#64 – Bruce Schneier on how insecure electronic voting could break the United States — and surveillance without tyranny

November 3 2020, 10:32PM: CNN, NBC, and FOX report that Donald Trump has narrowly won Florida, and with it, re-election.

November 3 2020, 11:46PM: The NY Times and Wall Street Journal report that some group has successfully hacked electronic voting systems across the country, including Florida. The malware has spread to tens of thousands of machines and deletes any record of its activity, so the returning officer of Florida concedes they actually have no idea who won the state — and don't see how they can figure it out.

What on Earth happens next?

Today’s guest — world-renowned computer security expert Bruce Schneier — thinks this scenario is plausible, and the ensuing chaos would sow so much distrust that half the country would never accept the election result.

Unfortunately the US has no recovery system for a situation like this, unlike parliamentary democracies, which can just rerun the election a few weeks later.

• Links to learn more, summary and full transcript.
• Motivating article: Information security careers for global catastrophic risk reduction by Zabel and Muehlhauser

The Constitution says the state legislature decides, and they can do so however they like; one tied local election in Texas was settled by playing a hand of poker.

Elections serve two purposes. The first is the obvious one: to pick a winner. The second, but equally important, is to convince the loser to go along with it — which is why hacks often focus on convincing the losing side that the election wasn't fair.

Schneier thinks there's a need to agree how this situation should be handled before something like it happens, and America falls into severe infighting as everyone tries to turn the situation to their political advantage.

And to fix our voting systems, we urgently need two things: a voter-verifiable paper ballot and risk-limiting audits.

According to Schneier, computer security experts look at current electronic voting machines and can barely believe their eyes. But voting machine designers never understand the security weakness of what they're designing, because they have a bureaucrat's rather than a hacker's mindset.

The ideal computer security expert walks into a shop and thinks, "You know, here's how I would shoplift." They automatically see where the cameras are, whether there are alarms, and where the security guards aren't watching.

In this episode we discuss this hacker mindset, and how to use a career in security to protect democracy and guard dangerous secrets from people who shouldn't get access to them.

We also cover:
• How can we have surveillance of dangerous actors, without falling back into authoritarianism?
• When if ever should information about weaknesses in society's security be kept secret?
• How secure are nuclear weapons systems around the world?
• How worried should we be about deep-fakes?
• Schneier’s critiques of blockchain technology
• How technologists should be vital in shaping policy
• What are the most consequential computer security problems today?
• Could a career in information security be very useful for reducing global catastrophic risks?
• And more.

Chapters:

• Rob’s intro (00:00:00)
• Bruce’s Codex talk (00:02:23)
• The interview begins (00:15:42)
• What is Bruce working on at the moment? (00:16:35)
• How technologists could be vital in shaping policy (00:18:52)
• Most consequential computer security problems today (00:24:12)
• How secure are nuclear weapons systems around the world? (00:34:41)
• Stuxnet and NotPetya (00:42:29)
• Messing with democracy (00:44:44)
• How worried should we be about deepfakes? (00:50:02)
• The similarities between hacking computers and potentially hacking biology in the future (00:55:08)
• Bruce’s critiques of crypto (01:00:05)
• What are some of the most kind of widely-held but incorrect beliefs among computer security people? (01:03:04)
• The hacking mindset (01:05:35)
• Voting machines (01:09:22)
• How secretive should people be about potentially harmful information? (01:16:48)
• Could a career in information security be very useful for reducing global catastrophic risks? (01:21:46)
• How to develop the skills needed in computer security (01:33:44)
• Ubiquitous surveillance (01:52:46)
• Why is Bruce optimistic? (02:05:28)
• Rob’s outro (02:06:43)

The 80,000 Hours Podcast is produced by Keiran Harris.