Nearly two-thirds (64 percent) of registered voters believe the 2016 presidential campaign will be compromised by a cyber breach in some way, according to a poll conducted by data security firm PKWARE and Wakefield Research. Their concerns are not unwarranted; at a time when breaches and data theft make headlines on a regular basis, much of the voting process remains unprotected. “There is a lot of vulnerability in paperless voting systems, whether they are direct reporting electronic machines, or email return ballots,” said Pamela Smith, president of Verified Voting, a nonprofit organization that advocates for accuracy, transparency and verifiability of elections. Most polling places use paper ballots that are tabulated by a scanner. Even if the scanner goes haywire, there is a paper record of voters’ intent and officials can take a manual count. In fully paperless systems, no such backup exists. “In a situation like that, there’s no way to demonstrate that the software is working properly. If something seems amiss or there is an unexpected outcome, you really wouldn’t have a way to go back and correct it because you don’t have an independent record of voter intent,” Smith said. Electronic systems, then, offer a prime target for hackers looking to influence elections.
A few years ago, Smith said, Washington D.C. ran a pilot program of an online voting system that would enable overseas military personnel and other expats to cast their ballots remotely. It opened up a test version of the system to the public, inviting hackers to try and breach the system. “Within 36 hours, some white hat hackers from the University of Michigan were able to fully breach the server. They could change votes; they had access to the PIN numbers assigned to the intended users. Nobody even knew they were in there,” Smith said. “And while they were in there, they noticed the server was being pinged by IP addresses from places as far away as Iran and China, so they set up a firewall while they were at it.”
After the hackers confirmed the ease with which they were able to hack and manipulate the system, D.C. bagged the program. Most jurisdictions, though, don’t run such tests. Standard polling place equipment undergoes federal testing and certification before jurisdictions can buy them, but online and email systems do not have to meet any federal or state standards.
Often, the counties and townships managing the voting process in their areas do not have the resources to test or fully protect their systems. “If organizations the size of Google and Sony can get hacked, how can small townships without even an IT staff prevent a breach?” Smith said.
Full Article: Risk & Insurance.