Is the US ready for election hacking 2018? No way.
- Summary:
-
With 2018 U.S. elections looming, the government has done little to reinforce the security of the American electoral process in the aftermath of what intelligence agencies agree was a major Russian cyber operation designed to sway the 2016 Presidential contest.
What many state officials found extraordinary was that the DHS disclosure of the states involved came some 10 months after the agency made the discovery and only months before some of the affected states - Florida, Ohio, Pennsylvania, Virginia, Wisconsin, Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Illinois, Iowa, Maryland, Minnesota, North Dakota, Oklahoma, Oregon, Texas and Washington—are scheduled to hold important elections in 2018. Sen. Mark Warner, the ranking Democrat on the Senate’s intelligence committee, said:
It’s unacceptable that it took almost a year after the election to notify states that their elections systems were targeted, but I’m relieved that DHS has acted upon our numerous requests and is finally informing the top elections officials in all 21 affected states that Russian hackers tried to breach their systems in the run up to the 2016 election.
While I understand that DHS detects thousands of attempted cyberattacks daily, I expect the top election officials of each state to be made aware of all such attempted intrusions, successful or not, so that they can strengthen their defenses -- just as any homeowner would expect the alarm company to inform them of all break-in attempts, even if the burglar doesn't actually get inside the house.
Most of the attempts were preliminary probes like scanning or failed attempts to infiltrate systems and none were aimed at the systems that actually tabulate votes, DHS said. Only two successful breaches have been made public so far. Hackers gained access to the records of tens of thousands of voters in Illinois' centralized registration database, but no records were deleted or changed. Russian hackers also gained access to the password and other credentials of a county elections official in Arizona. Earlier this year, a leaked National Security Agency report also detailed attempts by Russian military intelligence to infiltrate an election software vendor's computer and to use that information to send emails containing malicious software to 122 local election offices.
The lack of successful hacking of voting machines in 2016 should not lead to complacency. Alex Halderman, director of the University of Michigan's Center for Computer Security and Society, whose research includes information security testing on the exact machines used by states during federal elections, said at a recent Brookings Institute discussion:
The machines have vulnerabilities that could allow someone to hack in and alter the software that's running on them. You don't even need physical access to the machines. I think it's a matter of time before vote tampering occurs, if the vulnerabilities are left unaddressed. Our election systems are known to be vulnerable as these attacks will only become more sophisticated going forward. With just momentary access to the memory card that's used to program the ballot for the election, we could insert vote-stealing software that would then reprogram the machine... and select whoever we wanted as the winning candidate.
No action from Congress
Congress has also been oddly quiet on the subject of hardening American defenses against election intrusions. In June, U.S. Senator Amy Klobuchar, Ranking Member of the Senate Rules Committee with oversight jurisdiction over federal elections, introduced legislation to improve the security of U.S. election systems and make improvements to election administration. DHS has designated election infrastructure as a critical infrastructure, but the designation only provides expedited access to DHS information, it does not provide local jurisdictions with the resources they need to modernize and upgrade infrastructure to keep elections secure.
Klobuchar says her Helping State and Local Governments Prevent Cyber Attacks Act would help combat foreign interference by providing state and local governments with information and resources they need to keep our elections secure and improve voter confidence. The bill directs the Election Assistance Commission to hold public hearings and establish best practice recommendations for both election cybersecurity and election audits. Once those best practices are finalized, the bill provides for a grant program that helps provide states with $325 million in grant funds to implement these best practices.
So far, Congress has shown no interest in taking up the problem. Klobuchar’s plan has somewhere between zero and no chance of becoming law.
Washington State takes the lead
Another factor in the seeming lack of a national response to election hacking is that states zealously guard their voter rolls and databases and they are often reluctant to share information with national authorities. One notable exception is Washington State which began working with DHS before the 2016 election. Said Washington Secretary of State Kim Wyman:
We have embarked on an unprecedented opportunity to work collaboratively with the Department of Homeland. This partnership allows us to work together, elections and IT experts working hand in hand to ensure our systems are secure. The security protocols we already have in place made us aware of these attempted intrusions by Russian IP addresses throughout the course of the 2016 election. There was no successful intrusion and we immediately alerted the Federal Bureau of Investigation of the activities.
Wyman cites some highlights from its DHS partnership, including a Risk and Vulnerability Assessment (RVA) that encompasses a wide range of security services including penetration testing, web application testing, and social engineering as well as a Cyber Resilience Review (CRR) that measures and enhances the implementation of key cybersecurity capacities and capabilities of critical infrastructure of governmental entities. This is a non-technical assessment that helps the assessed organization to develop an understanding of its operational resilience and ability to manage cyber risk to critical services during normal operations and times of operational stress or crisis.
In addition, Washington employs the recommendations raised by security experts, and have done so for years. Such as, paper-based systems, including voter verifiable paper audit trails, independent testing, pre- and post-election audits and physical security of tabulation equipment.
My take
Part of the lack of urgency to address voting system vulnerabilities on the part of policymakers no doubt stems from President Trump’s refusal to accept the consensus assessment of America’s intelligence agencies, that Russia mounted a sophisticated cyberattack on the American voting process in 2016 using the selective leaks of purloined emails and targeted “fake news” on social media. The President still maintains that the “Russian thing” is a hoax and about one third of American voters agree with him, according to public opinion polls.
The DHS is willing to help states and municipalities that request assistance to bolster their security procedures but many states are paranoid, perhaps justifiably, about sharing that information. So, 2018 looks to be a lot like 2016—only more so.
Paper ballots, anyone?
As a side note, this story bears hallmarks that are similar to many other topics in both government and business and where critically important change is required. Not least of which is the rise of the anti-bodies to change that both resist and sabotage change efforts.