Securing the Vote Against Increasing Threats
23.10.2018 securityweek Security
With the U.S. mid-term elections just a couple of weeks away, there are continuing concerns over the security of the electronic voting procedures used by many states. These concerns range from the integrity of state voter registration databases through the compromise of individual voting machines to the accuracy of their calibration without a paper audit trail to confirm accurate vote tallying.
Hacking the vote can be differentiated from manipulating the voter. Russian attempts to manipulate voters occurred in the 2016 presidential election, and are happening now with the mid-terms. On Friday, October 19, a Russian national named Elena Alekseevna Khusyaynova, 44, was charged for her alleged role in a Russian conspiracy to interfere in the U.S. political system, including the 2018 midterm election.
According to the DoJ, Khusyaynova operated as chief accountant for 'Project Lakhta', which allegedly used social media and other internet platforms to address topics ranging from immigration, gun control and the Second Amendment, the Confederate flag, race relations, LGBT issues, the Womenís March, and the NFL national anthem debate. The project sought to conduct what it called internally "information warfare against the United States."
It is against this background of active and continued foreign 'meddling' in U.S. elections that concern over the security of the vote itself has become a serious concern.
The state of Georgia provides an illustration of these concerns. The Coalition for Good Governance and citizens of Georgia sued the Secretary of State in an attempt to force a block on the state using electronic voting in the mid-terms. They cited insecurity of the devices, lack of a paper audit trail, and possible compromise of the state's voter registration database.
In this instance, Judge Amy Totenberg denied the plaintiffs' motion, but made it clear that she would be receptive to future applications. She also made it clear that she was unhappy with the way the state handled "the ramifications of the major data breach and vulnerability at the Center for Election Services"; which is where the Georgia voter registration database had been left exposed to the internet.
Malicious manipulation of the database could have a serious effect on the accuracy of votes. Richard DeMillo, director of Georgia Tech's Center for 21st Century Universities, told SecurityWeek, "If I were a hacker trying to affect an election in this state, that's where I would start." With no suggestion of a connection, it is noticeable that early voters by 18 October (in person or by mail) were up 230% on the number of early voters at the same time in 2014 (figures from the BBC). At the same time, many of the postal votes are being rejected. Figures sent to SecurityWeek by the Coalition for Good Governance suggest that in one Georgia county 11.1% of African-American postal votes, 15.3% of Asian-American postal votes, and 3.8% of Caucasian postal votes had been rejected by election officials by October 18.
Georgia is not the only state to have received concerns over the integrity of the voter registration database. On October 15, 2018, Anomali posted a blog, 'Estimated 35 Million Voter Records For Sale on Popular Hacking Forum'. The details purport to be current, and come from 19 different states -- including Georgia.
Anomali writes, "Given the illicit vendor claims of weekly updates of voter records and their high reputation on the hacker forum, we assess with moderate confidence that he or she may have persistent database access and/or contact with government officials from each state. These types of unauthorized information disclosures increasing the threat of possible disruptive attacks against the U.S. electoral process such as voter identity fraud and voter suppression."
The potential for persistent access to voter registration databases in multiple states is concerning. In this instance, however, Mark Arena (CEO at Intel 471, which worked with Anomali on the discovery) told SecurityWeek, "Intel 471 has not seen any indication that threat actors are seeking to use the voter data to influence the elections. We assess that the most likely potential use of this voter data is for fraud as per other compromised databases with similar personally identifiable information."
Protecting these databases should be relatively simple -- it's what business does all the time. It seems clear, however, that many states have not taken as much care as is necessary. Of course, this is not a problem specific to election databases. However, stringent data protection laws with hefty financial sanctions (such as GDPR) are forcing companies to take more concern over how and where they store personal data. It is likely that if states and state officials were subject to serious sanctions, voter registration databases would be kept more secure for future elections.
Protecting the individual voting machines -- especially those known as direct-recording election (DRE) systems (that do not produce a paper audit trail) is a much harder task. SecurityWeek turned to Darien Kindlund, VP of technology at Insight Engines, to gain an understanding.
Kindlund pointed to two primary problems making voting machine security difficult. The first is the age of most systems, and the second is the nature of their use.
Forty-one states will be using equipment that is more than 10 years old. Old computers may be running operating systems that are no longer supported, while there is no easy way to ensure that those supported have received the correct level of patches. In fact, it is estimated that 41 states will use voting machines that are no longer manufactured.
The machines themselves spend most of their time in storage -- which, provided physical security can be maintained, ensures an effective air-gap. At the time of an election, however, DRE systems are wheeled-out and plugged into the internet to allow votes to be cast, accumulated and counted.
The sheer volume of aging machines that suddenly come into play places an exceedingly heavy, but sporadic, load on the teams charged with securing them. Georgia, for example, has 27,000 Diebold AccuVote DRE touchscreen voting units running a modified version of Windows CE.
Georgia was the first state to move to electronic voting starting in 2002, and some of the systems are that old. As long ago as 2007, Princeton university's Feldman, Halderman and Felten analyzed the AccuVote systems and concluded, "the machine is vulnerable to a number of extremely serious attacks that undermine the accuracy and credibility of the vote counts it produces."
Nothing much has changed. At this year's Vote Hacking Village at Def Con, 35 out of 39 children aged between six and 17 were able to break into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus, within three hours. The machines themselves fared little better. One system was using SSL certificates five years old, another had a removable memory card containing supervisor passwords in plain text, and another was running unsupported Windows XP that could be hacked in seconds.
The argument that the voting machines are kept securely off-line while not in use isn't valid. Kindlund points out that in use they are connected to the internet and could be compromised during that period. "Even while off-line," he added, "if attackers can gain access to one machine, it could be compromised. No security expert would guarantee that it could not be compromised with a stealthy malware that could spread worm-like once the machines are connected for an election."
But they remain just computers, and the security industry has been protecting computers for years. The biggest problem, suggests Kindlund, is the requirement for a small security team to monitor a large number of machines that is not part of their normal day-to-day workload. The solution, he suggests, is occasional checking by automated means.
His own firm, for example, offers Insight Investigator for Splunk. This is powered by a natural language processor that allows less-qualified staff to query a Splunk database. It could accept and respond to conversational queries such as, "Show me DRE systems with updates by status this week"; "Show me vulnerable winvote systems this week versus last week"; and for those DRE systems with remote access capabilities, "Show me logins to accuvote systems by source ip and dest ip this week".
Such methods would highlight vulnerable systems easily and within an acceptable timeframe -- allowing them to be made secure ahead of a vote.
The consensus among security experts is that electronic voting is not currently secure -- but there is no reason that it could not be made as secure as any other computer-based system. It just requires more effort and expenditure to do so. For now, there is no public evidence that any foreign power is attempting to sway the outcome of the 2018 U.S. mid-term elections through hacking the vote. But it wouldn't need to. If a foreign policy is to spread confusion, dissension and distrust within an adversary population, it has already succeeded. And it will continue to succeed until the vote is acknowledged to be secure, and the entire population is confident that their own vote will be accurately counted.