August 17, 2018

How not to measure security

A recent paper published by Smartmatic, a vendor of voting systems, caught my attention.

The first thing is that it’s published by Springer, which typically publishes peer-reviewed articles – which this is not. This is a marketing piece. It’s disturbing that a respected imprint like Springer would get into the business of publishing vendor white papers. There’s no disclaimer that it’s not a peer-reviewed piece, or any other indication that it doesn’t follow Springer’s historical standards.

The second, and more important issue, is that the article could not possibly have passed peer review, given some of its claims. I won’t go into the controversies around voting systems (a nice summary of some of those issues can be found on the OSET blog), but rather focus on some of the security metrics claims.

The article states, “Well-designed, special-purpose [voting] systems reduce the possibility of results tampering and eliminate fraud. Security is increased by 10-1,000 times, depending on the level of automation.”

That would be nice. However, we have no agreed-upon way of measuring the security of systems (other than cryptographic algorithms, within limits). So the only way this is meaningful is if it’s qualified and explained – which it isn’t. Other studies, such as one I participated in (Applying a Reusable Election Threat Model at the County Level), have tried to quantify the risk to voting systems – our study measured risk in terms of the number of people required to carry out the attack. So is Smartmatic’s study claiming that they can make an attack require 10 to 1000 times more people, 10 to 1000 times more money, 10 to 1000 times more expertise (however that would be measured!), or something entirely different?

But the most outrageous statement in the article is this:

> The important thing is that, when all of these methods [for providing voting system security] are combined, it becomes possible to calculate with mathematical precision the probability of the system being hacked in the available time, because an election usually happens in a few hours or at the most over a few days. (For example, for one of our average customers, the probability was 1×10^-19. That is a point followed by 19 [sic] zeros and then 1). The probability is lower than that of a meteor hitting the earth and wiping us all out in the next few years—approximately 1×10^-7 (Chemical Industry Education Centre, Risk-Ed n.d.)—hence it seems reasonable to use the term ‘unhackable’, to the chagrin of the purists and to my pleasure.

As noted previously, we don’t know how to measure much of anything in security, and we’re even less capable of measuring the results of combining technologies together (which sometimes makes things more secure, and other times less secure). The claim that putting multiple security measures together gives risk probabilities with “mathematical precision” is ludicrous. And calling any system “unhackable” is just ridiculous, as Oracle discovered some years ago when the marketing department claimed their products were “unhackable”. (For the record, my colleagues in engineering at Oracle said they were aghast at the slogan.)

As Ron Rivest said at a CITP symposium, if voting vendors have “solved the Internet security and cybersecurity problem, what are they doing implementing voting systems? They should be working with the Department of Defense or financial industry. These are not solved problems there.” If Smartmatic has a method for obtaining and measuring security with “mathematical precision” at the level of 10^19, they should be selling trillions of dollars in technology or expertise to every company on the planet, and putting everyone else out of business.

I debated posting this blog entry, because it may bring more attention to a marketing piece that should be buried. But I hope that writing this will dissuade anyone who might be persuaded by Smartmatic’s unsupported claims that masquerade as science. And I hope that it may embarrass Springer into rethinking their policy of posting articles like this as if they were scientific.

Comments

  1. Thanks for writing about this. Smartmatic is an unscrupulous vendor that has sold tens of thousands of voting machines in my country (Philippines). The machines were defective, prone to overheating after just a few hours of use, had unproven security, were closed source, and are alleged to be amenable to tampering if the government asked. We have another national election next year and it seems they will use Smartmatic machines again.

  2. From Springer’s description of the journal (http://link.springer.com/journal/12290):

    > European View is the policy journal of the Centre for European Studies, the official think tank of the European People’s Party. It is an intellectual platform for politicians, opinion makers and academics that tackles contemporary themes of European politics, focusing on one specific theme in each issue. The journal contributes to the debate on the most important fields of European and international politics. What makes the European View unique is its hybrid nature – its capacity to involve both esteemed academics and experts on the one hand, and high level politicians and decision makers on the other. Presidents and Prime ministers are regular visiting authors of the European View.

    What in this journal gives any pretence of peer review? Publishers and journals are very different entities; thus Elsevier does actually publish some good science as well as some demonstrably terrible journals.

    • Joanna Bryson says:

      Nothing in that description indicates that the journal accepts industrial promotion either. In an era when even academics pay to publish articles they can’t get by review, I think trying to hold individuals and other entities to valuing their reputation is a good fight worth fighting. Explaining what passes for authority (and to what extent—with what certainty) is one of the great challenges of our era of increasing communication and democratic control. Individual reputations—even trustworthy URLs—are one of the most accessible strategies.

  3. Hi there, I don’t know if you have seen this “Hacking Democracy” documentary yet, but they go into deeper detail on the nationwide polling system Diebold produced: https://www.youtube.com/watch?v=-hNxBa6KENE&list=PL368B897618786ED1

  4. Almost every paragraph of the “paper” is a gross exaggeration or leaves out critical elements. For instance, Sustainability says, “India used to cut down 280,000 trees and utilise huge amounts of energy and water to produce the paper ballots needed for each election. This cost to the environment was eliminated when elections were automated.” This does not consider any costs for making or using electronic devices. Besides, Auditability says that “A well-designed automated election … produces multiple copies of every data point both in electronic and paper-based forms …” I don’t see how this can be resolved with the claim that the “cost to the environment was eliminated”.

    Both Auditability (“A well-designed automated election, by contrast, produces multiple copies of every data point both in electronic and paper-based forms, creating a very rich audit trail …”) and Integrity (“Multiple digital and paper copies of each element are created, which ensures that data is never lost, modified or destroyed.”) imply that many different kinds of copies, reports, or summaries are all over the place. I don’t see how Mugica can claim that no possible combination of these could ever leak information about votes.

    Everywhere is the assumption that (a) the software is, “by any practical definition of the words, foolproof and incapable of error” [“2001: A Space Odyssey”] and (b) the software doesn’t have back-doors or Trojans inserted by the Smartmatic or any of their suppliers, e.g., compilers, libraries, drivers, hardware, etc. Granted he does acknowledge that nobody should trust “the company building the system and its employees”, but he gives no details.

    The calculation may be based on assumptions of independent failure or no collusion. It could also be as simple as a series of unreasonable estimates, like the “proof” of probable life on Mars: What is the chance of gram-negative bacteria on Mars? Lacking other information, let’s say 50%. What is the chance of moss on Mars? Again 50%. How about the chance of Zygomycota fungi? 50%. We can continue with many life forms, then calculate that the chance of *none* of these is (1 – .5)^N = arbitrarily small probability. Thus the chance of no life on Mars is vanishingly small.

    I would love to see the details supporting any of his claims. They could be smarter than me.

    -paul-
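To make concrete both the post’s point that combining controls does not yield a probability with “mathematical precision” and paul’s point about independence assumptions, here is an added toy model. This is my illustration, not code from the post, from Smartmatic, or from the paper; every probability in it is a constructed guess, and the control names are hypothetical. It shows three things: how a figure on the order of 10^-19 falls out of nothing more than multiplying enough small guesses together, how a single shared failure cause (for example, a compromised vendor build) makes that product meaningless, and how a factor-of-two uncertainty in each input becomes a 32× swing in the “precise” result.

```python
"""Toy model of why multiplying per-control failure estimates is not a risk measurement.

Added illustration. All numbers are constructed guesses, not measurements of any real system.
"""
import math

# Constructed per-control estimates: probability that the control alone is defeated
# within the election window. Hypothetical names, made-up values.
CONTROLS = {
    "sealed_hardware": 0.05,
    "signed_firmware": 0.05,
    "encrypted_transmission": 0.01,
    "paper_trail_audit": 0.10,
    "access_logging": 0.20,
}


def naive_independent_compromise(p_defeat):
    """The 'every layer fails independently' model: P(all controls defeated) is the plain product."""
    p = 1.0
    for value in p_defeat.values():
        p *= value
    return p


def common_mode_compromise(p_defeat, p_common):
    """Same controls, plus one shared cause (e.g. a trojaned vendor build) that defeats
    all of them at once with probability p_common. Compromise happens if the common
    cause fires OR every control fails on its own."""
    p_indep = naive_independent_compromise(p_defeat)
    return 1.0 - (1.0 - p_common) * (1.0 - p_indep)


def sensitivity(p_defeat, factor):
    """Scale every input estimate by `factor` and return how much the combined
    probability moves. With n independent controls the answer is factor**n, which is
    why input uncertainty is amplified rather than averaged out."""
    base = naive_independent_compromise(p_defeat)
    scaled = {name: min(1.0, value * factor) for name, value in p_defeat.items()}
    return naive_independent_compromise(scaled) / base


def layers_needed_for_target(p_each, target):
    """Number of independent controls, each defeated with probability p_each, whose
    product first reaches `target`. The small tolerance guards against floating-point
    noise when the ratio is an exact integer."""
    ratio = math.log10(target) / math.log10(p_each)
    return math.ceil(ratio - 1e-9)


def summary():
    """Collect the headline numbers so they can be checked as return values."""
    return {
        "naive_product": naive_independent_compromise(CONTROLS),
        "with_common_mode_1pct": common_mode_compromise(CONTROLS, 0.01),
        "swing_if_inputs_double": sensitivity(CONTROLS, 2.0),
        "layers_at_10pct_for_1e-19": layers_needed_for_target(0.1, 1e-19),
        "layers_at_50pct_for_1e-19": layers_needed_for_target(0.5, 1e-19),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:28s} {value:.3g}")
```

Running it shows the naive product at 5e-7, but the moment a 1% common-mode cause is admitted the combined figure jumps to just over 1e-2, more than four orders of magnitude higher, because the layers stop being independent. Nineteen controls at a guessed 10% each produce exactly 1e-19 on paper, which says nothing about any real system; and doubling each of five inputs moves the result by 2^5 = 32, so a number quoted to “mathematical precision” is only as precise as the least defensible guess that went into it.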

  5. Ferdnand Sylva says:

    Jeremy, what do you think about the security and the reliability of Internet polls? Why aren’t there papers talking about them? I’m curious about it because corrupt governments have been trying to legitimate these voting systems for creating bills – especially bills that give them more power, and are against the interests of their people.

    • Jeremy Epstein says:

      The security and reliability of internet polls isn’t really studied (IMHO) because they’re so unreliable as to be worthless. As an example, there was a poll done a few years ago by the Louisville KY paper of whether internet voting is secure. Ironically, the poll itself was insecure (it relied on cookies to prevent multiple voting, which were easy to clear), and to make the point, some students stacked the poll using a bit of software. (See here and here for details; the result was that the newspaper removed the link to the poll from their site to avoid showing the stacked results, although if you have the link, which is included in the second article, it still works.)

      Even if no one hacks the poll, self-selected polling isn’t reliable, as it will get a highly inaccurate sample. For example, it’s far more likely to include younger and wealthier people (compared to the electorate as a whole). Political scientists, of whom I am not one, could provide far more information on this topic.

      Anyone relying on internet polls as guidance deserves what they get: Garbage In, Garbage Out.
