The Fiji Times » Complex systems and elections

2022-09-10 23:26:59 By: Ms. Linda Shen

Fijian Election Office staff (from right) Losalini Kalouniwaqa and Meresiana Namata assisting members of the public at Rups Mall Nakasi in Nasinu. Picture: JONA KONATACI

Why are our computer systems so complex and so insecure? Thomas Dullien of Google’s Project Zero gives some insight, which I refer to here, and then I add my own input based on decades of experience.

You would think there’d be a simple solution, but it’s a general phenomenon about all our computers: there are many layers between the application software that implements an electoral function (for example) and the transistors inside the computers that ultimately carry out the computations.

These layers include the election application itself (e.g., for voter registration or vote tabulation); the user interface (UI); the application runtime system; the operating system (e.g., Linux or Windows); the system bootloader (e.g., BIOS or UEFI); the microprocessor firmware (e.g., Intel Management Engine); disk drive firmware; system-on-chip firmware; and the microprocessor’s microcode.

For this reason, it is difficult to know for certain whether a system has been compromised by malware or at what level.

One might inspect the application-layer software and confirm that it is present on the system’s hard drive, but any one of the layers listed above, if hacked, may substitute a fraudulent application layer (e.g., vote-counting software) at the time that the application is supposed to run.

As a result, there is no technical mechanism that can ensure that every layer in the system is unaltered and thus no technical mechanism that can ensure that a computer application will produce accurate results. So, computers are insecure because they have so many complex layers.

But that doesn’t explain why there are so many layers, and why those layers are so complex, even for what “should be a simple thing” like counting up votes.

Recently I came across a really good explanation: a keynote talk by Thomas Dullien entitled Security, Moore’s law, and the anomaly of cheap complexity at CyCon 2018, the 10th International Conference on Cyber Conflict, organised by NATO.

As Dullien explains, a modern 2018-vintage CPU contains a thousand times more transistors than a 1989-vintage microprocessor.

Peripherals (GPUs, NICs, etc.) are objectively getting more complicated at a superlinear rate.

In his experience as a cybersecurity expert, the only thing that ever yielded real security gains was controlling complexity.

His talk examines the relationship between complexity and failure of security, and discusses the underlying forces that drive both.

Transistors-per-chip is still increasing every year; there are three new CPUs per human per year.

Device manufacturers are now developing their software even before the new hardware is released.

Insecurity in computing is growing faster than security is improving. It is the anomaly of cheap complexity.

For most of human history, a more complex device was more expensive to build than a simpler device.

This is not the case in modern computing. It is often more cost-effective to take a very complicated device, and make it simulate simplicity, than to make a simpler device.

This is because of economies of scale: complex general-purpose CPUs are cheap. And in recent years, memory is cheap.

I recall days when there was a black market for memory chips, as they’d cost a couple of hundred dollars each. On the other hand, custom-designed, simpler, application-specific devices, which could in principle be much more secure, are very expensive.

This is driven by two fundamental principles in computing: universal computation, meaning that any computer can simulate any other; and Moore’s law, predicting that the number of transistors on a chip will keep growing exponentially year after year.

ARM Cortex-M0 CPUs cost a couple of dollars, though they are more powerful than some supercomputers of the 20th century.

The same is true in the software layers. A (huge and complex) general-purpose operating system is free, but a simpler, custom-designed, perhaps more secure OS would be very expensive to build. Or as Dullien asks, “how did this research code someone wrote in two weeks 20 years ago end up in a billion devices?”

Then he discusses hardware supply-chain issues: “Do I have to trust my CPU vendor?” He discusses remote-management infrastructures (such as the “Intel Management Engine” referred to above): “In the real world, ‘possession’ usually implies control.

In IT, possession and control are decoupled. Can I establish with certainty who is in control of a given device?” He says, “single bitflips can make a machine spin out of control, and the attacker can carefully control the escalating error to his advantage.”

(Indeed, I’ve studied that issue myself in my electronic engineering days!) Dullien quotes the science-fiction author Robert A. Heinlein: “How does one design an electric motor? Would you attach a bathtub to it, simply because one was available? Would a bouquet of flowers help? A heap of rocks? No, you would use just those elements necessary to its purpose and make it no larger than needed — and you would incorporate safety factors. Function controls design.” (Heinlein, The Moon Is a Harsh Mistress) and adds, “Software makes adding bathtubs, bouquets of flowers, and rocks, almost free. So that’s what we get.”

We see this in the tourism industry, where the cost of adding options and value becomes almost negligible once the initial sunk cost is met, i.e. airline costs and the marketing needed to attract visitors. Dullien concludes his talk by saying, “when I showed the first draft of this talk to some coworkers they said, ‘you really need to end on a more optimistic note’.”

So Dullien gives optimism a try, discussing possible advances in cybersecurity research; but still he gives us only a 10 per cent chance that society can get this right. I think he is rather pessimistic, as the pandemic and remote work from home changed much of the paradigm, pushing organisations to focus on cybersecurity up front.

It would still be a 50/50 chance in my opinion but mostly due to human factors.

Postscript: I continue to make mention of voting machines as computers of this kind. Does their inherent insecurity mean that we cannot use them for counting votes? No.

The consensus of election-security experts, as presented in the US National Academies study back in 2020, is: we should use optical-scan voting machines to count paper ballots, because those computers, when they are not hacked, are much more accurate than humans.

But we must protect against bugs, against misconfigurations, against hacking, by always performing risk-limiting audits, by hand, of an appropriate sample of the paper ballots that the voters marked themselves.

This includes having the ballot papers available for verification for a decent period of time post-election.
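What “risk-limiting” means in practice, as an added example that is not from the column or from any election office’s software: a ballot-polling audit in the BRAVO style of Lindeman, Stark and Yates, assuming a two-candidate contest and paper ballots drawn at random with replacement; the ballot box and the tampered-count scenario are constructed.

```python
"""Ballot-polling risk-limiting audit (BRAVO-style sequential test).
Added example, not code from the column or any election office. It shows
why a hand audit of a random sample of voter-marked paper ballots bounds
the chance that a wrong machine count is accepted. Assumes a two-candidate
contest and sampling with replacement, as in Lindeman, Stark & Yates.
"""
import random


def bravo_audit(reported_winner_share, sampled_ballots, risk_limit=0.05):
    """Walk through hand-read ballots ('W' = for reported winner, 'L' = for loser).
    Returns (confirmed, ballots_examined). Confirmed means the likelihood ratio
    of the reported result against a tie reached 1/risk_limit, so the chance of
    confirming a wrong outcome is at most risk_limit. If the sample runs out
    first, the audit escalates to a full hand count."""
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner share must be in (0.5, 1)")
    threshold = 1.0 / risk_limit
    t, n = 1.0, 0
    for n, ballot in enumerate(sampled_ballots, start=1):
        if ballot == 'W':
            t *= reported_winner_share / 0.5          # evidence for the reported winner
        elif ballot == 'L':
            t *= (1.0 - reported_winner_share) / 0.5  # evidence against it
        else:
            raise ValueError(f"unreadable ballot mark {ballot!r}")
        if t >= threshold:
            return True, n
    return False, n


def sample_with_replacement(ballot_box, max_ballots, seed):
    """Draw ballots uniformly at random, the way an audit pulls paper ballots."""
    rng = random.Random(seed)
    for _ in range(max_ballots):
        yield rng.choice(ballot_box)


def false_confirmation_rate(reported_share, trials=300, max_ballots=2000):
    """Constructed scenario: the machine count claims reported_share for the
    winner, but the paper ballots are actually a dead heat (the tampered-count
    case the column worries about). Returns the fraction of audits that wrongly
    confirm; the test is built so this stays at or below the 5% risk limit."""
    ballot_box = ['W'] * 5000 + ['L'] * 5000   # constructed: true tie
    wrong = 0
    for seed in range(trials):
        confirmed, _ = bravo_audit(
            reported_share, sample_with_replacement(ballot_box, max_ballots, seed))
        wrong += confirmed
    return wrong / trials
```

With a reported 60% share and a 5% risk limit, 17 consecutive ballots for the winner are enough to confirm, while a sample that keeps alternating between the candidates never does and must go to a full hand count.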

To be fair, I’m not familiar with the Fiji Electoral Act’s precise policy and procedure on this, so this is just my opinion, for your information only.

As some wisecrack observed: ‘The difference between a democracy and a dictatorship is that in a democracy you vote first and take orders later; in a dictatorship you don’t have to waste your time voting.…’ God bless you all and stay safe in both digital and physical worlds.

Copyright © 2022 Fiji Times Limited. All Rights Reserved.