“In these cases, they were attacked through old Web application vulnerabilities,” says Alex Heid, chief research officer at Security Scorecard. “Web apps that were written in the early to mid-2000s and are still online and often still have the vulnerabilities that were carried over from that era. States that have an online portal for any type of registration will want to make sure their web apps are up to current [security] standards.”
Ray Rothrock, CEO of RedSeal, suggests that those vulnerable assets should be taken offline. “Nobody says that the computer in Town Hall needs to be on an internet,” he says. Just as outdated IRS systems have already been compromised, “You can’t keep patching old systems for security, you actually have to architect something and think about it strategically,” Rothrock says.
The government has offered to help states protect their voter databases and election systems by dispatching, on request, federal cyber security experts who could scan for vulnerabilities in voting systems and provide other resources to help protect them.
“I don’t think that will necessarily help things,” Heid says. “If the government is doing an assessment on themselves – there’s always the risk of a small group of individuals in the program, even with legitimate intentions, to cause issues.”
The lesser of two evils: confidentiality or integrity/availability
Harkins believes that election security risks go far beyond the recent voter database attacks and end-point security solutions.
“The confidentiality of your vote is important, but it’s not going to change the election. Integrity and availability risk [however] could alter the outcome of an election,” Harkins says, and not by manipulating votes, but by influencing the ability to vote. For instance, in municipalities with voter databases and no paper backup, cyber thieves possibly could cryptolock files and hold voting rights for Bitcoin ransom, he says.
There are simpler ways to disrupt voting at the height of election day, Harkins adds. Cutting power to a school where electronic voting is taking place, and without paper backup, could halt voting for hours, and many voters would turn away.
There is also the threat of tampering with electronic voting machines themselves. Georgia, Delaware, Louisiana, South Carolina and New Jersey use electronic voting machines that leave no way to audit results after the fact, according to the ICIT report. Swing states, such as Pennsylvania and Virginia, do not rely on machines that generate a paper trail. According to Verified Voting, which advocates for transparency of voting machines, 47 of Pennsylvania’s 67 counties rely on digital voting machines without a verifiable paper auditing trail.
“You would have to harden those systems from intrusions or attacks that would affect the availability of the system, then you would have to look at the redundancy of those systems,” Harkins says.