TGDC Meeting, July 2010

Security Considerations for Remote Electronic UOCAVA Voting
Andrew Regenscheid
National Institute of Standards and Technology
DRAFT
Overview
- Background on NIST UOCAVA Voting Work
  - Threat Analysis on UOCAVA Voting Systems
  - Information System Security Best Practices for UOCAVA Supporting Systems
  - Security Best Practices for the Electronic Transmission of UOCAVA Election Materials
- Overview of Security Considerations for Remote Electronic UOCAVA Voting
Background - 1
- NISTIR 7551: A Threat Analysis on UOCAVA Voting Systems
  - Concluded that threats to electronic transmission of registration materials and blank ballots can be effectively mitigated with widely deployed technology
  - Threats to electronic return of ballots are more serious and challenging to overcome
- Multi-track approach
Background - 2
- Registration/Ballot Return
  - Developed two best practices documents:
    - Information System Security Best Practices for UOCAVA Supporting Systems
    - Security Best Practices for the Electronic Transmission of UOCAVA Election Materials
- Ballot Return
  - Research document framing important security issues for policymakers: Security Considerations for Remote Electronic UOCAVA Voting
  - Collaboration between NIST computer security and human factors experts
Report Overview - 1
- Security Considerations for Remote Electronic UOCAVA Voting
- The report identifies:
  - Potential benefits
  - Desirable security properties
  - Major security threats
  - Current and emerging technologies
  - Open issues
Report Overview - 2
- Organized by security goals:
  - Confidentiality
  - Integrity
  - Availability
  - Identification and Authentication
Report Overview - 2
- Potential Benefits
- Desirable Properties
  - Based on properties/requirements in:
    - SERVE documentation
    - Internet voting Common Criteria Protection Profile
    - Council of Europe standards
Report Overview - 3
- Threats
  - Identifies and describes major threats
  - Based on threats identified in NISTIR 7551: A Threat Analysis on UOCAVA Voting Systems
- Current and Emerging Technologies
- Open Issues
Confidentiality - 1
- Potential Benefits
  - Strong technical ballot secrecy protections
  - Some protection against unsophisticated coercion attacks
Confidentiality - 2
- Desirable Properties
  - Ballot secrecy
  - Protect voter registration information
  - Incoercability
  - Minimal storage
  - Limited communication
Confidentiality - 3
- Threats
  - Violating ballot secrecy at the election office
    - Small-scale violations possible with mail-in/fax voting
    - Large-scale violations possible with electronic methods
  - Violating ballot secrecy in transit
    - Generally difficult with mail-in, fax, and telephone voting
    - Possible with unencrypted Web-based methods; easy to protect
  - Coercion
    - Small-scale attacks via mail-in voting
    - Attacks scale better with electronic methods
    - Client-side threats to web voting
Confidentiality - 4
- Mitigations for Electronic Transmission
  - Proper use of cryptography can provide strong protections for data in transit against modification or interception
  - Cryptography, access control mechanisms, and separation of duties can protect ballots at rest, with some trust assumptions
  - End-to-end cryptographic voting protocols can provide additional strong protections against modification on servers
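As an added illustration (not part of the NIST report or this deck) of the at-rest mitigation above, the following Go code models a double-envelope hand-off: the voter encrypts the ballot to the tally component's public key and signs the ciphertext; the registrar, which holds the registration list but (trust assumption) never the tally private key, verifies eligibility and the signature, then strips the identity before passing only the anonymous ciphertext to the tally component. All names, key pairs and the ballot format are constructed for the example; RSA-OAEP as used here only fits short ballots.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is the electronic analogue of a mail-in outer envelope: identity plus a
// signature over the sealed (encrypted) ballot inside it. Constructed for this example.
type Envelope struct {
	VoterID string
	Sealed  []byte // ballot encrypted to the tally component's RSA key (OAEP, short ballots only)
	Sig     []byte // voter's Ed25519 signature over Sealed
}

// Voter side: encrypt to the tally key so the registrar cannot read the ballot, then
// sign the ciphertext so modification in transit is detectable by the registrar.
func sealBallot(voterID string, ballot []byte, tallyPub *rsa.PublicKey, voterPriv ed25519.PrivateKey) (Envelope, error) {
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, tallyPub, ballot, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{VoterID: voterID, Sealed: sealed, Sig: ed25519.Sign(voterPriv, sealed)}, nil
}

// Election office: check registration and signature, then strip identity. Trust
// assumption: this component never holds the tally private key, so it cannot link
// a voter to ballot contents even though it sees the voter's name.
func registrarCheck(env Envelope, registered map[string]ed25519.PublicKey) ([]byte, error) {
	pub, ok := registered[env.VoterID]
	if !ok {
		return nil, errors.New("voter not registered")
	}
	if !ed25519.Verify(pub, env.Sealed, env.Sig) {
		return nil, errors.New("signature invalid: ballot modified or not from this voter")
	}
	return env.Sealed, nil // identity removed before hand-off to tally
}

// Tally component: holds the election private key but only ever receives anonymous
// ciphertexts from the registrar, so it cannot learn who cast which ballot.
func tallyOpen(sealed []byte, tallyPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, tallyPriv, sealed, nil)
}
```

If the registrar and tally roles collapse into one process holding both the registration list and the tally private key, the secrecy argument fails, which is the trust assumption the slide refers to.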
Integrity - 1
- Potential Benefits
  - Authenticity of electronic records
  - Strong integrity protections in transit
Integrity - 2
- Desirable Properties
  - Data Integrity
  - Accuracy
  - Auditability
  - Verifiability
  - Traceability
  - Recoverability
  - Software Integrity
Integrity - 3
- Threats
  - Ballot modification after reception
    - Procedural protections for mail-in/fax voting
    - Variety of potential sophisticated large-scale attacks on electronic systems
  - Ballot modification in transit
    - Generally difficult with mail-in, fax, and telephone voting
    - Possible with unencrypted Web-based methods; easy to protect
  - Software-based threats, server-side
  - Software-based threats, client-side
    - GTISC: 15% of US computers infected with botnet malware
    - Malware kits available on the black market for <$1000
Integrity - 4
- Mitigations for Electronic Transmission
  - Client-side protections are very difficult
    - These systems are typically outside the control of election officials
    - Antivirus/antiphishing software may not be present, up-to-date, or effective
    - An area with continuous research and development
  - Emerging technologies: trusted computing and/or virtualization
  - Kiosks can enforce protections
Availability - 1
- Potential Benefits
  - Timeliness of delivery
  - Confirmation of receipt
  - Flexibility of physical locations
Availability - 2
- Desirable Properties
  - Availability
  - Reliability
  - Recoverability
  - Fault-Tolerance
  - Fail-Safe
  - Scalable
Availability - 3
- Threats
  - Transit times
    - Overseas mail delivery times vary (e.g., 7-12 days to the Middle East)
    - Electronic systems have significant advantages
  - Denial of Service attacks
    - Cyber attacks on e-commerce sites, Estonia (2007), Georgia (2008)
    - Difficult to guard against, but easy to detect
  - Client-side disruption
    - Small-scale attacks with mail-in voting
    - Large-scale attacks possible with electronic methods (e.g., malware)
Availability - 4
- Mitigations for Electronic Transmission
  - Attacks on availability cannot be prevented, but can be made more difficult
    - Redundancy and over-provisioning
    - Coordinating with Internet service providers for filtering
    - Emerging technology: cloud computing
  - DoS attacks are difficult to prevent, but easy to detect
I&A - 1
- Potential Benefits
  - Automated authentication mechanisms
  - Strong remote authentication
I&A - 2
- Desirable Properties
  - Voter/Administrator/Component I&A
  - Non-transferable credentials
I&A - 3
- Threats
  - Strength of authentication mechanisms
    - Mail-in, fax, and rely on verification of hand signatures
    - Stronger mechanisms available for web-based systems
  - Credential selling
    - Same impact as vote selling
    - Large-scale attacks possible depending on the authentication mechanism (e.g., PIN, password)
  - Phishing/Pharming
    - Major threats to web-based systems
    - 2008 Gartner report: 5 million victims
    - Low-tech, but highly effective attack
  - Malware attacks
    - May allow theft of voters' and administrators' credentials
  - Social engineering
    - May result in theft of administrator credentials
I&A - 4
- Mitigations for Electronic Transmission
  - Strong authentication mechanisms exist
    - PINs and passwords are cheap, but comparatively easy to steal
    - One-time password devices require deployment of physical devices to voters
    - Cryptographic authentication methods offer the strongest assurances, but may be expensive to deploy
  - Smart card authentication
    - Common Access Card already deployed to military personnel
    - Lack of smart card readers on personally-owned computers
    - Intended to be used by the 2004 SERVE project
  - In-person authentication at supervised kiosks
Next Steps - 1
- Best Practices documents
  - Use security best practices as input to updating the EAC UOCAVA Best Practices
  - Must also bring in usability, accessibility, and election management best practices
Next Steps - 2
- Security research documents
  - Threats, mitigating security controls, and current/emerging technologies will serve as the basis for draft risk management matrices
  - NIST will work with the voting community to fill in remaining issues
All documents will be available at: NIST UOCAVA Voting Documents