It has been reported that, just weeks ahead of the US midterm elections, security experts are warning that America’s voting systems are still vulnerable to being hacked. According to those warnings, attackers could manipulate the outcome of November’s votes, which will establish the support that President Trump has in Congress for the rest of his term.
Commenting on this, Tim Mackey, senior technical evangelist at Synopsys, said: “The 2018 DEFCON Voting Village report highlights a clear disconnect between the security of the devices delivered by vendors and security expectations we as citizens have on our voting systems. Basic best practice training we deliver to employees about setting strong passwords for accounts and IT department processes for updating software flaws in a timely manner are clearly not being followed by those designing and administering voting machines. Part of the problem lies within the process of certifying voting apparatus. In the case of the M650 identified as actively in use within the state of California, it would’ve been certified to the California Voting Systems Standards (October 2014). While the cyber-threat landscape has evolved significantly since CVSS was approved, it is clear given the age of the components used within M650 that it was designed to meet the minimum bar within the standard. Given the costs associated with certification, it’s also very likely that once any device is certified it may have a longer than expected lifespan without update – and an increasingly insecure lifespan.
“It is of course easy to identify issues within critical systems like our voting infrastructure, but far harder to address them. Within industry, various standards exist for the certification of security surrounding everything from credit card data to health care records. These standards have requirements for periodic reassessments and foster a climate of continuous improvement. Breaches of security within companies are routinely reported in the media and, following a breach, responsible organisations take steps to mitigate any risks or changes in threats which were identified. This process of continuous improvement needs to apply to electronic election systems used in all democratic nations. In the US, were an agency like the Department of Homeland Security or National Security Agency to be tasked with performing an annual penetration test of all voting systems, and publish the results of those assessments, the voting public would retain confidence in the process while technology providers could improve their systems armed with expert security guidance. An annual assessment would have the added benefit of depoliticizing the effort.”