HBO Documentary Shows The Value Of Cybersecurity In Election Security
One thing is sure: after the coronavirus is no longer dominating the news, election security will come back to center stage. It is a complicated subject that few people really understand – even election officials. It is important to know right off the bat that election security is not just about Russian interference and disinformation campaigns; it is also about the role that private sector companies play in the voting system and the security vulnerabilities associated with voting machines and election processes.
Get started on your cybersecurity degree at American Military University.
Unbeknownst to most people, the core activities within elections are handled by private sector companies, not state or local officials. Private companies (a) sell the voting machines and program them for most elections, (b) register voters, (c) tally votes, and (d) report votes, and there are known security vulnerabilities in every process. The security of our elections is really about the vulnerabilities within the voting machines and electronic processes used in all of these functions, weak cybersecurity practices within election agencies, and the cluelessness of election officials about the technology they use.
HBO Documentary — Kill Chain: The Cyber War on America’s Elections
HBO spent four years talking to some of the world’s foremost experts on election issues, following them around from country to country, and putting together a compelling documentary film telling the real story about election security more completely and clearly than any other news report – Kill Chain: The Cyber War on America’s Elections. It premiered March 26 and is now available free on YouTube. The film is one every American should watch to learn the truth from the cybersecurity community, leading reporters and academicians, and the cyber criminals themselves about how insecure our elections really are.
Voting Machines and Electronic Processes
Harri Hursti has been working on election security issues for the past decade and is widely considered one of the foremost experts on the subject. In 2005, Hursti performed the famous Hursti Hack and successfully altered votes in a one-step hack that changed both the central tabulator results and the voting machine results tape. It was the digital equivalent of stuffing the ballot box. The election official who invited Hursti to check the Diebold AccuVote optical scan voting machines said he would not have been able to detect the change and would have certified the election. HBO’s 2006 Emmy-nominated documentary (for investigative journalism), Hacking Democracy, covered this hack.
The hack demonstrated that Diebold’s claims that votes could not be changed on the memory card and that the cards did not contain any executable code were false. Diebold called the hack a “sham.” California’s Secretary of State asked UC Berkeley to investigate the Hursti Hack. They did and issued a report validating Hursti’s work and stating that it was indeed possible to change the election results. Hursti subsequently found serious security flaws in the Diebold AccuVote TSx touch-screen voting machine.
In 2009, Diebold Election Systems was sold to its competitor, Omaha-based ES&S, and in 2010 ES&S flipped it to Dominion Voting Systems, a company with international headquarters in Toronto, Canada and U.S. headquarters in Denver.
None of the vulnerabilities found by Hursti were ever fixed, and these same machines are planned for use in 20 states in the 2020 election. A later model of these same voting machines – with the same vulnerabilities – was used in the hotly contested and disputed 2016 election for the governor of Georgia between Brian Kemp and Stacy Abrams. During that race, some of the machines malfunctioned, particularly in precincts that were known to be important to the outcome of the race. Lines were long, some waited five hours, and some voters did not get to vote.
As Hursti succinctly notes in the film:
There are many avenues for tampering with an election, including changing votes, causing machines to malfunction, altering voter registration records, and disrupting equipment used to check in voters. The film covers all of these possibilities.
Russians Hacked and Planned
The Russians did more in the 2016 elections than run disinformation campaigns. In the film, Ion Sancho, the Supervisor of Elections in Leon County, FL from 1988-2016, relates how all supervisors of elections in the state of Florida were ordered to participate in a secret call on September 30, 2016, during which the FBI informed them that a foreign power had penetrated a vendor who serviced Florida elections. Mr. Sancho said they very quickly realized the FBI was referring to the GRU, Russia’s military intelligence service, and VR Systems, a company that handles all of the programming for the majority of the counties in Florida and handles all absentee ballots and early voting.
VR Systems sells electronic poll books in eight states, which are used to check in voters and determine if they are legitimately registered. The film carefully documents situations in the 2016 elections where electronic voter ID systems in several states went down in certain precincts. These machine “technical glitches” caused hours-long lines for people who had come to the polls to vote. Some voters were unable to wait and others could not vote before the polls closed.
Sue Halpern, an author and contributor to The New Yorker who has researched and written about election security problems, states:
Mr. Sancho notes that all of the election officials in the country were “clueless” about what had happened until an NSA contractor, Reality Winner, leaked a Top Secret report that detailed how the Russians had launched a voter registration spear-phishing campaign targeting U.S. election officials involved in the management of voter registration systems. The Intercept anonymously received the NSA report, independently authenticated it, and reported on the Russian campaign in more detail. Sen. James Lankford (R-OK) states in the film that, “It was about a year later before the states that were actually attacked by the Russians were able to hear and know it was the Russians doing it. We should never have that.”
As it turns out, the organization that is tasked with providing voting best practices and assistance to all election officials across the country, the U.S. Election Assistance Commission (EAC) was perhaps the weakest link in the nation’s voting system. The EAC is a bipartisan commission established by Congress in 2002. It maintains the national mail voter registration form, accredits testing laboratories and certifies voting systems, and serves as a national clearinghouse of information on election administration. In testimony before Congress, Thomas Hicks, Chairman of the EAC, emphasized that, “Our elections are secure. They are secure because the American election administration system inherently protects them.”
Mr. Hicks’s reassurances fell apart in December 2016 when cybersecurity company Recorded Future reported that a Russian-speaking hacker named Rasputin was selling access to the EAC’s computers. Recorded Future actually obtained EAC documents from Rasputin, including lists of voting machinery, test reports of their software, and where they were deployed. Hursti called the document a “one stop shop all of the information you need to plan your attack campaign; it is a very horrible scenario.” Rasputin had full admin access to the database and could upload any file he wanted.
An EAC employee whose credentials had been compromised said if Rasputin had access to the database, he could access the server where the proprietary information is kept. Sen. Lankford explains in the film that the EAC keeps information about vulnerabilities in voting systems, so a hacker who gets into the EAC could find out where the weak links are in the voting system. He notes that “for a persistent actor, especially for a foreign government, who has the finances and the capability to be persistent in it, this is the way to do it.”
Voting Machine Companies: Recalcitrant and Arrogant
James Comey, former Director of the FBI, told Congress, “Our voting system in the United States is so very, very hard for someone to hack into because it is so clunky and dispersed….”
That view is probably shared by most Americans. They know that elections are managed at the local and county levels and assume that it would be too difficult to coordinate a hack that could influence an election.
This is wrong-headed thinking. There are three primary vendors for voting machines: Election Systems & Software (ES&S), Dominion Voting Systems, and Hart InterCivic, and very little is known about the security of these companies’ own IT systems. Some voting machines are optical scanners, some have touch screen voting, some use QR codes or bar codes, and others send votes in clear text back to vendors to be tallied. They can all be hacked or compromised. If almost all of the voting precincts in our clunky system use equipment from these vendors, an attacker only needs to hack the equipment to reach all of the voters.
Former White House Cybersecurity Coordinator, Michael Daniel, notes in the film that voting machine companies generally are not known for cybersecurity expertise. Jake Stauffer, a former cyber analyst for the Air Force who has tested ES&S and Dominion voting systems for the state of California observed that:
When Stauffer tested ES&S’s DS200 machine, they found multiple vulnerabilities that would enable an attacker to gain full access to the system, change configurations, and install a modified operating system without election officials knowing. Stauffer states that the vulnerabilities would enable a hacker to gain the highest level of privilege and gain remote access into the system and do whatever they wanted to do, “whether its change an election or shut the system down.” He found similar vulnerabilities in Dominion’s Democracy Suite voting equipment that would enable remote code execution, denial of service attacks, and off-line ballot tampering. “How can a vendor sell a voting system with this many vulnerabilities?” he asks.
Unlike major technology companies, such as Apple and Microsoft, these vendors do not allow researchers to test their equipment or review their code to find vulnerabilities and bugs. The symbiotic relationship between tech software and hardware vendors and researchers helps them improve their products and keep them secure. Voting equipment companies, however, have been highly resistant to any review by the research community, claiming their systems are safe and secure.
Three years ago, Hursti and Matt Blaze, the McDevitt Chair of Computer Science and Law at Georgetown University, set up an annual Voting Village at the popular DEF CON conference and invited the cybersecurity community to come test the voting machines and voting equipment that they had been able to assemble. Hursti has been able to purchase at least six machines on eBay, including the AccuVote TSx, which remains one of the most popular – and vulnerable – voting machines. He obtained others at surplus stores or directly from election officials. Most of the machines contained fairly recent voting data.
During the three years of the Voting Village’s existence, none of the vendors has supported the effort or has been willing donate or offer equipment for the researchers to work with at Voting Village. The idea behind the Village is to (1) help develop a community of cybersecurity experts in election security so there are more resources nationally to assist election officials, and (2) to help make the voting equipment more secure by revealing vulnerabilities. It is noteworthy that numerous state and local election officials do partake in the Voting Village and appreciate the work of the cybersecurity researchers.
Voting Machines, Election Officials, and the Internet
There is this popular belief that voting machines do not connect to the Internet. EAC chairman Thomas Hicks testified before Congress that, “From what we have determined, no voting machines are connected to the Internet…. and so there will not be any sort of Internet hack or Internet incidents.” Amy Cohen, Executive Director of the National Association of State Election Directors, testified that, “Voting machines themselves are not connected to the Internet.” Brian Kemp, current Governor and former Secretary of State for Georgia, testified, “They are non-networked pieces of hardware that do not connect to the Internet.” Andy Ozment, Assistant Homeland Security Secretary for Cybersecurity and Communications, testified, “The devices are not connected to the Internet.” James Comey, former FBI Director, testified, “Those things are not connected to the Internet.”
This was the moment during a private showing of the film for cybersecurity experts when the entire room burst out laughing. Husti says, “Every single system we have, there is a place where it touches the Internet…it might be indirect, it might be infrequent, but it is always there.” When Hursti powers up a machine he purchased off eBay, the first thing it wanted to do was connect to the Internet. Additionally, election officials are less alert between elections, so hackers can infect a machine and the malware can remain dormant in machines between cycles. Jeff Moss, founder of the BlackHat and DEFCON conferences, points out that it would not be difficult to hack these simple machines and erase any traces.
Alex Halderman, Professor of Computer Science and Engineering at the University of Michigan, examined the Diebold AccuVote TSx touch screen voting machine with Hursti. They discovered that the machine has a slot for a wireless modem, plus it has a telephone jack and network card, and also has room for a SD slot for an additional memory card that could be used for a wireless connection. “These machines want to be talking to other devices; they are built for it, and that is what magnifies the threat,” Halderman notes. He demonstrates how to scale an attack with software he developed that could spread code from machine to machine to ultimately “upset an election across an entire county, an entire state, an entire country.” The software he said controlled the machine, the printer, ballot programming, and paper summary tapes. The whole ball of wax.
Sandy Clark, a cybersecurity researcher at the University of Pennsylvania, noted, “I feel like we are in terrible danger of losing what it means to be a democracy; if elections can be altered subtly, they can be altered in a way that is undetectable, how does one trust the results of their election….those of us who know how vulnerable the voting systems are in these elections are terribly afraid right now.”
In 2018, Hursti was contacted by Nathaniel Herz, a reporter for the Anchorage Daily News (2013-2018), about some election concerns he had been investigating since the 2016 election. The paper was investigating whether recent activity in Alaskan election systems was linked to the Russian activities they had been reading about. In a call with Josie Bahnke, Alaska Elections Director (2015-2018), Ms. Bahnke said the FBI had advised them that Russians had, in fact, “rattled the door” of their election systems and looked at their website but there had been no breach.
The paper sent a FOIA request to the election office. After a year, they received a packet of documents that included a summary of the FBI call. The documents revealed that a hacker whose Twitter handle was @CyberZeist had compromised the Alaska Division of Elections on election day in 2016 by compromising the web application. He used privilege escalation to access the server’s file system, and posted a screen shot from the system’s election results as proof that he was able to access administrative areas of the server. The message also indicated the ballot administrator’s password had been compromised.
CyberZeist had a reputation for cyber hacking and had an Indian IP address. Hursti felt like a proper investigation had not been performed and “the whole thing was brushed over.” Through Twitter, the movie crew was able to find CyberZeist and filmed several communications they had with him. Initially, Hursti did not trust him, but later concluded that he was indeed behind the Alaskan hack.
CyberZeist said he entered a “certain kind of instructions” in the username and password logon fields that produced an error which provided the details of what was installed in the election database. He was able to access every user account and password, even administrator credentials. In the film, CyberZeist says, “I had root access, which not only allowed me to make small changes, but granted me full access of the system.” He was able to access the GEMS (Global Election Management System) system that held the live voting data of the 2016 U.S. presidential election. “I could have made any changes in the system…changes like deleting the candidate…I could alter any data, any vote,” he explained. Ultimately, CyberZeist said he chose not to do anything within the system at that moment out of fear that he might get caught. He disclosed that he was aware of a Russian hacking group that was also actively scanning U.S. election systems and trying to change the vote.
Paper Ballots, Voting Machines & the Senate
Virtually all of the scientific and cybersecurity experts – including the National Academies of Science – who have studied vulnerabilities in the election process are advocating the use of paper ballots. In part, this is due to the vulnerabilities that are known to exist in the voting machines currently in use and, in part, it is due to the necessity of having a paper audit trail to validate elections. QR and bar codes can be hacked, optical scanners and touch screens do not have a paper trail, even the touch screen machines with side printers do not provide an adequate audit trail. In order to have a meaningful, auditable ballot, it needs to be a hand-marked paper ballot. Mail in ballots may be the perfect solution for 2020; any security issues are surely less than those in our current system.
The American Bar Association, which represents over 400,000 attorneys, recently adopted a Resolution that urges the U.S. Congress to enact legislation that would define federal standards for election systems software, infrastructure, and hardware used in the handling, storing, processing, or transmitting data for voter registration, vote tallying, voter polling, or the manufacturing, servicing, or writing of election parameters of voting machines and equipment.
The Resolution also calls for a security certification process for election systems and an analysis of the private sector’s role in the election process, with recommendations of any functions that should be performed by government. The Resolution urges that federal funding be restricted to only those jurisdictions that:
· Comply with the NIST standards
· Use equipment that undergo annual comprehensive cybersecurity assessments
· Use only private sector vendors who also undergo cybersecurity assessments and make their reports available to election officials.
The ABA also urges Congress to require the deployment of machine-readable paper ballots.
The problem is…Senate Majority Leader Mitch McConnell refuses to bring election security bills to the floor to be voted on. Why? Well, perhaps because the current system has worked just fine for a politician in the White House.
Cybersecurity Best Practices & Standards Can Help
Election security problems will not get corrected overnight, but standing up a cybersecurity program for election systems that is in alignment with cybersecurity best practices and standards will be a big first step. Election officials should already be doing this, but most clearly are not. They are not only using equipment with vulnerabilities; their own networks and systems are vulnerable as well.
Election officials also should require election vendors to meet cybersecurity standards and best practices and conduct annual risk assessments of their program’s maturity. This is what all businesses are supposed to do – manage third party risk; election officials should do the same. In addition, they should follow the lead of California and other jurisdictions and hire experts to test the security of their voting machines and equipment and then demand that vendors close any vulnerabilities found. The findings of these tests should be shared among election officials around the country.
Legislation and other reforms are needed, but election officials can achieve these things through their own direction and in legal agreements with their election vendors. They should begin now and do as much as possible before November.