Elections belong to the public. Just as we have the right to understand our overall election process, we have a right to understand the underlying hardware and software involved in electronic voting. We have a right to understand where our votes and voter registrations go, who checks them, and which institutions have access to that information. The NSA document allegedly leaked by Reality Leigh Winner and recently published by The Intercept suggests that the government is no longer confident about that critical information. The report details a Russian spear-phishing campaign that introduced malware into election contractors’ and officials’ machines, causing them to run “an unknown payload from malicious infrastructure.” According to the report, “It is unknown…what potential data could have been accessed” by Russian hackers. The malicious code was implanted into instructions for EViD, a piece of software that allows poll workers to verify voters’ sensitive personal information, including name, address, registration status, and voting history. The verification is done entirely over the Internet, and all data is communicated to and from EViD’s “secure website.”
After reading the report, I wanted to see for myself how EViD’s creators address information security. Enter the only EViD documentation I could find: an FAQ from EViD’s parent company, VR Systems. Here is VR Systems’ explanation: “Is the EViD system secure? During design and development of the EViD system, VR Systems implemented extensive security measures to protect the EViD system from electronic attack.”
If you’re wondering where the rest is, you’re not alone. Those are the only mentions of security. What are “extensive security measures”? Your guess is as good as mine. Great for their secure design and development, but what about maintenance? Ongoing updates and patches are just as important as the initial product. What kinds of attacks did they account for, specifically? “Electronic attack” is about as meaningless as “physical attack.” OK, maybe you have a bullet-proof vest, but what if somebody drops a piano on your head? In the same way it’s possible to prevent a malicious piece of code from being written into the system, but that doesn’t mean they’ve accounted for vulnerabilities that would allow an attacker to read data, for example. And physical attacks apply here, too—after all, the software is being run on a machine made of wires, boards, and sensors.