The November 6, 2018 midterm elections are being widely regarded as a referendum on President Trump, but they will also serve another, less obvious purpose. The integrity of our election infrastructure is being tested. Key technological vulnerabilities remain.
Although media coverage of Russian interference in the 2016 US presidential election has largely focused on the possibility of collusion, troll farms, and leaked DNC emails, election infrastructure was also directly targeted.
If hackers demonstrably alter votes in the midterms, our republic’s processes and core promise might seem tainted. The Secure Elections Act sought to patch up vulnerabilities and prevent this, but a committee session was cancelled following White House criticism.
According to an op-ed by Republican Senator James Lankford and Democratic Senator Amy Klobuchar, election security grant funding has not fully resolved electoral problems. “Fourteen states do not have adequate post-election auditing procedures,” they stated.
A recent DEF CON report revealed massive vulnerabilities in voting equipment. A voting tabulator used in 23 states can be remotely hacked via a network attack. A second critical vulnerability was disclosed to the vendor a decade ago, yet the machine still contains that flaw. The report also revealed that an electronic card used to activate voting terminals can be wirelessly reprogrammed. This vulnerability could allow a nefarious actor to cast an endless number of votes.
There are indications that a Russia-backed hacking offensive is still underway. In May, British and US security officials revealed that a Russian hacking group targeted millions of computers and infected home Wi-Fi routers. In July, a Microsoft executive told a security forum that the company detected evidence of phishing attacks originating from a fake Microsoft domain. The targets were all candidates in the midterm elections.
A History of Vulnerability
In 2002, the Bush administration passed the Help America Vote Act to assist states in the replacement of punch card and lever-based voting systems. But massive problems remained. In 2006, the documentary Hacking Democracy exposed backdoors in software made by Diebold Election Systems.
In 2016, infrastructure vulnerabilities were exploited. The Department of Homeland Security belatedly notified 21 states that their election systems had been targeted. Some states disputed DHS’s findings.
State and federal officials claim that no votes were changed, but there are other methods of disruption. Voter registration databases can be manipulated. In 2016, many Americans were turned away at the polls even when they displayed current registration cards. These problems were attributed to electronic poll books. One of the companies providing the software, VR Systems, had been penetrated by Russian hackers months earlier.
“I don’t believe that the goal of attacking the voter registries is just to send out the message to kind of say it has been hacked,” said Carsten Schürmann, Director of DemTech Group. He told me that it’s very difficult to discern if the hackers were successful.
“We don’t know how many people were turned away from polling stations because they weren’t on the electoral roll,” he said.
The Department of Homeland Security determined that election infrastructure should be designated as a critical infrastructure sub-sector.
When asked to comment, cybersecurity expert Chuck Brooks said, “The funding and compliance issues are complex as many state officials are wary of federal control over any aspects of elections under states’ rights.”
Lawrence D. Norden, Deputy Director of the Democracy Program at the Brennan Center for Justice, also told me that the federal government has been cautious about infringing on the authority of states to run their own elections.
Some problems are exacerbated by a general naiveté.
“For the most part, Americans really do not understand the cybersecurity dimensions of voting,” said Brooks. “We are in the midst of transitioning into a digital world where data and personal records are being routinely compromised and stolen.” Antiquated voting machines are vulnerable to insider threats, negligence, and hackers who get tools from the dark web.
Many governments outsource the procurement and operations of election technologies. The AP reported that only 3 companies sell and service more than 90 percent of the machinery used to cast votes and tabulate results in the US. This outsourced guardianship of democracy and digital campaign efforts has, at times, included questionable practices. In 2017, private contractor Election Systems & Software left Chicago voter data publicly exposed on an Amazon cloud server. Deep Root Analytics, a data firm hired by the RNC, accidentally leaked personal details on about 61 percent of the US population.
What Happened in Georgia
Peculiar circumstances still loom over the state of Georgia’s presidential election results.
In 2017, Marilyn Marks, an elections integrity activist, was keeping an eye on Georgia’s 6th congressional district special election after hearing about the state’s reputation for questionable practices. I spoke with Marks earlier this year.
“On election night, something went kaflooey,” she told me. Democratic candidate Jon Ossoff was on track to win.
“And he had been winning, winning, winning, it was staying over 50 percent and then all of a sudden, the vote counting system goes down,” said Marks. “For two and a half hours, they don’t report anything because the system blew up. And then when it comes back, suddenly he’s down at 47 percent. And this black hole happened in-between.”
Marks litigated to try to prevent the same machines from being used in the runoff. Later on, she found out about cybersecurity researcher Logan Lamb. In August 2016, Lamb had realized that Kennesaw State’s election server was vulnerable. He informed the election center that there was a strong probability their site had already been compromised. After Kennesaw State failed to secure its infrastructure, Lamb got into the system a second time.
“They called in the FBI because they wanted to go after Logan, as if he was the bad guy,” said Marks.
Marilyn Marks got involved. Then, technicians at Kennesaw State wiped the server clean. This deletion happened even after voters had requested an independent security review of that server.
“The destruction of the records is what seemed to create the explosion between the Secretary of State’s office and Kennesaw State University,” said Marks.
The deletion was attributed to “standard operating procedure.”
In September 2018, a federal judge in Atlanta denied a motion to force the state of Georgia to switch from electronic touch screen machines to paper ballots in advance of the midterm elections.
No Way of Knowing
Some officials insist the machines weren’t hacked, but concede that if they were, we would have no way of knowing. In his testimony before the House Committee on Oversight and Government Reform, Dr. Matt Blaze said a successful attack that exploits a software flaw might leave behind little or no forensic evidence.
Schürmann successfully hacked a WINVote machine at DEF CON 2017. He told me he agrees with Dr. Blaze’s assessment.
“The operations that we’ve carried out, I’m pretty sure have not left a trail. There is no log file that you can look at where it says somebody logged in here,” said Schürmann.
How to Secure Our Infrastructure
A Brennan Center for Justice paper titled “Securing Elections from Foreign Interference” urged Congress, states, and local governments to assist election officials in the replacement of vulnerable and paperless machines, arguing we should be using electronic machines with a voter-verified paper audit trail. This software-independent record provides an important security redundancy, which both deters attacks and gives voters more confidence in electoral integrity.
Additionally, states and local governments need to update the IT infrastructure supporting their voter registration databases. Some systems still run on discontinued software like Windows XP or Windows 2000, rendering them more vulnerable to cyberattacks. Regular and comprehensive threat assessments should be conducted.
Furthermore, more states should conduct post-election audits of paper records in order to identify evidence of vote tampering. Even when states conduct audits, the standards of those audits are inadequate. “They are often insufficiently robust to ensure an election-changing software error would be found,” the paper’s authors wrote.
Schürmann told me, “I believe actually that it’s great to have two result paths, an electronic result path and a paper result path.” He added that it’s easy to acquire a basic set of hacker tools that can violate insecure electronic systems.
“You basically just have to type in the IP number of the server you’d like to attack and the tool does everything. It tells you what kinds of attacks are possible and which ones you should try,” he said.
In a foreword to the Brennan Center paper, former CIA Director Amb. R. James Woolsey wrote, “I am confident the Russians will be back, and that they will take what they have learned last year to attempt to inflict even more damage in future elections.”
As the midterm elections are conducted, there will be ample reason to question the security of the nation’s voting machines. Multiple sources have suggested a voter-verifiable paper audit trail as the most obvious solution, but for now, we are still open to interference.
We need to politically empower cybersecurity experts who can come in and provide third-party analysis. In the case of Logan Lamb, the cybersecurity researcher who sounded the alarm about Georgia’s exposed infrastructure, that wasn’t initially done. His concerns were dismissed. The Deep Root Analytics voter data leak was also discovered by a cybersecurity researcher.
Perhaps the mindset created by technology is partly to blame. Modern tech encourages a sense of urgency and expectation for immediate information and gratification. This does not actually serve the integrity of our voting process. Although the problem originates in the literal machinery of our democracy, the solution must be broader than improved technology.
Desiree Macy is the Editorial Director of SIA Online Magazine, which is frequented by security executives, corporate security officers, and private protection professionals each month. Desiree’s interests revolve around cybersecurity and business continuity.