There is no evidence, despite partisan claims to the contrary, that mail-in ballots are rife with voting fraud but there are parts of the election system that security researchers say are at far greater risk for malicious activity.
National elections like the one in November, when Americans will decide whether Donald Trump or Joe Biden will lead the country for the next four years, are really thousands of smaller elections administered by state and county governments. And each of those governments has its own procedures for ensuring ballot and information security, and for purchasing, maintaining and testing the equipment that it uses to conduct its election.
For instance, even though more than 30 states allow overseas voters to cast their ballots by email, fax or through other electronic means, there are no standards for even basic security measures like encryption.
Encryption? We dont do that, Cochise County, Ariz., Recorder David Stevens told Arizona Mirror about the ballots his office accepts by email. We probably should.
The Cochise County Recorders Office accepts only federal ballots not those with state or local contests via email, Stevens said, and only in specific circumstances, such as voters who are in the military and stationed overseas.
Most overseas and military voters use a secure online portal provided by the Secretary of State, though some counties told the Mirror that they still accept ballots via fax or email.
Lax or nonexistent security on those systems, as well as the physical machines used to cast or count ballots, open the door to election hacking.
Hackers and security researchers at the annual DEFCON conference have in recent years made a point of looking at how secure or insecure the nations voting infrastructure is, known as the DEFCON Voting Village.
This year, instead of the hands-on hacking of election machines that have grabbed headlines in years past, the Voting Village focused on in-depth discussions about the integrity and security of our election infrastructure. Among the topics of discussion were the vulnerabilities to election systems presented by fax machines, email voting and more.
Hack the vote
Earlier this month, a Russian newspaper reported that the personal information of 7.5 million Michiganders was posted on a Russian hacker site. It appeared to show the their voter identification number and polling places. The paper claimed the site had been hacked in an attempt to solicit money from the U.S. government.
But Michigans Department of Statedenied that this was a data breach of any sort, as the information being posted is already publicly available.
Public voter information in Michigan and elsewhere is accessible to anyone through a FOIA [Freedom of Information Act] request. Our system has not been hacked, secretary of State spokesperson Jake Rollow told Michigan Advance in an email.
That focus on infosec was a big part of DEFCON talk this year by Forrest Senti, director of government and business affairs for the National Cybersecurity Center, and Caleb Gardner, a fellow with Secure the Vote.
The talk focused on how certain fax machines that are used to accept ballots can present a vulnerability to election offices, with election officials frequently unaware of the security issues stemming from a fax number that is often posted online.
Without proper security, all a hacker would need is the phone number to take over an election officials fax machine, allowing them to search other computers that are on the same network or install a malicious program to steal documents.
Even if you dont get any ballots through a fax machine, it still represents a vulnerability, Senti said to the Mirror.
Thirty-one states and the District of Columbia allow voters to return ballots by email and fax, according to the National Conference of State Legislatures. In Maryland, when voters receive an emailed ballot and return it by email, it is printed out by elections officials and counted by hand.
In the 2016 election, 455 ballots were cast by overseas voters in Cochise County, according to data by the United States Election Assistance Commission. That includes votes cast via the countys un-encrypted email system, faxed or through an online portal run by the Arizona Secretary of States Office.
In 2018, some 29,000 ballots were cast across the country by voters overseas using some form of online portal, email or fax, according to the data.
While Senti and others say this number is not statistically significant, the shortcomings pose an outsized risk.
The greater fear is that the ballots themselves could be compromised.
In the DEFCON Voting Villages 2019 report, hackers and researchers found that voting machines had a number of vulnerabilities. Some had security features turned off when they were shipped, some had voter data easily accessible, some had no passwords set and one even had an unencrypted hard drive.
Several states across the country use those machines.
The ES&S Automark is used in many states to help voters with disabilities mark their ballots. The machines have been in use for years, and the Voting Village found some concerning vulnerabilities.
Immediate root access to the device was available simply by hitting the Windows key on the keyboard, the report states. A user who gains root access on the device can see and potentially change any files or other systems.
The ES&S Automark obtained by the Voting Village was using software from 2007 and appeared to have last been used in a 2018 special election. The PIN code to replace the firmware on the entire device was listed as 1111.
But there are no national guidelines for how election officials conduct these sorts of audits or tests on electronic voting devices; instead, it is up to each jurisdiction to develop its own methods of checking the devices.
For example, in Colorado, election officials roll a series of 10-sided die on a webcast in order to generate a random number that determines which machine-tallied election results will be checked for discrepancies.
These jurisdictions have a lot of autonomy in what they do, Mattie Gullixson, program manager for Secure the Vote, said.
Information warfare
Some of the jurisdictions may also not have the manpower needed to institute the changes required to ensure safe election procedures.
Its estimated that a nationwide vote by mail effort could cost up to $1.4 billion, compared to $272 million for in-person voting. Localities could get monies from the Help America Vote Act or the CARES Act to offset costs associated with voting this election cycle, but election hacking and its interplay with COVID-19 will present an acute financial impact, according to Gullixson and Senti.
And hacking isnt limited to computer systems: Disinformation from foreign actors is commonly referred to as social hacking for its manipulation of social behavior.
How do you (fight) against messages that say, because of COVID, this voting center has been shut down? Gullixson said. Those levels of mis- or disinformation could be one of the stronger negative drivers in people voting this year.
Gullilxsons background is in election administration and shortly after the 2016 election, she said that mis- or disinformation led many voters to call the elections office confused, asking questions that were fueled by disinformation circulating on social media.
The FBI and the Cybersecurity and Infrastructure Security Agency has already issued an alert urging Americans to be on the lookout for new websites or changes to existing websites made by foreign or malicious actors with the intention of spreading such misinformation.
Information warfare has been around as long as warfare has been around, Gullixson said.
In fact, in 1985, the Russians started a disinformation campaign dubbed Operation INFEKTION that aimed to make the world believe the United States had created AIDS, a conspiracy theory that is still active today.
So far in 2020, Russian, Chinese and Iranian hackers have been caught by Microsoft in attempts to target both the campaigns of Trump and Biden.
China has also been caught by Facebook using fake accounts to speak on election matters. And just this month, Facebook and Twitter removed dozens of Russian accounts aimed at dissuading left-leaning voters from voting for Biden.
So how does one combat this type of warfare?
It starts with voters.
There are growing efforts to try to tackle that but it starts with the voter realizing they could be manipulated in that way, Gullixson said.
The FBI has shared similar advice, saying that voters should make sure to get their election information from their state and county officials instead of Facebook pages, as they could very well be hacked or fake pages.
Despite what may seem like a lot of doom and gloom, Gullixson and her colleagues are hopeful that the attention these issues have been getting will help shape policy around voting for the next 15 years for the better.
We just have to make sure we can get through it unscathed, she said.
Jerod-MacDonald-Evoy is a reporter at the Arizona Mirror. Michigan Advance reporter Laina G. Stebbins, Maine Beacon reporter Evan Popp and Colorado Newsline reporter Chase Woodruff contributed to this report.
See the rest here:
Parts of the Election System Are Ripe for Hacking: 'Encryption? We Don't Do That' - Josh Kurtz
- WhatsApp overhauling status tab with encrypted Snapchat Stories-like feature - 9 to 5 Mac [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- GOP demands inquiry into EPA use of encrypted messaging apps - CNET [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- Encryption Apps Help White House Staffers Leakand Maybe Break the Law - WIRED [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- World Wide Web Creator Calls for Internet Decentralization & Encryption - The Data Center Journal [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- What It Means to Have an 'Adult' Conversation on Encryption - Pacific Standard [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- Confide in me! Encryption app leaks sensitive info from Washington DC - SC Magazine UK [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- Gmail v7.2 Prepares to Add Support for S/MIME Enhanced Encryption - XDA Developers (blog) [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Top 6 Data Encryption Solutions - The Merkle [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Your Guide to the Encryption Debate - Consumer Reports - ConsumerReports.org [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Google helps put aging SHA-1 encryption out to pasture - Engadget [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Decipher your Encryption Challenges - Infosecurity Magazine [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- How the Politics of Encryption Affects Government Adoption - Freedom to Tinker [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- How Encryption Makes Your Sensitive Cloud-Based Data an Asset, Not a Liability - Security Intelligence (blog) [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- Set up VMware VM Encryption for hypervisor-level security - TechTarget [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- How The Media Are Using Encryption Tools To Collect Anonymous Tips - NPR [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- Encryption patent that roiled Newegg is dead on appeal | Ars Technica - Ars Technica [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- Research proposes 'full-journey' email encryption - The Stack [Last Updated On: March 1st, 2017] [Originally Added On: March 1st, 2017]
- Database-as-a-service platform introduces encryption-at-rest - BetaNews [Last Updated On: March 1st, 2017] [Originally Added On: March 1st, 2017]
- Encrypted Messaging Service 'Signal' Adds Video Call Option - Top Tech News [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- Germany, France lobby hard for terror-busting encryption backdoors ... - The Register [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- How to Send Encrypted Nudes, a Guide for the Discerning Lover - Inverse [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- Ironclad Encryption Corporation Announces New Ticker Symbol OTCQB: IRNC - Yahoo Finance [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- The Best Email Encryption Software of 2017 | Top Ten Reviews [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- No, you shouldn't delete Signal or other encrypted apps - TechCrunch [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Best encryption software: Top 5 - Computer Business Review [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Encryption Backdoors, Vault 7, and the Jurassic Park Rule of Internet Security - Just Security [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- That Encrypted Chat App the White House Liked? Full of Holes - WIRED [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- What the CIA WikiLeaks Dump Tells Us: Encryption Works - New York Times [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Snake-Oil Alert Encryption Does Not Prevent Mass-Snooping - Center for Research on Globalization [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Customer Letter - Apple [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Don't Let WikiLeaks Scare You Off of Signal and Other Encrypted Chat Apps - WIRED [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- BT to offer customers encryption service for data - Capacity Media (registration) [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- Encryption - technet.microsoft.com [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- Use FileVault to encrypt the startup disk on ... - Apple Support [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- Viber launches secret chats to go beyond encryption - SlashGear [Last Updated On: March 13th, 2017] [Originally Added On: March 13th, 2017]
- Zix wins 5-vendor email encryption shootout - Network World [Last Updated On: March 13th, 2017] [Originally Added On: March 13th, 2017]
- A lesson from the CIA WikiLeaks dump: Encryption works - The Seattle Times [Last Updated On: March 13th, 2017] [Originally Added On: March 13th, 2017]
- What the CIA WikiLeaks Dump Tells Us: Encryption Works - NewsFactor Network [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Panicked Secret Service Says It Lost Encrypted Laptop But It's Fine, Everything's Fine - Gizmodo [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Google Cloud adds new customer-supplied encryption key partners ... - ZDNet [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Preseeding Full Disk Encryption - Linux Journal [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Bypassing encryption: 'Lawful hacking' is the next frontier of law enforcement technology - Boston Business Journal [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- SecurityBrief NZ - Gemalto introduces on-prem encryption key solution for 'highly regulated' organisations - SecurityBrief NZ [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- 'Always Be Concerned': US Court Slaps Down Fifth Amendment Defense of Encryption - Sputnik International [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- Quantum Key System Uses Unbreakable Light-Based Encryption to Secure Data - Photonics.com [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- Wikileaks Only Told You Half The Story -- Why Encryption Matters More Than Ever - Forbes [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- EPA Sued For Withholding Info On Encrypted Text Messages | The ... - Daily Caller [Last Updated On: March 22nd, 2017] [Originally Added On: March 22nd, 2017]
- Opinion Data encryption efforts ramp up in face of growing security threats - Information Management [Last Updated On: March 22nd, 2017] [Originally Added On: March 22nd, 2017]
- Bypassing encryption: Lawful hacking is the next frontier of law enforcement technology - Salon [Last Updated On: March 22nd, 2017] [Originally Added On: March 22nd, 2017]
- NeuVector Announces Container Visualization, Encryption, and Security Solution for NGINX Plus - DABCC.com [Last Updated On: March 23rd, 2017] [Originally Added On: March 23rd, 2017]
- Is encryption one of the required HIPAA implementation specifications? - TechTarget [Last Updated On: March 23rd, 2017] [Originally Added On: March 23rd, 2017]
- Paper Spells Out Tech, Legal Options for Encryption Workarounds - Threatpost [Last Updated On: March 23rd, 2017] [Originally Added On: March 23rd, 2017]
- Encryption debate needs to be nuanced, says FBI's Comey - TechTarget [Last Updated On: March 25th, 2017] [Originally Added On: March 25th, 2017]
- Comey Renews Debate Over Encryption - 550 KTSA [Last Updated On: March 25th, 2017] [Originally Added On: March 25th, 2017]
- UK minister says encryption on messaging services is unacceptable - Reuters [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- The why and how of encrypting files on your Android smartphone - Phoenix Sun [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- UK targets WhatsApp encryption after London attack - Yahoo News [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- Critical flaw alert! Stop using JSON encryption | InfoWorld - InfoWorld [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- SecureMyEmail is email encryption for everyone - TechRepublic - TechRepublic [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- Apple iOS 10.3 will introduce encryption which makes it MORE difficult for cops and spooks to crack into ISIS nuts ... - The Sun [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- How to Analyze An Encryption Access Proposal - Freedom to Tinker [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Questions for the FBI on Encryption Mandates - Freedom to Tinker [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Justice Department anti-terror chief keeps pressing on encryption - Politico (blog) [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- UK government can force encryption removal, but fears losing, experts say - The Guardian [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Encryption FAQs [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Why isn't US military email protected by standard encryption tech? - Naked Security [Last Updated On: April 9th, 2017] [Originally Added On: April 9th, 2017]
- How have ARM TrustZone flaws affected Android encryption? - TechTarget [Last Updated On: April 9th, 2017] [Originally Added On: April 9th, 2017]
- Keeping the enterprise secure in the age of mass encryption - Information Age [Last Updated On: April 9th, 2017] [Originally Added On: April 9th, 2017]
- Lack of encryption led to Dallas siren hack - WFAA [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Internet Society tells G20 nations: The web must be fully encrypted - The Register [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Make Encryption Ubiquitous, Says Internet Society - Infosecurity ... - Infosecurity Magazine [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Can we encrypt the web while giving governments a backdoor to snoop? - SC Magazine UK [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Why we need to encrypt everything - InfoWorld [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Hacked Dallas sirens get extra encryption to fend off future attacks - Computerworld [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- SHA-1 Encryption Has Been Broken: Now What? - Forbes [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Hewlett Packard Enterprise touts encryption tool for federal clients - The Hill [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Encryption on the Rise in Age of Cloud - Infosecurity Magazine - Infosecurity Magazine [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Lawmaker Pushes Bill That Requires Encryption by Pennsylvania State Employees - Government Technology [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Disk encryption - Wikipedia [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- The apps to use if you want to keep your messages private - Recode [Last Updated On: April 15th, 2017] [Originally Added On: April 15th, 2017]