Editor’s note: “Wired for Safety” is a weekly column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer College. From 2001 to 2011 he worked in cybersecurity for NOAA. He is a first-year doctoral student at Northeastern University. His other activities include “You Have A Voice,” a project to develop an electronic screening assessment to identify human trafficking victims.
[D]EFCON is a conference that attracts the top thinkers on digital security. They often have a hack-a-thon, where hackers discuss cybersecurity, write code and sometimes test the security of software or hardware.
This year participants were given access to voting machines to attempt to hack. They were able to gain access to all voting systems via the network or find physical security flaws that could allow modification of the voting system.
The security vulnerabilities discovered — including one that was known back in 2003 — are not surprising. Richard Pethia, former head of the Computer Emergency Response Team at Carnegie Mellon University, said that when “vendors release patches or upgrades to solve security problems, organizations’ systems are not necessarily upgraded. The job may be too time-consuming or complex for the system administration staff to handle.” He also said technology “evolves so rapidly that vendors concentrate on time-to-market. Until their customers demand products that are more secure, the situation is unlikely to change.”
He make those remarks in testimony to Congress in 1996 — 21 years ago.
What does this have to do with voting machine security? Loss of control of one our fundamental rights as citizens of this country: a government by the people, for the people.
If voting machines are allowed to be developed without security built into the design and use, it could allow both foreign and domestic adversaries to control who is in power. That could happen not just at the federal level, but local or state elections could be affected.
Keep in mind that at the local or state level, there is a lot of money and power to be gained when the right person is in political office. The financial investment in hiring a rogue hacker to modify votes would be minimal compared to the return on that investment for a business or other organization.
One other sobering discovery at the DEFCON event was that many of the voting machines didn’t have audit logs to provide evidence of tampering. An audit log is a digital record of an event that occurs on a computer system, such as authenticating to the system, rebooting or starting the computer. Finding the trail for malicious activity could be virtually impossible.
What do we do? Heed the advice Pethia gave Congress — in 1996:
• “In 1988, intruders most often exploited widely known system vulnerabilities, default passwords and easy-to-guess passwords.”
One of the voting machines was compromised with full control in a few minutes, as the DEFCON attendant explained, by Googling the default password. “The (default) username and password for this unit was released on a PDF by State of Maryland (username as 1 password as 1111).”
• “Invest in security training for users and system administrators.”
System administrators may not be trained in cybersecurity and risk management. There are many reasons for this, but that is not the point of this article. System administrators must be trained in how to properly secure systems and how to view the network as a whole and not separated by their duties. This is difficult because there is a lot to system administration, and they have enough work to do. Funding should include hiring a separate full-time security person, especially in larger networks.
Voting machine attendants and those who set up the machines for voting also should be trained so they can work on developing secure deployments; implement risk mitigations if WiFi or standard wired networks are necessary; mitigate any physical security limitations of the machines; and test that the controls they put in place are working. They should also be trained to check the voting machines for signs of tampering.
• “Engineering for ease of use is not being matched by engineering for ease of secure administration.”
Voting machine vendors should have a team with cybersecurity training that can help develop the machine that incorporates security into the design of the software and hardware. The vulnerabilities identified in the voting machine hack-a-thon are not new. They are well-known with well-documented mitigations.
Ease of use is possible when developers design applications with feedback from those who will be using what they are developing. It becomes complicated when people are used to performing tasks a specific way, and security controls cause them to change how they perform those tasks. It is possible for people to use security products without even knowing they are working; look at how SSL is used to secure access to email, banking or purchases from Amazon.com. They don’t make decisions about security; just have them type “https” or look for the little padlock.
Of course, the concept of designing secure systems is not new, and training for it is not a dark art. It is freely available.
If it takes a group of volunteer hackers to test the security of voting machines to make them more secure, I’m all for it. However, how about requiring the manufacturers to build security into the machines? Also, voting machine manufacturers should, minimally, address the known issues identified from the results of the hack-a-thon.
Gov. Phil Scott recently announced the development of a 10-member cybersecurity advisory team. Let’s hope voting machine security is on the priority list and they’ve read the recommendations from 1996.
