Proposition: Voting Systems Are Vulnerable–Yes

It wouldn’t be very hard for a hacker to access U.S. election systems, according to a recent report by the Institute for Critical Infrastructure Technology (ICIT), titled “Hacking Elections is Easy.”

“Every four years, during the presidential election, the same stories re-emerge acknowledging that the e-voting systems are vulnerable to the same old attacks, without any change in the security or oversight of the systems,” James Scott, a senior ICIT fellow, and Drew Spaniel, an ICIT researcher, write in the report.

“Our election systems face credible cyber threats from our nation-state adversaries, and it’s prudent to adopt contingency plans before November to mitigate these threats,” said Dan S. Wallach, a professor of computer science at Rice University. “It’s sufficient for them to go after battleground states where a small nudge can have a big impact.”

Both Wallach and the ICIT report agree that aging and outdated election machines are a key source of vulnerability to those cyber threats.

“Many e-voting systems, such as those manufactured by Diebold, ES&S, or Sequoia, are nothing more than stripped down embedded PCs without so much as perimeter security,” Scott and Spaniel wrote. “The actor could physically infect machines by gaining access to machines as an employee or contractor or by illegally accessing the machines at their storage site. For instance, at the time of this writing, ES&S has open positions available for interns and contractors. The listings do not specify any requirement of a clearance or in-depth background check to work in close proximity to electronic voting systems.”

Any connection between the voting machines, whether physical or on the Internet, could lead to widespread compromises.

“Studies conducted in 2007 by the state of California, state of Ohio, state of Florida, found security vulnerabilities that could take advantage of these to engineer viruses, where one compromised voting machine could then infect eventually the entire fleet of voting machines for an entire county,” said Wallach. “Typically, at the end of the Election Day you move an election card through each of the machines in the precinct, and that’s to collect the vote totals. That process can spread a virus.”

Though there has been no record of a hacker accessing voting machines and altering votes to date, Wallach cautioned that it’s possible that the hackers simply haven’t been found.

“The nature of the threat is that they don’t want you to see them there, so we can’t assume if we haven’t seen them that they’re absent. What we do know is that we’ve established motive,” said Wallach.

The voting machines are not the only cybersecurity concern, as some believe that a hack on the voter registration databases or candidate websites could also cause Election Day problems. The Arizona and Illinois voter databases have already been hacked, though there is no evidence that anything was added to or deleted from them.

“Disrupting election agencies and regulatory officials’ operations can interrupt reporting, interrupt record management, or prevent coordination between agencies. Public defacement of election agency sites or the public disruption of services reduces citizens’ trust in the electoral process,” wrote Scott and Spaniel.

“My top concern is the voter registration systems, because they’re online,” said Wallach. These registration hacks could end up disenfranchising voters because of long lines and confusion at the polls. The public may end up feeling that their vote won’t ultimately count. “That in my opinion is more damaging than the potential for hacking.”

Jessie Bur
About Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.
No Comments

    Leave a Reply