In-brief: Russian hackers aren’t the biggest threat to the security and integrity of elections, says Bev Harris of Black Box Voting. Instead, it’s a more common enemy: run-of-the-mill political corruption, mostly at the local level. Also: Eric Hodge of CyberScout talks about the challenges of helping states secure their election systems. Problem number one: recalcitrant voting machine makers.
When the world’s top hackers and security experts gathered in Las Vegas last week for the DEFCON hacking conference, the security of election systems was put under the microscope in a “Voting Village,” in which attendees could try their hand at compromising some of the hardware and software that is used to tabulate votes and decide elections throughout the US.
According to news reports, it wasn’t much of a contest. The first voting machine, a WinVote system that was decertified in Virginia in 2015 because of security vulnerabilities, fell within minutes. And by the end of the weekend, every one of the roughly 30 machines, vote tabulators and portable devices used to check voters in at the polls had been compromised.
Sadly, this is nothing new. Many of the devices in use today have been known to be vulnerable for years, while other weaknesses in the election system, such as poll workers and board of elections employees who are vulnerable to social engineering attacks, may pose an even bigger threat than hackable hardware and software.
How did we get here, and who or what could possibly lead our big, diverse and seemingly divided nation out of the thicket? In this week’s Security Ledger Podcast, Editor in Chief Paul Roberts talks to two experts on the security of elections systems: Bev Harris, the founder of Black Box Voting, an organization that has been highlighting cyber security weaknesses in voting systems since 2003, and Eric Hodge, the director of consulting at CyberScout, which is working with the Board of Elections in Kentucky and in other states to help secure elections systems.
Their perspectives on this problem are enlightening and really worth hearing. Both tell us that the complexity and decentralized nature of the U.S. election system is both a strength and a weakness; it makes the system impossible to compromise in its entirety, while also creating many openings for mischief makers at the local, county or state level. Both were also a lot less interested in making un-hackable voting systems (likely an impossibility) than in making un-hackable elections. That’s an important distinction, because while the former seems like a technology problem, the latter is much more of a ‘people, process and technology’ problem, as Eric puts it.
At the root of our current problem isn’t (just) vulnerable equipment; it’s also a shoddy ‘chain of custody’ around votes: where they are collected, how they are moved and tabulated, and then how they are handled after the fact, should citizens or officials want to review the results of an election. That lack of transparency leaves the election system vulnerable to unwanted influence. That could come from shadowy Russian hackers, like whoever the members of the “Fancy Bear” APT group are. Even more likely is “Senator Bedfellow,” that is, elected officials or career bureaucrats acting in their own interest.
At the root of much election tampering is a common motive. “It’s money,” Harris told me. “There’s one federal election every four years, but there are about 100,000 local elections which control hundreds of billions of dollars in contract signings.” Those range from waste disposal and sanitation to transportation. The most vulnerable positions she found, those with the biggest corruption problems, are sheriffs, who control drugs, contraband and guns; city council and commissioner-type positions, because they have contracting authority; and judgeships, which are susceptible to bribes for delivering certain verdicts or for directing criminals to certain (for-profit) correctional systems.
“There are 1,000 convictions every year for public corruption,” Harris says, citing Department of Justice statistics. “It’s really not something that’s even rare in the United States.”
We may not think that corruption is a problem, because we rarely see it manifested in the ways that most people associate with public corruption.
“The difference is here in the US we think of corruption as a foreign problem because we don’t have the violence associated with it and we don’t have the policeman in the corner saying you have to pay him cash to do this, or that to get your driver’s license you have to give somebody some cash… It’s a different flavor here, but it is actually quite widespread.”
How does the prevalence of public corruption touch election security? Exactly in the way you might think. “You don’t know at any given time if the people handling your votes are honest or not,” Harris said. “But you shouldn’t have to guess. You should be able to check.”
And that’s exactly the problem Eric Hodge is working on at the state level. His company, CyberScout, has been contracted by officials in Kentucky and other states to help assess the security of elections systems. He says the biggest challenge is shoring up the chain of custody of voting systems and votes, especially in states where decisions about what equipment and processes to use often devolve to local officials, and where voting machine vendors are less than cooperative in sharing and disseminating information about security holes in their systems.
“How do you get the consistency to happen at all the different counties and precincts? …What we’re doing in a lot of cases is figuring out how that Director of Elections gets control. You want to come up with a good set of repeatable policies and processes that you know are happening out at the locality.”
Right now, he said, there is no consistency or control at the local level. “It doesn’t sound as sexy as some of the high-tech defenses but that’s where we find we can do the most good.” The danger, says Hodge, is that questions about the integrity of a vote are raised, but that election officials will not have definitive proof that the vote result they reported is accurate and legitimate.
Check out our full conversation in our latest Security Ledger podcast below or over at Soundcloud. You can also listen to it on iTunes. As always, if you like our intro music, give some love to the group JoeLess Shoe, who recorded “Baxton,” the song we use in just about every podcast.