Com­puter se­cu­rity ex­perts warn that state elec­tions sys­tems are vul­ner­a­ble to hack­ers.

Los Angeles Times - - FRONT PAGE - By Evan Halper

WASH­ING­TON — When Chris Grayson pointed his Web browser in the di­rec­tion of Ge­or­gia’s elec­tions sys­tem ear­lier this year, what he found there shocked him.

The Santa Mon­ica cy­ber­se­cu­rity re­searcher ef­fort­lessly down­loaded the con­fi­den­tial voter file of ev­ery reg­is­tered Ge­or­gian. He hit upon un­pro­tected fold­ers with pass­words, ap­par­ently for ac­cess­ing vot­ing machines. He found the off-the-shelf soft­ware patches used to keep the sys­tem se­cure, sev­eral of which Grayson said could be eas­ily in­fected by a savvy 15-year-old hacker.

“It was like, holy smokes, this is all on the In­ter­net with no au­then­ti­ca­tion?” Grayson said in an in­ter­view. “There were so many things wrong with this.”

Amer­i­can elec­tions only re­cently seemed im­pen­e­tra­ble: too many dif­fer­ent sys­tems, dif­fer­ent ju­ris­dic­tions and dif­fer­ent machines — on­line and off­line — to hack. But con­fi­dence in the sys­tem’s in­vul­ner­a­bil­ity is erod­ing af­ter na­tional se­cu­rity of­fi­cials re­vealed that dur­ing the 2016 pres­i­den­tial race Rus­sian hack­ers at­tempted to in­fil­trate elec­tions sys­tems in 21 states.

Of­fi­cials won’t iden­tify which states, but say in some cases cul­prits got in­side net­works to look around.

Fed­eral law en­force­ment of­fi­cials say they are con­fi­dent the vote count was not dis­rupted in 2016. But they

worry about up­com­ing cy­cles.

“The cy­ber threat to elec­tions in 2016 was sig­nif­i­cantly more se­vere than in pre­vi­ous years,” said Bob Ko­lasky, the act­ing deputy un­der­sec­re­tary for na­tional pro­tec­tion at the Depart­ment of Home­land Se­cu­rity, which is try­ing to help states shore up their sys­tems. “We an­tic­i­pate go­ing for­ward it will be a more sig­nif­i­cant threat than we’ve had in past.”

Among the most alarmed have been pedi­greed com­puter se­cu­rity schol­ars, who warn that a well-timed hack of a ven­dor that serves mul­ti­ple states could be enough to cause chaos even in sys­tems that were thought to be walled off from one another. And they say se­cu­rity lapses like those in Ge­or­gia re­veal the ease with which hack­ers can slip in.

The most shock­ing part about Ge­or­gia’s prob­lems may have been that elec­tion of­fi­cials were warned months be­fore. A friend of Grayson’s named Lo­gan Lamb had dis­cov­ered the vul­ner­a­bil­i­ties prior to the 2016 pres­i­den­tial elec­tion and alerted the keep­ers of the sys­tem. They as­sured Lamb the prob­lem was fixed.

It wasn’t. Soon af­ter Grayson tapped in and alerted of­fi­cials that they still had a prob­lem, the FBI was called to in­ves­ti­gate. But its quick find­ing that the se­cu­rity lapses had not been ex­ploited by ma­li­cious hack­ers was met skep­ti­cally by more than a dozen com­puter se­cu­rity schol­ars at in­sti­tu­tions such as Yale, MIT, UC Berke­ley, Brown, Prince­ton and the Lawrence Liver­more Lab­o­ra­tory, who un­suc­cess­fully urged Ge­or­gia to im­me­di­ately side­line its vot­ing machines and use pa­per bal­lots.

The vul­ner­a­bil­i­ties have rat­tled Ge­or­gia. Rep. Hank John­son, a long-serv­ing Demo­crat in the At­lanta suburbs, says he now ques­tions the re­sults from an April con­gres­sional elec­tion in which Demo­crat Jon Os­soff fell just a few thou­sand votes short of win­ning the seat he would ul­ti­mately lose in a runoff.

No ev­i­dence of tam­per­ing with vote tallies emerged in that elec­tion, but the com­puter sci­en­tists who wrote to Ge­or­gia of­fi­cials, in­clud­ing the for­mer White House deputy chief tech­nol­ogy of­fi­cer, had warned that the equip­ment was sus­cep­ti­ble to stealth vote count cor­rup­tion.

“It re­ally makes me sus­pi­cious of the re­sult that night,” said John­son, who is push­ing leg­is­la­tion that would force of­fi­cials na­tion­wide to shore up their elec­tions se­cu­rity. “I’m sorry to have such a lack of trust in the re­sult. But it is due to what I learned since that time about the vul­ner­a­bil­ity of Ge­or­gia’s sys­tem.”

Such dis­cord and un­cer­tainty are ex­actly what in­tel­li­gence of­fi­cials say op­er­a­tives from Rus­sia and other hos­tile na­tions are seek­ing as they tar­get U.S. elec­tions sys­tems.

The pos­si­ble sce­nar­ios for in­ter­fer­ence are un­nerv­ing. Wor­ries range from cy­ber crim­i­nals chang­ing vote counts — as they did suc­cess­fully a few years ago in Ukraine — to a mass cor­rup­tion of voter reg­is­tra­tion that could par­a­lyze key precincts on elec­tion day.

Not all elec­tion of­fi­cials are heed­ing the warn­ings. The Depart­ment of Home­land Se­cu­rity’s sim­ple step in the wan­ing days of the Obama ad­min­is­tra­tion of des­ig­nat­ing elec­tions sys­tems as “crit­i­cal in­fra­struc­ture” — en­ti­tling state and lo­cal of­fi­cials to re­ceive depart­ment help se­cur­ing their sys­tems and re­spond­ing to po­ten­tial at­tacks as they emerge — drew re­bukes across the coun­try.

Con­ser­va­tive elec­tions chiefs warned of fed­eral in­tru­sion, ar­gu­ing the best defense against tam­per­ing is leav­ing in­tact the ex­ist­ing, de­cen­tral­ized patch­work of lo­cally con­trolled elec­tions that they in­sist is too dif­fuse for hack­ers to over­take. Now pro­gres­sives have their own wor­ries about the Trump ad­min­is­tra­tion, es­pe­cially as a White House task force at­tempts to val­i­date the pres­i­dent’s un­founded al­le­ga­tions that ram­pant voter fraud cost him the pop­u­lar vote.

The Na­tional Assn. of Sec­re­taries of State pil­lo­ried the fed­eral help in an of­fi­cial res­o­lu­tion that de­clared the Depart­ment of Home­land Se­cu­rity “has no au­thor­ity to in­ter­fere with elec­tions, even in the name of na­tional se­cu­rity.”

Ge­or­gia Sec­re­tary of State Brian Kemp, a Repub­li­can, went fur­ther. He ac­cused the Obama ad­min­is­tra­tion of try­ing to hack into the state’s sys­tem in midNovem­ber. An in­de­pen­dent in­ves­ti­ga­tion by the depart­ment’s in­spec­tor gen­eral found this month that no such hack­ing took place.

More than 40 states use vot­ing sys­tems that are over a decade old. The vul­ner­a­bil­i­ties of the dated equip­ment are chill­ing, ac­cord­ing to J. Alex Hal­der­man, di­rec­tor of the Cen­ter for Com­puter Se­cu­rity and So­ci­ety at the Univer­sity of Michi­gan.

“As a tech­ni­cal mat­ter, it is cer­tainly pos­si­ble votes could be changed and an elec­tion out­come in a close elec­tion could be f lipped,” he said, ex­plain­ing that even vot­ing equip­ment dis­con­nected from the In­ter­net can be cor­rupted by com­pro­mised soft­ware that is ul­ti­mately dis­trib­uted to elec­tions of­fi­cials on­line. “The tech­ni­cal abil­ity is there and we wouldn’t be able to catch it. The state of tech­ni­cal defense is very prim­i­tive in our elec­tion sys­tem now.”

Hal­der­man said he ac­cepted the find­ings of U.S. in­tel­li­gence agen­cies that such tam­per­ing did not al­ter vote counts from the last pres­i­den­tial elec­tion. But he warned that dur­ing it, hack­ers planted a lot of seeds to make fu­ture dis­rup­tions.

Red flags are go­ing up around the coun­try, even as sec­re­taries of state try to as­sure an in­creas­ingly con­cerned elec­torate that they have things un­der con­trol. Par­tic­u­lar con­cern is fo­cused right now on voter reg­is­tra­tion. The data­bases ap­pear to be the most vul­ner­a­ble link in elec­tions and eras­ing tens of thou­sands of vot­ers from the rolls on elec­tion day would be a sure­fire way to cre­ate a chaos sce­nario.

Hack­ers are al­ready ag­gres­sively prob­ing ways in. Both Illi­nois and Ari­zona shut down their voter reg­is­tra­tion sys­tems for a week last sum­mer af­ter they were pen­e­trated. Just be­fore the pres­i­den­tial elec­tion, hack­ers showed they could break into VR Sys­tems, a Florida com­pany that elec­tion of­fi­cials in eight states, in­clud­ing Cal­i­for­nia, rely on to keep track of who is el­i­gi­ble to cast a bal­lot on elec­tion day. The hack­ers used a “phish­ing” probe to trick at least one em­ployee into re­veal­ing their lo­gin in­for­ma­tion to ac­cess the com­pany sys­tem, ac­cord­ing to a Na­tional Se­cu­rity Agency doc­u­ment leaked to the In­ter­cept, a me­dia out­let. Once in­side, the hack­ers were able to present them­selves on­line as em­ploy­ees of the firm and send un­sus­pect­ing lo­cal elec­tions of­fi­cials mal­ware mas­querad­ing as le­git­i­mate com­pany soft­ware.

Com­pany of­fi­cials said in a state­ment that no hacker emails tar­get­ing lo­cal of­fi­cials were opened.

It was cold com­fort to se­cu­rity ex­perts.

“Our elec­tions sys­tems are more con­nected than they seem,” said Hal­der­man, warn­ing that hack­ers who find their way into the network of a poorly se­cured elec­tions board through such phish­ing schemes could un­leash mal­ware with po­ten­tial to cor­rupt not just reg­is­tra­tion files but even vot­ing machines. “VR Sys­tems had cus­tomers across a num­ber of states that could be tar­geted or breached by them be­ing breached. They send soft­ware up­dates, have con­tact info. The way a re­mote at­tacker op­er­ates is by fol­low­ing those chains of in­ter­con­nec­tions.… Peo­ple are say­ing we have 50 dif­fer­ent states, lots of lo­cal elec­tion of­fi­cials in dif­fer­ent of­fices run­ning sep­a­rate sys­tems, so how could some­one pos­si­bly do a wide­spread at­tack? This is ex­actly how.”

In the af­ter­math of the VR Sys­tems in­ci­dent, elec­tions of­fi­cials in Ken­tucky have told ven­dors look­ing to bid on a big voter reg­is­tra­tion con­tract there that un­der no cir­cum­stances can the voter logs that poll work­ers use on elec­tion day be con­nected to the state’s main voter reg­is­tra­tion data­base on­line.

Other states are tak­ing pre­cau­tions. Gov. Jerry Brown signed a new law re­quir­ing the state to alert vot­ers when their reg­is­tra­tion has been changed af­ter the River­side County district at­tor­ney’s of­fice heard of about three dozen vot­ers who said they were ei­ther re­moved from the vot­ing rolls or had their party changed with­out con­sent, which Dist. Atty. Mike Hestrin at­tributes to hack­ing.

“This was a wake-up call,” Hestrin said. Some Cal­i­for­nia coun­ties have also joined Colorado and New Mex­ico in con­duct­ing ro­bust au­dits of pa­per backup bal­lots to en­sure they match the dig­i­tal vote re­sults, which many com­puter se­cu­rity ex­perts ad­vo­cate as the best defense against elec­tion hack­ing. Ven­dors of vot­ing machines were chas­tened af­ter the DefCon hack­ing con­fer­ence in Las Ve­gas high­lighted how pro­gram­mers can pen­e­trate the machines in as lit­tle as 90 min­utes if left in the same room with them. Some found pass­words for the ad­min­is­tra­tive func­tions of the equip­ment on Google.

Not ev­ery­one in Wash­ing­ton is alarmed. The group many com­puter se­cu­rity ex­perts say is best equipped to de­velop na­tional pro­to­cols and help elec­tions of­fi­cials find and ad­dress their vul­ner­a­bil­i­ties is the bi­par­ti­san Elec­tions As­sis­tance Com­mis­sion. But the group has been tar­geted for elim­i­na­tion by the White House and Repub­li­cans in Congress.

That con­founds Dan Wal­lach, a com­puter se­cu­rity scholar at Rice Univer­sity who re­cently tes­ti­fied in Congress about elec­tion sys­tem vul­ner­a­bil­i­ties and who says a strong EAC is vi­tal to na­tional se­cu­rity, par­tic­u­larly as vul­ner­a­bil­i­ties in voter reg­is­tra­tion sys­tems emerge.

“The sys­tems we are us­ing to­day to man­age voter reg­is­tra­tion were never built with this kind of a threat in mind,” Wal­lach said in an in­ter­view. “If I can de­stroy vot­ing reg­is­tra­tion data, it does not mat­ter how good the rest of your sys­tem is. You will have lines and a gi­ant mess when peo­ple turn up to vote.”

Joe Raedle Getty Images

A VOTER in Sandy Springs, Ga., in June. A Santa Mon­ica cy­ber­se­cu­rity re­searcher said he found glar­ing weak­nesses in Ge­or­gia’s elec­tions sys­tem this year. “There were so many things wrong,” he said.

Bill Clark CQ-Roll Call

REP. HANK JOHN­SON (D-Ga.) says he now ques­tions the re­sults from an April con­gres­sional elec­tion.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.