Federal security officials determined that the last election was secure, but cyber threats continue to evolve and election doubters have seized upon even simple equipment glitches and operational hiccups — like a printer mishap — to question results.
Open source software projects publish their source code under licenses that allow anyone to review and use it. Typically, volunteers develop and propose code modifications, like bug fixes and new features, to be considered for incorporation into the software.
This transparency into the code could dispel rumors, by showing doubters exactly how the processes work, according to Greg Miller, co-founder and chief operating officer of OSET Institute, an open source election technology research and development nonprofit.
“Generally, in an open source project, more people have access to view the code, which can lead to the discovery of vulnerabilities in the code sooner,” San Francisco stated in a 2018 assessment on the feasibility of the city creating its own open source voting system.
But malicious actors can view the code just like anyone else, and these projects must be ready.
Depending on how the open source projects manage bug reporting, ill-intentioned parties may be able to learn about issues before mitigations are fully implemented, wrote DARPA Information Innovation Office program manager Dr. Sergey Bratus. Malicious actors also could seek to infiltrate the community around the projects or sabotage the code.
Researchers, nonprofits, several counties and others have explored open source election solutions over the past decades. They’ve seen this as a way to introduce new ideas and features not currently available from commercial systems, add transparency and potentially reduce governments’ expenses.
Uptake has been limited, however. For example, Travis County, Texas, completed design of its STAR-Vote project in 2017 but was unable to get a vendor to produce it. Prime III — a university professor-developed accessible voting system released as open source in 2015 — is today only used in one county, despite successful performances in several jurisdictions.
Proprietary software still dominates the market, although some open source projects continue to push forward.
As they do, they’ll need to tackle questions over the best approach to safely launching and maintaining the projects and whether such offerings can gain traction.
Part one of this two-part series looks at the security concerns and practices at play in open source election projects, while part two examines what it may take for governments and vendors to adopt the offerings.
THE SECURITY DEBATE
Is open source more — or less — secure?
That is a question the U.S. military research branch, DARPA, is currently trying to answer.
Its SocialCyber program aims to examine threats to open source projects, which may be cyber or social in nature. Bad actors might attempt to insert back doors into the software, use influence campaigns to manipulate the communities that maintain the projects or even take over leadership of those communities, per MIT Review. And open source projects that rely on only a handful of contributors could theoretically collapse if one or two drop out.
“The DoD’s [Department of Defense’s] use of OSS [open source software] saves cost, increases maintainability and attracts developer talent, but also creates an unprecedented attack surface, in which many trusted software parts and paths are exposed to hostile manipulation,” wrote DARPA’s Bratus.
COMMUNITY GOVERNANCE
Different governance structures manage different open source communities, and choosing the right one can tamp down on risks of contributor defection or would-be saboteurs.
Many open source election software projects look to avoid relying entirely on the energy and interest of volunteers and emphasize carefully vetting their work.
The City and County of San Francisco
San Francisco has been exploring replacing its electronic voting machines with an open source solution. Its 2018 feasibility assessment weighs various approaches and suggests the city and hired contractors build the initial code. The city would only later look to the open source community for new feature contributions, after a “workable offering gets off the ground” and after the city has fostered a community around the project that has “been proven to be engaged and reliable.”
The city could partner with an existing open source voting group and should hire an open source program manager to “focus on evangelism to grow the community, communication with the community and community structure and operations,” the assessment proposed. A separate professional could focus on considering and incorporating community contributions and creating documentation.
OSET Institute
OSET, too, has paid professionals overseeing its projects, to keep them on track and maintained. The organization also follows a risk management framework based on NIST standards for vetting both contributed code and code being publicly released.
And its work isn’t entirely in the public eye: about a third of the institute’s work is publicly available on GitHub, where anyone can submit contributions for consideration. The rest of the work, however, takes place in a private, “far more controlled” developer environment, Miller told Government Technology.
Would-be contributors must pass a vetting process that includes an FBI background check before they can get involved in any of the projects that could be used for election administration. Tools for activities like checking one’s voting registration status, meanwhile, require less clearance.
That high barrier to entry is unusual for the open source community, but necessary if government is to trust the offerings, Miller said. The organization has encountered threats in the past.
“On more than one occasion, we have had a developer who was making great contributions to the code base turn out to be somebody that the FBI informed us was not an individual that we should be working with,” he said. In one case, a participant was found to be “shuttling information abroad.” In another, the FBI discovered that a paid engineer had misrepresented their location and was accepting payments in a sanctioned country.
“I was brought in to the FBI. And I was shown who the person actually is,” Miller said. “It was jolting.”
Los Angeles County
Los Angeles County built its voting system using open source codebases and is seeking approval to release the system as open source, County Registrar Dean Logan told GovTech.
Should Los Angeles County publish its code, it intends to keep tabs on who engages. Those seeking to view or propose changes to the code would need to submit a “simple online application” form listing details like the person or entity’s name and reason for accessing the code, per the most recent “Preliminary Conditional Implementation Plan.” A team would review the requests, verify the user and make a record of their application information.
Another protective measure against malicious actors: California’s security and certification framework for voting systems “require[s] us, prior to any election, to escrow our code and also to certify a hash version of the software that we're using in the election with the Secretary of State, so they can match it against the code that's in escrow.” Logan said. “There is documentation and transparency to demonstrate that there hasn't been anything malicious introduced into the code since it was certified and tested. And that, while people might have access to view the codebase itself, they don't have access to get in and make changes to the code — at least not to the version of the code that's being used in the active elections.”
ElectionGuard
DARPA’s Bratus warned that projects’ policies around how bugs are reported could present further risks.
“For OSS projects that take the stance of not publicly distinguishing between exploitable bugs and functional bugs, adversaries may glean critical information before mitigations are completed, and interfere with the mitigations,” Bratus wrote.
Microsoft-sponsored open source software development kit (SDK) ElectionGuard addresses such concerns. The project site asks the community to report only “performance or feature bugs” in public GitHub comments and to follow separate restrictions for reporting discovered security vulnerabilities.
TRANSPARENCY V. RUMORS
Election denialism flourishes when the public doesn’t know what’s going on, said OSET’s Miller. Open source provides transparency to counter such fears.
“The goal of the voting system is not to convince the winner that they've won. The goal of a voting system is to convince the loser and their supporters that they've lost fair and square,” Miller said. Switching from proprietary software to open source is trading “a black box” for “a glass box.”
“As long as you have opacity or obsolescence, you give fuel — you give oxygen — to the deniers to make the argument that the system can't be trusted,” Miller said.
But open source projects must still be ready in case rumors pop up. For example, they should be prepared to communicate in case a bug discovery gets blown out of proportion, said L.A. County’s Logan.
Bad actors may try to “create a perception of vulnerability, or a perception of a security risk, that may or may not exist,” Logan said. “But once somebody puts that out there, it puts us in a defensive stance, which could create issues of public trust and confidence in the voting system.”
Dana DeBeauvoir is a member of OSET Institute’s board of directors and previously led the creation of STAR-Vote in her former role as Travis County Clerk.
Politicians and the general public at times cast doubt even on third-party audits of election systems. But making a system both open source and auditable can change that dynamic by putting so many eyes on the process that its results are harder to dispute, DeBeauvoir said.
“If it wasn’t your auditor, your friend, doing the audit, then nobody believed you,” DeBeauvoir said. But with open source, “if 1,000 eyes are all seeing the same thing, then it's a little hard to say that there's something wrong with it, or that it's hiding some Trojan problem or that it's inadequate, or incompetent in some way … a reasonable person could not question it.”
INNOVATING SECURITY FEATURES
Miller believes nonprofit open source projects like his OSET Institute are well-positioned to introduce new approaches that reflect updated thinking on cybersecurity and physical security.
For example, his company is preparing to pilot a voting registration database security system. The system tracks changes to voter rolls in a distributed ledger, to provide an immutable record that can be checked against claims of problems, such as duplicate votes and votes by dead people.
Miller said open source groups have greater freedom to invest in exploring new election administration ideas than do commercial vendors, because the latter are too constrained by the need to quickly demonstrate returns on investment and meet other commercial pressures.
“Innovation thrives unbridled, in the absence of restrictive commercial mandates,” Miller said.
Still, financial concerns are inescapable, especially for open source projects that avoid full reliance on volunteers. OSET Institute, for example, needs to raise millions of dollars to enable finishing and certifying its in-the-works open source software framework in time for the 2026 elections, Miller said.
And designing a secure offering is only one piece of the puzzle. Getting it used is a whole other question.
Jurisdictions need to be prepared to download and use the open source offerings or vendors need to take up the open source code and provide it to jurisdictions in a ready-to-go way.
Dr. Juan Gilbert is chair of the University of Florida’s Computer and Information Science and Engineering Department and first developed Prime III in 2003, before releasing it as open source in 2015.
But Gilbert said that the security debate around open source is “irrelevant. You don't even get to that conversation,” he told GovTech.
In his experience, even if the software works well, vendors haven’t been eager to embrace it and, too often, other factors have discouraged jurisdictions directly using the open source offerings.
What challenges can hold back jurisdictions from engaging with open source projects, what are the chances vendors will pick up these offerings and can open source tech still improve the election landscape, even if they don’t get made?
Stay tuned for Part 2.
