Network Security

Poor election cybersecurity abounds

Could the presidential election be hacked? Given the latest embarrassing breach of even the supposedly most secure of enterprises, yet another insider theft within the National Security Agency (NSA), a better question is how can it be hacked, according to IT security experts queried by SCMagazine.com. That it can be is a given – it only takes one loose link in the chain, for example, an unprotected voting machine that's tampered with, to change the vote and, possibly, history.

No one really knows for sure whether the question above will become more than a hypothetical worst-case scenario. Vulnerabilities loom throughout an unwieldy, disparate hodgepodge of more than 9,000 U.S. election precincts using a variety of (sometimes antiquated) voting systems, ballots and voting procedures.

Meanwhile, politically motivated nation-state attacks on the election process are almost certainly afoot. President Obama on Oct. 7 formally accused Russia of “interfering with the U.S. election process,” an accusation that Russian President Vladimir Putin denied. But most observers credit Putin with a psychological warfare of sorts, attempting to shake the confidence of the American electorate and undermine the veracity of the election's outcome. Welcome to the 21st century equivalent of the Cold War.

A few months ago, Donald Trump publicly welcomed Russian hackers to find Hillary Clinton's 33,000 reportedly missing emails while she was U.S. Secretary of State. And, the Republican candidate has threatened to terminate existing U.S. trade pacts with China if he wins on Nov. 8. China, also often accused of nation-state cyberattacks, hasn't commented.

Cybersecurity varies from state to state

Moreover, the degree of cybersecurity vigilance varies among the 50 states, and any pre-election federal assistance is strictly voluntary. Currently, 43 states are using voting machines that are at least 10 years old, run on operating systems such as Windows CE, Windows XP, Windows 2000 (all of which Microsoft stopped supporting by 2014), Linux and others, and can't be updated with anti-virus patches. Only 60 percent of states require a post-election, paper-trail audit. So what happens if a recount is necessary?

“When you have a system that is opaque and can't be verified by the voters, as well as is buggy and doesn't function correctly, that's the problem causing voters' loss of confidence,” points out Bev Harris, founder of Carlsborg, Wash.-based election watchdog Black Box Voting, which has documented voting weaknesses since 2003 in antiquated machines, proven to be hackable by various studies, and some that fractionalize votes.

What's at stake – nothing less than American democracy being hijacked – isn't lost on Congress.  A Sept. 27 hearing of the House Subcommittee on Information Technology set out to learn just how vulnerable our elections might be to hackers and what U.S. local, state and federal governments can do to protect its electoral processes. Since the contested 2000 presidential election, a complete overhaul never happened – mostly because of financial considerations.

“We have confidence in the overall integrity of our electoral system, because our voting infrastructure is fundamentally resilient,” testified Dr. Andy Ozment, U.S. Department of Homeland Security assistant secretary for cybersecurity and communications, at the hearing. “It is diverse, subject to local control and has many checks and balances built in,” said Dr. Ozment. “Reliance on digital technologies could introduce new cybersecurity risks,” he admitted.   

The federal government's insistence everything is under control was echoed by co-panelist Thomas Hicks, chairman of the U.S. Election Assistance Commission (EAC). “Our elections are secure,” Hicks stated. “They are secure because the American election administration system inherently protects them,” he added. Hicks acknowledged the “threats to our elections, but the voters have confidence that their votes will be counted accurately and recorded accurately when they cast them.”

When questioned point blank by the committee chair Rep. Will Hurd (R-Texas) whether a cyberattack could change the outcome of the national election, every

panelists said no.

“[The federal government] seems to believe their job is to instill confidence,” Harris commented. “That's dangerous.”

The brave face doesn't fly in today's attack-ridden climate, or continuous stream of breach revelations. An anonymous DHS official told the AP that hackers have targeted voter registration systems in at least 20 states over the past few months. The source indicated the attackers' motives were unclear, or whether they were domestic or foreign. While the DHS was unaware in this instance of “any manipulation of data,” DHS Secretary Jeh Johnson separately confirmed hackers scanned or probed several states' voting systems.

The DHS has offered states comprehensive, on-site risk and vulnerability checks. As of early October, 28 states reportedly signed on for the assessment.

At the Sept. 27 hearing, Hicks reported 47 of 50 states use the EAC's voluntary voting machine testing, and its certification program, in part or in whole. “We produce the most comprehensive election administration survey in the country, and we produce volumes of materials designed to help election administrators run their elections more effectively and efficiently,” he said.  Headlines related to cyberattacks and data breaches are “not representative of our voting machines,” Hicks insisted. “Unlike the systems in the headlines, our voting machines are not connected to the Internet.”

The problem with that assertion, according to James Scott, senior fellow of the Washington, D.C.-based think tank the Institute for Critical Infrastructure Technology (ICIT), is potential lapses in chain of custody of the machines themselves.

“They think just because the voting machines are not connected to the Internet, they're not hackable,” said Scott, who authored for ICIT a two-part, 77-page report provocatively titled “Hacking is Easy.”

“No one is telling them that all you have to do is poison an update,” said Scott. “Even if one machine is not directly connected to the Internet, [say] it's networked to another machine, even a printer, that attack surface is exploitable and completely vulnerable.”

The National Association of Secretaries of State (NASS) published an open letter n Sept. 16 maintaining just that – the election process is safeguarded because voting machines are not connected directly to the Internet and there's no national system to be attacked. Any belief to the contrary could “unnecessarily damage public confidence, NASS stated. “In the short term, our goal is to avoid distractions and work together with our federal partners to secure the systems that are in place for the November election,” the letter added.

Calling NASS's statement “sad and pathetic,” Scott said the organization has “absolutely no concept of the attack surface that's at the state, local and manufacturers' level.”

Both Scott and Harris questioned whether technician contractors hired by local election districts are properly vetted and monitored that they aren't tampering with machines.

A single machine vendor called Election Systems and Software ­– one of three major voting machine manufacturers – will be responsible for tabulating 60 percent of the votes. “Local counties can get local remote access privileges to the central tabulators,” Harris says.

“Every one of the 50 places in about 25 different states I've been has had older computers,” said Harris, who is “100 percent certain the election will be tampered with.” She pointed out that 80 percent of the votes that will be counted have no poll tape because voting districts changed their method of voting.

Dr. Andrew Appel, a Princeton University professor of computer science, told the Sept. 27 hearing that in 2009 in a Superior Court of New Jersey, he demonstrated how to hack a voting machine. “I wrote a vote-stealing computer program that shifts votes from one candidate to another,” he testified.

“This is not just one glitch in one manufacturer's machine; it's the very nature of computers,” Dr. Appel said. “So how can we trust our elections when it's so easy to make the computers cheat?”

Similarly, Symantec recently discovered potential methods to hack the voting process, a company spokeswoman confirmed. Its Cyber Skills Development team dissembled and forensically analyzed used voting machines, “so we could build a simulated voting machine that was a close reproduction.” Symantec's goal was to simulate all of the components of a modern-day electronic voting system to better understand the threat landscape and software and hardware weaknesses, which it found.

Several years ago, Jeff Williams, CTO of Palo Alto, Calif.-based Contrast Security, reviewed the code of an electronic voting/election management system for one of the major vendors. “I can only say that I expected better,” he said. “What we found was that these systems have the same types of security mistakes as everything else. Which is to say they had a lot of easily identifiable vulnerabilities.”

Disillusioned voters can be easily convinced their vote won't matter and simply will stay home on Election Day. Protecting completed ballots is obviously important, but so are the registration rolls that determine who is able to vote. ICIT's report last month provides screenshot evidence of hacked voter rolls from every state – not just the previously disclosed Illinois and Arizona – being available on the black market.

Security Watch blogger Chris Vickery, of MacKeeper, reported in June that he found a database containing profiles for 154 million American voters, and he has proof that foreigners may have been accessing it.

During the primaries, irregularities were reported from several states, in which tens of thousands of Americans claimed their names were missing and who were not allowed to vote, doesn't exactly instill confidence a few months later. In June, the Riverside County, Calif., district attorney reported that a hack before the primary resulted in lost registrations and changed party affiliations.

Hackers can also manipulate pre-election online polls that the mainstream media widely report, notes Distil Networks.

“The biggest danger, I believe, to the integrity of our election this November are attempts to undermine public confidence in the election,” testified Lawrence Norden, deputy director of the Democracy program at the Brennan Center for Justice at the New York University School of Law, at the Sept. 27 congressional hearing.

Besides the well-publicized DNC hack and leaks of emails, tinkering by unauthorized parties most likely has been happening in Republican circles as well. Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee, told CNN on Sept. 14 that he learned from intelligence briefings that hackers also targeted the Republican National Committee (RNC). 

McCaul subsequently retracted that assertion after RNC chief operating officer (COO) Sean Cairncross quickly said the congressman was mistaken. “What I had intended to say was that in addition to the DNC hack, Republican political operatives have also been hacked," the congressman said in a statement.

A cybersecurity consultant noted that his firm was contacted by the Trump campaign to prevent its web properties from being defaced.

Manhattan-based cybersecurity firm LIFARS was separately retained by the RNC to secure their systems, provided detection and incident response. Threats never turned into actual breaches, according to LIFARS CEO Ondrej Krehel, stressing his company is politically neutral. “This is not personal to the RNC or Mr. Trump; we are team of cybersecurity professionals. If Hillary wanted to engage our cyber team, we would do it for her too,” Krehel said.

He is “99.9 percent sure” the election will be hacked by multiple parties, most likely hacktivists looking to embarrass the U.S. “But the real question is: Do they have a plot?” He's not so sure a nation state would be responsible. “Hacking an election is a declaration of war.”

In regard to whether the election could be hacked, former Rep. Tim Bishop (D-N.Y.), who left the House in 2015 after serving 12 years, said it is “very troubling” if the populace could be influenced by the possibility of a breach. Questioning the legitimacy of the American presidency “fundamentally undercuts our democracy,”

said Bishop, now a professor at St. Joseph's College in Patchogue, N.Y.  His congressional office had never been hacked, nor had he heard of any Capitol Hill colleagues being victimized by a breach, he added.

Williams, the CTO, said while it's possible the election could be hacked he doubts it would happen, or it could be proved. “So if the election is close, be prepared for all kinds of unsubstantiated allegations of election fraud,” he added.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.