Election Systems & Software CEO Tom Burt (right) looks at some of the company’s election equipment in the vendor display area at a National Association of Secretaries of State convention in Philadelphia in July. Experts say top election vendors have long skimped on security in favor of convenience and use proprietary systems, making it more difficult to detect election meddling. (AP Photo/Mel Evans)

US election integrity depends on security-challenged firms

Three companies that sell and service most election equipment have skimped on security, experts say.

  • By FRANK BAJAK AP Cybersecurity Writer
  • Monday, October 29, 2018 6:18am

It was the kind of security lapse that gives election officials nightmares. In 2017, a private contractor left data on Chicago’s 1.8 million registered voters — including addresses, birth dates and partial Social Security numbers — publicly exposed for months on an Amazon cloud server.

Later, at a tense hearing, Chicago’s Board of Elections dressed down the top three executives of Election Systems & Software, the nation’s dominant supplier of election equipment and services.

The three shifted uneasily on folding chairs as board members grilled them about what went wrong. ES&S CEO Tom Burt apologized and repeatedly stressed that there was no evidence hackers downloaded the data.

The Chicago lapse provided a rare moment of public accountability for the closely held businesses that have come to serve as front-line guardians of U.S. election security.

A trio of companies — ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver and Hart InterCivic of Austin, Texas — sell and service more than 90 percent of the machinery on which votes are cast and results tabulated. Experts say they have long skimped on security in favor of convenience, making it more difficult to detect intrusions such as occurred in Russia’s 2016 election meddling.

The businesses also face no significant federal oversight and operate under a shroud of financial and operational secrecy despite their pivotal role underpinning American democracy.

In much of the nation, especially where tech expertise and budgets are thin, the companies effectively run elections either directly or through subcontractors.

“They cobble things together as well as they can,” University of Connecticut election-technology expert Alexander Schwartzman said of the industry leaders. Building truly secure systems would likely make them unprofitable, he said.

The costs of inadequate security can be high. Left unmentioned at the Chicago hearing: The exposed data cache included roughly a dozen encrypted passwords for ES&S employee accounts. In a worst-case scenario, a sophisticated attacker could have used them to infiltrate company systems, said Chris Vickery of the security firm UpGuard, which discovered the data lapse.

“This is the type of stuff that leads to a complete compromise,” he said. ES&S said the passwords were only used to access the company’s Amazon cloud account and that “there was no unauthorized access to any data or systems at any time.”

All three of the top vendors declined to discuss their finances and insist that security concerns are overblown. ES&S, for instance, said in an email that “any assertions about resistance to input on security are simply untrue” and argued that for decades the company has “been successful in protecting the voting process.”

Stonewalling on security

Many voting systems in use today across the more than 10,000 U.S. election jurisdictions are prone to security problems. Academic computer scientists began hacking them with ease more than a decade ago, and not much has changed.

Hackers could theoretically wreak havoc at multiple stages of the election process. They could alter or erase lists of registered voters to sow confusion, secretly introduce software to flip votes, scramble tabulation systems or knock results-reporting sites offline.

There’s no evidence any of this has happened, at least not yet.

The vendors say there’s no indication hackers have penetrated any of their systems. But authorities acknowledge that some election mischief or malware booby traps may have gone unnoticed.

On July 13, U.S. special counsel Robert Mueller indicted 12 Russian military intelligence operatives for, among other things, infiltrating state and local election systems. Senior U.S. intelligence officials say the Kremlin is well-positioned to rattle confidence in the integrity of elections during this year’s midterms, should it choose to.

Election vendors have long resisted open-ended vulnerability testing by independent, ethical hackers — a process that aims to identify weaknesses an adversary could exploit. Such testing is now standard for the Pentagon and major banks.

While the top vendors claim to have stepped up their cybersecurity game, experts are skeptical.

“The industry continues to stonewall the problem,” said Bruce McConnell, a Department of Homeland Security cybersecurity czar during the Obama administration. Election-vendor executives routinely issue assurances, he said, but don’t encourage outsiders to inspect their code or offer “bug bounties” to researchers to seek out flaws in their software.

Sen. Ron Wyden, an Oregon Democrat, has long criticized what he calls the industry’s “severe underinvestment in cybersecurity.” At a July hearing, he accused the companies of “ducking, bobbing and weaving” on a series of basic security questions he’d asked them.

ES&S told The Associated Press that it allows independent, open-ended testing of its corporate systems as well as its products. But the company would not name the testers and declined to provide documentation of the testing or its results.

Dominion’s vice president of government affairs, Kay Stimson, said her company has also had independent third parties probe its systems but would not name them or share details. Hart InterCivic, the No. 3 vendor, said it has done the same using the Canadian cybersecurity firm Bulletproof, but would not discuss the results.

ES&S hired its first chief information security officer in April. None of the big three vendors would say how many cybersecurity experts they employ. Stimson said that “employee confidentiality and security protections outweigh any potential disclosure.”

Sloppy software and vulnerability

Experts say they might take the industry’s security assurances more seriously if not for the abundant evidence of sloppy software development, a major source of vulnerabilities.

During this year’s primary elections, ES&S technology failed on several fronts.

In Los Angeles County, more than 118,000 names were left off printed voter rolls. A subsequent outside audit blamed sloppy system integration by an ES&S subsidiary during a database merge.

No such audit was done in Kansas’ most populous county after a different sort of error in newly installed ES&S systems delayed the vote count by 13 hours as data uploading from thumb drives crawled.

University of Iowa computer scientist Douglas Jones said both incidents reveal mediocre programming and insufficient pre-election testing. And voting equipment vendors have never seemed security conscious “in any phase of their design,” he said.

For instance, industry leader ES&S sells vote-tabulation systems equipped with cellular modems, a feature that experts say sophisticated hackers could exploit to tamper with vote counts. A few states ban such wireless connections; in Alabama, the state had to force ES&S to remove them from machines in January.

“It seemed like there was a lot more emphasis about how cool the machines could be than there was actual evidence that they were secure,” said John Bennett, the Alabama secretary of state’s deputy chief of staff.

California conducts some of the most rigorous scrutiny of voting systems in the U.S. and has repeatedly found chronic problems with the most popular voting systems. Last year, a state security contractor found multiple vulnerabilities in ES&S’s Electionware system that could, for instance, allow an intruder to erase all recorded votes at the close of voting.

In 2014, the same contractor, Jacob Stauffer of the security firm Coherent Cyber, found “multiple critical vulnerabilities” in Dominion’s Democracy Suite that could allow skilled hackers to compromise an election’s outcome.

“These systems are Frankenstein’s monster, essentially,” Stauffer said.

The federal Department of Homeland Security began offering confidential vulnerability testing to vendors over the summer. But only one vendor has submitted to such testing, said an agency official who spoke on condition of anonymity because the official was not authorized to discuss the matter publicly.

Stalled innovation

More competition might help, but industry barriers to smaller vendors are “absolutely enormous,” said Larry Moore, president of upstart Clear Ballot. Its auditable voting system took two and a half years to win federal certification at a cost of $1 million.

Startups are hard-pressed to disrupt an industry whose main players rely heavily on proprietary technologies. ES&S and other vendors have jealously guarded them in court — and also unleash lawyers against election officials who purchase competitors’ products.

In October, ES&S sued Cook County, Illinois, seeking to void its $30 million, 10-year contract with a competitor. It also recently threatened Louisiana and Douglas County, Kansas, with lawsuits for choosing other suppliers.

Cook County Elections Director Noah Praetz said suing in defense of market share only chills competition in an industry with “horribly low” margins, especially considering limited government funding for election equipment.

“The market isn’t functioning real well in terms of bringing innovation,” he said.

Limited oversight

Elections are run by the states, whose oversight of suppliers varies. California, New York and Colorado are among states that keep a close eye on the vendors, but many others have cozier relationships with them.

And the vendors can be recalcitrant. In 2017, for instance, Hart InterCivic refused to provide Virginia with a paperless e-Slate touchscreen voting machine for testing, said Edgardo Cortes, then the state election commissioner.

In this year’s midterms — as in the 2016 election — roughly 1 in 5 voters will use such electronic machines. Their tallies cannot be verified because they produce no paper record.

Cortes decided to decertify all such systems. If anyone tried to break in and alter votes, he concluded, “there was really no way for us to tell if that had happened.” Hart InterCivic’s vice president of operations, Peter Lichtenheld, did not dispute Cortes’ account in July Senate testimony, but said its Virginia customers were already moving to newer machines.

At the federal level, no authority accredits election vendors or vets them or their subcontractors. No federal law requires them to report security breaches or to perform background checks on employees or subcontractors.

Election vendors don’t even have to be U.S. companies. Dominion was Canadian-owned until July, when a New York private equity firm bought a controlling interest.

Federal oversight is limited to the little-known Election Assistance Commission, a 30-employee agency that certifies voting equipment but whose recommendations are strictly voluntary. It has no oversight power and cannot sanction manufacturers for any shortcomings.

“We can’t regulate,” EAC chairman Thomas Hicks said during a July 11 congressional hearing when the question came up. Neither can DHS, even though it designated the nation’s election systems “critical infrastructure” in early 2017.
