August 20, 2018

When It Takes an 11-Year-Old 10 Minutes to Hack an Election System


Brennan Center, Getty Images


Congress dithers as evidence of the insecurity of the nation’s election infrastructure mounts.


By Ciara Torres-Spelliscy, J.D. / 06.15.2018
Leroy Highbaugh Sr. Research Chair
Associate Professor of Law
Stetson University


Every year 25,000 hackers gather in Las Vegas at a convention known as DEF CON. Although there are no guarantees, the notion is that most of the attendees are “white hat hackers,” specialists who break into protected systems in a benign exercise to improve security. They stand in contrast to “black hat hackers,” who break into systems and do something malicious.

The major story out of last year’s conference was a Voting Village in which hackers were invited to penetrate more than 25 pieces of election equipment, including voting machines and electronic pollbooks. The results were grim. According to a report on the Voting Village, “By the end of the conference, every piece of equipment in the Voting Village was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity, and availability of these systems.”

This year’s conference ended Sunday, and if anything, the news from the Voting Village is even worse. According to CNN.com, “one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations.”

Moreover, part of the windowless conference room in Caesar’s Palace was set aside for children. It took one 11-year-old all of 10 minutes to hack into a website akin to a Secretary of State’s that  would report official election results. The actual vote totals weren’t changed, but the reported results were. If this isn’t a wake-up call, I don’t know what is. As another hacker — who won’t be eligible to vote until 2025 — remarked, “We should have [these systems] way secure because the Russians out there, people.”

To its credit Congress in March made a one-time $380 million appropriation to help states update voting technology. The good news is every state is eligible for the money. States apply to the Election Assistance Commission (EAC) for funds with state money representing 5 percent of the total. The good news is that all 50 states have applied for the federal money, and all but $36 million has been distributed.

The bad news is that the money wasn’t targeted to those states that need it most — those with jurisdictions that use purely electronic voting machines that do not print a paper record of a vote. The consequence is that there is no way of checking if the machine is recording votes accurately and no paper trail of votes.

Anyone remember Reality Winner? She’s the National Security Agency contractor who, 18 months before Special Counsel Robert Mueller indicted Russian intelligence officials, leaked classified documents that showed the Russians had attacked a company that sells voter-registration-related software as well as 122 local election officials. Winner, who pleaded guilty, is now serving more than five years in a federal prison for her trouble.

And this election year comes word that Missouri Sen. Claire McCaskill — perhaps the Senate’s most vulnerable Democrat — discovered phishing attacks aimed at her campaign. Florida Sen. Bill Nelson (D), who is locked in a tight a reelection race against Fla. Gov. Rick Scott, told the Tampa Bay Times last Wednesday that the Russians had already penetrated some of his state’s voter registration systems. Nelson, a member of the Armed Services subcommittee on cybersecurity said, “They have already penetrated certain counties in the state, and they now have free rein to move about.” Meanwhile, state officials said they had received “zero information” to support Nelson’s claim.

What is remarkable is that even in the face of overwhelming evidence of the vulnerability of the nation’s election infrastructure, Congress is dead set against doing any more. Less than a week after Mueller’s exquisitely detailed indictment, the House refused to spend more money on election security. In one of the odder comments in a political climate filled with them, House Rules Committee Chairman Pete Session (R-Texas) remarked, “Maybe the Special Counsel will announce something in two weeks: ‘Oh, here’s what the Russian indictments really are.’ If we learn something, authorizing committees will come right back to it and we’ll go to it.”

Of course, none of this should be taken to discourage anyone from voting. The only certain way to have your vote not count is to not vote at all. Voters, turn in your ballots. And elected officials, get your act together and fix election administration.


Originally published by the Brennan Center for Justice under a Creative Commons Attribution-No Derivs-NonCommercial license.

Comments

comments