President Barack Obama’s chief counterterrorism adviser Lisa Monaco said recently that it would be very hard for someone to hack into America’s voting systems in a way that could alter an election outcome.
Monaco’s remarks echoed those of FBI Director James Comey, who also told an audience recently that “the vote counting in this country tends to be kind of clunky, which is a blessing because it makes it harder for hackers to infiltrate.”
The bottom line is that a fifth of United States citizens cannot securely cast their votes.
Yet in spite of those comments, the federal government is just now pushing out to states a set of tools, such as the ability to scan for vulnerabilities and quickly patch them, and some best practices that voting officials should adopt, a mere four weeks before what is probably the most important national election of our lifetime.
In case it matters, Lisa Monaco has no discernible background or experience in cybersecurity — or counterterrorism for that matter — having served only as Principal Associate Deputy Attorney General in the Obama Justice Department prior to her appointment to her present role, where her primary duties have been the handling of day-to-day responsibilities involved in the closing of the terrorist detention facility in Guantanamo Bay. However, Monaco did graduate from Harvard with a degree in history and has a J.D. from the University of Chicago, so at least she isn’t one of those down-market “deplorables.”
Still, rather than let you decide in a vacuum whether you believe the FBI director’s recent expression of concern about cyber hacks, or those of this administration’s chief counterterrorism adviser, let’s look at the facts as viewed by a veteran cybersecurity analyst.
Most (43 states) of the country’s e-voting machines are dilapidated, bare-bones PCs, over a decade old with virtually zero data security controls. This represents over 80 percent of the machines upon which votes will be cast.
Almost 70 percent of these machines are maintained and managed either by manufacturer personnel who refuse to discuss the insecurity of the systems or by local and state voting officials who are the very prototype of victims of the most common cyber attack techniques like spear phishing (where an email pretends to be from someone you know, yet contains malware that downloads immediately upon opening). The other 30 percent of the machines used are no longer supported, manufactured, or produced in United States.
As if this alone were not cause enough for alarm, add the fact that none of the voting administrators get any form of cybersecurity training and awareness. Nor are there any initiatives in place that attempt to bring these machines up to current software levels or to even perform the most rudimentary of security reviews.
Oh, and most of these old e-voting machines are interconnected, which provides an easy path for cyber attackers to access the machines and install malware to manipulate data.
And, while these machines are not yet connected to the internet, an attacker could easily mail an infected USB device with spoofed correspondence that directs an election official to “update” the machines with new “patches.”
All of these cybersecurity vulnerabilities that would never be tolerated in the private sector are somehow allowed to exist in abundance throughout these government voting machines. They include removable media such as smart cards, ROM modules, USB drives, PCMCIA modules, and flash memory that can be compromised or replaced to infect a system; open internal and external network connections that provide unintended access to a system; unsecured ports that can be used to subvert systems; poorly implemented cryptography and authentication mechanisms; and improper source code design — just to name a few.
E-voting machines are often poorly secured in the lowest-bid storage available, such as church basements or minimally secured warehouses. An attacker could easily pose as an insider, a volunteer, or possibly just walk in as a “repairman” to gain access to a system. Though most e-voting facilities test their machines in advance of elections, planted malware could easily infect a device with a logic bomb that doesn’t activate until after the testing period. In such an instance, local election personnel, absent any cybersecurity training or awareness, would likely be none the wiser to the attack.
Election systems are no more secure at the state level either. If an attacker can breach the main voter database, they can easily manipulate voter databases or the results of an election without compromising individual electronic voting machines.
As we have seen with the Office of Personnel Management hack, once a cyber adversary compromises one system in a state office, such as a personal computer, a fax machine, or a router, they can laterally move across the internal and external network or they can cross airgaps onto segregated systems using malware that installs itself onto and from any connected removable media.
In June, the FBI notified the Arizona Department of Administration that credentials related to the Voter Registration System had been compromised. Upon investigation, malware was discovered on a county computer with evidence that information was improperly accessed and manipulated.
In July, cyber attackers launched a campaign against the Illinois State Board of Elections’ online voter registration system, where they breached and exfiltrated personal data of at least 200,000 voters.
These two states are not alone. In fact, investigation of Deep Web marketplaces found it sold listings offering voter registration record databases from any of the fifty states.
There are many other instances and hard evidence of extreme vulnerabilities in our voting systems that would never be tolerated in any other venue, but they are far too numerous to describe here. The bottom line is that a fifth of United States citizens cannot securely cast their votes.
This “80-20” phenomenon is often spun by administration officials like Comey and Monaco as a reason to dismiss our severe cybersecurity deficiency, but with over 146 million Americans currently eligible to vote as of 2016, even 1 percent of votes (1.46 million) are enough to sway an election — let alone twenty times that number.
Despite the bunk arguments of election officials who lack the technical proficiency to justify claims of system security, our election systems are not secure. I don’t know about you, but anything James Comey says these days makes me feel less secure, not more.
Steve King is the COO and CTO of Netswitch Technology Management.