From Buzzfeed’s Cyber Security Correspondent, Kevin Collier: A Year After Trump’s Victory, Our Elections Aren’t Much More Secure <read>
The halfway point between the election of President Donald Trump and the 2018 midterms has come and gone, and it still isn’t fully clear what Russian hackers did to America’s state and county voter registration systems. Or what has been done to make sure a future hacking effort won’t succeed.
US officials, obsessed for now with evidence that Russia’s intelligence services exploited social media to sway US voters, have taken solace in the idea that the integrity of the country’s voting is protected by the system’s acknowledged clunkiness. With its decentralized assortment of different machines, procedures, and contractors, who could possibly hack into all those many systems to change vote totals?
But the focus on how Facebook and Twitter were used to sow division in the US electorate has diverted attention from one of the weakest spots in the system: the gap between those locally operated voting systems that are well-protected by sophisticated technology teams and those that are less prepared. Russia knows those gaps exist and that a simple cyberattack can be effective against weak infrastructure and unprepared IT workers. Whether that can be fixed by 2018 or even 2020 is an open question.
Most states’ elections officials still don’t have the security clearances necessary to have a thorough discussion with federal officials about what’s known about Russian, or others’, efforts to hack into their systems.
Seven states still use all-electronic voting systems whose results cannot be verified because there is no paper trail.
And hundreds of US counties rely on outside contractors to maintain their registration records and update the software on voting machines. Some of those contractors are small operations with few employees and minimal computer security skills.
Here we caution that it is not just Russia to be concerned with. Those same vulnerabilities are open to other foreign actors, foreign and U.S. hackers, along with elements of the the U.S. Government. Beyond that open to official and contractor insiders. Not being connected to the Internet does not preclude attack from any of these actors, especially insiders.
Seven states still use all-electronic voting systems whose results cannot be verified because there is no paper trail.
And hundreds of US counties rely on outside contractors to maintain their registration records and update the software on voting machines. Some of those contractors are small operations with few employees and minimal computer security skills.
Many local officials are reluctant to seek federal help, worried about ceding authority to outside agencies.
“We’re not doing very well,” Alex Halderman, a renowned election security expert, told BuzzFeed News. “Most of the problems that existed in 2016 are as bad or worse now, and in fact unless there is some action at a national policy level, I don’t expect things will change very much before the 2018 election.”…
But in the aftermath of last year’s vote, it has become clear that the sheer complexity of the system is no reassurance that it can’t be exploited by a determined hostile power. Halderman, the election security expert, says that just because it didn’t happen last time — or in the voting completed Tuesday — doesn’t mean it won’t.
“It’s only a matter of time, if we don’t have coordinated national action, until a major US election is disrupted, or even its outcome changed, by a foreign nation-state in a cyberattack,” [former FBI director James Comey] said.
To this day, DHS points to the fact that it’s never found evidence that vote tallies were changed
We add that DHS, as far as we know has not looked for such evidence anywhere, let alone everywhere.
As we have said before. Protecting databases and votes requires Prevention, Detection, and Recovery.
- Protection alone is insufficient. Large corporations, the Federal Government agencies, and technology companies are regularly hacked. State and Local officials can’t come close to those ultimately limited efforts.
- Detection is necessary to provide assurance that hacking did not occur.
- Recovery is necessary for all sorts of potential errors, hacks, and fraud.
Paper ballots, properly secured, are the first requirement for detection and recovery of votes. Strong pre-election voter database backup and audits along with paper voter checkin lists are part, just a part, of recovery from corrupted or electronic voter lists, or election day power failure, equipment failure, and cyber attack.
