Incident: USPS Blockchain-Based Mobile Voting System Failure Analysis

Published Date: 2021-12-13

Postmortem Analysis
Timeline
1. The software failure incident of the U.S. Postal Service's blockchain-based mobile phone voting system happened in 2019 [122041].

System
1. Blockchain-based mobile phone voting system [122041]

Responsible Organization
1. The U.S. Postal Service [122041]

Impacted Organization
1. The U.S. Postal Service [122041]

Software Causes
1. Vulnerabilities to hacking identified by cybersecurity researchers at the University of Colorado at Colorado Springs during a mock election [122041]
2. Lack of protection against various hacking techniques such as impersonation, system attacks, information flooding, and privacy breaches [122041]
3. Inability to verify the accuracy of votes due to the system's susceptibility to corruption and faking of votes [122041]
4. Concerns raised by cybersecurity advocates and election officials regarding the insecurity of mobile or online voting systems [122041]

Non-software Causes
1. Lack of transparency in the project, leading to concerns about conspiracy theories and public faith in the democratic process [122041].
2. The project being conducted without the involvement of federal agencies more closely focused on elections, which were then scrambling to make voting more secure [122041].
3. The secrecy surrounding the Postal Service's mobile voting project, which alarmed election security officials and advocates [122041].
4. The lack of a physical record of the vote and no way for voters to verify that their ballots were recorded accurately in mobile voting systems [122041].

Impacts
1. The software failure incident involving the U.S. Postal Service's blockchain-based mobile voting system had the impact of raising concerns among election security officials and advocates about potential conspiracy theories and a degradation of public faith in the democratic process [122041].
2. The incident led to a lack of transparency and communication, as senior officials involved in election security, such as Matt Masterson, were unaware of the Postal Service program, highlighting a failure in information sharing and collaboration [122041].
3. The failure of the mobile voting system to address vulnerabilities and protect against hacking techniques, as identified by cybersecurity researchers, demonstrated the potential risks associated with online voting systems, further emphasizing the importance of secure election processes [122041].
4. The incident highlighted the challenges and risks associated with mobile or online voting, with concerns raised by cybersecurity advocates and election officials about the security implications of such voting methods, including the lack of physical record verification and susceptibility to malicious software attacks [122041].

Preventions
1. Transparency in the project: If the U.S. Postal Service had been transparent about their blockchain-based mobile voting system project and involved federal agencies more closely focused on elections, such as the Cybersecurity and Infrastructure Security Agency, the vulnerabilities could have been identified and addressed earlier [122041].
2. Prioritizing security over convenience: Instead of focusing solely on making voting more convenient through mobile voting systems, prioritizing the security of the voting process could have prevented the software failure incident [122041].
3. Conducting thorough security assessments: Performing comprehensive security assessments, like the one conducted by cybersecurity researchers at the University of Colorado at Colorado Springs, could have revealed the vulnerabilities in the system before any live election deployment [122041].

Fixes
1. Implementing transparency in any election-related software projects to ensure that findings and results are shared with the public and relevant officials [122041].
2. Prioritizing the use of paper ballots for voting to provide a physical record that voters can verify and auditors can double-check [122041].
3. Avoiding the use of mobile or online voting systems due to their inherent security risks and lack of physical verification [122041].
4. Conducting thorough cybersecurity assessments and testing before deploying any voting software to identify and address vulnerabilities [122041].
5. Involving federal agencies focused on elections in the development and testing of voting systems to ensure security and integrity [122041].

References
1. Cybersecurity researchers at the University of Colorado at Colorado Springs [Article 122041]
2. Matt Masterson, former senior adviser to the Cybersecurity and Infrastructure Security Agency [Article 122041]
3. Susan Greenhalgh, senior adviser on election security for Free Speech for People [Article 122041]
4. Federal agencies including the FBI and CISA [Article 122041]
5. Former postmaster general Megan Brennan [Article 122041]
6. Tammy Patrick, senior adviser at Democracy Fund and former federal compliance officer at the Maricopa County, Ariz., elections department [Article 122041]
7. Shawn M. Emery, cybersecurity researcher and PhD candidate [Article 122041]
8. Sen. Ron Wyden (D-Ore.) [Article 122041]
9. Massachusetts Institute of Technology (MIT) [Article 122041]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to the blockchain-based mobile voting system developed by the U.S. Postal Service is an example of a software failure incident happening within the same organization. The Postal Service pursued the project to build the system but ultimately abandoned it in 2019 after cybersecurity researchers found vulnerabilities during a mock election [122041].
(b) The incident also serves as a cautionary example for other organizations considering similar projects involving mobile or online voting systems. Federal agencies, including the FBI and CISA, assessed that mobile voting systems carried high risks to the confidentiality, integrity, and availability of voted ballots [122041]. Additionally, cybersecurity advocates and election officials have long warned about the security risks associated with mobile or online voting, emphasizing the lack of physical records and verification mechanisms [122041].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase: The failure in the design phase of the software system was evident in the development of a blockchain-based mobile phone voting system by the U.S. Postal Service. The system was found to be vulnerable to hacking during a test conducted by cybersecurity researchers at the University of Colorado at Colorado Springs. The researchers identified numerous ways in which the system could be compromised, including impersonating voters, attacking the blockchain system, flooding the system with information, and undermining voters' privacy and the secrecy of the ballot [122041].
(b) The software failure incident related to the operation phase: The failure in the operation phase of the software system was due to the implementation of a mobile voting system that lacked security measures to protect against various hacking techniques. The University of Colorado researchers were able to successfully perform hacks during a mock election, highlighting the vulnerabilities of the system. The system allowed people to cast votes on an Internet-connected mobile app, but it did not adequately protect against hackers who could fake or corrupt votes, compromise the system, overwhelm it with information, or undermine voters' privacy [122041].

Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) The software failure incident related to the U.S. Postal Service's blockchain-based mobile voting system can be categorized as within_system. The failure was primarily due to vulnerabilities within the system itself, as highlighted by cybersecurity researchers who found numerous ways the system was vulnerable to hacking during a mock election [122041]. The system's design flaws, such as the inability to protect against impersonation, attacks on the blockchain system, overwhelming the system with information, and compromising voter privacy, were internal issues that led to the failure of the voting system.

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions: The software failure incident in this case was primarily due to vulnerabilities in the blockchain-based mobile phone voting system that was tested by cybersecurity researchers at the University of Colorado at Colorado Springs. The researchers identified numerous ways in which the system was vulnerable to hacking, including impersonating voters, attacking the blockchain system, flooding the system with information, and compromising voters' privacy and ballot secrecy [122041].
(b) The software failure incident occurring due to human actions: The failure in this case can also be attributed to human actions, particularly the decision-making process within the U.S. Postal Service to pursue and test a blockchain-based mobile voting system without proper transparency and involvement of federal agencies focused on elections. The lack of transparency and secrecy surrounding the project raised concerns among election security officials and advocates, leading to fears of sparking conspiracy theories and undermining public faith in the democratic process. Additionally, the decision to conduct research into the security of blockchain online voting but then hide the results from the public and officials for over two years can be seen as a human action contributing to the failure [122041].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident did not occur due to hardware issues. The incident was related to the development and testing of a blockchain-based mobile phone voting system by the U.S. Postal Service, which was found to be vulnerable to hacking and security breaches [122041].
(b) The software failure incident occurred due to contributing factors that originated in software. The blockchain-based mobile phone voting system developed by the U.S. Postal Service was found to have numerous vulnerabilities that could be exploited by hackers, including ways to fake or corrupt votes, attack the blockchain system, overwhelm the system with information, and undermine voters' privacy and ballot secrecy. The software system was not secure and could be easily compromised, as demonstrated by cybersecurity researchers during a mock election [122041].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident related to the U.S. Postal Service's blockchain-based mobile phone voting system can be categorized as malicious. The incident involved the development and testing of a system that was found to be vulnerable to hacking during a mock election conducted by cybersecurity researchers at the University of Colorado at Colorado Springs [122041]. The researchers were able to successfully impersonate voters, attack the blockchain system, flood the system with information, and undermine voters' privacy and the secrecy of the ballot. Additionally, the researchers were made to sign a nondisclosure agreement that prevented them from identifying the organization that built the prototype voting system, which was described as a U.S. government organization playing an important role in national elections [122041].
(b) The software failure incident can also be considered non-malicious in the sense that the U.S. Postal Service pursued the project to build and test a blockchain-based mobile phone voting system with the objective of exploring the potential of blockchain technology to strengthen digital transaction security and meet customers' needs [122041]. However, the system was ultimately abandoned in 2019 after it was found to be insecure and vulnerable to various hacking techniques. The incident highlights the risks associated with implementing new technologies without proper security measures and transparency in the election space.

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident was related to poor_decisions. The U.S. Postal Service pursued a project to build and secretly test a blockchain-based mobile phone voting system, which was found to be vulnerable to hacking during a mock election. The project was conducted without the involvement of federal agencies more closely focused on elections, and the results were not shared with the public or officials for over two years, leading to concerns about transparency and public faith in the democratic process [122041].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, unknown
Rationale:
(a) The software failure incident related to development incompetence is evident in the case of the U.S. Postal Service's blockchain-based mobile phone voting system project. The project was pursued without the involvement of federal agencies more closely focused on elections, and the system was found to be vulnerable to hacking during a test conducted by cybersecurity researchers at the University of Colorado at Colorado Springs [122041]. The project was conducted secretly, without transparency, which is crucial in the election space, according to Matt Masterson, a former senior adviser to the Cybersecurity and Infrastructure Security Agency [122041]. The system's vulnerabilities, including ways hackers could fake or corrupt votes, were identified by researchers, indicating a lack of professional competence in ensuring the system's security [122041].
(b) The software failure incident related to accidental factors is not explicitly mentioned in the provided article.

Category: Duration
Option: temporary
Rationale:
The software failure incident related to the U.S. Postal Service's blockchain-based mobile phone voting system was temporary. The system was never deployed in a live election and was abandoned in 2019 after cybersecurity researchers found numerous vulnerabilities during a mock election test [122041]. The failure was due to specific circumstances such as the system's vulnerability to hacking and the lack of transparency and involvement of federal agencies focused on elections.

Category: Behaviour
Option: other
Rationale:
(a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and does not perform any of its intended functions. The incident pertains to the abandonment of a blockchain-based mobile phone voting system by the U.S. Postal Service before the 2020 election due to vulnerabilities discovered during testing [122041].
(b) omission: The failure is not due to the system omitting to perform its intended functions at an instance(s). Instead, the decision to abandon the system was made after cybersecurity researchers found numerous ways in which it was vulnerable to hacking during a mock election test [122041].
(c) timing: The failure is not related to the system performing its intended functions correctly but too late or too early. The system was never deployed in a live election and was abandoned in 2019 before the 2020 election due to security concerns [122041].
(d) value: The failure is not due to the system performing its intended functions incorrectly. The decision to abandon the blockchain-based mobile phone voting system was based on security vulnerabilities identified during testing, indicating that the system was not functioning as intended in terms of security [122041].
(e) byzantine: The failure is not characterized by the system behaving erroneously with inconsistent responses and interactions. The vulnerabilities identified in the system during testing were related to potential hacking risks and security flaws rather than inconsistent behavior [122041].
(f) other: The behavior of the software failure incident can be described as a decision to abandon the system due to security vulnerabilities and concerns raised during testing. The incident highlights the importance of transparency and security in election-related technology development [122041].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property, theoretical_consequence
Rationale:
(d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident related to the U.S. Postal Service's blockchain-based mobile phone voting system had consequences on property. The system, which was never deployed in a live election and was abandoned in 2019, was found to be vulnerable to hacking during a test conducted by cybersecurity researchers. The system allowed people to cast votes on an Internet-connected mobile app, and the votes were designed to be anonymous and recorded in multiple digital locations simultaneously. However, the University of Colorado researchers found numerous ways hackers could fake or corrupt votes, impersonate voters, attack the blockchain system, flood the system with information, and undermine voters' privacy and the secrecy of the ballot. This highlighted the potential impact on the security and integrity of people's data and the voting process [122041].

Category: Domain
Option: government
Rationale:
The failed system mentioned in the articles was intended to support the government sector. The U.S. Postal Service pursued a project to build a blockchain-based mobile phone voting system, which was later abandoned due to cybersecurity vulnerabilities [122041]. The project was conducted without the involvement of federal agencies focused on elections, and the secrecy surrounding it raised concerns among election security officials and advocates [122041]. The system aimed to address the management of ballots sent by mail, especially for military voters overseas, but it was never deployed in a live election [122041].
