UALR cybersecurity students research methods to keep digital voting safe from hacking

Three students from the University of Arkansas at Little Rock participated in an international cybersecurity challenge to come up with a strategy to keep digital voting safe from hackers.  UALR team members included Connor Young, a first-year integrated computing doctoral student from Springdale, Arkansas, Hector Fernandez, a senior majoring in computer science from North Little Rock, and Yanyan Li, a fourth-year integrated computing doctoral student from China. Nineteen teams from business schools around the world competed in the Kaspersky Lab Cybersecurity Case Study Competition, hosted by The Economist’s Which MBA? website in December 2016. Kaspersky Lab is a global cybersecurity company founded in 1997 whose security solutions and services protect businesses, critical infrastructure, governments and consumers around the globe. Recognizing that digital voting is likely the next frontier in democracy, the competition challenged teams to guarantee the anonymity of online voters, while preventing voter fraud, voting under duress, the release of early results, and allowing people to verify the results of the election.   “The competition was very interesting and I was very impressed with the submissions,” said Eugene Kaspersky, chairman and CEO of Kaspersky Lab. “The challenges of cybersecurity mean the next generation of experts face a changing frontier – there will be plenty of things to work on and securing digital voting systems for national elections is just one example.” “If cybercriminals exploited one small vulnerability, it could potentially change the course of a nation’s history, and these young scholars are bringing us one step closer to making secure digital voting a reality,” Kaspersky said. The teams competed for a $10,000 top prize. New York University, which proposed a “permissioned blockchain” configuration, was declared the winner. A central authority admits voting machines to the network before the start of the election, followed by voting machines acting autonomously to build a public, distributed ledger of votes. In addition to addressing threats to the integrity of the system, the plan allows voters to tell if their individual vote was counted.

UALR’s plan to protect digital voting

UALR’s plan to secure digital voting relied on three main components: a voter application, a registration server, and voting servers. First, voters log on to the voting app and provide voter identification, which is verified by the registration server. The registration server then provides the voter with a ballot. Voters are further protected with the use of an additional password. “In our designed system, each vote is signed with a voter’s address, the ballot it is associated with, and the registration server address,” Li said. “If somebody wants to fake another’s vote, our system will find out because the signature will be different. It is like using private/public key encryption, where we assume the private key is always kept secret and is only known to the user himself.” Votes are sent to the voting server, which updates information using blockchain technology, which allows information to be distributed to multiple databases. This allows the information to be protected from data breaches at a single location. To prevent election results from being released early, the team would divide the decryption key into pieces and distribute them to political candidates. Only when all pieces of the decryption key are united would the results be revealed. “At the end of the election, each candidate turns in his or her piece of the key, the key is reassembled, and the votes can be decrypted,” Fernandez said. “It is only at that point that the winner can be known. And because the decryption key is then shared with all the ledger holders, anybody who holds a ledger can verify independently the vote totals.” In the end, the election results can be verified by anyone. “All votes can be publicly visible without revealing voter identity, meaning that anybody could count the votes to determine who won and verify the legitimacy of the election,” Young said. Other participating universities included California State Polytechnic University, Champlain College Online, City University of New York, DePaul University, Drexel University, Edinburgh Napier University, Florida Institute of Technology, George Mason University, Maryland Cybersecurity Center, New York University, Newcastle University, Northeastern University, Plymouth University, Rutgers Graduate School, Saint Peter’s University, University College London, University of Maryland, and Queen’s University Belfast. To view the UALR team’s competition video, visit the website. In the upper right photo, UALR cybersecurity team members, from left to right, included Yanyan Li, Connor Young, and Hector Fernandez.