Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Report highlights cyber risks to US election systems

A report out Wednesday says election systems in the U.S. are vulnerable to cyber intrusions similar to the one that hit federal agencies and numerous businesses last year and remain a potential target for foreign hacking

Via AP news wire
Wednesday 10 February 2021 17:05 EST
Voting-Election Security
Voting-Election Security (Copyright 2020 The Associated Press. All rights reserved.)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Election systems in the U.S. are vulnerable to cyber intrusions similar to the one that hit federal agencies and numerous businesses last year and remain a potential target for foreign hacking, according to a report released Wednesday.

The report by the Center for Internet Security, a nonprofit that partners with the federal government on election security initiatives, focuses on how hardware and software components can provide potential entryways for hackers.

“We have to continue to get better," said Aaron Wilson, a co-author of the report. “We have to improve our defenses, as those that are on the other side are likely honing their attack strategy, as well.”

The 2020 election was deemed the “most secure” in history by a coalition of government cybersecurity experts and state and local election officials. There also is no indication that any election system was compromised as part of the hacking campaign that exploited an update of network management software from a company called SolarWinds. It was the largest cybersecurity breach of federal systems in U.S. history.

Despite that, election systems are vulnerable to the same risks exposed by the SolarWinds hack, the report said. It describes the risk of such an attack, in which hackers might infiltrate the hardware or software used in election equipment. Even if voting results aren't affected, such an attack could lead to confusion and undermine confidence in U.S. elections.

The nation’s decentralized system of election administration means voting technology varies from state to state and even county to county, providing multiple ways for malicious actors to gain access. The systems generally rely on components from third-party suppliers or use commercial, off-the-shelf hardware. Most also use proprietary software that may not be subjected to rigorous security testing.

"It's a complex mix of parts and suppliers, which creates very real supply chain risks," said Eddie Perez, global director of technology development at the OSET Institute, a nonprofit election technology research corporation.

The use of foreign suppliers for voting technology and related supply chain security has long been a concern. During a congressional hearing last year, executives with the three major voting machine vendors faced repeated questioning from lawmakers about the sources of the parts used to manufacture their voting machines, what steps they have taken to secure their products from tampering and what, if anything, can be done to use American-made parts.

The executives said the machines they manufacture include, to some extent, components from China but said using foreign suppliers isn’t unique to the voting equipment industry.

SolarWinds, a Texas company, was breached by suspected Russian hackers to deliver malware and gain access to networks of businesses and governments, including the U.S. departments of Commerce, Treasury and Justice as part of a large-scale cyberespionage campaign.

Brandon Wales, the acting director of the U.S. Cybersecurity and Infrastructure Security Agency, said recently there was “no evidence that any election systems were compromised” as part of the hack.

Election officials have spent years working to boost their cybersecurity defenses after it became clear in late 2017 that Russian hackers had scanned state and local voter registration systems in the run-up to the 2016 election — and penetrated a few. Tens of millions of dollars have been spent to educate and train state and local election officials, add security defenses such as firewalls, and conduct security reviews and testing.

Also Wednesday, the U.S. Election Assistance Commission approved the first update in 15 years to a series of voluntary guidelines used by most states to certify voting machines. The guidelines include several security improvements, including a recommendation for states to adopt a strategy to reduce supply chain risks.

___

Associated Press Writer Frank Bajak in Boston contributed to this report.

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in