The Race to Secure American Election Infrastructure

In July 2017, DEFCON’s annual event in Las Vegas included a new feature: a Voting Machine Hacking Village (“Voting Village”) to highlight cyber vulnerabilities in U.S. election infrastructure. Over 25 pieces of election equipment, including paperless electronic voting machines and electronic poll books, were made available to mainstream hackers, free of restrictions for the first time. Most models are still widely used in U.S. state and local elections today.

By the end of the conference, every single piece of equipment had been effectively breached.

One machine’s password was “abcde” and could not be changed. One hacker set up a machine to play Rick Astley’s “Never Gonna Give You Up” after successfully changing vote totals. One machine was hacked in two minutes. And one electronic poll book–a Diebold ExpressPoll 5000 that had been used to check in voters circa 2008 and was acquired for DEFCON from eBay–still had personal voter information stored for 654,517 voters from Shelby County, Tennessee; the data included home addresses and voting records, was not encrypted or password protected, and was stored on a removable memory device.

Shortly after reports emerged from DEFCON over how easy it was to hack voting machines, Virginia’s Department of Elections decertified all DRE (Direct Recording Electronic) voting machines that were in use by the state. DRE voting machines do not produce a paper record of a vote, making it almost impossible to detect suspicious activity.

America’s election infrastructure is highly decentralized, often managed at the county or municipality level. This system has benefits, making elections at the national level difficult to rig and allowing for small-scale experimentation and innovation. However, it also means that individual jurisdictions may not be knowledgeable about security procedures or improvements; or they may not have the funding for (or desire to allocate budget toward) security issues with voting equipment and data.

Furthermore, when this decentralized system is combined with America’s current political landscape–where only a few highly-populated counties can swing the total Electoral College vote one way or another–it means that only a few small, underfunded local election systems would theoretically need to be breached in order to swing a national election.

Election cybersecurity researchers saw some of their fears realized when on October 7, 2016, a Joint Statement from the Department of Homeland Security and Office of the Director of National Intelligence on Election Security reported that states were seeing “scanning and probing” of elections systems, and urged states to take advantage of Homeland Security’s cybersecurity assistance in advance of the 2016 election. It is unclear how many, if any, states took the DHS up this offer.

In June 2017, Samuel Liles, Acting Director of Cyber Division, Office of Intelligence and Analysis, at the Department of Homeland Security (DHS), testified before Congress that 21 states were targeted and actors connected with the Russian government were responsible. He told the Senate Intelligence Committee that the hackers seemed to be looking for vulnerabilities, and penetrated the systems in a handful of states, including Illinois and Arizona.

DHS did not notify state election officials if their election systems had been targeted by Russian government hackers until September 22, 2017, nearly a year after the Joint Statement warning.

The Illinois State Board of Elections noticed the attack on the Illinois voter registration database on July 12, 2016, about three weeks after it had begun on June 23rd. The website was under attack, through a SQL injection vulnerability that allowed attackers to access voter registration records. According to testimony from Steve Sandvoss, Executive Director of Illinois State Board of Elections, “Firewall monitoring indicated that the attackers were hitting SBE IP addresses five times per second, 24 hours a day. These attacks continued until August 12th, when they abruptly ceased.”

Illinois’ most populous county, Cook County is obviously aware of the work that must be done to protect voting systems in 2018 elections and beyond, but they do not have the funding to be able to effectively act. In a white paper (PDF) published in December 2017, Cook County Clerk David Orr called for federal support for American elections officials, including supporting a digital network for local elections officials to facilitate knowledge sharing when threats arise or occur, and financing an Elections Infrastructure and Information Security Officer (EIISO) “for every local and state election official in the country.”

“Local election officials–nearly 9,000 of them in the country–are the shock troops on this new battlefield,” the report opens. “They desperately need resources, including federal government resources.”

In the final days of the Obama Administration, the Department of Homeland Security classified elections as “critical infrastructure,” a designation the Trump Administration has been openly critical of but has so far not reversed. This classification puts elections infrastructure into a highly protected category, alongside other critical infrastructures such as emergency services and the electric grid. It means that “storage facilities, polling places, and centralized vote tabulations locations used to support the election process, and information and communications technology to include voter registration databases, voting machines” and more are a priority for cybersecurity protections and assistance from DHS.

But lawmakers, especially on the Senate Intelligence Committee, have been concerned that DHS is not doing enough or moving fast enough to protect elections before Americans go to the polls in 2018. In testimony before Congress on March 21, 2018, Homeland Security Secretary Kirstjen Nielsen, pushed back on this perception, laying out how states are refusing to cooperate as well. Only 33 states, she testified, have their voting systems certified by the U.S. Elections Assistance Commission, and two states were actively resisting efforts to improve cooperation with DHS. Furthermore, many states refuse to publicize breaches, not wanting to disclose that they are a victim; in this case, even if DHS is the organization to detect the breach, it has no recourse for sharing that information with other potential victims.

In the meantime, DHS has worked to build partnerships with states, including identifying three elections officials in each state to grant security clearance to so they can be read in on active threats; however, the process of granting security clearances can be slow. DHS has also been conducting vulnerability tests on state electoral systems, but it has been slow to process those assessments; complicating the issue is that these risk and vulnerability tests must be requested by the state in order to be processed.

All of this is made even more complicated by the fact that the last time there was significant federal funding for elections infrastructure was the Help America Vote Act of 2002, which provided almost $3 billion in funds for voting equipment. After the vote recount debacle in the 2000 election, many states opted for paperless voting machines that have been shown to be vulnerable to hacking and cyber attacks.

The good news is that at least part of Congress seems to be taking election cybersecurity seriously. Shortly before the March 21st hearing with DHS, the Senate Intelligence Committee released a report on election infrastructure with recommendations on shoring up security for the 2018 elections. The succinct, two-page report emphasizes that “States should remain firmly in the lead on running elections,” while the Federal Government plays a supporting role by ensuring states have the information and resources necessary “to better defend against a hostile nation-state who may seek to undermine our democracy.” The goal of releasing the report, according to Senator James Lankford (R-OK) is to incentivize states to have “auditable elections” and to take advantage of support offered by DHS; as well as to educate stakeholders (elections systems vendors, cybersecurity researchers, state and local elections officials, etc) on immediate steps to improving election security. The report closes by calling on Congress to “pass legislation increasing assistance and establishing a voluntary grant program for the states.”

On March 23rd, Congress passed an omnibus spending bill that will fund the Federal Government through September 30th. This bill included $380 million for Election Assistance Commission (EAC) grants to states “to improve the administration of elections for Federal office, including to enhance election technology and make election security improvements”; the EACH has until the week of May 7th to distribute approximately $3 million to each state, with some to states with more need. It also included increased funding to the FBI for “the counterintelligence and cyber-related investments necessary to help respond to foreign actors, including those seeking to compromise democratic institutions and processes”; and directed nearly $5 million “to support the new Election Infrastructure Security Initiative (EISI)” at DHS.

Additionally, a bipartisan bill has been introduced in the Senate to formalize and implement election security improvements. The Secure Elections Act would set up a grant program for states to make election cybersecurity upgrades, including paperless DRE voting machines (something at least 14 states are struggling to implement). The bill also streamlines information sharing on threats to election infrastructure, allowing DHS to inform any election agency that may be at risk of new or ongoing threats and requiring election officials to report cybersecurity incidents to DHS. Finally, the bill establishes an independent advisory panel of experts to “identify the top risks to election systems” and to “develop a set of guidelines for election cybersecurity, including standards for procuring, maintaining, testing, auditing, operating, and updating election systems.”

The co-sponsors of the Secure Elections Act are meeting with state elections officials for feedback, and the bill is currently in committee.

“The Russians have been trying to break the backs of democracies all over the world,” said Senator Lindsey Graham (R-SC) in a press release. “And although they did not change the outcome, they clearly interfered in our 2016 election. This bipartisan legislation will help defend our elections from foreign interference and sends a strong signal to other bad actors–like Iran and North Korea–that similar acts will not be tolerated.”

The Federal Government was designed to be slow to move and change direction. So while all of these actions are steps in the right direction, is it enough? Will American election systems be prepared for a hostile foreign power’s attempts to interfere?

“The bottom line is: No matter the level of nation-state hacking or interference in 2016, if our enemy’s goal is to shake public confidence about the security of the vote, they may already be winning,” reads the DEFCON Voting Village summary report (PDF). “It is imperative that leaders at the federal, state and local level come to understand this threat as a national security imperative and work together–leveraging the support of the national security and cybersecurity community–to better defend and protect the vote from cyber attacks in the upcoming elections in 2018 and 2020. Americans need the reassurance that their democracy is safe, starting at the ballot box.”

Photo: Seattle Municipal Archives (CC)