As election year moves into the final stretch, news coverage wouldn't be complete without another mention of a politically motivated data breach or cybersecurity incident. Of course, several months ago the DNC's emails were compromised by hackers, resulting in the theft and exposure of 19,000 hacked emails and related documents. This pales in comparison, however, to the recent FBI announcement of data breaches involving both Illinois and Arizona's voter registration databases. If the controls critical to securing election systems continue to fail, how can participants in the democratic process be sure that their votes won't be hijacked?
As it turns out, crafty attack methods and sophisticated black hat tools are hardly necessary for compromising critical election systems. Using nefarious methods to influence votes is a cumbersome and inexact science—would it not be easier to just alter vote counts directly? So the question becomes: how safe are electronic voting systems from being hijacked by cyberattackers?
Different voting solutions are used in elections across the country, on all levels—city, state, and federal—so the answer varies per vendor. Additionally, these proprietary systems are typically exclusive to government institutions, for obvious reasons. However, as a measure of security fitness and enterprise resilience, these manufacturers' CSTAR ratings may ultimately translate into the security (or lack thereof) of the products they build and sell.
The Election Asssistance Commision (EAC) is the agency of the U.S. government responsible for accrediting voting system test laboratories and certifying voting equipment. The following leading vendors were selected from a list of 15 voting system manufacturers registered with the agency and meeting the requirements of Chapter 2 of the EAC’s Testing and Certification Program Manual.
Voting System Vendors
1. ES&S - 143 out of 950
Election Systems and Software (ES&S) is the largest manufacturer of voting machines in the United States, boasting customers in 4,500 localities in 42 states and two U.S. territories. Rhode Island, Washington, D.C., Maryland, and Colorado are a few states that use its systems.
Unfortunately, the company scored an alarmingly low CSTAR score due to a myriad of perimeter security flaws. For example, lack of sitewide SSL render its website vulnerable to man-in-the-middle (MITM) attacks, while the exposure of ports typically assigned to file sharing services and database communications give attackers additional potential attack vectors. A lack of DMARC and DNSSEC also contribute to ES&S' low score.
2. Unisyn Voting Solutions - 219 out of 950
Unisyn’s digital scan voting system is certified by the EAC to meet the Voluntary Voter Standards and Guidelines (VVSG), a set of specifications/requirements for determining if voting systems meet required standards. The company provides "the only systems with multi-tiered levels of security residing on a hardened streamlined Linux and Java platform," with all of their source code "available for review by trusted jurisdictions officials as part of a procurement process."
When vendor website security asssessment becomes a standard part of the procurement process, Unisyn will certainly be in trouble. Its paltry CSTAR score of 219 quantifies a myriad of security flaws: lack of sitewide SSL, server information leakage, exposed ports, and more.
3. Smartmatic - 808 out of 950
Election authorities from Los Angeles County, the most populous in the US, conducted a pilot test with Smartmatic to streamline and expedite election reports during California's June 7th Primary Presidential Elections. The Philippines' 2010 and 2016 Presidential elections also saw the use of Smartmatic's solutions in transmitting and tallying votes.
Relatively speaking, Smartmatic's security posture is decent—that said, a handful of security flaws like disabled HTTP Strict Transport Security, lack of secure cookies, and disabled DMARC make its security posture less-than-ideal.
4. Dominion Voting - 342 out of 950
Dominion is a century-old company with deep expertise in developing voting systems. Interestingly, the company traces its roots back to 1895 with the invention of the first direct recording lever machine—the original predecessor of the modern voting machine. The company's voting machines are currently used in 600 jurisdictions across 22 U.S. states.
Search for "free vulnerability scanner" and you'll see plenty of options. So why are breaches due to known vulnerabilities still so common?
In 2015, the company was chosen as the sole provider for Colorado’s Uniform Voting System, part of the state's modernization efforts to improve the elections process and voter experience.
Despite its long heritage and pedigree, the company scored a dismal CSTAR score of 342. Similar flaws plague the company's website perimeter security controls. Lack of sitewide SSL, server information leakage, and disabled SPF and DMARC
5. OSET Foundation - 390 out of 950
The OSET Foundation aims to make elections software technology publicly available to enable verification, accuracy, security, transparency, and integrity in elections. Its ElectOS is an emerging open source framework of public election technology available free of charge to any jurisdiction to adopt/adapt and deploy.
Despite altruistic efforts in launching this initiative, the OSET Institute's website gets a dismal 390 CSTAR rating. Along with the usual security shortcomings like lack of sitewide SSL, SPF, and DMARC, the OSET Institute's website lacks HTTP strict transport security and HttpOnly Cookies—mechanisms that prevent credential hijacking and client-side script attacks, respectively.
6. Clear Ballot - 561 out of 950
Boston-based Clear Ballot develops cutting edge solutions for voting management, consolidation/reporting, and auditing. Various counties in Oregon, Florida, and Colorado are using its voting systems to power their elections.
The company scores an average CSTAR score of 561 for its semi-bolstered website perimeter security posture. No vulnerable ports are exposed—but common flaws like lack of SSL, HTTP Strict Transport Security, DMARC, and DNSSEC plague its web presence.
The existence of highly vulnerable U.S. election data systems only validate what we've known all along: that democracy is as fragile as the mechanisms that support it, electronic or otherwise. But unlike the Watergate scandal that ended Nixon's presidency over four decades ago, today's break-ins are carried out by perpetrators in remote locations, armed with highly sophisticated tools for digital breaking and entering. By the same token, state-of-the-art solutions like UpGuard's digital resilience platform are readily available to prevent otherwise undetected vulnerabilities and security flaws from leading to compromised votes. To get a feel for UpGuard's capabilities, try out the CSTAR risk grader web application and chrome extension to instantly validate the security posture of your website—or better yet, get a free UpGuard account today.
How CSTAR Works What's In the Website Risk Grader? Understanding Risk in the 21st Century
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Article >
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >
And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.
Read Article >