Broad adoption of electronic voting machines may have provided a step forward for many jurisdictions in today’s United States election, but the diversity of software platforms and potentially insecure operating systems has cybersecurity experts on edge as the polls close and counting begins in the country’s historic battle between Hillary Clinton and Donald Trump.
Cybersecurity specialists across the US “are monitoring to look for any indications of malfeasance or malicious activity,” Chris Novak, director of investigative response with Verizon Enterprise Solutions, told CSO Australia as America’s 146 million registered voters headed to the polls to choose the country’s new president.
“Some of the biggest concerns that we see are akin to what we see in a lot of commercial organisations,” Novak explained. With 3143 local-government areas across the US, “there is a lot of fragmentation about how the balloting and voting process is done in different jurisdictions – for example, some do electronic and some do paper, and within those subgroups they do it freely.”
“There is no standardised mechanism across the country and all the districts as to how that is actually handled, and how they are meeting the different security guidelines. This is a cause for concern.”
Those concerns have taken on a very real tone in recent days after security firm Cylance released a video showing a hack of the Sequoia AVC Edge voting machine – used in 13 states, including several which do not tap into the machine’s ability to record a backup paper trail of recorded votes.
Voting watchdog Verified Voting maintains a watching brief over commonly used voting systems and has already voiced concerns about that particular machine – which, it noted, has “numerous programming errors, many of which have a high potential to introduce or exacerbate security weaknesses.”
“In general,” the organisation concluded, “the software does not reflect defensive software engineering practices normally associated with high-assurance critical systems.... even where there may not be an obvious vulnerability identified, the presence of such errors reduces our overall confidence in the soundness of the system as a whole.”
That’s not the kind of assessment to inspire confidence in the voting process, and it’s far from the first time that the integrity of electronic voting – which was pushed into the limelight in the wake of the country’s controversial 2000 election and subsequent push to increase the use of voting machines – has been questioned. The Institute for Critical Infrastructure Technology (ICIT), for one, recently published a pair of reports (Read Part 1 here and Part 2 here) warning of the potential for manipulation of e-voting processes and documented incidents of voting-machine breaches.
Novak – a trained forensic auditor whose responsibilities include serving as lead author of Verizon’s widely-referenced Data Breach Investigations Report (DBIR) – noted that the election process being used today presents “a lot of complexities that speak to the data themselves.”
“I look at it like when we do an investigation,” he continued. “Processes have to preserve the chain of custody from the beginning to the end of the process. There’s no way for a centralised body to vouch for the integrity of the apparatus, and that all goes onto the voting districts. But there are questions whether those districts even have the capability.”
Many of those districts had been pushed to quickly shift to electronic voting without regard for whether they had appropriate processes and staff skilled in maintaining security of voting data. That led Novak, who pointed to the recent surge in healthcare breaches as a byproduct of a similar transition in that industry, to argue that it would have been better that the electronic voting transition “evolve and move a little slowly”.
“Everyone was almost forced overnight to adopt electronic medical records and you had a lot of smaller organisations that had no capacity to do that, but facing penalties if they didn’t,” Novak explained. “Since then we’ve had the largest rash of healthcare breaches that we have ever seen; people said they had gotten there but the data obviously wasn’t secure. And if healthcare data is one thing, the ability for us to have legitimate election results brings about a whole new level of concern.”
Such concerns will inevitably surface as the votes are counted and recriminations – and lawsuits, such as Trump’s abortive lawsuit alleging vote manipulation in Nevada – fly about the validity of the results. Yet whatever the result of that election, Novak said the heightened visibility of the process will help continue raising the bar of security practice across all industries.
Visibility of security concerns had been significantly advanced by US laws requiring disclosure of data breaches, he added. With Australia poised to embrace similar laws, Verizon Australia security solutions consultant Aaron Sharp said there was a clear climate of proactive change and “a very deliberate attempt by the government to get organisations to lift their games. We’re still yet to see some of the concrete initiatives come out of that, but the intent is very much there.”
Just as Verizon this year began publishing detailed case studies collected during the assembly of its DBIR, such broad disclosure by Australian organisations will fuel the creation of a more detailed body of knowledge that will help businesses and government agencies alike continue to improve their security practices.
“Litigation in the US tends to put a lot of visibility on these breaches,” Novak said. “Every time there is a breach there are probably several lawsuits that follow, and what happens in the breach becomes public knowledge.”
Such exposure will be a “massive catalyst” for Australian businesses to “lift their games”, Sharp said, and Novak agreed that electronic voting will similarly benefit from increased scrutiny going forward.
“Like any new system, there are going to be new vulnerabilities that come along with it,” he said. “Just as with any new infrastructure, it will be a question of how we manage that. There are definitely adversaries that want to get in and are trying to get in; the question is whether they have a window of time or exposure long enough to successfully accomplish that.”
“Electronic voting is not widely used yet in the US – but when you go to 50, 60 or 70 percent of jurisdictions going electronic, that’s where you have a much greater attack surface.”