If there’s one thing we learned from the 2016 U.S. elections, it’s this: the entire process is in serious need of a cybersecurity update. And the biggest thing on most people’s minds right now as we head towards the midterm elections on November 6 is this: has the security situation gotten any better? Given how the existing technology deployed in the U.S. has been controversial for years, the possible answer is far from comforting.
Voting Machines Have Problems.
Voting equipment is a significant cyber attack target, and some voting machines have been found to be an easy hack. Last summer 2017, the DefCon Voting Village featured demonstrations with Diebold ExpressPoll 5000 and WINVote machines. WINVote devices have been found to be notoriously insecure in particular. Then this summer, Motherboard broke the story where voting technology vendor Election Systems and Software (ES&S) admitted to using remote access software on their machines, a grave security vulnerability which allows outside elections interference.
Another frequently used voting machine vendor, Diebold, has been caught up in corruption scandals for many years. According to the Columbus Free Press:
“Diebold was at the center of Ohio’s 2004 election debacle, and much of this captured in an article by Free Press Senior Editor Harvey Wasserman and this author, entitled, ‘Diebold’s Political Machine.’ Walden ‘Wally’ O’Dell, chairman of the board and chief executive of Diebold, was a long-time funder of Republican candidates. In September 2003, he held a packed $1,000-per-head GOP fundraiser at his 10,800-square-foot mansion Cotswold Manor in Upper Arlington, Ohio. He was feted as a guest at then-President George W. Bush’s Texas ranch, joining a cadre of ‘Pioneers and Rangers’ who pledged to raise more than $100,000 for the Bush reelection campaign. Most memorably, in 2003 O’Dell penned a letter pledging his commitment ‘to helping Ohio deliver its electoral votes to the President.'”
U.S. Elections Are Vulnerable.
And that’s just the tip of the iceberg when it comes to known cybersecurity vulnerabilities and controversies in America’s elections technology. It makes Russia buying Facebook ads look like small potatoes in comparison. Americans have good reason to suspect that some of these vulnerabilities are by design. And it’s reasonable to wonder if there’s corruption between politicians and technology vendors.
2018 is the year for midterm elections across the U.S. Although midterms aren’t as hyped as Presidential elections, they still have a significant effect on Washington D.C.’s power over the rest of the country. The midterm outcomes can influence whether or not the President is successful in passing legislation.
Protection Is Growing.
It was recently reported that Microsoft was able to prevent a cyber attack on political candidates. Microsoft’s Tom Burt confirmed the news, but was understandably vague:
“Earlier this year we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks. We saw metadata that suggested those phishing attacks were being directed at three candidates.”
Phishing websites for political candidates could be a way of deliberately making the candidate look undesirable, immoral, or incompetent. Or it could just be a means for grabbing usernames, passwords, and credit card numbers, using the candidate’s fame in the process. Alternatively, the phishing websites could be used to steal money from victims while simultaneously tainting the image of the specific political candidate. Two birds with one stone!
Speculation of a deliberate data breach is front and center in November’s election for the Governor of Georgia. Republican candidate Brian Kemp is being accused of involvement in a breach that likely exposed the digital records of 6 million voters by his opponent, Democrat Stacey Abrams. Kemp has called the accusation “fake news.” But Dr. Carol Anderson has been watching Kemp’s actions for years and has reason to believe that he’s been trying to prevent African Americans from voting.
Abrams states, “Mr. Kemp has worked diligently to fortify the Republicans’ crumbling bulwark since he became secretary of state in 2010. He has begun investigations into organizations that registered nearly 200,000 new Asian-American and African-American voters — efforts that resulted in the first majority-black school board in a small town. His investigations yielded no charges, no indictments, no convictions, despite years of probing, suspects’ losing their jobs and Georgia Bureau of Investigation agents knocking on doors. Yet the intimidation had an impact. An attorney from a targeted organization told a reporter: ‘I’m not going to lie; I was shocked. I was scared.'”
Meanwhile, a group of notable voting tabulation, election management, voter registration, electronic, and results-reporting technologies vendors have come together to form the Elections Industry Special Industry Group, with the stated intention of preventing foreign elections cyber interference in the midterms. It will share resources with the IT Information Sharing and Analysis Center, which works with companies like HP and Intel.
Future Goals Are Emerging.
Dominion Voting System’s Kay Stimson explained the purpose of the Elections Special Industry Group: “The goal is to broaden the view that we have and the information that we’re getting to include tech-focused threats that will impact our systems and our companies.”
So the companies involved in the group will share information about cybersecurity vulnerabilities. That’s great, but it won’t do much if a politician bribes vendors to make the voting results favorable to them regardless of how people actually voted. Or if a vendor deploys a deliberate vulnerability to facilitate outside interference. Perhaps the U.S. should follow Canada’s lead and return to paper ballots.