Are US Voting Machines Secure From Hackers?

Uploaded on 2016-09-09 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Some key swing states have declined an offer from the Homeland Security Department to scan voting systems for hackers ahead of the presidential elections.

As suspected Russian-sponsored attackers compromise Democratic Party and other US political data allegedly to sway voter opinion, some security experts say it wouldn’t even take the resources of a foreign nation to manipulate actual votes using this country’s antiquated tallying systems.

Against this backdrop, Homeland Security Secretary Jeh Johnson during an Aug. 15 call with state election officials, offered states DHS services that can inspect voting systems for bugs and other hacker entryways. Earlier in the month, he also suggested the federal government label election systems as official US critical infrastructure, like the power grid.

But some battleground states, including Georgia and Pennsylvania, say they will rely on in-house security crews to maintain the integrity of voter data.

“The question remains whether the federal government will subvert the Constitution to achieve the goal of federalizing elections under the guise of security,” Georgia Secretary of State Brian Kemp told Nextgov in an email. “Designating voting systems or any other election system as critical infrastructure would be a vast federal overreach, the cost of which would not equally improve the security of elections in the United States.”

Georgia, where some projections show presidential contenders Hillary Clinton and Donald Trump neck and neck, reportedly could use a vote machine reboot.

“Georgia, which is running electronic-only machines—there’s no paper trail. … And the machines they’re using are more than a decade old, so the hardware is falling apart. And the operating system they’re using is Windows 2000, which hasn’t been updated for security for years, which means it’s a sitting duck,” Zeynep Tufekci, a University of North Carolina information and library science professor, told NPR on recently.  

There is no evidence ballot manipulation has ever occurred in the United States, and, per Johnson, DHS is not aware of any credible cyber-threats related to 2016 general election systems.

All the same, vote machine hacks are all the rage among researchers at Las Vegas hacker confabs.  

Even top White House tech privacy adviser Ed Felten helped demonstrate the weaknesses of digital voting booths in his previous life as a Princeton University academic. In a 2009 paper Felten co-authored, researchers commanded an AVC Advantage voting machine, the kind still deployed in Pennsylvania and other states, to steal votes. No Internet required. They altered a pretend election by inserting a malicious memory cartridge the size of a paperback book that would typically be used for recording votes. The tainted device combined snippets of authorized code inside the system to cause the unauthorized behavior.   

“An attacker who has access to the machine the night before an election can use our techniques to affect the outcome of an election by replacing the election program with another whose visible behavior is nearly indistinguishable from the legitimate program but that adds, removes or changes votes as the attacker wishes,” Felten and colleagues from Princeton, University of California at San Diego and the University of Michigan wrote in “Proceedings of the 2009 Electronic Voting Technology Workshop.”

No Recounts

Because of hacking concerns, many states are keeping a paper trail to audit the vote count, but not all. In addition to Georgia, parts of Pennsylvania, another tossup state, do not maintain paper backups in the event of a hack, Tufekci said.

Pennsylvania officials say cybersecurity experts from the commonwealth’s IT shop work closely with the state elections team to secure voting-related infrastructure. “Pennsylvania has implemented policies, technologies, best practices and procedures around the safeguarding of data and the protection of our applications, systems and resources,” Pennsylvania Department of State spokeswoman Wanda Murren said. “We constantly monitor our data and systems for vulnerabilities and attempted attacks in order to keep pace with the rapidly evolving threat landscape.”
She declined to go into specifics as a matter of policy.

A Homeland Security spokesman told Nextgov on background “several states” currently use DHS hygiene scans and assessment services for voting systems. He would not disclose the names of any jurisdictions.

Florida, where Trump has been down nine points, declined to say whether it will ask DHS to scan local voting machines but did participate in the national teleconference with Johnson.

The Florida secretary of State Department “is engaged with DHS, in addition to all of our other state and federal stakeholders, on an ongoing basis to help ensure the security and integrity of Florida elections,” department spokeswoman Meredith M. Beatrice said.

Ohio, where Clinton has a narrow advantage over Trump, appears to be taking advantage of some DHS support for election cybersecurity.

“The Ohio Department of Homeland Security is working with their federal counterparts, so we are working through them to perform the needed scans,” Ohio secretary of state spokesman Joshua Eck told Nextgov in an email.

Richard Clarke, a former National Security Council adviser under presidents Bill Clinton and both of the George Bushes, cautions it could be hard to detect a slight manipulation of voter data in some swing precincts.

“Smart malware can be programmed to switch only a small percentage of votes from what the voters intended. That may be all that is needed,” Clarke, now an ABC News consultant, commented recently.

DefenseOne

« Islamic State Members Embedded In Government
UAE Using Israeli Spy Technology »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Ergon Informatik

Ergon Informatik

Ergon Informatik AG is Switzerland's leading provider of customised software solutions and software products including fraud detection and the Airlock web security suite.

Advisera 27001Academy

Advisera 27001Academy

Advisera is a market leader in providing documentation and online support for the implementation of business standards including ISO 27001, ISO 22301 and EU GDPR.

Startupbootcamp Fintech & Cybersecurity

Startupbootcamp Fintech & Cybersecurity

Startupbootcamp is the world’s largest network of multi-corporate backed accelerators helping startups scale internationally.

AiCULUS

AiCULUS

AiCULUS is a global technology company that specializes in API security and Risk Management products.

FraudLabs Pro

FraudLabs Pro

FraudLabs Pro detects fraud and helps merchants to reduce e-commerce chargebacks by identifying high risk transactions.

Binary Security AS

Binary Security AS

Binary Security is a Norwegian information security consultancy company. We are specialists at application security, penetration testing and secure code reviews.

FPT Software

FPT Software

As a leading technology service provider, FPT assists customers of all sizes and from any industries in implementing and adapting digital technologies including cybersecurity.

Upfront Security

Upfront Security

Upfront Security helps companies with innovative products & services to prevent, recognise and recover from (identity) fraud.

Abertay cyberQuarter

Abertay cyberQuarter

The Abertay cyberQuarter is a cybersecurity research and development centre housed within Abertay University.

Amazon Web Services (AWS)

Amazon Web Services (AWS)

Amazon Web Services is the world’s most comprehensive and broadly adopted cloud platform, offering fully featured services from data centers globally.

Oort

Oort

Oort is an identity threat detection and response platform for enterprise security. The Oort platform is API-driven, cloud-native and agentless for rapid time to value and high scalability.

ASMGi

ASMGi

ASMGi is a managed services, security and GRC solutions, and software development provider.

Pistachio

Pistachio

Pistachio is the new evolution of cybersecurity awareness training and attack simulations.

TachTech

TachTech

TachTech is passionate about trust, security and privacy in the digital world. We create tailored security and compliance solutions to improve your business.

ConvergePoint

ConvergePoint

ConvergePoint is the leading compliance software provider on the Microsoft Office 365 SharePoint platform.

ABPCyber

ABPCyber

ABPCyber offers holistic cybersecurity solutions spanning DevSecOps, advisory and consultancy, designing and integration, managed operations, and cybersecurity investment optimization.