Elections, Executive Orders, and CyberOperations
This is a post I originally wrote on Wordpress back in December of 2020, well before learning of Mike Lindell's PCAPs. The topic on my mind was how to use the blockchain to secure voting.
(Originally published December 2020 over on Wordpress.)
It is early 2018, and President Trump has issued a directive: election integrity is inarguably a national security issue for the United States, and you, as a hypothetical cyber command professional, are tasked with coming up with a strategy to make sure our election systems are protected from interference by foreign or other adversaries.
To put some teeth behind things, Trump recently issued an Executive Order, dated September 12, 2018, imposing sanctions in the event foreign interference in our election process is detected. It's quite an interesting EO, one that a Sun Tzu tactician like President Donald J. Trump would come up with. His adversaries always underestimate him.
Anyhow, as a cyber-security professional tasked with this enormous problem, you survey the situation: America has thousands of digital voting machines from a variety of vendors; there are tabulator PCs and servers at precincts, counties, and states that are internet-connected, use insecure USB drives, and are potentially vulnerable; voting machines are not supposed to be connected to the internet during election times, but they are, whether by accident or nefarious intent; and public tests conducted through the years have exposed just how vulnerable these voting machines and servers can be.
Even the Democrats were making a big issue out of this four years ago, although curiously, in late 2020, they are magically confident that everything is impervious to hacking.
So you face quite a challenge. To top it all off, you don't have the time or the means to enforce proper cyber security compliance by patching the potentially faulty software in thousands of machines that you don't have physical custody of or authority over; nor do you have the staff or resources to re-train tens of thousands of people in proper digital device security protocols. Furthermore, you don't want to tip off your adversaries that you are working hard to secure those systems, because that will cause them to work harder to find new software vulnerabilities that are more difficult to detect and fix. So what strategies are available to you to solve this problem?
Well, consider this: read 10 USC, Section 394. Subtitle A, Part 1, Chapter 19, which is available via uscode.house.gov. This law explicitly authorizes the military to conduct clandestine cyber-domain military activities, "including in response to malicious cyber activity carried out against the United States or a United States person by a foreign power."
And now consider a few other facts that will become more clear later on. In recent years, the blockchain concept has become very popular as Bitcoin, Ethereum and the like draw attention to digital currencies.
What is a blockchain, exactly? Simply put, it is a cryptographically secure "digital public ledger", to which you can commit transactions (spending of bitcoins, for example) while also attaching messages to each "spend transaction". (In a future post, I'll talk about how blockchain can, and should, be used to securely conduct future elections. It is the perfect answer to our election integrity needs.)
Once the spend transaction is committed, it is written to the blockchain for everyone in the world to see, and it is essentially permanent and unalterable. The unalterability is the foundation of cryptocurrencies; it is this feature that prevents you from "spending your coin twice" and defrauding people. The protocol and public ledger essentially guarantee that you can only spend "coins" that you have in your "wallet" once, and once transferred to the recipient, those coins can't be "pulled back."
Now, the "message" that accompanies the "spend" can be, but doesn't have to be, publicly readable; it could be an encrypted block of text decipherable only to you, the person who created it at the time you spent your "token" or coin. Because it is attached to the blockchain transaction, you can prove later on that the message, whatever it was (after you decrypt it), has been there on the public ledger, tightly sealed up the whole time, in "permanent ink." The public can see that it's there and see the data comprising it, but they cannot decode it; only you can.
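A minimal sketch of the "sealed message in permanent ink" property described above, added here as an illustration and not taken from the original post or from any real cryptocurrency. It assumes a local hash chain in place of the public ledger and a salted SHA-256 commitment in place of the encrypted message; all function names are hypothetical.

```python
import hashlib, hmac, json, os

GENESIS = "0" * 64  # placeholder "previous hash" for the first block

def commit(message: bytes, nonce: bytes) -> str:
    # Salted commitment: hides the message until nonce and message are revealed.
    # (Swapped in for the encryption the post describes; stdlib only.)
    return hashlib.sha256(nonce + message).hexdigest()

def block_hash(prev: str, index: int, sealed: str) -> str:
    body = json.dumps({"prev": prev, "index": index, "sealed": sealed}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(ledger: list, message: bytes) -> bytes:
    """Seal message into a new block; return the secret nonce the author keeps."""
    nonce = os.urandom(32)  # fixed length, so nonce + message is unambiguous
    prev = ledger[-1]["hash"] if ledger else GENESIS
    index, sealed = len(ledger), commit(message, nonce)
    ledger.append({"index": index, "prev": prev, "sealed": sealed,
                   "hash": block_hash(prev, index, sealed)})
    return nonce

def verify_chain(ledger: list) -> int:
    """Return -1 if every link is intact, else the index of the first bad block."""
    prev = GENESIS
    for i, b in enumerate(ledger):
        if (b["index"], b["prev"]) != (i, prev) or b["hash"] != block_hash(prev, i, b["sealed"]):
            return i
        prev = b["hash"]
    return -1

def verify_reveal(ledger: list, index: int, message: bytes, nonce: bytes) -> bool:
    """Check a later disclosure against what was sealed in the ledger."""
    return verify_chain(ledger) == -1 and hmac.compare_digest(
        ledger[index]["sealed"], commit(message, nonce))

def demo():
    # Constructed sample messages, not real data.
    ledger, notes = [], [b"constructed note A", b"constructed note B", b"constructed note C"]
    nonces = [append(ledger, m) for m in notes]
    honest = verify_reveal(ledger, 1, notes[1], nonces[1])
    forged = verify_reveal(ledger, 1, b"rewritten note", nonces[1])
    # Tamper with block 1 and recompute its own hash: block 2's link now fails.
    ledger[1]["sealed"] = commit(b"rewritten note", nonces[1])
    ledger[1]["hash"] = block_hash(ledger[1]["prev"], 1, ledger[1]["sealed"])
    return honest, forged, verify_chain(ledger)

if __name__ == "__main__":
    print(demo())
```

A hash chain on its own only shows that later blocks no longer match an altered one; on a public blockchain, the wide replication of the latest block hash is what stops someone from quietly recomputing the whole chain.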
So back to our problem: you have to do something to secure (or at least audit) the election hardware in thousands of locations across 50 states that is vulnerable to digital cyberattack; you can't directly touch all of the machines; you can't train the people who are using them; and you can't tip off your adversaries.
So you devise an offensive plan of attack: since you know the "bad guys" will be trying to hack the voting systems, you hack the machines first. What you do is install, using your own secret computer viruses, some special "remote monitoring" software that covertly keeps track of what is going on in these servers and voting machines (including watching for the bad guys to remotely control them) and then you save evidence that you discover in a form that can pass muster in a courtroom: you immediately write the evidence you collect to the blockchain, encrypting it as you go so that only you (and later, the courts) can read the evidence messages.
Maybe you record information about who the bad guys were (where on the internet they came from), or what they did, or... perhaps you take snapshots of vote totals from various hard drives on the machines, and save them for later analysis.
You do a "white hat" hack of your own voting systems, in order to trap the "black hat" bad guys, by installing your own "malware" first, in an offensive forward attack. And then you preserve all of your evidence in an iron-clad, unalterable cryptographic vault on the blockchain.
Hmm. Is this legal? It appears from 10 USC Section 394, Subtitle A, Part 1, Chapter 19... that it could very well be. And it may be the only possible solution you could come up with, given the constraints of time, people, and budget, and also given the Swiss cheese of vulnerabilities that exist on the voting machine battlefield.
If you had tapped me, in 2018, to solve this problem, that's what I would have done.