Common security problems create soft targets

As recently as last summer, hackers targeted and tried to break into voter registration databases in 20 states. According to the Department of Homeland Security, the hackers breached the voter registration systems of at least four states, two of them confirmed to be Illinois and Arizona.

All election-related hacking attempts to date have targeted online systems with registration databases and political emails; there have been no real attempts to hack into our actual voting systems to alter election outcomes. But experts note that our voting systems are rife with security vulnerabilities, so it is only a matter of time before hackers succeed if effective actions are not taken.

Five states presently use electronic-only voting without a paper trail (e.g., paper receipts or paper ballots): New Jersey, Delaware, South Carolina, Georgia and Louisiana. Such receipts, paper ballots and other paper records for voting systems are good security controls for two reasons. One, they provide voters using ballot-less voting systems a way to independently verify that votes are cast accurately. And two, they provide voting precinct staff with a way to manually validate that the numbers of votes collected through the systems have not been modified.

Voting machines themselves also have high security risks. States such as Louisiana, New Jersey, Virginia and Pennsylvania use Sequoia AVC Advantage voting machines whose physical locks can be picked in seven seconds. This could allow an unauthorized individual to quickly and easily remove the ROM chips, which contain the unalterable code for the machine’s voting program, and replace them with tampered chips with different code. Such swaps could change vote tallies and alter election results.

State of Cybersecurity in 2016

Why is the U.S. in this precarious cyber security situation, especially in one of the most pivotal election years in recent memory? How did we get into a predicament where the very pillars of democracy are vulnerable to hackers?

There are many factors that contributed to this current situation. They can largely be considered under two broad categories: government silos and state differences.

Since formation, governmental agency systems have generally been siloed from one another. This includes the computing systems that were developed over the past several decades. Generally, each government agency determines its own cyber security policies and procedures. The common requirement is that each meet the Federal Information Security Modernization Act (FISMA) standards, which, for the most part, are broadly stated and non-prescriptive.

Identity may be your weakest link. Learn how to protect your organization with a free trial of RSA SecurID Access. These differences in cyber security practices from agency to agency result in an unbalanced federal government cyber security environment. The result is that some agencies, such as the Office of Personnel Management, have experienced a large, prolonged hacking incident, while others have not been on record as having experienced a cyberattack.

On top of compartmentalized government systems, each state is responsible for its own voting systems, choosing its own voting systems and creating respective voting procedures. Consequently, each state varies greatly in the types of security controls that are implemented. After the hanging chads election debacle of 2000, most of the states rushed to implement computerized voting systems. However, what resulted was a hodge-podge of systems throughout the country that vary greatly in their security control capabilities. This leaves the U.S. at the mercy of decisions by each state’s election officials.

In 2002, Congress passed the Help America Vote Act (HAVA), establishing the U.S. Election Assistance Commission (EAC). The EAC developed the Voting System Testing and Certification Program (Certification Program), which includes voting system security guidelines, last updated in 2015 and published in two volumes. However, the guidelines are voluntary. It is unclear how many states have actually implemented the full set of recommended security controls, and how many have basically implemented one or a few of the controls. Based on the findings of security researchers, it is clear that significant numbers of the voting systems have not sufficiently implemented these bare-minimum safeguards.

Lawmakers’ actions … too little too late?

Lawmakers are finally taking action, crafting bills to address these huge voting security vulnerabilities. On Sept. 21, Congressman Hank Johnson, D-GA, introduced the “Election Infrastructure and Security Promotion Act of 2016” (H.R. 6073) to require the Department of Homeland Security (DHS) designate voting systems as part of the critical infrastructure, and the “Election Integrity Act of 2016” (H.R. 6072), to prohibit the use of any new voting system that does not produce voter-verified paper ballots. Even though voting should be a nonpartisan issue, one could expect other bills to be introduced from Republicans.

While these steps are necessary and long overdue, they will not address the immediate threats and vulnerabilities facing Election Day in November. Only time will tell if and how cyber security exploits will impact the future of our democracy.