Article posted: May 14, 2018
By Joakim Thorén, CEO
A U.S. Senate Intelligence Committee report released earlier this week confirms there was some meddling in the 2016 election cycle by Russian-linked operatives. While the publicly released report summary, entitled "Russian Targeting of Election Infrastructure During the 2016 Election," shows voting systems in as many as 21 states were targeted, the impact was largely negligible.
But the larger issue is that voting systems in the U.S. are considered vulnerable and, in some cases, could be tampered with. The Russian hackers, the report says, "scanned databases for vulnerabilities, attempted intrusions, and in a small number of cases successfully penetrated a voter registration database." If they truly were able to "alter or delete voter registration data," as the report states, and even though the summary report states those intruders "did not appear to be in a position to manipulate individual votes or aggregate vote totals," the impact on voters' confidence in their elections easily can be impacted. And that, the report states, was the ultimate goal of the hackers.
Fortunately, several states were able to block the cyber intrusion attempts - most of which came in the form of SQL attacks. However, it seems the intruders were targeting state systems rather than third-party election vendors - presumably because they see them as less secure.
The Department of Homeland Security has taken a larger role with state election officials, particularly over the last six months, the Committee said. Still, with many voting systems across the country considered "outdated," the vulnerabilities may not go away in time for the 2018 mid-term elections. Vulnerabilities cited in the report include the lack of paper record of votes as a backup (which means many voting systems have no ability to be audited if questions arise about machine manipulation - currently five states use Paperless Direct Recording Electronic (DRE) voting machines); there are fewer vendors serving the voting machine market; and many aspects of the election infrastructure are connected to and accessed over the Internet (including machine updates that expose them to potential vulnerabilities and hacking).
Together, these problems led to "extensive scanning" of state-run voting systems during 2016, the summary report notes, and adds that the full impact may not yet be discernable.
What does this mean for the upcoming 2018 mid-term elections in the U.S? States are absolutely on watch for any anomalies and intrusion attempts, and DHS has definitely stepped up its efforts to help. But it also shows the need for better security measures at every possible entry point - which could include volunteer and paid election workers and anyone with access to voter rolls, and even voters themselves.
Two-factor authentication - which is widely used among many federal agencies - can certain play a vital role here, ensuring that anyone accessing voting systems is authorized to do so, and that people working in the systems have the access to only the data their jobs authorize them to see, and that voters are who they claim to be.
A good case in point is Estonia, the tiny Baltic nation, where officials implemented two-factor authentication at the voter level. We blogged about this a couple of years back - you can read the full text here: https://versasec.com/blog/online-smartcard-voting