The idea of a “security blanket” is just that—an idea. While it affords comfort, that feeling of implied safety enjoys none of the benefits of fact. In the realm of election security, facts are the only thing that matters.
The security blanket for the past five years has been the idea that voting machines are not connected to the internet, so votes can’t be changed.
This is a true statement, in the literal sense. Unfortunately, the machines are not always as safe as we may think. In the process of securing election systems we have seen all kinds of problems and disasters waiting to happen.
Even election boards hire vendors. Some practices are better than others, and security is hit or miss, but there are avoidable pitfalls. When a voting technology vendor aggregates vote counts at their headquarters before distributing them back to the states during or after tallying, it creates a vulnerability. The votes are sent from polling places to voting machine vendor headquarters over public networks. The data is encrypted, but it could be subject to disruption. It is also important to bear in mind that if the vendor headquarters is hacked or compromised, the adversary doesn’t need to hack machines.
Wireless Access Points
We have observed in the course of our work with states and county election boards wireless networks with little in the way of security that are connected to voting machines and aggregators. In one case, a vendor had included this weakness when it set up the network on voting day. We have shown that these wireless access points can provide access to adversaries from outside the building on voting day during live voting. Knowing what all the contractors, vendors and volunteers are doing as they support the process is vital but also very difficult with so many different locations and people.
In some states, voting machines are configured to allow an administrator to make a direct connection to the machine and upload or download data. Other states have no detective controls to identify when this has happened. What this means in plain English is that if a bad actor makes undetected changes the vote, there would be no way to know that it happened.
Access to production voter registration data is another threat that can be used to deny the ability of voters to cast votes on election day. These systems are getting better, but we have seen situations where hackers could make changes to production data and then cover their tracks. Relying solely on the preventative controls without also implementing detective controls is insufficient security.
Democracy is in harm’s way in the current pervasive environment where there is no standard for cyber security. There are many steps election boards can take, and there is much room for improvement. The above issues are just a few issues faced by election boards across the country.
Eric Hodge is Director of Solutions at CyberScout.