Computer systems are complex and insecure due to the multiple layers involved in their functioning. These layers include the application software, user interface, operating system, firmware, and microcode. The presence of these layers makes it difficult to determine whether a system has been compromised by malware, as any layer can be hacked to substitute fraudulent software. The complexity of computer systems is driven by the increasing number of transistors in CPUs and the anomaly of cheap complexity. Universal computation and Moore’s law contribute to the prevalence of complex general-purpose CPUs and software. However, this complexity leads to insecurity, as simpler and more secure devices are costly to build. The need for trust in CPU vendors and concerns about remote-management infrastructures further highlight the challenges of computer system security. Despite the inherent insecurity of voting machines, optical-scan machines are recommended for counting paper ballots, with risk-limiting audits as a measure to protect against hacking.
Signal | Change | 10y horizon | Driving force |
---|---|---|---|
Computer systems are complex and insecure | Complexity and insecurity | Increased security and simplicity | Controlling complexity and improving security |
CPU contains more transistors, peripherals more complicated | Increasing complexity | More cost-effective to simulate simplicity | Economies of scale and Moore’s Law |
General-purpose operating systems are free, custom-designed OS expensive | Cost-effective complexity | More expensive, custom-designed, secure OS | Universal computation and cost-effectiveness |
Hardware supply-chain issues and lack of control | Lack of control and security | Establishing control and trust | Possession and control decoupling |
Optical-scan voting machines for accuracy, risk-limiting audits for protection | Ensuring accuracy and protection | Continued use with added safeguards | Consensus of election-security experts |
Kill-switches on high-end processors for added security | Added security with kill-switches | Authenticating chips and controlling access | Eric Schmidt’s suggestion |