Lessons Learned: Voting machine security

Small business takeaways

By Laura Haight
Originally published as the Digital Maven in Upstate Business Journal

We are now fewer than 60 days away from the midterm election. No matter which political party – if any – you align with, you know this is a crucial election.

But how secure is it?

There is a lot of news about voting and election security, about social media memes, foreign actors divining influencing campaigns to move voters in one direction or another. But I want to focus on something a lot closer to home: Voting machines.

It’s been a bad year for Election Systems and Software (ES&S), the Nebraska company that manufactures the iVotetronic voting machines used in every county, every precinct of South Carolina.

First they were hacked by ethical hackers in 2017, then the admin password to the iVotetronics machines was posted on Twitter. In July, the company was forced to admit it had installed remote-access software on some election-management systems it sold over a period of six years, including 2005 when South Carolina installed the iVotetronics. That software, pcAnywhere, had a known vulnerability at the time ES&S deployed it. Fast forward to early August, when another group of ethical hackers at the Defcon hackathon asked ES&S to work with them in their efforts to hack into their machines again. ES&S refused, drawing some unwanted attention and criticism from a few U.S. senators.

Not good, ES&S. And not great for South Carolina, either. But, apart from the very real policy and security issues that the state must address, there are lessons any business can learn from this.

Lesson 1: Embrace bad news

Sixty percent of small businesses were hacked in 2017. That percentage has stayed relatively steady for the past three years and shows no signs of slowing. So if you think you haven’t been hacked, you probably just don’t know it yet. In fact, that was the very strong message that then-FBI director James Comey had for businesses in 2014. The good thing about being hacked is you can do something about it. Your eyes are open. You will (or should) start looking for the weaknesses that were exploited and testing those that weren’t.

Being hacked doesn’t make you special and it doesn’t (always) reflect poorly on you. What it gives you is a chance to fix things. But you can’t fix what you don’t know. That’s why so many security-aware companies now choose pre-emptive audits, security reviews, and penetration testing of hardware, software and employees.

ES&S’s reluctance to assist the same hackers who hacked their machines last year begs the question: Why? Don’t you want the world – and every state where you want to sell more equipment – to know that your machines are secure?

Lesson 2: Self protection is often self defeating

It’s not the crime, it’s the coverup. That’s a lesson we should have learned from Watergate in 1974. Regardless of what the law requires, companies are far better off proactively notifying customers and clients of any incident.

Customers appreciate honesty, for one thing. A proactive communication gives you an opportunity to outline the positive steps you are taking. For example, you’ve probably received emails from companies that have expired all the passwords, requiring you to update your password after a hack. This is a pain, but it is a positive step a company can take to protect your information even after a potential hack. I say potential because while companies may know that hackers got in, they may not have clear visibility into what hackers took out.

Juxtapose that against Experian, which waited six weeks to notify its 145 million customers that all their sensitive data had been exposed. It was Experian’s actions after the hack that most seriously damaged its reputation.

ES&S doesn’t get any points with its customers or the public by having a tech reporter uncover a lie and then refuse to answer questions about it. Rip the bandage off and stop the bleeding.

Lesson 3: Humanware is the last, best line of defense

We put a lot of trust – and a lay a lot of blame – in hardware and software. But we often neglect the number one risk in every business, nonprofit, and government agency: an authenticated user. Every hack that has ever occurred has been made possible by the actions or inactions of a user. Spare no expense on hardware? Get the latest innovations in intrusion detection software? That will prevent a high percentage of attacks. But it takes just one click by one user to defeat it all.

The corollary is also true: Users are the best defense against any hacking. The limited accessibility to the voting machines mitigates human intervention. The state, generally given poor grades on election security by the Center for American Progress, did get good marks on protecting the voter registration database.

The small army of volunteer poll workers and poll managers who staff voting places are there to protect the vote, not imperil it. My one experience as a poll watcher reinforced that for me.

It also reinforces my belief that users who feel they matter, who feel they are important, who understand that they are, in fact, the Maginot Line between cybercriminals and their company’s assets, customers, clients, and intellectual property are worth every effort and every expense a company puts into training and reward.

Lawson Wetli, president of the League of Women Voters of Greenville County, is on the frontlines of the discussions of election security. Her focus for the next 55 days is firmly on humanware. “If you are worried about security, show up on November 6. Become a poll worker, or a poll watcher (for your respective political party).” Wetli notes that the current equipment is nearing the end of its useful life, that a lawsuit filed against the state demands that outdated equipment be replaced with funding from the federal and state governments, and that new voting machines must have redundant paper backup systems so the vote can be full reconciled.

New equipment isn’t coming in the next two months. “Where we have power,” she says, “is putting a spotlight on this issue for 2020 to make sure we fund appropriate election equipment with auditable, voter verifiable results. That we have a system we can be proud of moving forward.”