people been doing in the meantime?\u00a0 Frankly, until states started asking for money, I sort of assumed that some “serious secret squirrel shiz” was going on behind the scenes and we just didn’t know about it.\u00a0 But I guess that’s not the case.<\/p>\n

The second thing that strikes me, and the reason I’m writing about it today, is the laughable asymmetry involved in expecting a US municipality – or a state even – to defend against a full blown nation-state class adversary.\u00a0 It’s patently ridiculous.\u00a0 On the one hand, you have an actor with multiple billion dollars of investments in offensive cyber capability, maintaining a stockpile of undisclosed 0day exploits, one or more sophisticated escalation harness, with access to cutting-edge techniques, near-limitless funds, and employing hundreds of dedicated engineers working day and night.\u00a0 On the other you have, say, Boise Idaho…<\/p>\n

…or Manchester New Hampshire (go Fisher Cats<\/a>) or really any other entity that might be .\u00a0 \u00a0Compare that to a traditional military campaign.\u00a0 Would we assume that the asymmetry didn’t matter there?\u00a0 For example, you’ve heard of the movie “The Russians are Coming<\/a>” (the one where the people in a small town off Maine think the Russians have come to invade them)?\u00a0 How realistic would it be, if that were in fact really happening, that Maine would have the resources to actually defend against a Russian invasion?\u00a0 That’s why that movie is a comedy.\u00a0 The plot of Red Dawn<\/a> aside, it’s pretty unlikely in a traditional military context that the David & Goliath story plays out where the little guy wins — unless there is some serious paradigm changing stuff that goes on.<\/p>\n

So why do we assume that funneling money to states for “election security” is even useful at all?\u00a0 No matter how much a state or local government does — or how much they spend — it’ll still be woefully asymmetric until and unless you have a similar power to help with defense.\u00a0 The US election system is not currently structured in such a way to allow this to happen – meaning, allowing federal resources to be used to help bolster a state or location election process.\u00a0 Could it happen?\u00a0 Sure.\u00a0 Will it?\u00a0 Unlikely.<\/p>\n

Even then though, recall that defense is always harder than offense in security.\u00a0 So even assuming that those resources were brought to bear, it’d still be dicey…<\/p>\n","protected":false},"excerpt":{"rendered":"

There’s been a bunch of interest out there on the wild, wild, world of web about election security.\u00a0 For example, today we have this article, that says 14 states have requested funding from congress to shore up the security of their elections… and this one, that says New York is conducting drills of their election […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[46],"class_list":["post-781","post","type-post","status-publish","format-standard","hentry","category-security","tag-elections"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/781","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=781"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/781\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}