Friday, November 20, 2020

'Online and vulnerable': Experts find nearly three dozen U.S. voting systems connected to internet

Jan. 10, 2020, 11:36 PM UTC

It was an assurance designed to bolster public confidence in the way America votes: Voting machines “are not connected to the internet.”

Then Acting Undersecretary for Cybersecurity and Communications at the Department of Homeland Security Jeanette Manfra said those words in 2017, testifying before Congress while she was responsible for the security of the nation’s voting system.

So many government officials like Manfra have said the same thing over the last few years that it is commonly accepted as gospel by most Americans. Behind it is the notion that if voting systems are not online, hackers will have a harder time compromising them.

But that is an overstatement, according to a team of 10 independent cybersecurity experts who specialize in voting systems and elections. While the voting machines themselves are not designed to be online, the larger voting systems in many states end up there, putting the voting process at risk.

That team of election security experts says that last summer, they discovered some systems are, in fact, online.

“We found over 35 [voting systems] had been left online and we’re still continuing to find more,” Kevin Skoglund, a senior technical advisor at the election security advocacy group National Election Defense Coalition, told NBC News.

“We kept hearing from election officials that voting machines were never on the internet,” he said. “And we knew that wasn't true. And so we set out to try and find the voting machines to see if we could find them on the internet, and especially the back-end systems that voting machines in the precinct were connecting to to report their results.”

Skoglund and his team developed a tool that scoured the internet to see if the central computers that program voting machines and run the entire election process at the precinct level were online. Once they had identified such systems, they contacted the relevant election officials and also provided the information to reporter Kim Zetter, who published the findings in Vice’s Motherboard in August.

The three largest voting manufacturing companies — Election Systems & Software, Dominion Voting Systems and Hart InterCivic — have acknowledged they all put modems in some of their tabulators and scanners. The reason? So that unofficial election results can more quickly be relayed to the public. Those modems connect to cell phone networks, which, in turn, are connected to the internet.

The largest manufacturer of voting machines, ES&S, told NBC News their systems are protected by firewalls and are not on the “public internet.” But both Skoglund and Andrew Appel, a Princeton computer science professor and expert on elections, said such firewalls can and have been breached.

“AT&T and Verizon and so on try and protect as best they can the security of their phone network from the rest of the internet, but it’s still part of the internet,” Appel explained. “There can still be security holes that allow hackers to get into the phone network.”

The 35 systems Skoglund’s team found represent a fraction of total voting systems nationwide, though he believes they only captured a portion of the systems that are or have been online. Earlier this week, Skoglund showed NBC three election systems were still online even after officials had been told they were vulnerable.

For election systems to be online, even momentarily, presents a serious problem, according to Appel.

“Once a hacker starts talking to the voting machine through the modem, the hacker cannot just change these unofficial election results, they can hack the software in the voting machine and make it cheat in future elections,” he said.

The National Institute of Standards and Technology, which provides cybersecurity frameworks for state and local governments and other organizations, recommends that voting systems should not have wireless network connections.

Skoglund said that they identified only one company among the systems they detected online, ES&S. ES&S confirmed they had sold scanners with wireless modems to at least 11 states. Skoglund says those include the battleground states of Michigan, Wisconsin and Florida.

While the company’s website states that “zero” of its voting tabulators are connected to the internet, ES&S told NBC News 14,000 of their DS200 tabulators with online modems are currently in use around the country.

NBC News asked the two other major manufacturers how many of their tabulators with modems were currently in use. Hart said that it has approximately 1,600 such tabulators in use in 11 counties in Michigan. Dominion did not respond to numerous requests from NBC News for their sales numbers.

'Vulnerable to hacking'

With the 2020 presidential election only ten months away, Appel and Skoglund believe all modems can and should be removed from election systems.

“Modems in voting machines are a bad idea,” said Appel. “Those modems that ES&S [and other manufacturers] are putting in their voting machines are network connections, and that leaves them vulnerable to hacking by anybody who can connect to that network.”

The state of Michigan is currently grappling with this issue. Since the 2016 election, Michigan authorized $82 million to upgrade its election systems. Some of that money was spent on tabulators with wireless modems. But now, some state officials worry that the machines may pose a security risk and are pushing to have the modems removed.

Others are not so sure, and the state has set up an advisory committee.

Jake Rollow, director of communications for the Michigan Department of State, said in a statement to NBC News, “Even though the results are unofficial, if these unofficial results were disrupted or manipulated, it could still cause confusion on Election Day.”

“The department will consider the advisory commission’s recommendations to improve the security of the process,” Rollow continued. “The specific steps taken would depend on the recommendation and the timeline required to make changes effectively.”

Last fall, when ES&S gave NBC News an exclusive tour at its headquarters in Omaha, Neb., Chief Executive Officer Tom Burt defended using modems when asked about the Sprint and Verizon modems seen in ES&S's testing area.

“There’s a small percentage of jurisdictions in the country -- a lot of them are in Florida -- who have decided they want to modem unofficial results to the election office,” he said. “Generally speaking, the media in those locations are kinda clamoring to get unofficial results as quickly as possible.”

When asked if the desire for speed was at odds with accuracy and security, Burt said, “it’s not my place to judge that.”

NBC News reached out to the Department of Homeland Security, which declined to comment on the topic of modem security in voting machine tabulators and scanners.
