By Brent Whitfield, CEO at DCG Technical Solutions Inc.
Whether the attempts of foreign agents to affect the 2016 presidential election had a significant effect or not, many eyes have since been opened to the need to secure the integrity of our voting system.
With the mid-term elections rapidly approaching, this article looks at the current state of our cyber defenses and what work is left to do in the coming months to secure them.
What did the 2016 elections reveal?
The first inkling that voting interference was more than just a paranoid theory was in the summer prior to the 2016 elections when Democratic National Committee emails were leaked. Cybersecurity experts traced the cyber-attack to two Russian intelligence groups.
Donald Trump then went on to voice his concerns that the election would be rigged against him, claiming that lax voter ID processes would lead to repeat voting.
In the months leading up to the election, further reports revealed that voter databases had been probed with some being hacked. It has since been found that the databases kept by 41 States are outdated.
There is little evidence that actual hacking of the voting system itself has occurred. However, this is hardly surprising since a large number of voting machines do not have a parallel paper trail against which the results could be audited.
In the wake of Trump’s election victory, evidence has emerged of more pervasive attacks targeting the hearts and minds of the US electorate. These include the spreading of disinformation (so-called ‘fake news’) and the buying of online ads by foreign bodies. These have been facilitated by social media platforms which enable individuals and interest groups to wield greater influence than ever before.
Research has revealed that foreign organizations spent $100,000 on 3,000 ads and created 470 fake social media accounts during the presidential campaign. Russian bots and trolls have also been active in spreading the Nunes memo, a document exposing ‘illegal’ activity by the FBI in obtaining a FISA warrant against Trump adviser Carter Page in the Russian interference investigations.
How vulnerable is the voting system?
To test just how vulnerable direct-recording electronic voting machines (DREs) could be, Princeton professor Andrew Appel bought a Sequoia machine online. It was an AVC Advantage model used in some jurisdictions of Louisiana, New Jersey, Pennsylvania, and Virginia. Within seven minutes, Appel and a graduate helper, Alex Halderman, had broken into the casing and switched out the unsoldered circuit boards for modified versions.
This was just the latest of a string of hacks Appel and his Princeton colleagues had carried out on voting machines over more than a decade. They even managed to obtain keys for some of the machines via eBay and to turn one machine into a Pac-Man arcade game.
In addition to the technical vulnerabilities revealed by the Princeton hacks, there is an underlying constitutional weakness. This is because elections are regulated on a state-by-state basis and there are no overarching Federal bodies in charge of running them.
According to the president of voting transparency, advocates Verified Voting, Pamela Smith, there are five states which operate digital only voting machines. These are Delaware, Georgia, Louisiana, New Jersey, and South Carolina. A further ten use hybrid systems with voters in some parts of Arkansas, Florida, Indiana, Kansas, Kentucky, Mississippi, Pennsylvania, Tennessee, Texas, and Virginia also relying on technology alone.
Of those States, three (Florida, Pennsylvania, and Virginia) are considered perennial swing states. Two of these, of course, switched from blue to red in the 2016 election. Although there are no serious suggestions that fraudulent votes played much – if any – part in this, it does raise a red flag that can’t just be ignored.
The voting machines are supplied by seven companies: Avante (who supply Warren County, New Jersey only); Danaher; Dominion Voting Systems (which acquired Premier, formerly Diebold, and Sequoia); Election Systems and Software; Hart InterCivic; MicroVote and Unilect.
Online strategies for cyber protection
It is clearly important for any solutions to include protecting the election infrastructure itself. Some national security experts have insisted that the top IT consultants/professionals available need to be brought in to secure registration systems, voting machines, tally systems and election night reporting systems while others have called for paperless DRE machines to be replaced completely and to ensure that a voter-marked paper record is always retained.
The voting machine vendors will have to play a key role themselves in rolling out more secure technology.
In order to fund the changes, the Democrats have introduced an Elections Security Act which would make $1 billion of grants available for States to pay for paper-backed voting machines, hire security personnel and carry out proper risk assessments. The bill was referred to the subcommittee on Cybersecurity and Infrastructure Protection on 28th February 2018 but has no Republican co-sponsors.
Offline strategies for cyber protection
The Elections Security Act is just one piece of legislation that has been introduced as lawmakers seek to shore up our cyber defenses. Others include the Secure Elections Act, Paper Act, Honest Ads Act and DISCLOSE Act of 2017.
- The Secure Elections Act (introduced December 2017) proposes the elimination of paperless voting machines.
- The Paper Act (introduced September 2017) looks at developing best practices for States to use to protect the integrity of elections and to make grants available to implement this.
- The Honest Ads Act (introduced October 2017) proposes extending transparency over ad purchasers and content to the online space.
- The DISCLOSE Act of 2017 (introduced July 2017) seeks to put further restrictions on foreign-owned companies to prevent them from funding political movements.
None of these bills have yet made it to the Houses and each has a poor enactment prognosis.
The indictment of 13 Russian agents in February 2018 is another attempt by the government to disrupt and call out electoral interference although some have called for tougher sanctions against Russia itself.
Aside from these legal and political actions, some national security experts have called for both parties to dilute the impact of fake news by educating the American public on how to recognize it and stop its spread.
Whatever measures will see the light of day in the next few months, it seems clear that only a two-pronged, multi-agency Cybersecurity offensive can plug the holes in our voting system and restore trust in the democratic system that forms the foundation of the United States.
About the Author
Brent Whitfield is CEO of DCG Technical Solutions Inc. DCG provides a range of IT consulting and related IT services including cybersecurity, security assessments, breach prevention, security training, internet content filtering, disaster recovery, and dark web monitoring. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. https://www.dcgla.com was recognized among the Top 10 Fastest Growing MSPs in North America by MSP Mentor. Twitter: @DCGCloud