U.S. election infrastructure remains unsecured mere months before the next presidential election.
The threat of interference with our election systems became a major issue following the 2016 election. Media coverage focused on social media influences by foreign nation-states and other bad actors, and on voting machine insecurities. Yet at least as far back as the 2000 election, cybersecurity experts were warning us that election system infrastructure is vulnerable to getting hacked.
In 2018, the U.S. federal government allocated $380 million for states to begin improving cybersecurity. Most states have used some of this money to update their election systems and processes, according to a report by the U.S. Election Assistance Commission (EAC). But this is a huge job, because the attack surface in election systems is vast and complex, much more so than that of either an IT network or an industrial control (operational technology) network.
In 2020, another $425 million was allocated to EAC to distribute for additional election security measures. That body is now telling states they can use those funds instead for disinfecting the polls due to the Covid-19 coronavirus.
Meanwhile, there’s growing concern that Russia and other nation states will try to interfere in the 2020 presidential election. A new report by the Brennan Center for Justice found that Russia’s social media-driven election interference is both “more brazen” and more difficult to detect than it was in 2016.
The Department of Homeland Security (DHS) didn’t declare election systems critical infrastructure until 2017. In January, acting secretary Chad Wolf said he “fully expects” more meddling by Russia, in addition to cyberthreats from China and Iran.
Wolf and other U.S. national security experts take the matter so seriously that they made an unusual public joint statement on March 2, the day before Super Tuesday. The FBI, and other federal agencies, including the Cybersecurity and Infrastructure Security Agency, warned voters to be wary of false information, and to be familiar with voting procedures such as checking their registration. Except for tornadoes, long lines at the polls, and some overwhelmed voting machines, voting went off that day with few hitches in most states.
With the presidential election just seven months away, there’s still a long way to go.
Technology and processes — what’s wrong?
From a cybersecurity perspective, election infrastructure shares some similarities with operational technology infrastructure, industrial control, and even industrial Internet of Things (IIoT) networks. All are plagued with aging, un-patchable, often proprietary hardware systems. Add to that process flaws that ignore cybersecurity, like the lack of audits and paper backups, and implementation issues, such as which systems should, or should not, be connected to the Internet, and for what purposes.
Unlike the smaller, relatively closed industrial environment, the attack surface of election technology is vast and complex. “Every part of the voting process is vulnerable. This includes the voter registration process, the voting itself, the vote tabulation and the results-reporting system,” Bruce Schneier, a cybersecurity expert at the Harvard Kennedy School of Government, told the Washington Post in February.
All 50 states do things differently, so there are in fact 50 different voting infrastructures in the US, each forming a large and highly distributed network, each with its own set of security holes. Unlike industrial environments, election infrastructure lacks anything resembling a chief security officer, let alone a security operations center.
The fact that voting infrastructure is a highly distributed system “limits how much trouble an attacker can get into,” Cindy Cohn, executive director of the Electronic Frontier Foundation, said in an interview. “But it also presumes we don’t have close elections where only a few votes can make all the difference. Yet we do.”
There’s no lack of advice and analysis for what’s wrong with the technology and the processes, and how to fix them. Much of the advice is very similar. The U.S. Department of Homeland Security, for example, has an extensive publications library. A section dedicated to election security on the Center for Internet Security website includes an extensive best practices database and handbook.
Schneier said computerized registration, voting, tabulation and reporting systems are ultimately unwise. One side effect of full automation is that “elections now have all the insecurities inherent in computers,” he wrote in 2018. “The only way to reliably protect elections from both malice and accident is to use something that is not hackable or unreliable at scale; the best way to do that is to back up as much of the system as possible with paper.”
Schneier cited a voting equipment hacking experiment conducted at the 2017 DEF CON: attendees with no previous experience with voting machines were easily able to “compromise every piece of test equipment, to [load] malicious software, compromise vote tallies and audit logs, or cause equipment to fail.”
In an interview with EE Times, Schneier added: “The fundamental problems cited in my 2018 article — such as the insecurity of voting online and the use of outdated, unsupported voting equipment — have not been fixed. We like to think that computers make everything including voting better, but for voting they make it worse. All of the cybersecurity experts are unanimous in agreeing on this.”
One of the biggest differences between voting cybersecurity and cybersecurity in the industrial environment, and one that Schneier sees as problematic for computerized voting, is the need for a secret ballot. “Otherwise, cybersecurity for voting systems would be no harder to implement than, say, banking: you could do audits and other standard practices,” he said. “But since you have to securely separate the voter roll systems from the vote tabulating systems, you can’t do all of those practices because of anonymity. And that makes voting cybersecurity an intractable problem.”
Schneier prescribes several fixes: better computer, network, and database security for each state’s voter organization and voter registration websites along with better security for voting machines, as well as tabulating and reporting systems. Also required are multiple, unchangeable backups stored separately, and paper printouts as backups for voter rolls.
The gold standard that security researchers agree on is voter-verified paper ballots. These can be used for post-election audits before results are certified, to verify the results even if any voting system has been compromised.
Lastly, there’s a need for national election standards.
The Covid-19 pandemic has only heightened concerns about crowding at the polls and maintaining social distance, resulting in calls for voting by mail. Universal vote-by-mail legislation has been introduced in Ohio. Colorado, Utah, Oregon, Hawaii and Washington have already adopted such systems. In California, half of voters are expected to cast ballots by mail in 2020.
Too many kinds of unregulated voting machines?
Voting technology varies widely by state: each may use combinations of hand-marked paper ballots, punch card voting, optical scan, direct recording electronic voting machines, voter-verified paper audit trail printers or ballot-marking devices. The non-profit organization Verified Voting tracks state-by-state voting systems in a database searchable by techniques and by voting machine types and brands.
According to a report by the University of Pennsylvania’s Wharton Public Policy Initiative, there are dozens of different voting machine brands. Further, more than 90 percent of the U.S. voting equipment market is controlled by only three companies: Dominion Voting Systems, Hart InterCivic and Election Systems and Software.
The EAC conducts a voluntary testing and certification program for voting system hardware and software, with the goal of maintaining the reliability and security of voting systems. It lists systems that are under test, have been certified, and have been de-certified, and registered manufacturers. It also publishes voluntary voting system guidelines.
The Brennan Center for Justice has proposed federal regulations for election vendor oversight. “The federal government regulates colored pencils, which are subject to mandatory standards promulgated by the Consumer Product Safety Commission, more stringently than it does America’s election infrastructure.”
The report describes voting machines as “points of attack into election infrastructure,” and notes that, even if the machines are EAC-certified, the configuration of their transmissions is not. Vendors are not even required to report security incidents as a condition of their certification. The report also describes past exposures of some election machines’ voter data to the public Internet, in some cases for unknown periods of time. It calls for more stringent federal oversight of election system vendors, not just voting machines, suggests expanded oversight authority for the EAC including cybersecurity, and outlines a framework for how that would work and how it could be implemented.
States and local governments are vulnerable
Although Super Tuesday revealed little evidence of hacking, a recent analysis by ProPublica found security weaknesses in the election-related websites of at least 50 towns and counties voting that day. The sites tell people where to vote, how to register, and provide election results. Security issues included “outdated software, poor encryption, and systems encumbered with unneeded computer programs.” Additional problems included files exposed to public view that should have been secured, and hosting election websites on the same server with other local government sites.
While all violate cybersecurity best practices, that last is a major cybersecurity no-no for critical infrastructure. That’s because shared hosting effectively provides a gateway into what should be isolated, protected election and voter data. Last year alone, ransomware attacks on state, county and city governments hit the state of Louisiana and the city of New Orleans separately, Baltimore, two cities in Florida, 22 towns in Texas, and Pascagoula, Mississippi, causing some to shut down temporarily or declare a state of emergency.
Some are vulnerable simply because of poor site design. A recent study by cybersecurity leader McAfee surveyed county election administration websites in the 13 states expected to be “battlegrounds” in the upcoming U.S. presidential election. Most lacked simple security measures such as the use of HTTPS website security and official U.S. government .gov domain validation. Those steps could at least prevent hackers from setting up fake websites that look like legitimate county government sites.
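An added example, not taken from the article or the studies it cites: an offline check of a county website inventory for three of the weaknesses described above (no HTTPS, no .gov domain, an election site hosted alongside other government sites). The site names, URLs and IP addresses are constructed, and treating a shared IP address as a shared server is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed inventory (not real sites): name, URL, hosting IP, is_election_site.
# IPs come from the 192.0.2.0/24 documentation range and are supplied, not resolved.
SITES = [
    ("Alpha County elections", "https://elections.alphacounty.gov/", "192.0.2.10", True),
    ("Alpha County parks", "https://parks.alphacounty.gov/", "192.0.2.11", False),
    ("Bravo County elections", "http://www.bravocountyvotes.com/", "192.0.2.20", True),
    ("Bravo County permits", "https://permits.bravocounty.example/", "192.0.2.20", False),
    ("Charlie County elections", "https://vote.charliecounty.org/", "192.0.2.30", True),
]


def audit(sites):
    """Return {site name: sorted list of findings} for election sites only."""
    # Group every site by hosting IP so co-hosted election sites can be spotted.
    by_ip = defaultdict(list)
    for name, _url, ip, _is_election in sites:
        by_ip[ip].append(name)

    report = {}
    for name, url, ip, is_election in sites:
        if not is_election:
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        findings = []
        if parts.scheme != "https":
            findings.append("no-https")
        # Compare the final DNS label exactly, so a lookalike such as
        # "county.gov.example.com" is not mistaken for a .gov domain.
        if host.split(".")[-1] != "gov":
            findings.append("not-dot-gov")
        # Assumption: same IP address means same server (shared hosting).
        if any(other != name for other in by_ip[ip]):
            findings.append("shared-host")
        report[name] = sorted(findings)
    return report


if __name__ == "__main__":
    for site, findings in audit(SITES).items():
        print(site, "->", ", ".join(findings) or "ok")
```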
Nebraska won a national award for election innovation. The state is deploying a tool called Albert sensors, used to detect intrusions in its voter registration system in real time and alert the Secretary of State’s office if an intrusion occurs. The program is federally funded and supported through the Center for Internet Security. Four other states and territories are also using this technology.
In Rock County, Wisconsin, Microsoft has tested its open source ElectionGuard software on VotingWorks’ machines. The software, which can be integrated with voting machine hardware, is designed to make voting more secure and verifiable. According to a blog post on the Microsoft site, it will “enable end-to-end verification of elections, open results to third-party organizations for secure validation, and allow individual voters to confirm their votes were correctly counted.”
Mobile voting apps are slowly being deployed with mixed results. In the aftermath of the Iowa caucus app debacle, West Virginia has decided to scrap a different mobile voting app developed by Voatz. Among the reasons was the discovery of exploitable security flaws that could let hackers manipulate and change voting data.
Federal assistance: funding and legislation
While federal funding is available for improving election infrastructure, “From the perspective of law and legislation, at least at the federal level, nothing’s improved since two years ago,” said the Electronic Frontier Foundation’s Cohn. “Some states are taking the lead: Colorado, for instance, is doing audits. But the more conservative parts of the federal government say that the feds shouldn’t be involved in election security and that the states should run it. That fight has resulted in no real action on the federal level in terms of the law.”
CISA, part of DHS, is the key federal agency responsible for national cybersecurity. For industrial control systems and other critical infrastructure networks, CISA issues advisories about known security issues and alerts about immediate threats.
CISA also offers free cybersecurity assessments and other election security services to state and local election officials for assessing the physical and cybersecurity of their election infrastructure. In February the U.S. Government Accountability Office warned that CISA had not yet completed plans for helping officials safeguard the 2020 elections. Those plans were supposed to be finalized in January.
Yet only a few days after March 3, Super Tuesday, bucking bipartisan support for increasing CISA’s budget, the Trump administration instead proposed cutting $150 million.
While the huge attack surface of our election infrastructure means funding remains inadequate, 10 House bills for funding election cybersecurity improvements have stalled.
“Voting security practices haven’t improved from two years ago; they’re still really bad,” said Schneier. “It shouldn’t be a partisan issue. There’s a belief that better voting systems and making voting easier helps Democrats, but when you’re talking about this kind of security vulnerabilities and attacks, both sides have to worry about it.”
“For voting to work, we need people to vote,” said Cohn. “And we want every vote to count.”