Experts Review Claims Some Election Systems Left Vulnerable
WASHINGTON — After an investigative report from VICE claimed dozens of election systems were left exposed to hackers online, cybersecurity experts are evaluating their claims.
The report revealed researchers found what they believe to be “backend” election systems in at least six Florida counties were at some point connected to the Internet, sometimes for months at a time.
“I think there’s a pretty high probability that some number of these election systems have inadvertently been online,” said Tom Gann, chief public policy officer with global cyber security firm McAfee.
Gann explained the report highlights what is at stake when systems are connected to the internet.
“A hacker that is sophisticated can detect that system online and even within a few minutes can infiltrate it with advanced Malware and do real damage. Our view is election systems should never be online, ever,” he said.
Challenges to the reports findings
We reached out to all the Florida counties named in the VICE article. Several are disputing the report because they have been unable to independently verify specific IP addresses discovered by researchers.
“I was not contacted by Ms. Zetter or anyone from VICE prior to the article being published, so I was not afforded the opportunity to confirm or refute the IP address attributed to our organization in the article,” said Pasco County Supervisor of Elections Brian Corley in an email.
“I have been in contact with Florida Secretary of State Laurel Lee and it is my understanding that the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) is working to provide the IP addresses reference in the article so we can independently verify,” he added.
Flagler County Supervisor of Elections Kaiti Lenhart pointed out the connection accessed by the researchers may not be one even affiliated with their elections.
“The connection believed to be found in Flagler County could easily be any one of many government agency servers here at our location, or it could be our office network connection,” she wrote in an email.
“Until more detailed information is presented, including dates, times and the IP address believed to be in Flagler County, there is no reason to assume our tabulation server has ever had any established connection to the Internet outside of planned modem testing or during an active election cycle when results are being transmitted from Election Day polling sites,” she added.
Trying to identify potential problems now
The majority of election officials maintain the vote tabulation server is held in an isolated network with no internet access.
However, unofficial results are transmitted using wireless modems from polling places. Gann admits that method isn’t necessarily secure and could lead to a discrepancy between unofficial and official tallies.
“If you can’t do early reporting of an initial result to the media, that may be a reasonable precaution to take. There’s a tradeoff — people like early returns and reporting, but you can get a pretty good sense of where things stand through exit polling data,” he said.
With the presidential election on the horizon, experts say identifying problems now is key.
“For election officials out there, if your systems were online and you feel embarrassed about it, get over it, just work to get it fixed,” Gann said.
The team of researchers did not find any reason to believe any of the systems it explored have been compromised by hackers. However, experts are highlighting the need for states to have multiple ways of verify results with a paper trail.