Microsoft demos end-to-end voting verification system ElectionGuard, code will be on GitHub
'Defending democracy' initiative to resist nation-state attacks
Microsoft has demonstrated its ElectionGuard electronic vote system at the Aspen Security Forum under way in Colorado and warned that nearly 10,000 of its customers have been targeted by nation-state attacks.
ElectionGuard aims to enable end-to-end verification of voting. Voters receive a tracking code and can check via a web portal that their vote has been counted, and, crucially, not altered. The portal does not show the content of the vote, protecting voter confidentiality. "It will not be possible to 'hack' the vote without detection," said Microsoft's Tom Burt, CVP of Customer Security and Trust, in a post about the company's latest efforts to counter threats against democracy.
The system uses homomorphic encryption to allow data to be used in computation while still encrypted.
The demo uses a Microsoft Surface tablet with an optional Xbox Adaptive Controller, an accessible input device originally created for gaming. A standard printer outputs a printed version of the vote which can be dropped into a ballot box, showing how the system can be used in combination with paper ballots.
Microsoft will not be making ElectionGuard systems, but is waving it at voting technology vendors. Burt said the company will work with suppliers of "more than half of the voting systems used in the United States today". It has now added two more to the list, Smartmatic and Clear Ballot.
The code for ElectionGuard will be open source and posted on GitHub later this summer.
While not directly related to voter fraud, Burt also said Microsoft's Threat Intelligence Center had detected nation-state attacks on nearly 10,000 customers. "About 84 per cent of these attacks targeted our enterprise customers, and about 16 per cent targeted consumer personal email accounts," he said.
Microsoft claims the majority of nation-state activity is from actors in Iran, North Korea and Russia, and has assigned codenames to them: Holmium and Mercury from Iran, Thallium from North Korea, and Yttrium and Strontium from Russia. The motives of these actors could be intelligence gathering as well as searching for ways to achieve political objectives.
The company also has a project called AccountGuard, which is designed to protect "customers in the political space". This works in conjunction with Office 365 and offers extra security checks and notifications as well as best practice security guidelines and a direct line to support.
AccountGuard was specifically opened up to the UK on October 2018. In order to qualify, you have to be among "candidates running for office; the campaign organisations of all elected politicians; political parties; technology vendors who primarily serve campaigns and committees; and certain charity and non-governmental organisations, such as bodies that organise the electoral process, involved in the democratic process," the post explained.
Tamper-proofing UK elections
Could ElectionGuard or something like it be taken up in the United Kingdom? We asked the Electoral Commission, which observed that any changes to the way elections are conducted have to be done through legislation – so don't hold your breath. The commission also considers that electoral fraud in the UK uncommon. You can see its report on the 2018 local elections here.
There is a bigger issue, though, to do with the vulnerability of voters to manipulation via social media or other means. In this case, the vote is valid but may be based on false information. The extent of funding for political campaigns is another issue and you will find plenty of instances of breaches on the Electoral Commissions site – likely to be the tip of a large and ugly iceberg.
"No single company can tackle these issues, and the need to protect democracy is more important than corporate competition," said Burt. Too right, but even with Microsoft's laudable efforts there is little cause for optimism. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Internet Explorer
- Kenna Security
- Microsoft 365
- Microsoft Build
- Microsoft Edge
- Microsoft Office
- Microsoft Surface
- Microsoft Teams
- Office 365
- Palo Alto Networks
- Patch Tuesday
- SQL Server
- Trusted Platform Module
- Visual Studio
- Visual Studio Code
- Windows 10
- Windows 11
- Windows 7
- Windows 8
- Windows Server
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2013
- Windows Server 2016
- Windows XP
- Xbox 360
- Zero trust