A top maker of voting machines used in several states had reportedly installed remote access software that was vulnerable to hacking on election systems. Paired with the announcement last week of indictments against 12 Russian intelligence officers, for charges including hacking election systems and the companies operating them, this should be a call to action to assess and bolster the cybersecurity of electronic machines used at various stages of the voting process and make sure that these devices can be audited to guard against election interference and destabilizing allegations of such interference.
The company, Election Systems and Software, admitted to installing remote-access software pcAnywhere on election management machines that were sold to states between 2000 and 2006 in a letter to Sen. Ron Wyden, D-Ore.
That software allows for remote users to access a machine with pcAnywhere if the user is on the same network and has valid login credentials. By enabling remote access, the installation of such software means that a hacker could find a weakness in the code and access the machine whereas a machine without remote access enabled would require tapering to happen in person.
[Also read: Republicans worry about impact of Trump’s Russia comments on midterm elections]
Highlighting how this can become a problem, in 2012 it became clear that the source code for pcAnywhere had been stolen in 2006. Having the source code is especially valuable as someone looking to compromise the machine can then look for where system might be vulnerable to attack. Indeed, this seemed to have been significant worry as Symantec, the company that distributed pcAnywhere, warned all users to uninstall or disable the software due to security fears.
Adding to the concern, vulnerabilities to the pcAnywhere software had also been discovered that would have allowed malicious actors to access the system without credentials such as a username or password.
The latest date that the pcAnywhere software seems to have been used on an election machine was 2011. But more recently a University of Michigan professor J. Alex Halderman, found how voting machines could be compromised to “reprogram the machine to invisibly cause any candidate to win.” They also successfully created software that could spread from machine to machine and change election outcomes.
Even worse, on some machines there is no way to manually check election results. In remarks before the Senate Intelligence Committee, Secretary of Homeland Security Kirstjen Nielsen said that the lack of ability to audit results was a major concern: “If there is no way to audit the elections, that is absolutely a national security concern.”
These vulnerabilities must be taken seriously. Democracy depends on the legitimacy of elections and if the machines used in the voting process are not secure and there is no way to double check their results, that legitimacy is under threat. Both sides of the aisle would be wise to come together and push for the bipartisan, and now reintroduced and revised, Secure Elections Act which would, among other things, facilitate cooperation between local, state, and federal governments, provide money for security updates, and establish an advisory panel with experts in cybersecurity.
While likely to be an imperfect solution, enacting such legislation would help to restore confidence in voters and the legitimacy of American elections, while also signaling to the public that lawmakers take these issues seriously even when the president refuses to do so.
