The U.S. has spent hundreds of millions of dollars bolstering cybersecurity, but election infrastructure hasn’t been the target of the same rigor.
As with the industrial and health care sectors, government infrastructure is rife with legacy technology, which heightens security risks. Indeed, the Department of Homeland Security classifies election systems as critical infrastructure, alongside critical manufacturing, health care, transportation systems and other sectors deemed vital for society’s well-being. Cyberattacks on critical infrastructure can cause “population panic” and can seem like “the stuff of disaster films,” as a McKinsey report on critical infrastructure notes.
But they pose more than a fictional risk. Nine out of 10 security professionals working in critical infrastructure sectors report that their environment has suffered a cyberattack in the past two years, according to a 2019 study from the Ponemon Institute. And in early 2020, DHS warned of the possibility that tensions between the U.S. and Iran could create industrial control system (ICS) security problems.
In the past few years, awareness of the risks to election security has improved, according to Andrea Little Limbago, chief social scientist at Virtru. But knowledge does not always drive results. “My biggest concern is that risk frameworks will be structured based on 2016 and fail to address the ways attackers have evolved over the last four years,” Limbago said. “For instance, Russia was the core election interference threat in 2016, but now there are a range of international and domestic actors who may seek some form of interference.”
One piece of election infrastructure — voting machines — has become a favorite target of security researchers. Whether voting machines are Internet of Things devices is debated, but they are similar to IoT devices in their use of embedded computing and networking to automate traditionally manual data-collection tasks. They are also alike in their potential for manipulation. At last year’s DEFCON cybersecurity event, for instance, hackers had little trouble breaking into the dozens of voting machines at the event.
But “election interference can occur through myriad means, including social media manipulation and digital attacks on voting systems such as voter registration sites or databases,” Limbago warned.
This piece examines election infrastructure, offering advice that applies to other sectors with ICS security concerns such as aging software and equipment and a growing attack surface.
Analog Strategies Can Shore Up Election Security
To improve the security of paperless voting systems, Chris Krebs, a cybersecurity leader within the Department of Homeland Security, recommends the use of paper-based systems. Municipalities with digital voting systems should “have a paper ballot backup,” Krebs said at DEFCON.
While enlisting paper-based systems may sound old-fashioned, “the use of analog controls to protect digital systems is often an overlooked technique” for bolstering cybersecurity, according to Andrew Howard, chief executive officer of Kudelski Security. “From the electrical grid to self-driving vehicles to voting, there is a role for analog protections such as in-hardware control message validation and verified paper audit trails,” Howard said.
Because digital modifications to election machines can be hard to detect and could potentially influence election results, paper audit trails are vital. “When implemented properly, paper audit trails can provide a layered defense against in-software vote swapping techniques,” Howard said.
Slow Refresh Cycles and Uneven Patching Spell Cyber Problems
According to the Brennan Center, nearly half of the states with paperless voting machines in 2016 will not have replaced them in time for the 2020 elections. “There are still a half-dozen or so states that haven’t integrated paperless voting machines, and actual resources allocated to modernizing and securing voting machines varies significantly state to state,” Limbago said.
Many voting machines rely on Windows 7, which is no longer supported with bug fixes or security fixes. The Associated Press reported in July 2019 that it found multiple battleground states affected by the end of Windows 7 support.
While modern voting machines have a shelf life of perhaps 10 to 15 years, as The New Yorker observed, many are in use for considerably longer.
Aging equipment poses similar cyber-vulnerabilities in the industrial and ICS security sector. “The refresh cycle in IT is three to five years,” said Jason Haward-Grau, chief information security officer at PAS Global. The refresh cycle in operational technology is several times slower. A 2017 Reuters analysis indicated the average age of industrial equipment is a decade. Often, OT equipment is in use for 15 or 25 years, Haward-Grau said.
Human Error Is a Risk to Election Security
Election security doesn’t need to involve a breach for problems to occur.
Voting systems can also be misconfigured, sometimes without the awareness of voters or election officials. When it comes to misconfigured ballot-marking systems, for instance, “officials have no way to tell whether there was a BMS malfunction, the voter erred, or the voter is attempting to cast doubt on the election,” wrote Philip B. Stark, a professor at the University of California, Berkeley.
While running parallel testing of devices such as ballot-marking systems can help detect problems, “the only remedy is to hold a new election,” Stark wrote. “There is no way to reconstruct the correct election result from an untrustworthy paper trail,” he continued.
Recent elections in Georgia encountered a string of problems, nearly all of which were related to human error, according to a local NPR affiliate.
Lack of Funding Is a Common Excuse
One of the most common reasons organizations postpone making cybersecurity-related upgrades is lack of funds. Many election officials would like to upgrade equipment but lack the funds to do so, according to the Brennan Center.
It’s not just end-users that are cash-strapped. “This industry is significantly underfunded,” Tom Burt, CEO of Election Systems & Software, told NBC News. “Margins are very thin. Very frankly, it is not a great business to get into.”
While lack of funding poses a challenge, another difficulty is finding time to take systems offline to upgrade them. While this is a concern when it comes to voting systems, the challenge is greater when it comes to systems used in health care and manufacturing, where bringing a system down for hours or days is rarely an option.
While it can be challenging to find resources — whether time or money — to upgrade vulnerable software and hardware, there are enough stories of cyberattacks to warrant dedicating resources to securing critical infrastructure. “Analysis of return on investment and potential downside risk of not upgrading are helpful in the discussion,” Howard said.