Cyber-stability wonks add election-ware to ‘civilised nations won’t hack this’ standard

The Global Commission on the Stability of Cyberspace (GCSC) has called for an end to cyber-attacks on electoral infrastructure. The GCSC works to develop “norms” of behaviour it hopes governments and others will adopt in order to leave internet infrastructure untouched during conflict. The body believes that as the internet is …

  1. Mayday

    OK, so they asked nicely

    So this means that all the nasties will stop?

    Sure it will!

    1. veti Silver badge

      Re: OK, so they asked nicely

      So long as some of the nasties stop, that's still a win.

      Think of it like chemical weapons. Most civilised countries have stopped using those, at least most of the time. There are exceptions, but it's still a net improvement over the position 100 years ago.

      1. Mayday

        Re: OK, so they asked nicely

        I agree with you (hence upvote).

        However, there are a couple of differences with the chemical weapons comparison. One is that chemical retaliation can be avoided with both parties agreeing to the treaty, and also chemical weapons need to be manually loaded into a delivery system (i.e. bombs, artillery shells); much "hacking" can (not necessarily does) have a degree of automation about it.

        Lastly, these are really just nice suggestions made by some group as opposed to a defined treaty.

        1. Robert Helpmann??

          Re: OK, so they asked nicely

          I noticed that non-state actors were included in the mix.... So they are basically making a list for terrorists to follow when figuring out where to hit the rest of the world hardest. The point of this sort of agreement depends on states being signatories. How many non-states have signed the Geneva Conventions? As far as I can tell, maybe one and it very much wants recognition.

          1. Voland's right hand Silver badge

            Re: OK, so they asked nicely

            > How many non-states have signed the Geneva Conventions?

            There are states that have not, like North Korea.

            Similarly there are states which have signed it, but have decided NOT to ratify it so in effect their signature is null and void. The last annex on the annual OPCW report lists these. The list (states which have refused to ratify after a signature) is not widely advertised which is not surprising as it has ONE entry in it. Israel.

            Make your own conclusions on that any way you like it (IMHO this has the distinct smell of Dimona all over again).

            As far as non-states, the current conflict in Syria demonstrates that states signing it is rather irrelevant in this day and age. Specifically, the OPCW has had 100+ reports of incidents and 6 invitations to examine evidence of chemical attacks by non-state actors in 2017 (in their report). It did not attend EVEN ONE. At the same time it found resources to attend to 3 incidents by the regime. The numbers are out of the annual report of the Fact Finding mission on Syria available on their web site as a PDF. So if we continue the analogy with chemical weapons to elections, non-state actors like Fox, SCL, CA, etc can "influence" elections with impunity. They will not be even investigated.

            1. strum

              Re: OK, so they asked nicely

              >the current conflict in Syria demonstrates that states signing it is rather irrelevant in this day and age.

              No it doesn't - any more than a murder means that the law against murder is irrelevant.

          2. DavCrav

            Re: OK, so they asked nicely

            "I noticed that non-state actors were included in the mix.... So they are basically making a list for terrorists to follow when figuring out where to hit the rest of the world hardest."

            One consequence of this would be that non-state actors hacking proscribed infrastructure would become terrorists rather than hackers.

        2. strum

          Re: OK, so they asked nicely

          >Lastly, these are really just nice suggestions made by some group as opposed to a defined treaty.

          There already is a defined treaty (read the article). The aim is to extend and refine these agreements into a new treaty, over time.

    2. Mark 85

      Re: OK, so they asked nicely

      Well.... they did ask nicely. Job done and it's tea time. There won't be any more hacking now since the commission has spoken. I'm thinking they're the only ones who might believe this. I wonder if they'd be interested in buying a bridge? It's one owner and has a nice view of the river.

  2. Milton

    The self-created problem, easily solved

    "As more countries opt to digitise their election machinery, the risks and vulnerabilities associated with such infrastructure increase manifold, as does the prospect of a major, offensive cyber operation"

    Which leaves the solution staring us in the face: do not allow e-voting for significant elections. Just because we can do this doesn't mean we should. It may ultimately be cheaper to move to e-voting; more convenient; give faster results; fill the pockets of the manufacturers of these machines: none of which is a good enough reason to have Vlad The Emailer install his preferred presidential candidate—or even simply to undermine confidence in the electoral system.

    If the UK, a heavily populated country, can conduct a highly trusted paper-based ballot system resistant to interference, there is no reason whatever why other well-regulated nations cannot do so as well. The UK's postal voting system, for those unable to cast a personal vote on the day, works well enough, and the many independent eyes watching a physical count are a solid force for honesty. Even an MP's hundred-vote winning margin is accepted in this country, after a recount.

    The problem with a goodwill-based approach as suggested in the article is that (a) politicians cannot be trusted to keep their word, ever, and (b) it isn't just politicians, their corrupt cronies, their armed forces or even their intelligence agencies who may interfere: it could almost as easily be the brilliant Fat Guy In Mom's Trailer in Louisiana; or the equivalent droog in Bumfuckgrad, Byelorussia.

    The makers of voting machines have tirelessly and consistently told us their devices are 100% secure (well, they would say that, wouldn't they?) and repeatedly been shown to be plain wrong. No knowledgeable person believes that any non-trivial computing device can be rendered perfectly secure.

    Why take this enormous, literally critical risk with national security ... when we Just. Don't. Have. To?

    1. Voland's right hand Silver badge

      Re: The self-created problem, easily solved

      > do not allow e-voting

      Election counting (which is the primary target for vote rigging) has been electronic in most countries around the world since the mid-'80s.

      The analysis, however, has not gone beyond basic cross reference so if you rig the transmit of the results you can pretty much own the elections in most countries.

      I am aware of only one country which has gone beyond cross-reference and bought proper anomalous voting pattern analysis and "suspect voter fraud analysis" plugins to their counting system. I even know whom they bought it from (it is a well known shop which writes AI+statistics based fraud prevention for banking, transaction systems, etc).

      The country is Canada by the way. There may be others, but stuff like this is usually not widely advertised.

      1. Stork Silver badge

        Re: The self-created problem, easily solved

        I am not sure what you mean by electronic counting. In Denmark it certainly wasn't before 92 when I first left, there was a manual count (with reps of political organisations participating) and the result of every polling place published in national newspapers - then the ones present could check.

        Perhaps backwards, but takes a lot of effort to fake.

        1. Anonymous Coward

          Re: The self-created problem, easily solved

          I think a lot of people outside the US don't understand how our elections are conducted, and why we can't use paper ballots and manually count them that evening. Elections are conducted by the states, and assigned to the counties, which divides them into precincts. You don't get a ballot for president with a few choices, you get a ballot for president, a congressman and then a whole host of state, county and city positions ranging from governor (though most states do those in years like 2018 where there aren't presidential elections) to state water commissioner, election/approval of judges in some states, county board of supervisors, auditor, treasurer and so forth, city council, probably even animal control officers in some places. Then you might have a number of measures on the state and local levels to approve or disapprove.

          Another problem is the size of precincts, which tend to be pretty large in the cities. To no one's surprise, the largest ones are in predominantly black areas in big cities (especially in swing states like Florida) because it acts as another way to suppress their vote by making them wait in long lines to vote. Where I live I have never had to wait in line for more than two minutes, and haven't ever seen or heard of lines that extend outside the polling place where bad weather will also help suppress the vote in overly large precincts.

          The ballot where I am is typically a 10x17" sheet of paper, with two columns of items on both sides. You really think people can accurately count all that stuff by hand at night after they've been volunteering at the precinct since probably 7am or so, especially in the really large precincts? This is the "paper ballot" I get, which as far as I know is pretty standard for the US, which I feed into one of those bubble scanner machines to electronically score. Now sure, some would suggest the US could have a different election day for president/congress and make hand counting easier, but I don't think that's necessary.

          Even if you want to use fully automated touch screen machines to vote, so long as it produces a paper trail and the voter is encouraged to check it before putting it into the ballot box then you have no problem. Electronic distribution and counting of votes so you can quickly announce the results as demanded by the media is fine, provided you later verify that electronic tally by inviting representatives of political parties to participate in a mandatory recount the next day.

          They count things up, and send their totals in to be posted on a website with all the other totals nationally, and automatically added up and shown alongside the electronic tallies. As with Stork's Denmark example, those present at the precinct could check the web site to make sure the recount tallies reported are what they recounted.

          If there's a discrepancy of a few votes here and there that don't change the result, no worries, but obviously you'd have processes to deal with close results where maybe the discrepancy matters as well as precincts where the discrepancy is large and something obviously went wrong somewhere.

          Personally I would only require manual recount of a few percent of randomly selected precincts (the sample size and procedure for randomly selecting precincts determined by a panel of statisticians) and so long as they are all within a reasonable statistical margin, you consider it good (unless there's a challenge that requires a full recount, but the party asking for the recount should pay for it unless the result is within some small margin statisticians will also determine). If the few percent count isn't within a reasonable margin then you conduct a full recount automatically paid for by the state, and any statistically significant deviations are thoroughly investigated and remedied.

          1. ArrZarr Silver badge

            Re: The self-created problem, easily solved

            And yet elections in the US were carried out before the invention of the computer, by using telephones.

            And yet elections in the US were carried out before the invention of the telephone by using telegrams.

            And yet elections in the US were carried out before the invention of the telegram by using horses.

            1. Anonymous Coward

              Re: The self-created problem, easily solved

              Sure, but they didn't have ballots nearly as long in the horse & buggy days, nor were people so concerned about finding out who won quite so immediately.

              Given the lack of trust in the election process by some, both deliberately sown by Trump as well as residual cynicism from the 2000 debacle, a result that took several days to report would probably be seen as signs of "the fix is in" by a not insignificant portion of voters (at least by those whose candidate lost). That can't be good for a democracy. Not saying "fast is better than accurate" but taking measures to ensure accuracy while still being fast is better than either fast or accurate alone.

      2. Claptrap314 Silver badge

        Re: The self-created problem, easily solved

        The rule in Texas was that a certain number of randomly selected precincts would have their results hand-checked on the presumption that this would catch larger operations. And for close results, hand recounts of the entire thing were not that rare.

        Assuming you have ballots to count.

  3. Destroy All Monsters Silver badge

    Optional

    > Bad Vlad won't care

    So has election-ware even ever been hacked by Bad Vlad?

    Curious minds not hooked into the US propaganda machine want to know etc.

    > But this puts voting infrastructure on par with DNS and BGP

    I dunno. It's mostly closed source created by lowest-bid programmers and sold dear, possibly running Windows Embedded, and unaudited because "muh trade secrets". So not the same at all.

    1. Voland's right hand Silver badge

      Re: Optional

      > unaudited because "muh trade secrets"

      Unaudited is the least of the problems. In 99% of countries and jurisdictions there are no official test cases and there is no test suite - this is left to the contractor.

    2. Anonymous Coward

      Re: Optional

      If you assume everything coming out of the US is propaganda then I guess you'll ignore this, but the FBI said they found clear evidence of successful penetration of election computers by Russians in a number of states. All was pre-election, and none affected the actual voting machines (which probably says more about the fact that since they're only used once a year, aren't going to be left plugged in and networked 24x7x365 than it does the security of those machines).

      Probably the only thing they got from this was the voter registration rolls in some states, which would include name, address, birthdate, last four of SSN or driver's license number, and political affiliation (or 'independent'). If they managed to get themselves a copy of the information from the Equifax breach they have all that and more, except for the political affiliation which is probably not hard to guess based on one's address and the other information in the Equifax breach that would determine income, occupation, type of car driven and so forth.

      Just because the breach didn't allow them to change results, doesn't mean we shouldn't be doing a hell of a lot more to prevent another breach, and other countries shouldn't be wary.

  4. Michael H.F. Wilkinson Silver badge

    Sounds like a useful declaration

    just like that one from Munich, way back when

  5. Martin Gregorie

    ..but some states don't care

    If you want a good analysis of how not to run elections, read "Re: Securing Elections (RISKS-30.69)" by Mark E. Smith. Here's a link:

    http://catless.ncl.ac.uk/Risks/30.70#subj36

    It makes interesting, if depressing, reading. I was surprised to learn that surveys have shown that the typical US voter thinks that voting, i.e. filling in and submitting a ballot, is important but, having done so, really doesn't care whether his vote is counted or not. Doing his democratic duty is apparently all that matters. I'm left wondering how many other countries' voters think like this and sincerely hope the answer is NONE.

    1. ArrZarr Silver badge

      Re: ..but some states don't care

      I vote because I feel like I'm supposed to but am resigned to the fact that it actually didn't matter. Does that count?

  6. Anonymous Coward

    The global commission on the stability of cyberspace

    The Global Commission on the Stability of Cyberspace (GCSC), never heard of them.

    "Microsoft, the Internet Society and the governments of The Netherlands, France and Singapore have all funded the group."

    Ah, so a public relations effort. The problem would mostly go away if at least one of the above disconnected themselves from the Internet. Going on their website the 'Internet Society' is major into diversity and 'innovative licensing'.

    "The Global Commission on the Stability of Cyberspace (GCSC) has called for an end to cyber-attacks on electoral infrastructure".

    Who in their right minds connect their electoral infrastructure directly to the Internet? Has no one informed the GCSC that computers are being hacked over the Internet?

    All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state

    This isn't funny considering the numerous victims of such 'relations'.

    "The GCSC knows that those will be considered nought but noble words by some nations and non-state actors, who will carry on hacking regardless"

    I knew it, it was those commie Russian bastards all along, the ones that gave Trump the election through Facebook adverts.
