As for­eign hack­ers plot next at­tack, Wash­ing­ton strug­gles to shore up vot­ing sys­tems

Jerusalem Post - - COMMENT & FEATURES - • By EVAN HALPER and CHRIS MEGERIAN (Olivier Douliery/Abaca Press/TNS)

WASH­ING­TON (Los An­ge­les Times/TNS) – Even as it is con­sumed by po­lit­i­cal fall­out from Rus­sia’s med­dling in the 2016 elec­tion, Wash­ing­ton is still strug­gling to re­spond to what many of­fi­cials see as an im­mi­nent na­tional se­cu­rity threat: a net­work of vot­ing sys­tems alarm­ingly vul­ner­a­ble to for­eign at­tack.

As hack­ers abroad plot in­creas­ingly brazen and so­phis­ti­cated as­saults, the United States’ creaky polling sta­tions and out­dated voter reg­is­tra­tion tech­nol­ogy are not up to the task of fight­ing them off, ac­cord­ing to elec­tions of­fi­cials and in­de­pen­dent ex­perts.

Se­nior na­tional se­cu­rity of­fi­cials have re­peat­edly said that the US should pre­pare for more for­eign ef­forts to in­ter­fere with elec­tions. On Tues­day, Pres­i­dent Don­ald Trump’s top in­tel­li­gence ad­viser warned a Se­nate com­mit­tee that Rus­sia is mov­ing to build on its ear­lier ef­forts to in­ter­fere with US elec­tions, which in­cluded a sus­tained cam­paign of pro­pa­ganda and the un­leash­ing of cy­ber­op­er­a­tives.

“There should be no doubt that Rus­sia per­ceives its past ef­forts as suc­cess­ful and views the 2018 US midterm elec­tions as a po­ten­tial tar­get,” said Dan Coats, the di­rec­tor of na­tional in­tel­li­gence. The ad­min­is­tra­tion’s top na­tional se­cu­rity of­fi­cials have all warned about the Rus­sian threat, although Trump, him­self, con­tin­ues to min­i­mize it.

Elec­tions of­fi­cials are daunted by the chal­lenge of for­ti­fy­ing their de­fenses. Many still use out­dated soft­ware that has fewer se­cu­rity pro­tec­tions than a decade-old cell­phone. Mil­lions of Amer­i­cans vote on eas­ily cor­rupt­ible ma­chines that pro­vide no pa­per trail – an es­sen­tial com­po­nent for au­di­tors to ver­ify that tam­per­ing did not take place, ex­perts say.

Although no ev­i­dence has sur­faced to in­di­cate that Rus­sian hack­ers suc­ceeded in di­rectly tin­ker­ing with votes in 2016 – as op­posed to pro­pa­ganda ef­forts aimed at sway­ing pub­lic opin­ion – ex­perts warn that the US can’t count on that hold­ing true next time.

“Are we go­ing to be pre­pared to pre­vent some­thing more egre­gious from hap­pen­ing?” said David Salvo, a res­i­dent fel­low at the Al­liance for Se­cur­ing Democ­racy, a bi­par­ti­san initiative guided by some of the na­tion’s top na­tional se­cu­rity ex­perts. “We’re all a lit­tle skep­ti­cal.” CONGRESS HAS so far balked at pro­vid­ing re­sources to up­grade vot­ing sys­tems, de­spite the urg­ing of some of the na­tion’s most in­flu­en­tial na­tional se­cu­rity voices. Many states are too broke to take up the slack. The lum­ber­ing bu­reau­cra­cies charged with in­oc­u­lat­ing elec­tions against at­tack don’t al­ways talk to one an­other. Depart­ment of Home­land Se­cu­rity of­fi­cials re­main re­luc­tant to share in­tel­li­gence tips with the es­pi­onage neo­phytes on lo­cal elec­tions boards.

“They will say, ‘We may have in­for­ma­tion, but if you don’t have proper clear­ance, we can’t share it,’” said Cal­i­for­nia Sec­re­tary of State Alex Padilla. “Well, let’s do some­thing about it.”

“I wish the fed­eral gov­ern­ment would re­al­ize the mag­ni­tude and scope of these threats and act on them,” he said.

Anx­i­ety about the risk is shared at the high­est lev­els of gov­ern­ment. Sec­re­tary of State Rex Tillerson re­cently ex­pressed doubt that the US is any bet­ter pre­pared to deal with for­eign elec­tion med­dling now than it was two years ago. A bi­par­ti­san let­ter signed by a for­mer Home­land Se­cu­rity sec­re­tary, CIA di­rec­tor and House In­tel­li­gence Com­mit­tee chair warned that fail­ure to help lo­cal elec­tions boards up­grade their equip­ment could have “cat­a­strophic con­se­quences.”

The warn­ings come as 500 elec­tions of­fi­cials in 41 states re­ported in a new sur­vey by the Bren­nan Cen­ter for Jus­tice at NYU Law School that the vot­ing sys­tems they use are more than a decade old. Many of them agree that the ma­chines need re­plac­ing, but re­ported they don’t have the money to do it.

“We’re can­ni­bal­iz­ing (vot­ing) booths that no longer func­tion to pull parts,” said Neal Kel­ley, the Or­ange County, Calif., regis­trar of vot­ers. Kel­ley said he never imag­ined when he took the job 14 years ago that fight­ing off Rus­sian hack­ers would be­come a cen­tral part of his du­ties.

“This is ab­so­lutely top of mind for us,” he said. At least Or­ange County, like all other ju­ris­dic­tions in Cal­i­for­nia, keeps a pa­per trail of votes that can be au­dited. Cy­ber­se­cu­rity ex­perts say pa­per – if au­dited prop­erly – is ul­ti­mately the best de­fense against hack­ers. Roughly one in five vot­ers in the US casts a bal­lot with no such backup.

How vul­ner­a­ble our elec­tions are to tam­per­ing is a mat­ter of dis­pute. Elec­tions of­fi­cials tell a con­cern­ing story. Cy­ber­se­cu­rity ex­perts and “white glove” hack­ers who have probed the ma­chines of­fer an even more wor­ri­some ac­count.

When hack­ers were un­leashed on 30 dif­fer­ent vot­ing sys­tems at the DEF CON 25 con­fer­ence in Las Ve­gas over the sum­mer, ev­ery sin­gle one was pen­e­trated. Some within min­utes. In one case, a 16-yearold act­ing alone was able to hack into a ma­chine in less than an hour. Some ma­chines were com­pro­mised with­out a trace of ev­i­dence left be­hind.

“These sys­tems are uni­formly vul­ner­a­ble,” said Jeremy Ep­stein, deputy di­vi­sion di­rec­tor for com­puter and net­work sys­tems re­search at the Na­tional Sci­ence Foun­da­tion. “Any cy­ber­se­cu­rity ex­pert would come to that con­clu­sion,” he said in an in­ter­view, of­fer­ing his per­sonal view, not speak­ing for the agency.

While Home­land Se­cu­rity has taken en­cour­ag­ing steps to con­front the risk – send­ing teams to elec­tion dis­tricts to con­duct se­cu­rity scans and shar­ing more in­tel­li­gence in­for­ma­tion with the states – “any­one who thinks that is enough is not look­ing close enough,” he said.

“Imag­ine hir­ing some­one to see how re­sis­tant your house was to bur­glars, and they just twisted the front door­knob to make sure it was locked,” he added, of­fer­ing an anal­ogy for the lack of thor­ough­ness of the se­cu­rity tests cur­rently be­ing done.

Home­land Se­cu­rity of­fi­cials take is­sue with such char­ac­ter­i­za­tions. The se­cu­rity train­ing ses­sions and as­sess­ments they con­duct are hav­ing a big im­pact, and new chan­nels of com­mu­ni­ca­tion have been opened to share threat alerts with lo­cal elec­tions su­per­vi­sors, depart­ment of­fi­cials said.

“There is no ques­tion we are mak­ing real and mean­ing­ful progress,” said a state­ment from Jeanette Man­fra, as­sis­tant sec­re­tary for the Of­fice of Cy­ber­se­cu­rity and Com­mu­ni­ca­tions at the DHS. THE GOV­ERN­MENT’S Elec­tions As­sis­tance Com­mis­sion has been mov­ing ag­gres­sively to make lo­cal of­fi­cials aware of the sever­ity of the threat, pre­pare them to con­front it and in­crease their ac­cess to fed­eral in­tel­li­gence. It has en­cour­aged lo­cal of­fi­cials to take part in elec­tion war games run by Har­vard’s Belfer Cen­ter for Sci­ence and In­ter­na­tional Af­fairs, which sim­u­late a for­eign cy­ber­at­tack and re­quire of­fi­cials to fig­ure out how to keep Elec­tion Day from melt­ing down.

It’s a stress­ful ex­er­cise. Par­tic­i­pants are con­fronted with the prospect of their de­ci­sions lead­ing to mass protest, ag­gra­vated by a con­cur­rent so­cial-me­dia pro­pa­ganda cam­paign launched by the hack­ers.

Elec­tions of­fi­cials in­creas­ingly find them­selves in a job they never signed up for: in­for­ma­tion tech­nol­ogy man­agers tasked with pro­tect­ing some of the most sen­si­tive com­puter sys­tems in the world. Yet they don’t have the de­fenses of a ma­jor re­tailer like Tar­get or a fi­nan­cial in­sti­tu­tion like Cit­i­group – and even those op­er­a­tions are get­ting breached.

The state of Vir­ginia got so spooked by what hap­pened at DEF CON that, just nine weeks be­fore its statewide elec­tions in Novem­ber, it di­rected all 22 vot­ing dis­tricts to aban­don the pa­per­less elec­tronic vot­ing ma­chines they had se­cured for the elec­tion and im­me­di­ately shift to other sys­tems. Penn­syl­va­nia an­nounced this month it is also mov­ing in that di­rec­tion.

The push­back that some lo­cal vot­ing of­fi­cials gave to the Depart­ment of Elec­tions in Vir­ginia con­firmed for com­puter sci­en­tists that too many still don’t un­der­stand the de­gree of risk they face. Lo­cal of­fi­cials in­sisted their sys­tems were safe be­cause they were not con­nected to the In­ter­net, or that they could be pro­tected from in­trud­ers by wrap­ping them with tam­per-proof tape. Hack­ers have shown re­peat­edly that such de­fenses are easy to pen­e­trate.

“A seasoned ac­tor that can do this is not even touch­ing the ma­chine,” said James Scott, a se­nior fel­low at the In­sti­tute for Crit­i­cal In­fra­struc­ture Tech­nol­ogy, a Wash­ing­ton non­profit that is ad­vis­ing law­mak­ers on the cy­berthreat. “The vul­ner­a­bil­i­ties are there to ma­nip­u­late these ma­chines.”

A fix does ex­ist, Scott said: Congress could pro­vide money for new vot­ing ma­chines and man­date they pro­duce a pa­per trail that is ran­domly au­dited, steps called for in sev­eral bi­par­ti­san mea­sures that have been in­tro­duced, but not acted on. All such pro­pos­als come with a price tag of hun­dreds of mil­lions of dol­lars and nei­ther the ad­min­is­tra­tion nor Congress has made that a pri­or­ity.

Even na­tional se­cu­rity ex­perts who are skep­ti­cal that for­eign op­er­a­tives could stealth­ily change vote counts ex­press deep con­cern.

“I don’t know if they are aim­ing to change out­comes, but they don’t need to,” said David Becker ex­ec­u­tive di­rec­tor of the Cen­ter for Elec­tion In­no­va­tion and Re­search. Merely pok­ing around an elec­tion sys­tem is enough to shake the faith of vot­ers, he said.

NA­TIONAL SE­CU­RITY AGENCY di­rec­tor Mike Rogers, joined by top in­tel­li­gence of­fi­cials, tes­ti­fies be­fore the Se­nate In­tel­li­gence Com­mit­tee at a hear­ing in Wash­ing­ton, DC, fo­cused on global threats.

Newspapers in English

Newspapers from Israel

© PressReader. All rights reserved.