The Fiji Times » Complex systems and elections
Why are our IT systems so complex and insecure? Dullien from Google’s Project Zero provides an overview – which I refer to here – but then add my contribution based on decades of experience.
You’d think that would be a simple solution, but it’s a general phenomenon on all our computers: there are many layers between the application software that implements an electoral function (for example) and the transistors inside the computers that ultimately perform calculations.
These layers include the election application itself (for example, for voter registration or vote tabulation); the user interface (UI); the application’s execution system; the operating system (for example, Linux or Windows); system boot loader (for example, BIOS or UEFI); microprocessor firmware (for example, Intel Management Engine); disk drive firmware; on-chip system firmware; and microprocessor firmware.
For this reason, it is difficult to know for sure if a system has been compromised by malware or at what level.
One can inspect the application layer software and confirm that it is present on the system’s hard drive, but any of the layers listed above, if hacked, can replace a fraudulent application layer (e.g. vote counting software) at the time the application is supposed to run.
Therefore, there is no technical mechanism that can guarantee that every layer of the system remains unchanged and therefore no technical mechanism that can guarantee that a computer application will produce accurate results. Thus, computers are not secure because they have many complex layers.
But that doesn’t explain why there are so many layers, and why those layers are so complex, even for what “should be a simple thing” like counting votes.
Recently, I came across a very good explanation: a keynote speech by Thomas Dullien titled Security, Moore’s law, and the anomaly of cheap complexity at CyCon 2018, the 10th International Conference on Cyber Conflict, hosted by NATO.
As Dullien explains, a modern 2018 vintage processor contains a thousand times more transistors than a vintage 1989 microprocessor.
Peripherals (GPUs, NICs, etc.) objectively get more complicated at a super linear rate.
In his experience as a cybersecurity expert, the only thing that ever brought real security gains was complexity control.
His talk examines the relationship between complexity and security failure, and discusses the underlying forces that drive both.
The number of transistors per chip continues to increase every year; there are three new processors per human per year.
Device manufacturers are now developing their software even before new hardware is released.
IT insecurity is growing faster than security is improving. This is the anomaly of cheap complexity.
For most of human history, a more complex device was more expensive to build than a simpler device.
This is not the case in modern computing. It is often more cost effective to take a very complicated device and have it simulate simplicity than to make a simpler device.
This is due to economies of scale: complex general-purpose processors are cheap. And for a few years now, memory has been cheap.
I remember the days when there was a black market for memory chips because they cost a few hundred dollars each. On the other hand, custom-designed, simpler and application-specific devices, which could in principle be much safer, are very expensive.
This is guided by two fundamental principles in computer science: universal computation, which means that any computer can simulate any other; and Moore’s Law, predicting that each year the number of transistors on a chip will increase exponentially.
ARM Cortex-M0 processors cost a few dollars, although they were more powerful than some 20th century supercomputers.
It is the same in the software layers. A general-purpose operating system (huge and complex) is free, but simpler, custom-built; maybe a more secure operating system would be very expensive to build. Or as Dullien asks, “how did that research code that someone wrote in two weeks 20 years ago end up in a billion devices?”
Then he tackles hardware supply chain issues: “Should I trust my CPU vendor?” He discusses remote management infrastructures (such as the “Intel Management Engine” mentioned above): “In the real world, ‘ownership’ generally implies control.
In computing, ownership and control are decoupled. Can I establish with certainty who controls a given device? He says, “a single bitflips can send a machine out of control, and the attacker can carefully control the error escalation to his advantage.”
(Indeed, I studied this question myself in my electronic engineering days!) Dullien quotes science fiction author Robert A. Heinlein: “How do you design an electric motor? Would you attach a tub to it, just because one was available? Would a bouquet of flowers help? A pile of stones? No, you would only use the elements necessary for its purpose and not make it larger than necessary – and you would build in safety factors. The function controls the design.
Heinlein, The Moon Is A Harsh Mistress and adds, “The software makes adding tubs, flower bouquets, and rocks almost free. So that’s what we get.
We see this in the tourism industry where the cost of adding options and value becomes almost negligible once the initial sunk cost is reached i.e. airline costs and marketing to attract visitors. Dullien concludes his speech by saying: “When I showed the first draft of this speech to some colleagues, they said: ‘you really need to end on a more optimistic note’.”
So Dullien tries optimism, discussing possible advances in cybersecurity research; but it still only gives us a 10% chance that the company will succeed. I think he’s pretty pessimistic because the pandemic and remote work from home has shifted a lot of the paradigm to focus on cybersecurity from the start.
It would still be a 50/50 chance in my opinion, but mostly due to human factors.
Postscript: I continue to refer to voting machines as computers of this type. Does their inherent insecurity mean we can’t use them to count votes? No.
The consensus of election security experts, as presented in the 2020 US National Academies study, is that we should use optical scanning voting machines to count paper ballots because these computers , when not hacked, are much more accurate than humans.
But we must protect ourselves against bugs, against configuration errors, against hacking, by always carrying out risk-limiting audits, by hand, of an appropriate sample of the paper ballots that voters have marked themselves.
This includes having ballots available for verification for a decent amount of time after the election.
To be fair, I don’t know the specific policy and procedure of Fiji Elections Law on this, so this is just my opinion for your information only.
As one scholar noted: “The difference between a democracy and a dictatorship is that in a democracy you vote first and take control later; in a dictatorship, you don’t have to waste your time voting.…’ God bless you all and stay safe in the digital and physical worlds.
- ILAITIA B. TUISAWAU is a private cybersecurity consultant. The opinions expressed in this article are his own and are not necessarily shared by this newspaper. Mr. Tuisawau can be contacted at [email protected]