After the 2016 Presidential Election, many have concerns over voting security. This midterm election will reveal whether the Republicans will remain dominant over the legislative branch or if the Democrats will reign power. There's no doubt that people are passionate about their vote and that their vote remains secure. Areas of concern include the security of the machine, the security of the transmittal of results and the security of the reporting of results. After the spear phishing email attack was deployed in the 2016 Presidential Election, both Americans and Russians were charged with hacking the election. Business email compromise is an area of concern for many individuals holding a position that allows escalated privileges within their company. After such controversy, many may wonder where that leaves the security of voter machines and our upcoming elections.
The federal government has deemed elections as critical to our infrastructure. Best practices recommend leaving a paper trail with voting. Right now, there is not complete consistency across the board for the machines generating a paper copy of the ballot. Some states hand count a representative sample to double-check that the machine tally is accurate. Do you take the time to ask at your voting poll if the machines have a paper trail? The 2016 Presidential Election was not the first source of concern over voter security.
Voting Machines with Remote-Access
Another particular story that comes to mind took place in 2011, when an election board in Pennsylvania's Venango County asked David Eckhardt, a computer science professor at Carnegie Mellon University, to examine its voting machines. He discovered a serious security issue. Remote-access software installed on the voting machines was causing them to be vulnerable to hackers. In this case, increasing the security of the voting machines was relatively simple. It is accomplished by disconnecting them from the internet as well as other internet connected devices. This is a process known as air-gapping. Although this story took place approximately 7 years ago, it is still relevant in 2018 and raises the question: Is there currently protocol in place that ensures all polling stations audit voter machines carefully to determine if they have similar software installed?
He Made the Voting Machine a Jukebox
Cybercriminals continue to show their talents. Another interesting story about the security of voting machines is when the annual security research conference known as DEF CON, invited hackers to try to gain access to a particular voting machine used in 18 different states. They discovered that the hackers were successful in their attempt to hack the machine's administrative access in under 2 minutes. It takes the average voter 6 minutes to cast a vote. Another participant was able to turn the voting machine into a jukebox displaying animations and playing music in just a few hours. If a voting machine can become a jukebox in a few hours, a malicious insider can just as easily program it to skew voting results in a specific direction. In today's political climate, there's plenty of interest in disrupting our elections.
It's so Easy, that Kids can Do It
In addition, websites that report election results are easy to hack. In fact, they are so easy, that DEF CON set up a challenge inviting child hackers to gain access. It may come as a surprise, but an 11 year old girl gained access after only 10 minutes. Children are smart enough to hack into many websites. Websites connect to the internet which makes them more vulnerable. Therefore, they are easier to hack than the voter machines.
Hacked voter websites will have huge consequences to our nation. For instance, if a hacker deleted every 10th voter registration, imagine the chaos that would result at the polling stations as voters were turned away. Websites announcing results are a target as well. Furthermore, consider the consequences if false reports post across the nation reporting which candidate won. In order to protect voter confidence, news organizations should be cautious when reporting results to the public.
Air-Gapping is not Always Enough
While air-gapping is necessary, it does not eliminate all of the security concerns. Security expert, Jake Braun says that even air-gapped machines are vulnerable. Still, air gaps do not eliminate all security concerns. A machine will still need to exchange files and receive software patches. In other words, an unconnected machine will become connected again at some point. As well, voting machines that digitally sign results and encrypt them using secure file transfer protocol are at risk if the hacker can obtain the signing key. In addition, installing malware on the underlying operating system is not that difficult. Malicious actors are looking for various vulnerabilities and the voting industry's security practices are under immense scrutiny.
The overall message is that there are a variety of ways hackers can impact the integrity of our elections. Whether their intent is to affect the outcome or to simply cause turmoil, hackers are becoming much more advanced than in the past. Often, they have crafted a well-thought out plan with many steps and have been working well in advance, waiting for the perfect opportunity to attack. The Department of Homeland Security has created an elections task force to share best practices with election officials around the country to secure our elections. In other words, they want to train those who help with the process of the election strengthen the security measures. TechGuard believes in providing a secure environment by including people, process and technology in its recommendations to businesses.
Written by Michelle Stamps
Michelle has over 10 years of experience in marketing and business development across various industries including government and non-profit. Her background in writing, facilitating presentations and event planning allows her to use her creative skill-set and her relationship building skills strengthens her ability to understand the human element role in cybersecurity and to support positive behavior change. Whether she is out in the community, blogging or developing the next social post for TechGuard, she believes in telling the company’s story and uses relatable, real-life examples to connect with our clients. If you know Michelle outside of work, you would know that she loves sunny days and tropical places.