Security Tip ST19-001 Best Practices for Securing Election Systems - an advisory from the US government - is fascinating for the things it leaves out, more than those few it includes.
At least five substantial omissions occurred to me literally as I was skim-reading the piece for the very first time:
- Physical security for voting systems and associated paraphernalia;
- Application design of voting software;
- Social media and voter coercion (the elephant in the room);
- Information risk management - a systematic approach to identify, evaluate and address the information risks as a whole (not just a few items seemingly plucked out of thin air);
- Assurance - clearly a crucial concern for elections, underpinning the entire democratic process (a raging herd of angry elephants here!).
Items 3, 4 and 5 on my little list concern the bigger picture. It's pointless securing the computer systems alone, even if that could be achieved which would take a lot more than is implied by this astonishingly basic advisory ("best practices" - yeah right!). Thanks in large measure to the US government, "cybersecurity" is a solid gold buzzword, despite decades of experience with information security. This advisory is a classic illustration of what happens when the cyber-blinkers are firmly applied.
So what's really going on here? Are the US government, DHS and CISA unbelievably naive? Do they really need to offer such basic advice in such an important area? Do they truly believe that 'notice and consent banners' are priority matters worth bringing to attention?
Or is this just more cyber-bling, another cynical attempt to divert attention from those bigger issues I mentioned? Does this advisory itself qualify as fake news, part of a political agenda to manipulate public opinion by placing the blame superficially on IT for issues that run much deeper?
Either way, I find this quite remarkable, astonishing even. I'm incredulous.