As many of you are aware, we are dealing with a world that is somewhat divided due to multiple ongoing political issues. As an American, I can tell you that this is certainly true in the United States and perhaps worldwide.
In the last few years, many have changed their viewpoints based on biased information over hard evidence. Facts and data seem less important to many, who base their opinions on curated bits of information with which they can draw any conclusion. Okay, now I don’t want to make this about politics, but I do want to point out how this general attitude can affect the world of data and cybersecurity as well.
Let’s backtrack to the mid-2000s when I spent a lot of time dealing with cybersecurity legislation in Washington, D.C. One of the most interesting conversations I can remember is one I had with some members of the US Treasury. I learned quite a few interesting pieces of information from that discussion.
One of the discussions centered around banks getting hacked and money being taken from the banks by enterprising hackers. I remember them telling me that the banks in the US, regardless of how much they put into securing their infrastructures (and they have very healthy cybersecurity budgets), still manage to lose billions of dollars per year due to cyber attacks.
As it turns out, when that happens, the US Treasury just reimburses them for their losses. As I discovered, the US Treasury is not as concerned about billions of dollars being stolen as they are about the general public (at a global level) losing faith in the entire financial system. If people feel they can no longer trust the financial system to protect their “numbers” and make them whole, the system collapses. Moreover, with the advent of cryptocurrency and the subsequent proliferation of such, traditional financial systems are even more concerned with ensuring that we continue to trust and believe in established systems and networks.
Okay, so where am I going with this? Let’s consider the midterm elections in the USA, which were very politically charged. In the last few major elections in the USA, there have been those that have challenged the integrity of the results. This has occurred on both sides of the heated political battleground, with some citing specific cybersecurity issues that could be construed to indicate that fraud is possible. In all cases, we have not seen any results being overturned due to discovered issues. However, that may not always be the case in the future. Time will tell, and things could become interesting.
Now in a world where something like hard evidence may or may not matter to those forming their own “factual” opinions, it may not be necessary to prove beyond a shadow of a doubt that something like election fraud has occurred. No, not at all, dear reader. In a world where the oracles of “facts” can be friends on Facebook or TikTok accounts with lots of followers, the mere presence of known cybersecurity vulnerabilities, which can be proven much more easily than evidence of compromise, may be enough to conclude that fraud has occurred. After all, in a world of hyperactive social media, “We don’t need no stinkin’ evidence!”
This dramatically raises the bar when it comes to both discovering and addressing vulnerabilities on networks. It is much easier to make a case for alleged fraud if one can show that the network in question is open to such attacks. Again, only time will tell, but it's hard to argue that this is a real possibility.
Let’s look at elections and how they are tallied. If you look at this entry in Wikipedia, you can find a list of nations that allow or disallow electronic voting. You will find that some do allow electronic voting, and some (quite a few actually) do not allow electronic voting. Notably, Finland tried to prototype electronic voting in 2018 and scrapped it, concluding that, among other challenges, security was an issue that has yet to be overcome. Simply put, the integrity of votes on hand-counted paper ballots is more reliable. Physical evidence is still hard to beat.
This is markedly different from the US, where electronic voting has been in place for quite a few years now and has been plagued by challenges since its inception. Now the cybersecurity challenges are perhaps more critically important than ever because it seems that people are willing to conclude election integrity based on what some may deem are the most specious of “facts.” It is not at all uncommon to hear something like, “my friend’s mother works at an election place and told him that someone hacked the systems and so and so and so…” The modern world of social media has a way of turning this into something that can charge up people to the point of riots.
Now let us look at facts. When looking at electronic voting systems, we can certainly consider that close examination of the systems and networks could likely reveal cybersecurity vulnerabilities that could be exploited to hack such systems and alter the vote, or block it entirely. It seems reasonable to conclude that if such vulnerabilities exist and can be verified, then it can be deduced that there is a very real possibility that the integrity of such systems can - and perhaps should - be questioned.
So that brings me to the Schrödinger's cat part of the discussion. One very common way to argue that the integrity of a system need not be questioned is to simply avoid “looking in the box.” Based on the tenets of Schrödinger's cat, if the box is not opened, the cat can be both alive and dead, and based on the lack of further evidence, one can reasonably conclude that both are correct.
However, in the real world, only one of the statements is correct. When we consider the election systems, either the integrity of the vote is indeed in place and can be trusted, or it is not and cannot be trusted. I would conclude such information are likely part of the reason why some nations have decided to forego the implementation of electronic voting systems. It simply is too difficult to ensure integrity, particularly with systems that are likely to have one or multiple exploitable vulnerabilities.
So the United States should consider this as they continue to move forward in the quest to digitize everything, including voting. It seems reasonable to conclude that if the US, and other nations that rely on digital systems for information that shape the political climate, wish to count on this information to derive conclusions, then such systems need to be constantly monitored for the very real possibility that cybersecurity vulnerabilities may negatively impact integrity, even without a compromise.
In modern times information and misinformation have a much greater impact on how people behave. Managing vulnerabilities has many facets to it, and it's not always just about the concrete issue with specific system. Let’s at least try to avoid fueling bad behavior.