With the current state of the pandemic, business operations have changed vastly from a year ago. One area of change has been voting. Prior to this turn of events, voters had the opportunity to vote in person or send in their ballots. While this has not been problematic in the past, technology has provided an additional option. E-voting is being researched and used in limited circumstances. The first significant, notable usage was in Iowa for their Democratic caucus. While this was used for their caucus and not the vote, it provided a test of how it could or could not work. This has been termed a disaster, with good reason. In 2020 this was attempted with an epic fail. Per reports, the app was not tested properly, did not function properly, and placed the spotlight on what could go wrong, spectacularly.

After this epic fail, one would think a company whose primary business is e-voting would accept any viable assistance from responsible, reputable cybersecurity pentesting companies. The final report or deliverable would provide a roadmap to ensure, as much as possible, that there are minimal issues and that the issues encountered are not critical. This assistance would provide assurance, or work to ensure the spotlight does not shine on the e-voting business in a negative way.

Well, this is not always the case. Voatz is in the business of creating e-voting software. The company wants the CFAA (Computer Fraud and Abuse Act, commonly used as a threat against cybersecurity researchers) to be broadly interpreted so that anyone (i.e. cybersecurity researchers) who violates the Terms & Conditions (T&C), which no one really reads, would face federal criminal charges. The loose application would allow for wider prosecution and give businesses more avenues to dissuade anyone, including those without malicious intent, from being transparent about their oversights. This would effectively leave most in the industry with their heads in the sand.

Possibly what brought this to the forefront, amid their own lack of cybersecurity focus, was that MIT researchers discovered many flaws in their e-voting software. This is the very software we depend on for our elections, which can’t be redone without a massive amount of work, expense, and a significant amount of global ridicule and embarrassment. To attempt to put this in a positive frame somehow, Voatz hired their own cybersecurity researchers, whose research arrived at nearly the same conclusion. In short, the Voatz software is holier than Easter Sunday.

In closing, in cybersecurity as with most things, the more eyes on the objective the better. Also, the responsible thing to do with a product or service is to test it until the cybersecurity vulnerabilities are at a minimum and manageable, which does not appear to have occurred here.