Right now, voter trust is at a troubling low. A recent Associated Press poll noted that only 44% of Americans have a “great deal” or “quite a bit” of confidence that the 2024 vote count will be accurate. With only a few months left until the United States elections alongside 60 more countries, 2024 is becoming a pivotal year for election security awareness worldwide. Rightfully so, as cybersecurity researchers are already tracking activity from foreign influence and nation-state groups. The software supply chain will undoubtedly become a key target for malicious actors in this historic election year. Having the right tools and context in place to know what’s in certain software will be more essential than ever to help fortify election security software.
A potential scandal to upend voter confidence could take any number of forms, but in the cybersecurity industry, the thinking inevitably turns to the technological aspect of a possible cyberattack. High profile catastrophes (like the attack on SolarWinds) have made clear that our software is highly vulnerable — and the technology used to conduct elections is far from immune to these concerns.
In this context, the integrity of software supply chains becomes more important than ever. In the past this has been likened to the software supply chain to a kind of recipe: it refers to the ingredients that make up software. The software used by elections commissions across the country is made up of a number of component parts — both open-source and third-party — and any of these can have a significant impact on the final product’s quality. The systems relied on for a smooth elections process are all built out of these diverse assemblages — and for this reason are all at risk. If one of these component parts is vulnerable, it could have a dire impact on voting processes system-wide.
The vulnerability of the software supply chain
The U.S. has seen more change to its voting systems in the last two decades than it had in the previous century. Well into the 90s, according to the MIT Election Data and Science Lab, mechanical lever machines and hand-counted paper ballots were still the norm, and a tenth of Americans were still using hand-counted paper as late as 2004. Today, only a small handful of counties still use hand-counted paper ballots, and software-based scanning systems are the norm coast to coast.
This software has obvious advantages: it makes counting votes simpler and more convenient, and — conducted properly — can actually increase the accuracy of the vote count. But it also presents substantial risks. Like most software, election software is largely built out of open source components — i.e., software created and maintained through open collaboration, with source code available for anyone to use. Recent research shows that 82% of open-source software components are susceptible to vulnerabilities, security issues, code quality or maintainability concerns. Which is to say that — without stringent supply chain protocols in place — every organization is at risk.
Some sense of this risk is evident from a recent presentation at DEF CON Voting Village 2023. Per Ashlee Bengee at Spiceworks, the presentation involved a state election organization assessing one of its third-party software application providers. What they found was troubling: while the application code was high-quality overall, it was nonetheless determined that one of the open-source libraries it relied on, core-js, was maintained by a nation-state threat actor. Further, a separate library used by the application had links to internet top-level-domains (TLDs) connected to foreign applications.
Advancing election security
It is important to stress that no evidence points that elections have been compromised: in fact, committees within the Department of Homeland Security said in the aftermath of the 2020 election that it had been “the most secure in American history.” To a large degree, concerns about election security are a matter of perception divorced from factual reality, which in turn affects public trust. Nonetheless, the risk of potential compromise is very real, and all it takes is one small breach to set off waves of distrust throughout the entire system.
So: what does integrity look like in an election software context?
For one thing, it means strengthening the emphasis on software quality. Teams should be in place to evaluate code quality, security posture, vulnerabilities and supplier reputation. As important: the software supply chain needs to be fortified. This is the key preventative measure and software bills of materials (SBOMs) are the crucial solution. By necessity, every software project presents a tangled web of dependencies; a quality SBOM can standardize, organize, and document this process, so that potentially destructive vulnerabilities don’t fall through the cracks. The federal government itself has already recognized the urgency of these measures, with President Biden’s Executive Order (EO) 14028 tasking multiple agencies with enhancing cybersecurity and maintaining the integrity of the software supply chain.
To provide peace of mind to voters, these processes need to be transparent. To quell increasing concerns around election integrity, the ability to point to exactly how the process is safeguarded is necessary. Software attestation serves as another crucial safeguard. It provides the assurance that the software deployed is exactly what was constructed, and that this construction is a direct product of the source code. It verifies the integrity of the components in software. This process establishes a comprehensive and verified chain of trust.
This isn’t to say that any of this is easy. Addressing vulnerabilities discovered through the SBOM process and software attestation requires time and resources. In voting as in life, 100% invincibility is impossible — and that applies to both paper ballots and digital voting systems. The point is to create a culture of accountability. Software providers may not feel like they’re operating at the very tip of the spear in the fight against election disinformation — but they are, and they need to shape their processes accordingly.