On today's BradCast: Elections officials seem to be panicking around the country, and for good reason. But their concerns may be coming a bit late...perhaps a decade or so too late, as virtually every aspect of our "public" elections in the U.S. --- from ballot programming to registration to voting to vote tabulation to election results reporting --- has now been allowed to have become largely taken over by private vendors and contractors, with little or no oversight from either state or federal officials. [Audio link to today's full show is posted at end of article.]
An exclusive analysis last month by AP found that virtually all voting systems currently in use in the nation's 10,000 separate voting jurisdictions in all 50 states run on software --- Windows 7 or earlier --- that will no longer be supported by Microsoft with regular security updates and patches as of January. That includes systems certified by the U.S. Elections Assistance Commission (EAC) from the nation's largest private elections vendors as recently as this year. Those newly certified systems still use Windows 7, which was released a decade ago in 2009.
Of course, the EAC's certification process --- for the few states which choose to follow federal voluntary (yes, voluntary) guidelines --- has been laughable for years. It focuses on usability and functionality, not security. Most systems in the U.S., if they are EAC certified at all, were tested to guidelines published by the EAC in 2005.
At a summit this week of elections officials and vendors, hastily convened by the EAC in Maryland in response to the disturbing AP analysis, officials complained about the lack of federal support and standards, and that financially strapped and technologically challenged elections divisions at both the state and local level are realizing only now that they are being asked "to take part in what is national security" with little or no help from the federal government. One official at the EAC confab reportedly complained: "We are talking about local communities having trouble funding roads and water bills, and now we want them to take part in defense against foreign and state actors."
Of course, it is not only nation-states like Russia that pose a threat to the security of America's vulnerable, computerized and privatized public elections, so do regular old Americans, as the recent hack by a woman in Seattle of more than 100 million customer records at Capitol One proved, along with the vulnerabilities in brand new voting and registration systems discovered by hackers in a few hours at the DefCon Voting Village convention last weekend in Las Vegas.
All of this comes on the heels of Thursday's federal court ruling finding Georgia's voting systems to be so "unsecure, unreliable, grossly outdated....seriously flawed and vulnerable to failure, breach, contamination and attack" that the judge declared the systems (which are similar to ones used in several other states) a violation of voters' Constitutional right to have their votes counted as cast.
But all of that might ultimately be small potatoes in light of longtime cybersecurity journalist and author KIM ZETTER's recent exclusive at VICE's Motherboard, finding that "Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials". Zetter, one of the only journalists in the nation who has been covering these matters as long or longer than we have at this point, joins us on today's program to explain her jaw-dropping article which begins this way: "For years, U.S. election officials and voting machine vendors have insisted that critical election systems are never connected to the internet and therefore can't be hacked. But a group of election security experts have found what they believe to be nearly three dozen backend election systems in 10 states connected to the internet over the last year, including some in critical swing states. These include systems in nine Wisconsin counties, in four Michigan counties, and in seven Florida counties --- all states that are perennial battlegrounds in presidential elections. Some of the systems have been online for a year and possibly longer."
In many cases, she tells me, the elections officials seemed to have no idea that their systems were connected to the Internet by their vendors. As for the vendors' part --- in this case, the nation's largest, ES&S --- Zetter explains their bizarre claim that voting and backend tabulation and reporting systems connected around the clock for years at a time aren't really connected to the Internet at all --- and, even if they are, they are perfectly secure. Zetter and the data researchers found otherwise.
The systems found vulnerable on the net, she details, would allow a malicious actor to change unofficial election night results, official results, and the public reporting of the results themselves. Moreover, she explains, access to the exposed backend portions of these systems over the Internet could also result in malware being transferred to voting machines themselves. And all of this was discovered by a small team of researchers with little or no funding. No nation-state required, she confirms.
"If it was just a box on the Internet that was receiving the votes transmitted [on Election Night from the precinct] that would be a security problem in itself, not only because you could potentially alter those votes. They are unofficial results on Election Night --- and the officials results are taken from the actual memory cards in the voting machines. But if you can alter the unofficial results, that's going to create a lot of mistrust in the final outcome if they don't match," she says.
"But even if you don't alter those votes, that communication over the phone between the voting machine in the field and that backend server that's on the Internet creates a channel for infecting those voting machines. So, someone who could actually install that malware on that system on the Internet can design it in such a way that it downloads to the voting machines when they connect to that system. So the attackers can alter that voting machine in preparation for a future election."
"But that's not the only problem," she continues. "If that was the only thing that was on the Internet, that would be a concern in itself. What was remarkable is that ES&S acknowledged to me that they don't just put an empty box on there to receive the votes. Also connected to that Internet connection is the backend system for tabulating both the unofficial results on Election Night, and those official results that are later taken from the memory card."
"And the Election Management System is also connected. The Election Management System is used to do a lot of functions in elections. Among them is the actual programming of these voting machines before each election. So, if you don't get to the machines through that little receptacle that's connected to the Internet, you can get to that backend Election Management System and put in malicious code that then gets transferred directly to the voting machines before the next election."
But, of course, other than that, why worry, right? Well, Zetter has much more to say on that as well, including about Republican Senate Majority Leader Mitch McConnell's continuing efforts to block any and all election security measures in the Senate that might help shore up at least some of these concerns, including bills already passed by the House that would mandate hand-marked paper ballots for all voters. Even that, at this point, wouldn't fully protect against attacks on computer optical-scanners currently used in all 50 states to tabulate those ballots with little or no post-election audits to make sure they did so accurately...
(Snail mail support to "Brad Friedman, 7095 Hollywood Blvd., #594 Los Angeles, CA 90028" always welcome too!)