Article in the Atlantic summarizes some of the bad news from the last couple of weeks: There’s No Way to Know How Compromised U.S. Elections Are <read>
While the NSA concluded the attack was carried out by the most sophisticated of hackers—the Russian military—their entry methods were relatively vanilla. They gained access to the credentials and documents of a voting system vendor via a spear-phishing attack, and then used those credentials and documents to launch a second spear-phishing attack on local elections officials, which if successful could have compromised election officials’ systems and whatever voter data they possessed.
While the NSA concluded the attack was carried out by the most sophisticated of hackers—the Russian military—their entry methods were relatively vanilla. They gained access to the credentials and documents of a voting system vendor via a spear-phishing attack, and then used those credentials and documents to launch a second spear-phishing attack on local elections officials, which if successful could have compromised election officials’ systems and whatever voter data they possessed…
The splintered digital infrastructure across and within states; the use of multiple vendors; the overlapping interfaces between municipalities, counties, and states; and the reliance on of volunteers for data entry and verification in both registration and voting mean that there are literally thousands of entry points to compromise elections in each state.
Another case study is the state of Georgia, where organizations have filed lawsuits against the state over the security of its elections in advance of the special election in the 6th Congressional District. A June 14 Politico investigation revealed just how insecure the entire system is, and how much more insecure it was in the past. Last August, cybersecurity researcher Logan Lamb probed the Kennesaw State University’s Center for Election Systems—which programs voting machines for the entire state—and found a structure that basically begged to be hacked.
It had no password protection, and was available on a public site without encryption and lacking even basic security updates. Lamb found millions of registration records, credentials for the central elections server, files for the electronic ballot equipment, and database information for the Global Election Management Systems (GEMS) used by many states for preparing ballots and counting votes. In other words, with rather basic tools that fall well outside the realm of sophisticated “hacking,” as it is known, Lamb would have had a wide-open entry point to disrupting Georgia elections last fall, had he been a malicious actor.
So let us not be complacent. Just because you do not understand something, does not mean that hundreds and thousands of others can’t easily hack it.
