Election-day activities center on polling places and their voting machines, and this is where the public interest in vote security is most acute. Each state is in charge of acquiring and managing voting machines, and many states have different types of machines within their borders. The wide variety of voting machines used across the United States, rather than deterring hackers, actually helps empower them if they want to change the outcome of people’s votes, say many cybersecurity experts.
Many voting machines are so old that modern security has not yet caught up to them. The differences among voting machines also mean that no single tactic could be employed to cause them to give misleading vote totals. Any coordinated effort to use the machines to affect voting outcomes would have to be tailored to each type of machine and would require an extensive network of operatives to be effective on a large scale.
Some electronic voting machines still in use in the United States date back to the last millennium, according to a report by the Brennan Center for Justice, a liberal nonpartisan policy and law institute connected with New York University School of Law. The oldest machines have all the security of an ATM—which is to say, very little. Newer machines still are vulnerable because they provide access points for cybermarauders to inject malware that could change votes outright.
Direct-reporting voting machines that offer no paper backup are the most vulnerable, states Chuck Brooks, vice president of government relations and marketing for Sutherland Government Solutions. Also, the diversity of electronic voting machines precludes any easy security fix. Few have had software updates, he says.
Touchscreen machines without paper ballot backup can be reprogrammed without any means of auditing the results. In some elections, touchscreens have malfunctioned by displaying incorrect entries to voters just prior to the individual authorization point, Brooks reports. These voters fortunately were able to alert officials at the moment of change, but the vulnerability of unauditable touchscreen machines was demonstrated before their eyes.
Maj. Gen. Jennifer L. Napper, USA (Ret.), group vice president, defense and intelligence, Unisys Federal Systems and former director of plans and policy for the U.S. Cyber Command, says, “You have everything you can imagine out there in generations of machines.” That in itself is a form of defense, she offers. Even though older voting machines are considered more vulnerable because their security is less sophisticated, one asset they possess is that they never were designed to be connected to the Internet. That cyber threat never will manifest itself to them. And implementing a large-scale onslaught on the voting machine system would take substantial resources of money and power, Napper declares.
Newer voting machines have much better security than their predecessors, says Ron Bandes, network security analyst in the CERT division of the Software Engineering Institute of Carnegie Mellon University. He also is president of VoteAllegheny, a nonpartisan election integrity organization. But even if older ones are not connected to the Internet, they may sit around a polling place for days before an election, which increases their vulnerability to an insider threat. A person with access to the machine could replace its chips or hook up a USB device if the machine is USB-capable.
Full Article: Elections at Risk in Cyberspace, Part II: Variety is the Spice of Hacking for Voting Machines | SIGNAL Magazine.