[Image via NIST]
This week’s issue of electionlineWeekly features the latest of Mindy Moretti’s now-famous “exit interviews” – this time with Josh Franklin, who may not be well-known to casual observers of American elections but is recognized as a key player by hard-core electiongeeks nationwide. He’s also one of the more interesting people in the field, which shines through in this conversation:
Joshua M Franklin has worked with election technology at the state and federal government for over a decade.
He worked at the Kennesaw State University Center for Election Systems during college, and shortly after graduating. Joshua was then recruited to work at the U.S. Election Assistance Commission gathering hands-on experience with a variety of voting technologies.
For three and a half years he managed federal certification efforts alongside election officials, labs, and manufacturers across the country.
Post-EAC, Joshua worked as an IT Security Engineer at the National Institute of Standards and Technology (NIST) focusing on cellular and electronic voting security. At NIST, Joshua co-chaired the Election Cybersecurity Working Group, and was the principal author for the security portions of the next generation of federal voting system standards.
Joshua recently became a Senior Cybersecurity Engineer at the Center for Internet Security (CIS) where he will be continuing his work in elections.
You’ve worked in the public sector for quite a while now, how come you are making the leap into the “private” sector now?
Other than a few glorious years gracing the lifeguard chairs of the Atlanta suburbs with my alabaster tan, I’ve essentially always been a state or federal employee.
I’ve accrued 10 years of federal service, and 10 seems like a nice round number. It was time to make a change. I am legitimately curious how the other half lives. Actually, looking at the statistics on this, maybe how the other ~98 percent of the US population lives. There’s a reasonable argument to be made that I’m just dipping my toe into the water by moving to an NGO.
What’s the biggest change you have seen in election security since you started?
A couple things I guess: software independence, meaningful election audits, and the Babadook that was 2016. When I moseyed on into the Kennesaw State University Center for Election System’s (CES’s) office in 2004, the country was engaged in a massive debate over “paper or plastic.” There were HBO documentaries, books, and a deluge of news articles on the merits of fully electronic machines versus paper-based ones. I spent hours sorting through hundreds of public comments on this subject for the 2005 Voluntary Voting System Guidelines (VVSG) at CES. And now, although the issue isn’t entirely settled, many states have simply transitioned to paper-based systems or are planning to. Kim Brace has a wonderful set of maps showing the change in voting equipment since 2000 that I use to illustrate this concept to folks learning the field of elections.
Audits are another interesting change in election security since 2004. Audits are critical for detecting problems in elections – both accidental and malicious. Yet there’s any number of ways to perform an election audit, and various states and jurisdictions will look to audit different aspects of the election process in unique ways. Yet sometimes two states will refer to dissimilar audits with the same term! Risk-limiting audits seem to be a unifying, cost-effective way to audit the result of the election. And I know election officials like getting bang for their buck! It’s been awesome, in the truest sense of the word, to see election officials and the security community work together on something in a proactive manner. Shout out to all the jurisdictions, election integrity groups, and academics going through the pain of bringing theory to reality. You’re the best of us.
Everything changed in 2016. Although security has always been an important facet of U.S. elections, 2016 is the year where things went from “what if” to “what now”? [emphasis added – DMCj] I believe 2016 will be a turning point in election security; hopefully only for the better. (And I can’t wait to read the book that we’re all in!) But as a community, we need to keep on it, and it can’t just be lip service. That means learning cybersecurity best practices, teaching others, and putting what we learn into practice. Consistently. Finally, we need to keep fighting for resources specifically earmarked for election cybersecurity and then using them effectively.
We hear a lot about what’s happening in the public sector on cybersecurity–and how election officials can take simple steps to reduce their risk–but what else is happening in the sector that folks might not know about but should?
The NIST Cybersecurity Framework (CSF) is a wonderful example of this. I think that framework does a wonderful job of helping folks to hone onto the cybersecurity issues that affect them, without having to be a cybersecurity expert. A new version of the CSF was recently released, and I think folks should keep an eye on it and consider how it might be applicable to elections.
While it’s not entirely public sector, academia is certainly adjacent, and Dr. Alex Halderman’s Securing Digital Democracy course offered through Coursera is a wonderful hidden gem that everyone might not know about. It’s a great FREE way of refreshing yourself on some cybersecurity basics focused on elections, and can act as a foundation for learning more advanced cybersecurity concepts.
In the same vein, some election officials might know the work that the Center for Democracy and Technology (CDT) has been doing with the Center for Technology & Civic Life (CTCL), but possibly not everyone does! These organizations have been working to create Cybersecurity 101 courses specifically geared towards election officials. No fluff, just what you need. This includes a series of cybersecurity guides focused on cyber-hygiene issues like password usage and auditing. I’d be remiss to not mention the astounding work that the Center for Internet Security (CIS) is doing in the election security space. Check out their handbook if you’ve missed it!
You are clearly interested in mobile technology–we hear you have quite a collection of old phones!–but should we be focusing on mobile devices as a potential area of vulnerability?
Sadly, I’ve donated my phone collection to NIST.
In my opinion, mobile devices are already used throughout elections. Many states have used tablets for their electronic pollbooks since the mid-aughts. That’s well before the iPad. Yet any sufficiently complex computing platform is going to have unknown software, firmware, and hardware vulnerabilities that can be exploited. Mobile devices tend to complicate this issue by having an always-on internet connection (i.e., cellular) and they are specifically engineered to easily share information with other devices. From a cybersecurity perspective, this ain’t great. But that doesn’t mean we shouldn’t use them at all. I think there’s a number of situations where properly configured mobile devices will be used, or are already being used in the field of elections.
Should voters be concerned that their personal information is at risk from election hacking, and not just election outcomes?
Most certainly. The Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) were breached between 2015 – 2016 and the Republican data firm Deep Root Analytics was breached in 2017. Illinois voters experienced a massive voter data breach in 2017. At the DEF CON Voting Village last year, a memory card was found containing voter registration information from a real jurisdiction. All of this occurred in just the past few years. This is a real issue that I think we should take a step back from to contemplate how the entire elections ecosystem handles the data voters entrust to us. In many states voters have no say on whether or not their voter information is provided to candidates and/or parties. We need to be worthy stewards of the data voters are compelled to provide to us.
What one step should all election officials take to improve their security posture?
Get better at authentication. It doesn’t matter if it’s an election management system, an SSH account on a .gov website hosting election results, or a personal email account. Folks should be using strong, unique passwords for all the computers and devices in their lives. Two factor authentication should be employed for any critical system, and honestly, any system that makes it easy to use a second factor should prolly have a second factor. Look to a password manager to remove the burden of memorization (but not for critical election passwords!!). I also have to mention this XKCD cartoon on password strength or the cybersecurity community would have my head.
What role if any should blockchain play in elections?
I’ll ask the third-rail question…do you think Internet voting will ever be a viable option?
Of course, it’s just not “someday” yet. The number of years between the first manned aircraft and the first manned spaceflight was less than a human lifetime. According to Star Trek we’re supposed to be able to travel at light speed by 2063! I have the utmost confidence in the human race’s ability to solve difficult problems through technology. But as of right now, it’s still exceedingly difficult for any organization to keep a system secure while connected to the internet. It doesn’t matter if it’s a governmental world power or a large technology company. But that doesn’t mean that we need to stop investigating and researching the topic altogether. I’m going to be mad at everyone if I can’t vote from some device or implant while simultaneously working the polls at 80 years old. As an aside, as an elderly man working the polls, I plan to cause a lot of hilarity for voters.
If you could create the perfect election system, what would it look like?
I don’t think it’d look like anything. I would just think about my preference, and it would be securely recorded and reported. But brain-computer interfaces still have a long way to go, and I’m not planning on being a beta tester for that tech… Although I am worried that this would lead to the episode of The Orville (Majority Rule) where everyone voted on everything all the time. It was honestly more dystopian than the Black Mirror episode on voting (Nosedive). This is required watching for election geeks by the way.
When you fell off the barstool at Bobby Vans, were you more embarrassed than hurt?
As the piece indicates, Josh isn’t going far … and the community will not only get to benefit from his expertise but continue to enjoy his unique outlook. Thanks as always to Mindy for this series, and trust me – where Josh Franklin is concerned, you’re gonna want to stay tuned!