Gajus - Fotolia

Lack of cybersecurity standards leaves election process vulnerable

Hackers continue to exploit vulnerabilities in the U.S. political technology, highlighting the need for cybersecurity standards and guidelines to help protect voter information.

The 2016 election season has been unique for reasons beyond the U.S. presidential candidates: For the first time, widespread reports of cyberattacks on voting systems and hacks of political organizations' correspondence are disrupting -- and influencing -- the U.S. election process.

The trend began in July, when Wikileaks published a collection of emails from the Democratic National Committee. Wikileaks would not reveal the source of the leak, but the Department of Homeland Security and the Office of the Director of National Intelligence have recently stated that they are "confident" that the government in Russia is directly responsible for the recent cyberattacks on political organizations involved in the election process, including the one on the Democratic National Committee.

Both Secretary of Homeland Security Jeh Johnson and Director of National Intelligence James Clapper have suggested that Russian cyberattacks are meant to interfere with and influence the U.S. election process. But proving that Russia is behind these cyberattacks will not prevent political officials from employing weak cybersecurity processes.

Cybersecurity is instrumental to protect against these bad actors who wish to exploit vulnerable computer systems, and stronger standards for cybersecurity must be stressed -- and stiff penalties need to be enforced -- in order to ensure compliance. Blaming Russia may be a form of misdirection as it could be any entity, and the problem will always be the same: Our U.S. political officials and organizations will continue to remain vulnerable if they ignore cyberthreats and refuse to implement even the most basic cybersecurity standards.

Outdated election tech

The problem is compounded by another sobering fact: The current U.S. voting infrastructure is a compilation of older, unsophisticated technology blended with newer digital electronics that often don't work well together. This system requires patching -- much like an operating system that constantly needs updating to prevent newly discovered vulnerabilities from being exploited.

As a result, cybersecurity for our political process is not just about protecting our political representatives' emails, but also about protecting the methods and machines we use to count the votes. The older the computer and operating system, the more vulnerable it is, and the same applies to voting machines. For instance, there is a voting machine in use in Louisiana, New Jersey, Virginia and Pennsylvania that has been in use since 1990 and hacked by a college professor -- to draw attention to the device's high vulnerability level -- in seven minutes.

Besides being able to completely take over a voting machine, a hacker could delete the registrations of voters or conduct a Denial of Service attack on registration databases.

Additionally, the physical security of the machines themselves is very weak; the lock on the voting machine hacked by the college professor -- the Sequoia AVC Advantage -- was picked in about seven seconds by one of the professor's students. The Sequoia machine hacked by the professor also had unsoldered ROM chips on the motherboard, which he easily wedged out -- making it simple to replace them with ones programmed by a hacker. For example, the firmware on these chips could be programmed to throw off the machine's results, altering the tally of votes.

Electronic voting machines are the property of privately owned corporations, and the software that is run on them is proprietary. As cybersecurity professionals attempt to study the voting machines, they are faced with a lack of cooperation from the voting machine companies that view the machine code as intellectual property. As a result, they're stymied in efforts to research how best to protect the data the machines collect -- further hindering the development of universal cybersecurity standards for voting machines.

Election cybersecurity standards lacking

There is also a broad diversity of voting jurisdictions, and currently there is no single standard or body that regulates the security, compliance and even execution of what happens on election day. The voting process is managed at the state level and, much like education standards, varies across the country. The National Institute of Standards and Technology and the Election Assistance Commission have put together some standards for voting, but they are voluntary guidelines that are not enforced by a regulatory compliance process.

Besides being able to completely take over a voting machine, a hacker could delete the registrations of voters or conduct a denial-of-service attack on registration databases. Cyberattacks on personally identifiable information could deter future voters through fear of identity theft and would erode public confidence in elections.

CIA Director Michael Hayden and former Homeland Security Secretary Michael Chertoff have suggested that election boards need to increase the level of cybersecurity to what is used in securing critical infrastructure such as the electrical grid.

It's clear that the path to implementing country-wide cybersecurity standards won't be easy. Outdated technology, independently operated voting jurisdictions and even political discourse will be huge obstacles to the development of universal U.S. election cybersecurity standards. But there is no doubt these standards need to be explored, or the integrity of the U.S. election system risks being called into question as digital-age elections continue. 

About the author:
Daniel Allen is a Research Fellow at the Center for Climate and Security, where he focuses on the intersection of strategies for cybersecurity and climate change security risks. He is also President of N2 Cyber Security Consultants, LLC, and is a U.S. Army/Desert Storm veteran and a high school science and climatology instructor. He holds a Master's Degree in Cyber Security and Information Assurance from National University, designated by the National Security Agency and the Department of Homeland Security as a "National Center of Academic Excellence in Information Assurance Education."

Next Steps

Concerns for U.S. election after voter databases breached
Hacks of voter data raises questions of tampering, election security
Russian hackers suspected of election data breaches, White House considers response 

Dig Deeper on Industry-specific requirements for compliance