Voting Machines in ‘Murica

We are less than nine months away from the 2018 national midterm elections and states and local municipalities are still scrambling to understand the threat to their infrastructure and to have in place the most secure voting methodologies. What is known is that the U.S. intelligence apparatus has warned congress that Russian meddling in our elections can be expected to continue. Additionally, the Department of Homeland Security recently provided expansive detail on the previous sojourn into 21 states’ election infrastructure by the Russian Federation’s intelligence apparatus. Follow that with the content of the indictment of 13 Russian citizens/operatives, some of whom traveled to the United States (Nevada, California, New Mexico, Colorado, Illinois, Michigan, Louisiana, Texas, Georgia and New York). Every state should be concerned. And other countries should be going to school on what is occurring in the United States.

The Voting Machines

The information security adage, “If man can create it, man can defeat it,” remains valid. For this reason, all states using electronic voting machines are hypersensitive to the possibility that their results may be skewed in some fashion. Kate Rabinowitz, a freelance data journalist, recently wrote an article that details how thin budgets are for new voting equipment across the United States. Many voting machines are more than a decade old, she wrote, and susceptible to both failure and compromise.

Rabinowitz cited a survey published by The New York University School of Law’s Brennan Center for Justice, which showed 33 states recognize the need to replace their voting machines. The most chilling quote came from Orange County, California’s Registrar of Voters Neal Kelley: “The sky really is falling. We’re taking systems out of service because we can’t repair them anymore.” How many systems does Kelley’s team support? About 11,000 machines.

Last summer, a number of voting machines were publicly compromised during the DefCon conference by security researchers. The event was an unambiguous signal to voting officials across the country that those using voting machines should make sure there is an accompanying paper trail.

Parts, We Need Parts

When machines hit end of life, spare parts become scarce and cannibalization occurs. Thus, it isn’t surprising to learn that election officials have resorted to buying spare parts on eBay.

Now, from a purely counterintelligence and OpSec perspective, knowing that states are buying spare parts out of channel—via eBay or other online retailers—is a juicy opportunity for those interested in compromising the integrity of the machines or the results they produce. Given the warnings from the intelligence community, it is not beyond the pale to process a potential scenario in which spare parts being sold via these gray channels are modified to fail or to act in an unexpected manner to the detriment of the voters. Will states have the resources to validate parts when they are needed yesterday and the election is tomorrow? Seeding supply chains is not new to the Russian Federation, China or any other potential adversary of the United States.

What To Do?

Is it time that voting machines fall under a national mandate and thus are provided to municipalities, rather than having each individual municipality independently determine what machines will be used for vote counting or collecting? Legislatures (both federal and state) demanding change but not funding change are simply spitting into the wind.

If federal funding is not forthcoming and given, we have only nine months to put in place a solution. Perhaps stepping back in time may be the right step.

Paper ballots are to voting machines like one-time-pad is to machine encryption: It might be most secure means to ensure the 2018 vote is secure, especially when we know the U.S. elections are under attack by foreign adversaries.

Additional reading: “America’s Voting Machines at Risk” (2015)

Sponsored Content
Upcoming Webinar
This Year at RSA: Don’t Miss The Conversation on DevSecOps!

This Year at RSA: Don’t Miss The Conversation on DevSecOps!

The 2018 RSA conference promises to feature a lively, yet critical discussion on the role of DevSecOps and how this movement is transforming the way organizations are building and securing their software.  Many agree that secure software equals good software. As we have seen in so many recent headlines, the ... Read More
March 22, 2018

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 36 posts and counting.See all posts by burgesschristopher