A new report pushes recommendations based on the research done into voting machine hacking at DEFCON 25, including basic cybersecurity guidelines, collaboration with local officials and an offer of free voting machine penetration testing. It took less than an hour for hackers to break into the first voting machine at the DEFCON conference in July. This week, DEFCON organizers released a new report that details the results from the Voting Village and the steps needed to ensure election security in the future. Douglas Lute, former U.S. ambassador to NATO and retired U.S. Army lieutenant general, wrote in the report that “last year’s attack on America’s voting process is as serious a threat to our democracy as any I have ever seen in the last 40+ years – potentially more serious than any physical attack on our Nation. Loss of life and damage to property are tragic, but we are resilient and can recover. Losing confidence in the security of our voting process — the fundamental link between the American people and our government — could be much more damaging,” Lute wrote. “In short, this is a serious national security issue that strikes at the core of our democracy.”
The political instability that has resulted from Russian meddling in the 2016 US presidential elections has put the focus on voting machines as a national security vulnerability, Douglas Lute, a former US permanent representative to NATO, said at the Atlantic Council on October 10. “I don’t think I’ve seen a more severe threat to American national security than the election hacking experience of 2016,” said Lute. There is a “fundamental democratic connection between the individual voter and the democratic outcome” of an election, he said, adding: “If you can undermine that, you don’t need to attack America with planes and ships. You can attack democracy from the inside.” … Lute delivered a keynote address at the Atlantic Council to call for a sense of urgency among policymakers and all stakeholders able to play a role in the solution to insecure voting machines. He also highlighted the findings presented in the DEF CON Report on Cyber Vulnerabilities in US Election Equipment, Databases, and Infrastructure, launched at the Council, which help to shed light on the technological dimensions of this national security threat. Ultimately, as Lute writes in the foreword, “this report makes one key point: our voting systems are not secure.”
When attendees at the July DEFCON conference breached every poll book and voting machine that event organizers had in the Voting Machine Hacking Village, elections officials took notice. A new report from DEFCON, the National Governors Association, the Atlantic Council, the Center for Internet Security and a number of universities and top technology vendors provides a more detailed look at just how vulnerable the entire U.S. election system – equipment, databases and infrastructure — is to hacking and urges policymakers to shore up security gaps. Vulnerabilities start with an insecure supply chain. Many parts used in voting machines are manufactured overseas, and the report authors suggested that bad actors could compromise the equipment “well before that voting machine rolls off the production line.” Voting Village participants found voting machines with universal default passwords and ones that broadcast their own Wi-Fi access point, which would allow hackers to connect. Once hackers gained access, they could escalate their privileges so they could run code, change votes in the database or turn the machine off remotely. Additionally, unprotected, uncovered USB ports provided easy inputs for thumb drives or keyboards.
You don’t even have to know much about voting machines to hack some of the systems that are still in use across the country. A new report published on Tuesday outlines how amateur hackers were able to “effectively breach” voting equipment, in some cases in a matter of minutes or hours, over just four days in July at DEFCON, an annual hacker conference. The report underscores the vulnerability of U.S. election systems. It also highlights the need for states to improve their security protocols after the Department of Homeland Security said Russian hackers attempted to target them during the 2016 election. “The DEFCON Voting Village showed that technical minds with little or no previous knowledge about voting machines, without even being provided proper documentation or tools, can still learn how to hack the machines within tens of minutes or a few hours,” the report says.
If Los Angeles County voters spark a revolution when they cast their ballots for President in 2020, it may not stem from the choices they select but rather the way they did it. The digital age is coming to the ballot box here with a new, publically owned system that the County Clerk plans to begin rolling out next summer. The first major makeover to the region’s voting system since 1968 was a long time coming. “We said ‘why don’t we look at this from a holistic standpoint and from the eyes of a voter?’” County Clerk Dean Logan told the Santa Monica City Council during a presentation of the new system. The County partnered with designers at Palo Alto based IDEO to give southern California elections the Silicon Valley treatment. The design firm was behind the first Apple mouse, the first wearable breast pump (still in beta) and revamped public school cafeterias in San Francisco. The result: new voting booths that integrate smartphones, touchscreens, QR codes and old-fashioned paper. Eight years after the over hall began in 2010, many of the changes to hit L.A. County’s five million voters are procedural, not digital.
When voters in Virginia head to the polls this November, they’ll be casting their ballots the old-fashioned way. The state’s Board of Elections decided earlier this month to de-certify the widely used Direct-Recording Electronic (DRE) voting machines ahead of the gubernatorial election – prompting counties and cities to replace their touchscreen machines with those that produce a paper trail. Virginia is not alone. Several states are now considering a return to old-fashioned paper ballots or a reinforced paper trail so results can be verified, amid concerns over hacking attempts in last year’s presidential race as well as longstanding cybersecurity worries about touchscreen machines. “Our No. 1 priority is to make sure that Virginia elections are carried out in a secure and fair manner,” James Alcorn, chairman of the State Board of Elections, said in a statement, calling the move “necessary to ensure the integrity of Virginia’s elections.”
Missouri: Boone County’s aging election equipment comes with estimated $1 million replacement price tag | Columbia Daily Tribune
Boone County’s aging voting equipment will need to be replaced in the next couple of years, and the estimated $1 million expense — once covered in the past by the federal government — solely will be the county’s responsibility. The Help America Vote Act of 2002, which reformed the U.S. voting process, awarded Boone County $888,700 more than a decade ago to purchase new equipment, including software, ballot counting equipment known as M100 machines and iVote machines, or the touchscreen ballots accessible through the American Disabilities Act.
The county’s voting equipment, which has a 10-year lifespan, has experienced an increasing number of errors in recent years and needs to be replaced, said Boone County Clerk Taylor Burks. Burks, appointed to the position in late July by Gov. Eric Greitens, said his office did not have enough time to meet the 2018 budget request deadline on Sept. 30 to find funding for replacement equipment next year. But he expects to have a plan for 2019.
Kansas: Appeals court to grapple with Beth Clarkson voting-machine case in Wichita | The Wichita Eagle
Is voting rigged in Sedgwick County? Is there any way to prove it is or isn’t? Those are the fundamental questions underlying a Kansas Court of Appeals case to be argued Tuesday morning in a special court session at Friends University in Wichita. The appeals court is being asked to allow a recount of votes on audit tapes from voting machines to test the accuracy of the tallies reported by Sedgwick County Election Commissioner Tabitha Lehman. Wichita State University statistician Beth Clarkson has tried for seven years to gain access to the tapes. Her request was denied by Lehman and the denial was upheld in district court. Lehman and Sedgwick County say that there is no problem with the votes and releasing the tapes would risk compromising the secrecy of people’s ballots. Tuesday’s appeal arguments will feature two prominent Wichita attorneys.
One of the reasons why computer security is so hard is because you have to get absolutely everything right in order to have a secure system. And there’s lots of different kinds of things you can get wrong. Everything from your software was buggy, your passwords were too weak, you published your passwords accidentally, your hardware was insecure, the user made a mistake and fell victim to a phishing attack and gave their credentials to a foreign agent or a bad guy. All of those things have to be done correctly in order to have a secure system. It might seem tempting to think, you know, everybody has a cell phone so you could just use your cell phone to do voting like we do for American Idol or similar TV shows. It works for American Idol because nobody cares all that much who wins or doesn’t win.
Editorials: Decertifying Virginia’s vulnerable voting machines is just the first step | Fredericksburg Free Lance Star
The Virginia State Board of Elections has belatedly decided that all electronic touchscreen voting machines still in use throughout the commonwealth cannot be used for the Nov. 7 general election because they are vulnerable to hacking, even though they are not connected to the internet. This revelation is not new. For more than a decade, computer scientists at Princeton, Johns Hopkins, and other top universities have demonstrated that hackers can surreptitiously change votes on these machines without leaving a trace. In 2005, Finnish computer programmer Harri Hursti successfully hacked into Diebold voting machines that were in a locked warehouse in Leon County, Fla., under the watchful eyes of elections officials, a feat still referred to today as the Hursti Hack. But it took another demonstration of successful hacking at the DEFcon cybersecurity conference in Las Vegas this summer to finally convince board members that they needed to immediately decertify all touchscreen voting machines still in use in Virginia. Better late than never, as the old saying goes, but that left 22 cities and counties that still use them to tabulate election results in the lurch. Decertification should have happened years ago.