In February 2018, Election Systems and Software told the press that it had never installed remote-access software in any of the e-voting systems it has sold in the various US states or to local governments. In April, the company told Senator Ron Wyden’s office (D-OR), that it had sold pcAnywhere remote connection software “to a small number of customers between 2000 and 2006.” The good news about this disclosure is that the systems in question have all been retired and are no longer in use across the United States.
But the fact that this happened in the first place, combined with ongoing warnings about the generally poor state of e-voting security, speaks to the depth and breadth of the issues facing the United States’ e-voting system as the 2018 midterm election approaches. The fact that ES&S lied about its own previous behavior to the public until pressured by Senator Wyden’s office says little good about the civic responsibility these companies feel towards ensuring that voting is handled safely. It’s important — just not as important as minimizing any hint of corporate liability.
In this case, ES&S installed pcAnywhere software on election management systems, not voting terminals. While EMS hardware doesn’t actually collect votes, they’re typically used to program voting terminals and to tabulate results aggregated from those terminals. In short, compromising an ESM could be even more effective than individual terminals, depending on the nature of the breach and the capabilities of the software. But with that said, there’s some important differences between how Vice characterizes the situation and what ES&S says in its letter to Wyden. Vice writes: “ES&S customers who had pcAnywhere installed also had modems on their election-management systems so ES&S technicians could dial into the systems and use the software to troubleshoot, thereby creating a potential port of entry for hackers as well.” ES&S, however, maintains that “The use of the tool could only occur through approval by the customer, who had to initiate the remote connection.”
This isn’t a trivial distinction, and ES&S notes that none of the ESMs that it sold in this configuration are still operating today. But it’s also not the end of the problem — not by a long shot. The United States’ voting system is heavily atomized and administered at the local level, which means it’s mostly run by the Republican party, since the GOP controls far more counties in the United States than the Democratic party does. This atomization makes it extremely difficult to change votes as part of a massive coordinated campaign, and is one reason why allegations of vast swaths of illegal votes being cast have never withstood investigation — any attempt to alter election results within even a single state effectively requires compromising multiple counties across broad geographical areas, to say nothing of the difficulty of coordinating such an attack nationwide.
But the fact that the US system is generally resistant to certain kinds of attack doesn’t make it perfect against all of them. The atomized nature of our election system also means, for example, that we have absolutely no global standard when it comes to preserving a paper trail of how people vote to ensure that electronic records can be verified:
As the New York Times wrote in February:
In the 15 years since electronic voting machines were first adopted by many states, numerous reports by computer scientists have shown nearly every make and model to be vulnerable to hacking. The systems were not initially designed with robust security in mind, and even where security features were included, experts have found them to be poorly implemented with glaring holes.
This was true in 2016. It remains true as we move into the 2018 midterms. It’s not that ES&S has been caught having done something terrible — it’s not clear if Vice understands the difference between a system with a dial-up modem, in which the customer initiates the connection with a remote employee, and one in which the vendor can make that connection independently — but the company’s initial failure to be transparent on this issue is just the latest example of a problem that does date back decades. All the way back in 2006, Ars Technica was documenting massive problems with e-voting machines. Major flaws were still being found in 2015. They’re still being found today. It’s this fact — more than the question of what ES&S was shipping in 2006 — that ought to concern us.
The Biden Administration Pledges to Address the Semiconductor Shortage
Early on Thursday, a group of US chip designers and manufacturers sent a letter to the White House, asking that the government include “substantial funding for incentives for semiconductor manufacturing” as part of the overall COVID-19 economic recovery plan. The Biden Administration has now pledged to take action to help remedy the situation by “identifying…
The US Air Force Quietly Admits the F-35 Is a Failure
The Air Force has finally admitted that the F-35 is not the aircraft the military hoped it would be, though we doubt Ferrari would appreciate being compared with the F-35.
Microsoft Admits Some Bethesda Games Will Be Xbox Exclusives
Microsoft has admitted that at least some Bethesda games will be Xbox and PC exclusives.
Razer Synapse Bug Gives Windows Admin Access to Anyone Who Can Plug in a Mouse
You might want to keep an eye on your USB ports for the next few days. A security researcher has disclosed a disturbingly easy way to gain admin privileges in Windows 10 without a password, and for once, it's not Microsoft's fault.