Threat Modeling Paper

In this assignment, you'll be engaging in a Threat Modeling exercise focused on the U.S. electoral system (or the electoral system of another nation of your choice). This is an individual assignment, though you are of course welcome to talk about the ideas you've been considering as long as you follow the honor code and cite appropriately if any ideas in your final paper originated from one of your classmates.

Describing the System

The first step in this threat modeling exercise is to describe the system. For each of the following threat model elements, brainstorm as many things of that type as you can. Apply the security mindset and be creative about what might be important in each category.

  • Assets: What is of value here? What do stakeholders gain from this system's operation? What might attackers gain by compromising it?

  • Stakeholders: Who cares about this system? Who is responsible for its operation? Who regulates it? Who benefits from it? Who might care about it working properly? What capabilities do various stakeholder groups possess (money? clout? expertise? technology? information?)? For each stakeholder or group of stakeholders, describe which assets they value and how much. Note that different stakeholders might value very different assets.

  • Attackers: Who might want to compromise this system? Why? Which assets would they target? What capabilities do they have (money? clout? expertise? technology? information?)? For each potential attacker or type of attacker, describe which assets they value and how much.

  • Vulnerabilities: What are the weaknesses of this system? Where is it out of date, unmonitored, understaffed, etc.? Where might it be vulnerable to attack?

  • Threats: What kinds of attacks might an attacker use to exploit vulnerabilities and compromise assets? For each threat, say what capabilities are required to launch it, or what costs would be incurred by doing so. Be creative here -- lean into your paranoid side and apply the security mindset to invent as many threats, whether realistic or totally out there, as you can. You'll apply risk modeling next to narrow things down.

  • Defenses: What kinds of defenses might be deployed? For each defense, state which threats it is meant to prevent or mitigate, or which vulnerabilities it is meant to patch. How would that defense disincentivize, prevent, reveal, or otherwise make less likely the threats you've discovered?

These resources on various aspects of the voting process may inspire elements of your threat model that you hadn't considered before:

Analyzing Defenses

In the second part of this assignment, you'll analyze a defense in the context of your threat model. I offer you several defenses to choose from, but with my approval (catch me in office hours, collaboration hours, or via email) you may also choose your own. I also provide a few resources to get your brain going on each of these, but know that these resources don't give you the answers -- it's your job to do the analysis. Additionally, you don't have to understand everything these resources say -- I'm much more interested in your careful statement of assumptions and your analysis of a defense under those assumptions (your ability to think critically using the skills of the security mindset and threat modeling while reasoning about diverse stakeholder groups) than in the "correctness" of your analysis in the real world.

Your analysis should include the following elements. They could be section headers or woven through the narrative, depending on how you prefer to write, but I'll grade your paper based on how well you accomplish each of these items.

  1. Describe the defense in detail. If the defense could be implemented in multiple ways, be sure you're clear on which version you're analyzing. This can be a real version in effect today (e.g., the signature checking procedures used in a specific US state), but it can also be fictional, as long as you're clear about the details you're analyzing. What you write here should be like a high-level design document that would allow me to implement your defense based on your description, even if I'd have to work out some of the low-level details.

  2. Analyze the defense's potential or actual costs. What kinds of logistical, financial, political, economic, ecological, or other costs would implementing this defense incur? How widespread would those costs be? Which stakeholders will (or are more likely to) bear the costs?

  3. Describe the threats this defense aims to mitigate. Which threats are supposed to be mitigated by this? Which threats do people say this defense mitigates, even if it doesn't succeed at doing so? Which threats are definitely out of scope of this defense, even if people have misconceptions that the defense does prevent them? It's remarkably common in security to find that people believe that certain defenses work against totally unrelated threats.

  4. Describe how the defense mitigates (or fails to mitigate) the threats. There are many ways a threat can be mitigated. For example, a defense can prevent attacks or make them ineffective; detect attacks so their effects can be fixed; detect attacks to threaten attackers with punishment, disincentivizing them from attacking; make attacks more costly or inefficient; and various other approaches. Think about ideas such as defense in depth and the attacker's asymmetrical advantage here.

  5. Analyze the risk. How frequent are the threats this defense attempts to counter? How likely are these threats to compromise assets successfully? How large are the costs of deploying the defense? Analyze these

  6. Argue for a policy. Based on everything you've written above, argue for a policy. Should this defense be used, and why? Direct this argument toward a specific policymaker of your choice, such as an elected official, an election board, a judge, etc.
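As an added worked example (not part of the assignment text), here is one way to make steps 2, 3 and 5 quantitative: each threat gets an assumed attempt frequency, success probability and impact, each defense gets an annual cost and a per-threat mitigation fraction, and the model computes annual loss expectancy (ALE) with and without a defense. Every figure below is a constructed placeholder chosen to make the arithmetic easy to follow, not real election data, and the threat and defense names are illustrative assumptions; the point is that a defense with zero mitigation against a threat (the "misconception" case in step 3) shows up explicitly as no change in that threat's residual risk.

```python
"""Quantitative risk model for a threat-modeling write-up.

Added example with constructed figures; all numbers are placeholders
chosen for illustration, not measurements of any real election.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Threat:
    name: str
    annual_frequency: float      # assumed attempts per year
    success_probability: float   # P(asset compromised | attempt), no defenses
    impact: float                # assumed loss per successful attack (arbitrary units)


@dataclass(frozen=True)
class Defense:
    name: str
    annual_cost: float
    # threat name -> fraction of otherwise-successful attacks this defense stops.
    # A threat missing from the map (or mapped to 0.0) is out of scope for it.
    mitigation: Dict[str, float]


def annual_loss_expectancy(threat: Threat, defenses: Iterable[Defense] = ()) -> float:
    """ALE = frequency * residual success probability * impact.

    Defenses are assumed independent, so their surviving fractions multiply
    (a defense-in-depth assumption; correlated failures would need a richer model).
    """
    residual = threat.success_probability
    for d in defenses:
        residual *= 1.0 - d.mitigation.get(threat.name, 0.0)
    return threat.annual_frequency * residual * threat.impact


def residual_risk(threats: Iterable[Threat], defenses: Iterable[Defense] = ()) -> Dict[str, float]:
    """Per-threat ALE under the given set of defenses (step 5)."""
    defenses = list(defenses)
    return {t.name: annual_loss_expectancy(t, defenses) for t in threats}


def net_benefit(defense: Defense, threats: Iterable[Threat]) -> float:
    """Risk reduction minus the defense's own cost (steps 2 and 5 combined).

    Negative means the defense costs more per year than the loss it averts
    under these assumptions.
    """
    threats = list(threats)
    before = sum(annual_loss_expectancy(t) for t in threats)
    after = sum(annual_loss_expectancy(t, [defense]) for t in threats)
    return before - after - defense.annual_cost


def out_of_scope(defense: Defense, threats: Iterable[Threat]) -> List[str]:
    """Threats this defense does nothing against (step 3: be explicit about them)."""
    return [t.name for t in threats if defense.mitigation.get(t.name, 0.0) == 0.0]


def rank_defenses(defenses: Iterable[Defense], threats: Iterable[Threat]) -> List[Defense]:
    """Defenses ordered from highest to lowest net benefit."""
    threats = list(threats)
    return sorted(defenses, key=lambda d: net_benefit(d, threats), reverse=True)


# Constructed sample inputs (placeholders, not real data).
THREATS = [
    Threat("forged absentee signature", annual_frequency=50.0,
           success_probability=0.2, impact=1_000.0),
    Threat("tabulator tampering", annual_frequency=0.5,
           success_probability=0.3, impact=100_000.0),
]

DEFENSES = [
    Defense("signature verification", annual_cost=3_000.0,
            mitigation={"forged absentee signature": 0.9}),
    Defense("risk-limiting audit", annual_cost=20_000.0,
            mitigation={"tabulator tampering": 0.95}),
]


if __name__ == "__main__":
    for d in rank_defenses(DEFENSES, THREATS):
        print(f"{d.name}: net benefit {net_benefit(d, THREATS):.0f}/yr; "
              f"out of scope: {out_of_scope(d, THREATS)}")
```

The ranking is only as good as the assumed frequencies and impacts, which is exactly why the assignment asks for a careful statement of assumptions: a practitioner would vary each input over a plausible range and check whether the policy recommendation in step 6 survives.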

Have fun with this assignment!