Cybersecurity, Election Infrastructure, and the Potential for Online Voting: A Series — Part 3
This is the third part of a five part blog series. Click here to read the Part 1 and Part 2 of our series.
Voting Machines
Like registration databases, voting machines are subject to adversarial threats, however, the aging stock of voting machines in use across the country makes them vulnerable to structural failure as well. The federated system of elections in the United States has resulted in a complex system of infrastructure that varies from state to state. Chronic underfunding, lack of maintenance, and an aging stock of machines have led to a landscape of voting and counting machines potentially vulnerable to attack or failure.
Although local boards of elections are responsible for the administration of elections, much of the United States’ election infrastructure is provided by private companies. Three companies, Election Systems and Software, Dominion Voting Systems, and Hart InterCivic control an estimated 90% of the industry (Miller, 2020). These companies have been resistant to oversight and remain largely unregulated (Huseman, 2019). This opacity and lack of supervision, combined with outdated hardware and software, contribute to the likelihood of machine vulnerabilities.
The most concerning election vulnerability related to voting machines is that malware can be installed onto the machines via election management systems (Halderman, 2018). Election management systems (EMS) are responsible for a wide variety of functions related to electronic voting machines, including installing ballots and tabulating results, and these systems are developed on networks that are often Internet-connected. EMS software is often installed on voting machines using a removable storage device, and that software could be infected with malware while being developed on the Internet-connected network where the EMS is created (Halderman, 2018).
Another potential vulnerability relates to whether voting and counting machines can connect to the Internet. Although election officials have testified before Congress that voting machines are not Internet-connected, cybersecurity experts have found this argument to be unconvincing. The fact that these machines are often Internet-capable makes them vulnerable to online attacks (Westby, 2020).
Additional threats posed by voting machines are more structural in nature. The age of the voting machine stock and the software that operates the machines not only present vulnerabilities to adversaries but also a real risk of structural failure. According to a report published last year by the Brennan Center, 45 states are using voting equipment that is no longer being manufactured (Norden & Cordova McCadney, 2019). In some cases, election officials are forced to find replacement parts for machines on secondary marketplaces like eBay (Cassidy & Liedtke, 2018). Voting machines and their parts available on the secondary market create additional security problems. Malign actors can acquire machines and parts to identify weaknesses in the voting infrastructure. In addition to aging hardware, many of these machines are running out-of-date software, including software that is no longer maintained by its manufacturer. Systems in South Carolina ran Windows XP as recently as 2019, and an unpatched version of XP was used on Virginia machines from 2004 to 2014 (Eddy, 2020). Hackers at DefCon, the world’s largest hacking conference, recently discovered that a machine used in the 2018 Virginia midterm election was running a version of Microsoft Windows CE that was fifteen years old (Parks, 2019).
Christopher King and Shlomo Ross have just completed their certification at Fullstack Academy Cyber Bootcamp and are pursuing careers in Cyber Security
Sources:
1) Miller, M. (2020, January 9). Voting machine vendors to testify on election security. TheHill. Retrieved October 21, 2020, from https://thehill.com/policy/technology/477455-voting-machine-vendors-to-testify-on-election-security2) Huseman, J. (2019, October 28). The Market for Voting Machines is Broken. This Company Thrives in It. ProPublica. Retrieved October 21, 2020, from https://www.propublica.org/article/the-market-for-voting-machines-is-broken-this-company-has-thrived-in-it 3) Halderman, J. A. (2018, September 13). Hacking Democracy. MIT Technology Review. Retrieved October 21, 2020, from https://events.technologyreview.com/video/watch/halderman-michigan-hacking-democracy/ 4) Westby, J. (2020, April 16). HBO Documentary Shows the Value of Cybersecurity in Election Security. Forbes. Retrieved October 22, 2020, from https://www.forbes.com/sites/jodywestby/2020/04/16/hbo-documentary-shows-the-value-of-cybersecurity-in-election-security/#55e3ba393f1c 5) Norden, L., & Cordova McCadney, A. (2019, March 5). Voting Machines at Risk: Where We Stand Today. Brennan Center for Justice. Retrieved October 21, 2020, from https://www.brennancenter.org/our-work/research-reports/voting-machines-risk-where-we-stand-today 6) Cassidy, C. A., & Liedtke, M. (2018, November 7). Midterm Voting Exposes Growing Problem of Aging Machines. AP. Retrieved October 22, 2020, from https://apnews.com/article/e1de7029cf2246ab97697ddf8f52d018 7) Eddy, M. (2020, September 21). Election Engineering: How US Experts Are Making Sure Your Vote Will Count. PCMag. Retrieved October 22, 2020, from https://www.pcmag.com/news/election-engineering-how-us-experts-are-making-sure-your-vote-will-count 8) Parks, M. (2019, September 4). Cyber Experts Warn of Vulnerabilities Facing 2020 Election Machines. NPR. Retrieved October 22, 2020, from https://www.npr.org/2019/09/04/755066523/cyber-experts-warn-of-vulnerabilities-facing-2020-election-machines
