PBS Newshour reporting on election cyber risks offers a good roundup of a handful of notable cyber-risks, but also contains some basic misunderstandings of how election operations actually work. I appreciate the reporting as a whole, but here is my list of some of its mistakes.
- Tied for first in misleading points is the claim that “Some experts believe this tactic may have been partially responsible for the voting irregularities witnessed in Florida during the 2000 election.” The tactic in question is actually a demonstration hack developed by Harri Hursti. Lots of people have lots of theories about Florida 2000, but I don’t know any election tech expert who believes that there is any evidence of this hack having actually been used to affect Florida’s deciding Bush/Gore vote.
- No, the FBI did not issue “an alert stating foreign hackers had infiltrated state election systems” but there was an FBI advisory on attacks on state-operated voter registration systems. The “Targeting Activity Against State Board of Election Systems” was about data exfiltration, not takeover of the systems themselves. Attack yes, infiltration no; registration systems, yes, “state election systems,” no.
- Yes, the DDoS attack on Dyn has raised awareness of how vulnerable so many systems are to these types of temporary takedowns. But “flooding multiple polling stations” isn’t relevant because most polling places are not connected to the Internet, and a network outage wouldn’t affect voting operations.
- The same is true of “computer where regional votes are tabulated could delay election reporting” because these computers – “election management systems” or “tabulation managers,” to use two common terms for them – are not connected to the Internet. In fact, in many states that would be illegal.
- The part about the Dark Web being used to sell pilfered voter records sounds scary, but the reality is more mundane. Every state has methods for public access to an extract of the voter database; these are essential tools for parties and campaigns, and there is an active niche market for information services on top of this base data. If some enterprising Dark Web denizen can sell $300 copies of public data sets that cost $100 or less to obtain, that only tells us that gullible buyers exist on the Dark Web, too.
- But it is true that voter records can be abused to impede voters. However, calling “voters to change the location of their polling stations” is the least efficient way to abuse this information. Political operations have been doing “caging” attacks for years, for example, and online automation of these attacks is a real concern.
- Max Kilger is right about “You have to look at attacks at the intermediate stages,” but not so much “where there are computers tabulating results from around a state or a county.” It’s purely a county or other local level responsibility to aggregate vote tallies from early voting, polling places, and centrally counted ballots. This is supposed to be entirely offline, so attacks need to be physical. Sure, states do collect up results data from counties, and certify election results, but the source data lives in the localities. I’d like to think we’d notice if a state’s vote totals for some reason did not equal the sum of the numbers published by each locality.
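The reconciliation described in that last point, as an added example that is not part of the original post: it sums the totals each locality publishes and compares them, candidate by candidate, against the state's certified totals. All figures below are constructed sample data, not results from any real election.

```python
from collections import defaultdict

# Constructed sample: per-locality published totals for one contest,
# keyed by (locality, candidate). Not real election data.
LOCALITY_TOTALS = {
    ("County A", "Candidate X"): 12_345,
    ("County A", "Candidate Y"): 11_210,
    ("County B", "Candidate X"): 4_021,
    ("County B", "Candidate Y"): 5_877,
    ("County C", "Candidate X"): 9_900,
    ("County C", "Candidate Y"): 8_450,
}

# Constructed sample: the state's certified statewide totals for the same contest.
# Candidate Y has been given 100 extra votes so the mismatch report has something to show.
STATE_TOTALS = {"Candidate X": 26_266, "Candidate Y": 25_637}


def sum_localities(locality_totals):
    """Aggregate locality-published counts into per-candidate statewide sums."""
    sums = defaultdict(int)
    for (_locality, candidate), votes in locality_totals.items():
        sums[candidate] += votes
    return dict(sums)


def reconcile(locality_totals, state_totals):
    """Compare the sum of locality results with the certified state totals.

    Returns a list of (candidate, locality_sum, state_total, difference) tuples,
    one per candidate whose numbers disagree or who is missing from one side
    (missing values are reported as None). An empty list means everything matches.
    """
    sums = sum_localities(locality_totals)
    discrepancies = []
    for candidate in sorted(set(sums) | set(state_totals)):
        local = sums.get(candidate)
        state = state_totals.get(candidate)
        if local is None or state is None or local != state:
            diff = None if local is None or state is None else state - local
            discrepancies.append((candidate, local, state, diff))
    return discrepancies


if __name__ == "__main__":
    for d in reconcile(LOCALITY_TOTALS, STATE_TOTALS):
        print("MISMATCH:", d)
```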
- Not related to elections were a couple of misleading comments about critical infrastructure. Yes, the energeticBear/dragonfly attack successfully targeted energy and power distribution operators’ corporate systems. But “infiltrated power grid” – no. Takeover of the actual grid’s industrial control systems (ICS) is now considered a cyber act of war. Hasn’t happened.
- Lastly, and also tied for first, is a very unlikely speculation of a dragonfly-like attack on voting machine vendors. Yes, any vendor’s corporate operations can be infiltrated with the intent to tamper with the vendor’s products in the pre-manufacturing stage. Voting system vendors are not immune to those attacks, but the products in use today are. They were manufactured a decade or more ago, when many of the attackers were probably in middle school. And the ability to set a logic bomb triggered only in a specific election years afterward is certainly a capability that today’s nation state cyber-operations have – but 10 years ago, I have to doubt it.
So, that’s 9 points that I take exception to, but let me close by acknowledging that overall, the PBS report covered a lot of ground for a wide range of threats.
— John Sebes, CTO