Milwaukee Journal Sentinel

IS OUR ELECTION SYSTEM SAFE?

How hackers might attack Wisconsin’s elections

- Grigor Atanesian

A private vendor inadvertently introduces malware into voting machines he is servicing. A hacker hijacks the cellular modem used to transmit unofficial Election Day results. An email address is compromised, giving bad actors the same access to voting software as a local elections official. These are some of the potential vulnerabilities of Wisconsin’s election system described by cybersecurity experts.

State officials insist they are on top of the problem and that Wisconsin’s elections infrastructure is secure because, among other safeguards, voting machines are not connected to the internet and each vote is backed by a paper ballot to verify results.

In July, the Wisconsin Center for Investigative Journalism reported that Russian hackers have targeted websites of the Democratic Party of Wisconsin, the state Department of Workforce Development and municipalities including Ashland, Bayfield and Washburn. Elections in this swing state are administered by 1,853 municipal clerks, 72 county clerks and the Wisconsin Elections Commission.

Top cybersecurity experts from the United States, Canada and Russia interviewed by the center said that some practices and hardware components could make voting in Wisconsin open to a few types of malicious attacks and that Russian actors have a record of these specific actions.

And it is not just Wisconsin — this is a nationwide threat, the National Academy of Sciences, Engineering and Medicine stated in its newly released report, Securing the Vote.

“With respect to foreign threats, the challenge is compounded by the great asymmetry between the capabilities and resources available to local jurisdictions in the United States and those of foreign intelligence services,” according to the report.

Wisconsin Elections Commission spokesman Reid Magney said the agency has been doing “almost everything they recommend” in the report for several years except for a specific type of post-election audit, which will be discussed at a Sept. 25 meeting.

“In short, we’re way ahead of the curve in election security and ought to get some credit for that,” Magney said.

Vendors source of concern

Private companies, which supply the hardware and software for voting, are increasingly the focus of federal lawmakers, security experts and election integrity advocates.

Former longtime Legislative Audit Bureau manager Karen McKim, a coordinator for the Madison-based grassroots group Wisconsin Election Integrity, said many Wisconsin elections officials do not realize “how very much is completely outside their control.”

“They really, truly, do believe that if they keep the individual voting machines unconnected from the internet and do pre-election testing, that the software is safe,” said McKim, whose group advocates for measures to secure Wisconsin’s elections.

Voting machines are certified by the state. But there are no federal standards for security, operation or hiring processes at companies that provide hardware and software for voting. The state does not scrutinize the security practices of such private vendors.

“While (outsourcing pre-election programming) may introduce a vulnerability, the more important question is whether that vulnerability is acceptable,” Magney said. “And that depends on the exact details of the security mitigations involved.”

Dane County Clerk Scott McDonell said large counties in Wisconsin such as his “typically code their own elections,” but “the small ones are outsourcin­g.”

“If I were being paranoid,” he added, “I would worry about the outsourced ones.”

Cybersecurity expert Luke McNamara confirmed that private vendors can be a vulnerability. McNamara is a senior analyst at the California-based FireEye cybersecurity firm, which investigated the breach of Illinois’ voter registration database that happened before the 2016 election.

He said governments need to make sure the vendors they work with “are using proper security and safeguarding their own software, data and systems that they’re deploying out to the state level.”

The Green Party’s presidential candidate, Jill Stein, who won the right under state recount law to evaluate the source code for Wisconsin’s voting machines, is advocating for public ownership of voting systems and technologies related to them.

“It’s outrageous that our election systems are owned by private corporations that claim a proprietary interest in keeping critical information secret from the public,” Stein campaign spokesman Dave Schwab wrote in an email to the center.

Computer scientist J. Alex Halderman, who was part of the team that pushed for the 2016 recount of the presidential vote in Wisconsin, told the U.S. Senate Intelligence Committee that private vendors can make elections systems vulnerable.

“Attackers could target one or a few of these companies and spread malicious code to election equipment that serves millions of voters,” Halderman, director of the University of Michigan’s Center for Computer Security and Society, testified in 2017.

Wisconsin Election Integrity activists have sought transparency from Command Central LLC, a Minnesota-based vendor that has provided voting machine programming to more than half of Wisconsin’s 72 counties. In a 2011 email interview with local activists, a company representative said it serviced “3,000 pieces of equipment” in 46 Wisconsin counties.

The center asked Command Central several questions, including the number of governments it currently serves in Wisconsin, what technology it uses to exchange files with clerks and whether there are any full-time security personnel in the company.

“We do not disclose information to the press (or the public) about internal and external procedures with our customers or the specifics of our internal security settings/applications,” Command Central President Chad Trice wrote in response.

Two corporations that supply most of the voting machines in Wisconsin, Election Systems & Software of Omaha, Nebraska; and Dominion Voting Systems of Denver, are suing the state Elections Commission and the Stein campaign in Dane County Circuit Court in Madison over the campaign’s plans to evaluate voting software used in the 2016 presidential election. The companies argue that any public dissemination of the findings would jeopardize “highly confidential, proprietary and trade secret information.”

Removable memory devices debated

Another potential vulnerability is the use of removable devices to transfer programming to the voting machines. If such a device contains malicious software, it can infect even voting machines not connected to the internet, said Alexis Dorais-Joncas of the cybersecurity firm ESET, who investigated just such an attack by Russian intelligence-associated hackers in 2014.

According to the commission, any problems with the voting machines would be identified by required pre-election testing.

But Dmitry Volkov, chief technology officer for the company Group-IB based in Moscow, said such malicious software can be designed to be delivered “after all tests are conducted.”

“(If) a vendor has access (to an election system) through a secure channel, if you hack the vendor, you can gain an access through this secure channel,” said Volkov, a member of the advisory council on cybersecurity for Interpol, the European Union’s law enforcement agency.

Harri Hursti, an international expert on election cybersecurity and co-founder of the Voting Machine Hacking Village at the annual DEFCON hacker conference, agreed. He said that “it is hard to make the claim that anything using any kind of USB devices can be air-gapped,” or physically isolated from attack.

“USB memory cards are mini-computers,” Hursti said, “and we have known for years how to reprogram those to carry malicious content over air gaps and extract confidential information.”

Modems vulnerable?

Experts said another potential vulnerability is associated with the use of modems in voting machines across Wisconsin to transmit unofficial Election Day results.

In some cases, those modems are transmitting results over the Internet, Haas, the former Elections Commission administrator, acknowledged in 2016 testimony during the legal battle over Wisconsin’s presidential recount.

But Magney said the devices “do not accept any incoming connections. The user keys in a specific phone number to dial out. While misdials or interceptions may be possible … the receiving computer also has a firewall, and accepts authenticated transmissions for a very short period of time.”

Vendors and elections commission officials say proper safeguards, such as malware detection and encryption, are in place. Magney said the transmissions are made “only after all the votes have been tabulated.” He noted that the new National Academy of Sciences report does not mention modems as a potential vulnerability.

However, computer scientists say that existing defense measures can be overrun. According to The New Yorker, such concerns have prompted four states — New York, Maryland, Virginia and Alabama — to prohibit the use of machines with modems to transmit election results.

Cellular connection adds vulnerability

Another practice criticized by the computer scientists is the use of cellular technology to transmit unofficial election results. Cellular networks’ security liabilities were detailed in a 2017 U.S. Department of Homeland Security report, which called for enhanced protections when governments use cellular technology.

At the center’s request, the list of cellular modems in use in Wisconsin election systems was reviewed by Bart Stidham, chief executive officer of NAND Technologies, who has conducted cellular network security analysis for DHS and commercial clients.

In 2017, DHS designated election systems as critical infrastructure in need of enhanced protection. Stidham said most of the cellular modems used by Wisconsin “are commodity consumer devices. They are not designed for use in critical infrastructure.”

Magney said the federal government “is still parsing out what that (critical infrastructure) designation means” when it comes to elections and voting equipment.

Another vulnerability, according to Volkov, is that some of these cellular wireless modems rely on public cellular networks. “If you are on a public network,” he said, “you can be reached.”

In February, two Princeton University computer science professors, Andrew Appel and Kyle Jamieson, published a blog describing possible scenarios to hack modems used in DS200 paper ballot tabulators, including erecting fake cellphone towers near voting locations like police do with Stingray devices.

“If your state laws, or a court with jurisdiction, say not to connect your voting machines to the Internet, then you probably shouldn’t use telephone modems either,” they said.

Magney downplayed the concerns, noting that only unofficial encrypted results from Election Day are transmitted this way after polls close. Those are backed up by a printed paper tape, which is used to verify the official results.

But even discrepancies between initially reported unofficial results and the outcome of the election may achieve Russia’s goal of sowing discord, according to FireEye’s McNamara.

He is among those cautioning against becoming too focused on the vulnerabilities of America’s vote-tallying systems. McNamara said the Kremlin’s goal may be simpler: “Attacking the confidence of electoral process itself.”

Grigor Atanesian, a native of St. Petersburg, Russia, is an Edmund S. Muskie fellow at the Wisconsin Center for Investigative Journalism. He studies investigative reporting at the University of Missouri School of Journalism via a Fulbright grant.

Photo illustration: Wisconsin Center for Investigative Journalism / Getty Images / USA TODAY Network

Photo (Coburn Dukehart / Wisconsin Center for Investigative Journalism): Dane County Clerk Scott McDonell says his county programs all of its voting machines but that many smaller counties use private vendors. “If I were being paranoid,” McDonell says, “I would worry about the outsourced ones.” He was photographed in his office in the City-County Building in Madison in July.
