Keeping Our Voting Systems Secure
Editor's Note: Each year, during National Cyber Security Awareness Month (NCSAM), we reach out to our partners and ask them about the significance of current cyber security efforts. Cris Thomas, strategist at Tenable, helps clients understand how to apply the unique advantages of continuous monitoring as well as how to meet compliance and security challenges. Also known as Space Rogue, Thomas commands an uncanny ability to link disparate events, read between the lines and distill complex, technical information into readily understandable, accessible and actionable intelligence. In this piece he looks specifically at the national election and the impact of security on the process. Here is what he has to say:
We’re less than a month away from an important national election. Most of us will vote with some sort of paper ballot, checking boxes or mechanically punching holes. And some systems will produce a paper receipt for backup. Is paper a good thing, or is technology better?
Today, voting systems are not “voting machines” – they are “voting computers” known as Direct Record Electronic Voting machines (DREs). When they run Windows, have touch screens and USB ports, they are just another form of computer, subject to crashing, malware and cyberattacks.
Unfortunately, there has been very little progress in voting system security for the past two decades. It only takes a few minutes of unobserved access for an attacker to breach a voting computer.
The Security Issue
Manufacturers of voting computers don’t sell security—they sell voting systems. And local election boards often don’t have the skills or knowledge to evaluate system security.
What’s the answer? One solution is to use a voter-verified paper audit trail (VVPAT). VVPAT is relatively easy to implement and is the preferred method for creating a verifiable audit trail. Some jurisdictions are using VVPAT now, but it is not required.
U.S. elections are handled at the local level by volunteers. Our system is unique; decentralization makes results hard to tamper with, and the local officials know their districts and can recognize discrepancies and skewed results immediately. To support the security and integrity of elections, the 2002 Help America Vote Act tasks the Election Assistance Commission (EAC), assisted by NIST, with issuing guidance and best practices to help local officials. But getting assistance from the EAC is voluntary, and local election boards are not required to audit their voting computers for security.
The good news is there is a two-year exemption to the Digital Millennium Copyright Act (DMCA) on voting machines. DMCA prohibits manufacturers from suing researchers for circumventing access controls while searching for vulnerabilities in voting computers. Creating an incentive for well-intentioned researchers should encourage them to investigate voting computer security and to fix vulnerabilities before an election is compromised. The bad news is this exemption is only good for two years.
Rep. Hank Johnson (D-Ga) recently introduced two bills: the Election Infrastructure and Security Promotion Act of 2016 and the Election Integrity Act. The first bill would require the Department of Homeland Security (DHS) to designate voting systems as critical infrastructure. This could fundamentally change how elections are run. It also requires the National Science Foundation to create an election technology development program, to research new, secure technologies that will replace paper ballots.
The second bill prohibits connecting voting computers to the Internet. While this sounds great, it could have very little impact because the real danger is connecting Election Management Systems (EMS) to the Internet. These systems are used to configure the ballots used by the voting computers and to tabulate votes. EMS software usually runs on standard PCs and is often connected to the Internet. By compromising an EMS, an attacker could change configuration files or alter results.
Both these bills are unlikely to see a vote before this year’s election. And interest in voting computer security quickly trails off following an election. The bills could have a tough time becoming law unless we pressure our representatives to pass these bills.
In the near future, we will have to trust voting computers – and even voting over the Internet. But for now, we must rely on paper. Let’s not wait another four years before we look at voting computer security again.
And regardless of the voting method you use, the most important point is to make sure you get out and vote.