The first step to correcting the plague of cyber-kinetic vulnerabilities riddling our election system is to admit these problems exist, then bring in qualified personnel to expeditiously patch vulnerabilities, upgrade technologies and erect cyber defenses around the perimeters of targeted technologies such as manufacturer updates, voting machines and scanners, state websites, state servers and local and state tabulators. This quick blog post is a last attempt by cybersecurity experts to influence local and state election officials to patch the listed vulnerabilities existing within their space that could hinder the natural outcome of the election process. Figure 3 in this post is a checklist for state officials to use when analyzing their networks for vulnerabilities pre-election.
The results of the 2016 elections will decide the next President of the United States, the majority control of the Senate, the potential to appoint up to four Supreme Court justices, and numerous state and local level positions. While political tensions and opinionated discourse run rampant in the days before the election, it is paramount to the continued solidarity of the United States of America that the integrity of the election process remains demonstrably uncompromised.
Election systems are vulnerable at the local, state, and manufacturer level. The decentralization of the U.S. election system offers no benefit to security. The fallacy of the decentralization argument is the conclusion that because systems are not networked at the state level, the result of the national election cannot be affected. This simply is not the case. All decentralization means is that while some states secure election systems to various degrees according to the modern threat landscape, other states barely secure systems at all. Security through obscurity is not a defense. As discussed in the Hacking Elections is Easy! report series, an adversary who targets local machines in a pivotal county of a swing state, or who targets a state tabulation system directly, can significantly impact the results of a national election through the results of the target state. Local and state level election systems are vulnerable to exploit due to black-box proprietary code, exploitable features and insecure design, vulnerable removable media, interconnectivity, and antiquated cybersecurity strategies. With mere days before Election Day, state and local election officials have limited options available to mitigate a tide of partisan backlash and allegations of fraudulent results.
State and local election officials have limited resources, a limited number of personnel trained in cybersecurity and cyber-hygiene, and a limited number of options to increase the security, transparency, resiliency, and integrity of the election system before Election Day.
At the local level, the direct recording electronic (DRE) and optical scanning (OpScan) voting systems are nothing more than rushed-to-market vendor applications built without security-by-design principles, operating on stripped-down personal computers that lack any form of native security or layered defense, and that are roughly a decade outdated. Every one of these systems exhibits major security flaws ranging from exploitable open ports to insecure remote connections to vulnerable removable media, as shown in Figure 1. Script kiddies, self-radicalized lone wolf threat actors, or nation state APTs can infect local level systems with malware through their exploitable ports and connections, through undisclosed flaws in their black-box proprietary code, by infecting vulnerable removable media, or by poisoning vendor updates with malware. The most efficient and most probable attack vectors on local level machines are to compromise removable media or to poison a vendor update. Removable media, which includes memory cards, USB drives, and other forms of memory, can be infected with malware by an insider threat or by physically tampering with the device on Election Day.
In the short term, local level officials can protect machines from compromise via infected removable media by training their volunteers and personnel in cyber-hygiene, by closely monitoring all personnel, by securing removable media with tamper-evident seals in conjunction with requiring personnel to interact with machines and removable media in pairs, by securing machines at their storage sites, and by hiring an objective testing authority to conduct penetration testing on a random sample of machines to test for indicators of compromise, suspicious behavior, or the fractionalization of votes.
An adversary would poison a vendor update by compromising the vendor systems or update server, or by posing as an insider threat within the organization. To mitigate this attack vector, local officials should not allow any updates to be installed on the system until after Election Day.