The American election system is a textbook example of federalism at work. States administer elections, and the federal government doesn’t have much say in how they do it. While this decentralized system has its benefits, it also means that there’s no across-the-board standard for election system cybersecurity practices. This lack of standardization has become all the more apparent over the past two years: Hackers probed 21 state systems during the lead-up to the 2016 election and gained access to one. But the federal government and states don’t appear to have made great strides to ensure that this doesn’t happen again. To do so, they’d need to deal with not only their own cybersecurity deficits but also those of the private companies that help states administer elections.
Voting machine manufacturers and the makers of election software and electronic poll books (which are lists of eligible voters) are crucially intertwined with state election systems. All states, to some extent or another, rely on these private companies for election products. But despite the central role these companies play, state regulations of them are relatively lax. That’s a problem, especially at a time when these companies are, along with state governments, targets of foreign agents of chaos.
The recent indictment of Russian military intelligence officers as part of special counsel Robert Mueller’s investigation aligned with previous reports that VR Systems, a company that provides electronic poll books and voter registration management systems to eight states, had been hacked via a phishing scheme aimed at compromising employee login credentials. The compromise of VR Systems allowed the hackers to create convincing emails for phishing attacks, this time on state election officials who used the company’s products. Many state officials appeared not to learn of the compromise until news reports about it last summer. Emails obtained by The Intercept reveal that state officials who use VR Systems responded to the breach by seeking guidance from the Department of Homeland Security.
States have felt the heat for their sometimes poor cybersecurity practices, but private voting companies can also lag behind security industry standards. Recently, FiveThirtyEight learned that a webpage labeled “Client Web Portal” for Dominion Voting, one of the country’s leading manufacturers of voting machines, lacked basic SSL encryption, a standard security practice used to protect user credentials, passwords and other sensitive information. Vulnerabilities like that on a login page could lead to stolen passwords or the addition of malicious software or links to the site. When FiveThirtyEight reached out to Dominion to ask about the webpage, Kay Stimson, the company’s vice president for government affairs, said the page had been “identified for SSL encryption and other upgrades as part of a broader company initiative to enhance security protections for our online presence.”
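The defect described above (a login portal reachable without SSL/TLS) is something an operator can check for on their own site before a reporter does. The following is an added example, not code from Dominion, FiveThirtyEight or any vendor named in the article; it audits a login page for the three things that matter here: whether the page itself is served over plain HTTP, whether any form containing a password field submits to a plain-HTTP URL, and whether an HTTPS page sends the Strict-Transport-Security header so browsers refuse to fall back to HTTP. The host name, HTML and headers are constructed placeholders.

```python
"""Audit a login page for credential exposure over plain HTTP (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it carries a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_page(page_url, html, headers):
    """Return a list of findings (empty list means the page passed all three checks)."""
    findings = []
    scheme = urlparse(page_url).scheme.lower()
    if scheme != "https":
        findings.append("page served over plain HTTP")

    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue  # only forms that carry credentials matter for this check
        # An empty action submits back to the page URL; resolve relative actions.
        target = urljoin(page_url, form["action"] or page_url)
        if urlparse(target).scheme.lower() != "https":
            findings.append(f"password form submits to {target} over plain HTTP")

    # HSTS only means something on an HTTPS response; header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    if scheme == "https" and "strict-transport-security" not in lowered:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed sample inputs (placeholder host, not any real vendor portal).
LOGIN_HTML = (
    '<form action="/login" method="post">'
    '<input name="user"><input type="password" name="pw">'
    "</form>"
)
WEAK_URL = "http://portal.example.test/login"
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_URL = "https://portal.example.test/login"
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, url, headers in (
        ("weak", WEAK_URL, WEAK_HEADERS),
        ("hardened", HARDENED_URL, HARDENED_HEADERS),
    ):
        print(label, audit_login_page(url, LOGIN_HTML, headers) or ["ok"])
```

The form check is the one people forget: a page can load over HTTPS and still post the password to an http:// action, which exposes the credential just as fully as serving the whole page in the clear. Running this against a saved copy of your own login page and its response headers is a reasonable first pass; it does not replace a full TLS configuration review.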
Stimson couldn’t provide a specific timeline for the security enhancements, though she said the company was making improvements “as quickly as possible.” She said that Dominion’s chief security officer, Matt Horace, was running “both physical and cybersecurity functions for the company.” As of this publication, Dominion’s client web portal page that was flagged as being vulnerable appeared to be out of service.
While a voting company’s poor website security doesn’t mean its products are faulty, it also doesn’t instill a great deal of confidence in its cyberattack preparedness. “Parts of the election business are still behind in implementing current best practices for cybersecurity,” election security expert J. Alex Halderman wrote in an email.
But Halderman also pointed out that private election companies are simply responding to the relatively unregulated marketplace in which they operate. “Somebody needs to produce and service election equipment, and the companies in this space simply respond to market and regulatory incentives. … The main problem is that our elections are largely administered by local governments, which have little to no cybersecurity expertise but are suddenly on the front lines of international conflict.”
States and local municipalities get to determine what voting machines, electronic poll books and other election software they will use. When it comes to voting machines, most states require them to live up to the standards set out by the federal Election Assistance Commission. But there are no EAC standards for poll books or for the electronic security of companies’ web presences. (According to the National Council of State Legislatures, 33 states use electronic poll books, but only eight states require state officials to certify the poll books themselves.)
In October 2017, Sen. Ron Wyden sent inquiries to the heads of the major manufacturers of voting machines, asking about their cybersecurity practices. Wyden’s inquiries included questions about whether the companies employ chief security officers and if they had processes in place to receive unsolicited reports about vulnerabilities in their products. (The Department of Homeland Security told FiveThirtyEight that it was providing ongoing cyber hygiene scans to five private voting companies, though it declined to name which ones.) The companies’ responses to Wyden’s letter reflected the ad hoc state of the industry: At least one has no security officer, while the others said that their security was spread across staff positions. Then again, they don’t have to do otherwise.
Other nuggets contained within the letters added to the impression that voting companies’ cyber practices are still evolving and are far below the standards of other industries. While having processes in place to receive unsolicited reports of system vulnerabilities is standard practice in most tech companies and could resolve bugs in a timely manner, Dominion Voting said that individuals who reported vulnerabilities in its systems would be “subject to criminal prosecution.” Separately, Motherboard recently reported that ES&S admitted in response to a follow-up letter from Wyden that the company had previously installed remote-access software in voting machines, a security risk. The company had previously denied that it had done so to the author of the Motherboard story.
“Election machine manufacturers have resisted meaningful oversight from both states and Congress about their security practices, and have actively deceived the press about the use of remote monitoring software on election equipment in the past,” Wyden said in a statement to FiveThirtyEight.
This lack of accountability is a fundamental problem among the manufacturers of voting systems — even the U.S. Senate can’t hold them to task. The power to impose stricter regulations on the cybersecurity practices of these companies lies with the states. Wyden warned that Russian President Vladimir Putin would order more sophisticated attacks in upcoming elections and that it was dangerous that we rely on state governments for election security. “America doesn’t allow individual states to fight wars with foreign governments, and it’s ridiculous to make states responsible for safeguarding our elections against foreign hacking,” he said.
Neil Jenkins, chief analytic officer at the Cyber Threat Alliance, said that the best approach for improving industry standards would be for states to require voting systems to have stricter certification and that their contracts with private voting vendors include “appropriate security considerations for every piece of voting infrastructure,” not just machines or ballot counters.
During a political moment when the world lives with eyes glued to the White House, the central symbol of federal power, it can be easy to overlook the influence that rests with individual states. As foreign attackers realize the potential to erode democracy by sowing seeds of doubt in our elections, state officials find themselves on the front lines of sophisticated attacks. While they have been taken to task for their insufficient preparedness, the greatest power to change the status quo lies with them. Foreign interference in American elections could remain a fiasco or become their motivating jolt into action.