This project explores process composition tools as applied to elections, concentrating on mail-in and Internet voting. This includes exploring how to compose systems from pre-analyzed process components, how to analyze the vulnerability of the composed systems to attacks, and how to guarantee that important security properties hold for the resulting composed system. The underlying processes represent aspects of national and local elections, their composition produces an election process, and analysis of the composition gives insight into potential errors in, or attacks on, the election.
Elections are human-intensive processes: processes that directly involve humans in important decision-making and coordination activities, including their interactions with hardware and software components. Providing an approach for formally reasoning about human participation extends current security work. The project also breaks new ground by exploring process-based approaches for modeling and defending against attacks.
The project works closely with government agencies at both the national and local levels to provide in-depth realistic evaluation of results.
Election officials in the U.S. can directly employ the results of this work to make U.S. election processes more verifiably secure, simpler, and easier to change as new technologies, laws, and regulations are introduced. Moreover, the technologies developed in this project can be applied to most human-intensive processes that have critical security concerns.
Much computer science research into elections has focused on the computer systems and cryptographic protocols used, or proposed, to conduct elections. Less attention has been paid to the overall process of holding an election in which those systems or protocols are used. The goal of this project was to extend the application of a formal methodology, iterative process improvement technology, to analyzing the privacy, security, and reliability of election processes. Process improvement technology has been used to model and analyze the election processes of Yolo County, CA and Marin County, CA. The two models that were developed were very similar, which is not surprising, as both election processes are governed by the same set of laws, those of the state of California. However, certain elements differed, notably where the votes are counted (at the precinct, using precinct-count optical scanners (PCOS), or at Election Central, using central optical scanners). Even within each of the two jurisdictions, absentee ballots (called "vote by mail" or VBM ballots) are handled using procedures different from those for ballots voted at a precinct. This suggests that we can identify the components that differ between the models and develop "pluggable modules," or submodels, that can be "plugged into" a general model: we capture the common parts of the process in the general model, then add the specialized modules that capture the parts that differ. We developed such modules for parts of the vote-by-mail process and integrated them into the full process model. The benefits of this approach, beyond the technical ones of elegance and ease of modeling similar processes, lie in the ability to analyze how a change in the process affects the ways in which the task(s) in the substituted module can fail and thereby cause the overall process to fail.
So, for example, if a law changes how vote-by-mail ballots are handled, the new procedure for handling them can be modeled and plugged into the model of the existing process. We then define the hazards (failures) of concern and use automated techniques to derive fault trees describing how task failures in the process lead to those hazards. From the fault trees we can determine how to add controls or tasks that enable rapid detection of the failures and compensate for them.

An interesting aspect of this work involves the insider threat. First, we examine the tasks whose failure can cause a hazard to occur. Then we look at the agents (the roles in the process) who could cause those tasks to fail. In this way we identify the entities that can cause the process to fail. Further, when the model is instantiated, we can compare the actual people carrying out the process with the entities that can cause it to fail. If one person carries out the jobs of two entities, for example, then that one person can cause the failures that either (or both) entities can cause, and a hazard that the model assumed required collusion becomes achievable by a single insider. This work suggests that further exploration of this aspect of the insider problem may prove fruitful.

The domain of elections seems to be one in which new threats beget new defenses, which beget newer threats and defenses in a continuing spiral. Indeed, concerns about elections only seem to be growing as new features such as early voting, electronic poll books, and electronic vote recording and counting mechanisms are introduced. Many of these threats arise not from the technology itself but from its use and its place in the overall election process. By taking a holistic view of election processes, this project developed a framework of structure and reasoning within which approaches to improving the conduct of elections can be evaluated and improved. In this way, the project is playing a part in understanding and improving the elections underlying our representative form of government.
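The insider-threat analysis described above (find the task failures that produce a hazard, map them to the agents responsible, then compare those agents with the actual staffing) can be illustrated with a small script. This is an added example, not the project's own tooling or its Yolo/Marin models: the vote-by-mail sub-process, its five tasks, the fault tree for the hazard "a valid VBM ballot is not counted," and the two staffing tables are all constructed here for illustration. It computes the minimal cut sets of the fault tree (the smallest sets of task failures sufficient to cause the hazard), maps each cut set to the roles, and then to the people, responsible for those tasks, and reports which cut sets a single person can realize alone under each staffing.

```python
"""Toy insider-threat analysis over a process-model fault tree (constructed example)."""
from itertools import product

# Hypothetical vote-by-mail sub-process: each task is performed by one role (agent).
VBM_TASK_TO_ROLE = {
    "verify_signature": "signature_verifier",   # compare envelope signature to registration
    "log_rejection":    "rejection_clerk",      # record rejected ballots so the voter can cure
    "open_envelope":    "envelope_opener",      # extract the ballot from the envelope
    "scan_ballot":      "scanner_operator",     # feed the ballot to the central optical scanner
    "reconcile_counts": "reconciler",           # envelopes received vs. ballots scanned
}

# Fault tree for the hazard "a valid VBM ballot is not counted".
# A node is either a task name (leaf: that task fails) or ("AND" | "OR", [children]).
HAZARD_TREE = ("OR", [
    # A wrongly rejected ballot is lost only if the rejection is also not logged for cure.
    ("AND", ["verify_signature", "log_rejection"]),
    # A ballot dropped at opening or scanning is lost only if reconciliation also fails.
    ("AND", [("OR", ["open_envelope", "scan_ballot"]), "reconcile_counts"]),
])

# Two staffings of the same roles: one person per role, versus one person covering two roles.
STAFFING_SEPARATED = {
    "signature_verifier": "alice", "rejection_clerk": "bob",
    "envelope_opener": "carol", "scanner_operator": "dave", "reconciler": "erin",
}
STAFFING_CONSOLIDATED = dict(STAFFING_SEPARATED, rejection_clerk="alice")


def minimize(sets):
    """Drop any cut set that is a superset of another (keep only minimal ones)."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node):
    """Minimal cut sets of a fault tree: frozensets of task failures sufficient for the hazard."""
    if isinstance(node, str):
        return {frozenset([node])}
    op, children = node
    child_sets = [cut_sets(child) for child in children]
    if op == "OR":
        combined = set().union(*child_sets)
    elif op == "AND":
        # Every combination of one cut set per child, unioned together.
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {op!r}")
    return minimize(combined)


def responsible_people(cut, task_to_role, role_to_person):
    """The people who, between them, perform every task in a cut set."""
    return frozenset(role_to_person[task_to_role[task]] for task in cut)


def single_insider_cut_sets(tree, task_to_role, role_to_person):
    """Cut sets that one person can realize alone under the given staffing."""
    return {
        cut for cut in cut_sets(tree)
        if len(responsible_people(cut, task_to_role, role_to_person)) == 1
    }


if __name__ == "__main__":
    for label, staffing in (("separated", STAFFING_SEPARATED),
                            ("consolidated", STAFFING_CONSOLIDATED)):
        print(f"{label}: single-insider cut sets =",
              [sorted(c) for c in single_insider_cut_sets(HAZARD_TREE, VBM_TASK_TO_ROLE, staffing)])
```

With the separated staffing every minimal cut set spans two people, so the hazard requires collusion; once alice performs both signature verification and rejection logging, the cut set {verify_signature, log_rejection} becomes reachable by her alone. Re-running the same analysis after substituting a different vote-by-mail module is just a matter of swapping HAZARD_TREE and VBM_TASK_TO_ROLE.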