Apple Magazine - - Summary -

It was the kind of se­cu­rity lapse that gives elec­tion of­fi­cials night­mares. In 2017, a pri­vate con­trac­tor left data on Chicago’s 1.8 mil­lion reg­is­tered vot­ers — in­clud­ing ad­dresses, birth dates and par­tial So­cial Se­cu­rity num­bers — pub­licly ex­posed for months on an Ama­zon cloud server.

Later, at a tense hear­ing , Chicago’s Board of Elec­tions dressed down the top three ex­ec­u­tives of Elec­tion Sys­tems & Soft­ware, the na­tion’s dom­i­nant sup­plier of elec­tion equip­ment and ser­vices.

The three shifted un­easily on fold­ing chairs as board mem­bers grilled them about what went wrong. ES&S CEO Tom Burt apol­o­gized and re­peat­edly stressed that there was no ev­i­dence hack­ers down­loaded the data.

The Chicago lapse pro­vided a rare mo­ment of pub­lic ac­count­abil­ity for the closely held busi­nesses that have come to serve as front-line guardians of U.S. elec­tion se­cu­rity.

A trio of com­pa­nies — ES&S of Omaha, Ne­braska; Do­min­ion Vot­ing Sys­tems of Den­ver and Hart In­terCivic of Austin, Texas — sell and ser­vice more than 90 per­cent of the ma­chin­ery on which votes are cast and re­sults tab­u­lated. Ex­perts say they have long skimped on se­cu­rity in fa­vor of con­ve­nience, mak­ing it more dif­fi­cult to de­tect in­tru­sions such as oc­curred in Rus­sia’s 2016 elec­tion med­dling.

The busi­nesses also face no sig­nif­i­cant fed­eral over­sight and op­er­ate un­der a shroud of fi­nan­cial and op­er­a­tional se­crecy de­spite their piv­otal role un­der­pin­ning Amer­i­can democ­racy.

In much of the na­tion, es­pe­cially where tech ex­per­tise and bud­gets are thin, the com­pa­nies ef­fec­tively run elec­tions ei­ther di­rectly or through sub­con­trac­tors.

“They cob­ble things to­gether as well as they can,” Univer­sity of Con­necti­cut elec­tion-tech­nol­ogy ex­pert Alexan­der Schwartz­man said of the in­dus­try lead­ers. Build­ing truly se­cure sys­tems would likely make them un­prof­itable, he said.

The costs of in­ad­e­quate se­cu­rity can be high. Left un­men­tioned at the Chicago hear­ing: The ex­posed data cache in­cluded roughly a dozen en­crypted pass­words for ES&S em­ployee ac­counts . In a worst-case sce­nario, a so­phis­ti­cated at­tacker could have used them to in­fil­trate com­pany sys­tems, said Chris Vick­ery of the se­cu­rity firm Up­gard, which dis­cov­ered the data lapse.

“This is the type of stuff that leads to a com­plete compromise,” he said. ES&S said the pass­words were only used to ac­cess the com­pany’s Ama­zon cloud ac­count and that “there was no unau­tho­rized ac­cess to any data or sys­tems at any time.”

Im­age: Mel Evans

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.