The newest risks for state election systems: Russian owners and remote access
- By Sara Friedman
- Jul 17, 2018
Maryland officials are asking the Department of Homeland Security for help evaluating its election systems after learning that a vendor with whom the Maryland State Board of Elections was working for voting services and registration infrastructure had been acquired by a company linked to a Russian oligarch.
“While the information relayed to us did not indicate that any wrongdoing or criminal acts have been discovered, we are fast approaching an election in November, and even the appearance of the potential for bad actors to have any influence on our election infrastructure could undermine public trust in the integrity of our election system,” Gov. Larry Hogan said in a statement.
In a July 13 letter to DHS Secretary Kirstjen Nielsen, Maryland officials asked for help from the agency's Office of Cybersecurity and Communications to evaluate network security, audit network integrity and provide other technical support and guidance within the “shortest time possible” to allow for corrective actions before the 2018 elections.
State elections officials and federal lawmakers have been turning up the heat on election equipment vendors over the past 18 months, asking questions about the security of their systems. Officials from Elections Systems and Software admitted to Sen. Ron Wyden (D-Ore.) that the firm had installed remote-access software on "a small number" of election management systems sold from 2000 to 2006, Motherboard reported on July 17.
Wyden is an avid critic of elections system manufacturers, and he introduced legislation in June to require all states to use paper ballots and conduct risk-limiting audits. At least 60 percent of all ballots cast in the United States were tabulated using ES&S systems in 2006, according to Motherboard.
The pcAnywhere remote-access software is used by system administrators to conduct maintenance and make upgrades and help with technical support. Even though election management systems are supposed to be air-gapped systems for security reasons, ES&S equipment running pcAnywhere also had modems that allowed admins to dial into the systems, which could create an entry point for hackers.
The company quit installing pcAnywhere on election systems equipment in December 2007, but not before hackers had stolen the source code for the program and a critical vulnerability was discovered that let attackers take control of a system running pcAnywhere, Motherboard said.
A February analysis of the 2016 election by ProPublica found that over two-thirds of counties used machines that are over a decade old. For the 2018 election, most of those jurisdictions will be still be using that equipment.
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at firstname.lastname@example.org or follow her on Twitter @SaraEFriedman.
Click here for previous articles by Friedman.