Written by Greg Otto
The last few years have been an awakening for Election Systems & Software. Before 2016, very few people were publicly pressing the company to change the way it handled its cybersecurity practices. Now, the nation’s leading manufacturer of election technology has become a lightning rod for critics.
Security experts say the small number of companies that dominate the nation’s election technology market, including ES&S, have failed to acknowledge and remedy vulnerabilities that lie in systems used to hold elections across the country. Once left to obscurity, the entire ecosystem has been called into question since the Russian government was found to have interfered with the 2016 presidential campaign. While there has never been any evidence to suggest that any voting machines were compromised, the Department of Homeland Security and FBI recently issued a memo that all 50 states were at least targeted by Russian intelligence.
The peak of the criticism came after the Voting Village exhibition at the 2018 DEF CON security conference, where amateur hackers unearthed a bevy of flaws in the company’s tech. In a number of publications — including CyberScoop — ES&S disputed the notion that it didn’t take cybersecurity seriously, arguing its own due diligence was enough to satisfy any security worries. It didn’t help the Omaha, Nebraska-based company’s case when the Voting Village committee issued a report in September that found decades-old vulnerabilities in an ES&S ballot tabulator that has been used in elections in more than half of the states.
In light of these issues, some of the election tech manufacturers are trying to change course, and ES&S is the most public about its efforts. With the country gearing up for the 2020 presidential election, the company has revamped its security testing procedures, putting together a plan to let penetration testers from both the public and private sector evaluate the safety of its systems. Furthermore, ES&S and its competitors are communicating in an unprecedented way about committing to a certain level of standards that can lift the entire industry to a better security baseline.
While election tech companies often rely on the U.S. Election Assistance Commission Voluntary Voting System Guidelines as a roadmap for securing their products, ES&S is trying to take their efforts one step further.
“We believe that our internal testing and the testing that the government labs do to earn Election Assistance Commission certification, while thorough, is not answering our critics’ questions about independent testing,” Chris Wlaschin, ES&S chief information security officer, told CyberScoop. “We are doing absolutely all that we can to ensure the security and reliability of our equipment used in U.S. elections.”
Election security advocates are still wary on whether this newfound transparency will result in concrete changes. ES&S has been extremely litigious in the past when it comes to issues regarding its tech, which according to the company, has a 60 percent market share when it comes to voting system installations. Advocates who spoke with CyberScoop are wondering if these efforts are little more than a marketing ploy.
What’s Being Tested
Among the measures ES&S has taken is contracting with Iowa City, Iowa-based cybersecurity services provider ProCircular for a penetration test of the company’s DS200 optical scan ballot tabulator.
The DS200 is one of the newer machine’s in ES&S’s line of products. It reads either a hand-marked ballot or ballot that’s been marked through an interface such as a touchscreen. The device never connects to the internet, but election officers can configure the machines via USB drives that use a signed data key which complies with federal security standards.
One of the more popular pieces of equipment sold by the company, the DS200 was in use in 23 states during the 2016 election. That included the entire state of Maryland and all five New York City boroughs.
ProCircular’s team spent several weeks conducting penetration testing on the hardware, software, and way the device performed. The firm found the devices to be, in their words, “reliable and secure.”
“Coupled with the thousands of hours of security testing that ES&S performs as part of the EAC certification program, the ProCircular findings represent the commitment ES&S has to security and its ability to develop and deliver secure, reliable voting systems,” ProCircular told CyberScoop.
ProCircular did not release further details on the report due to a confidentiality agreement with ES&S. Such agreements are standard when a company undergoes a penetration test.
The company had also been in negotiations to turn over its entire suite of election management software to Boston-based Rapid7 for pen testing, but those conversations were shelved shortly before this story was published. Neither ES&S nor Rapid7 detailed why talks stalled.
However, ES&S already had found another organization that would pen test its ballot marking devices, ballot tabulators and election management software: the Department of Homeland Security. The effort was born after the company reached out to the department’s National Cybersecurity Assessments and Technical Services (NCATS) team about having their systems be a part of the office’s Cyber Hygiene program. Used by hundreds of organizations — including state and local election systems — the Cyber Hygiene program detects known vulnerabilities on internet-facing services and offers various penetration tests.
“That prompted us to ask if DHS could do penetration testing of an election system,” Wlaschin told CyberScoop. “[DHS officials] said they’ve never done it before, but were willing to try.”
In March, ES&S sent its products to a branch of DHS’s National Cybersecurity and Communications Integration Center (NCCIC) located at Idaho National Laboratory. The company expects a full report to be issued at the end of May.
Other election technology companies have had the same idea. In late March, San Diego-based Unisyn Voting Solutions announced its OpenElect suite of products had completed the Idaho National Lab’s testing.
Christopher Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency, told CyberScoop that tests like this are a force-multiplier for the outreach the agency is conducting ahead of the 2020 election.
“We’ve got to reach out and in part we can actually work with the vendors in that outreach,” Krebs told CyberScoop. “In a lot of cases, the vendors work with the local jurisdictions more so than the 50 Secretaries of State or the election directors do. So we’re taking a multi-pronged approach to actually getting to that real, true ‘last mile’ engagement.”
That engagement has been something of a priority for DHS’s cybersecurity offices since November 2016. Some of ES&S’s outreach, meanwhile, has concentrated on an entirely different branch of the government.
Let’s Make a Law
Regulation has been something of a buzzword in technology circles since the 2016 election. With social media giants like Facebook dealing with their own post-election scandals, there have been calls inside the greater tech industry for regulation that would set guardrails for the ways companies are to keep their users information private and secure.
ES&S seems to have taken a page from Mark Zuckerberg’s playbook. The company told CyberScoop that it’s working with “a set of Congressional staffers” on legislation that would shape an industry-wide coordinated vulnerability disclosure program in lieu of setting up a program that is only for their tech. The company refrained from naming the staffers since talks are at an introductory phase.
The company has been examining such a program for the past few months, collaborating with its competition on ways the industry could create bug bounty and coordinated vulnerability-disclosure programs. Company representatives from the three big election tech companies —ES&S, Dominion and Hart Intercivic — have attended numerous meetings or events over the past few months, including one set by the Information Technology Information Analysis and Sharing Center (IT-ISAC) where executives spoke with company officials who have set up bounty programs in the automotive, aviation and healthcare sectors.
While the company doesn’t need legislation to set up such a program, ES&S told CyberScoop it would prefer if a law forced the entire industry to follow a similar set of program guidelines.
“We want coordinated vulnerability disclosure and bug bounty programs to apply equally to all the vendors in in the industry,” Wlaschin told CyberScoop. “We don’t want ES&S to be out there alone.”
Dominion and Hart InterCivic told CyberScoop they are interested in figuring out a baseline that can work for the entire industry.
“We are supportive of an industry-wide program and working with other companies to make that happen,” Kay Stimson, Dominion Voting’s vice president of government affairs, told CyberScoop.
“Hart is committed to participating in a vulnerability disclosure program and is working closely with the IT-ISAC’s [Election Infrastructure Special Interest Group] and the Election Assistance Commission to develop a policy and build a secure channel for researchers to report security issues under a process that allows for the disclosure and mitigation of any discovered issues in an appropriate and timely manner,” Steven Sockwell, Hart’s vice president of marketing, told CyberScoop.
Is it real?
When told of ES&S’s efforts, reactions from numerous election security experts range somewhere between cautious optimism to mild incredulity. They told CyberScoop that it’s good that ES&S is making an effort, but the actions don’t quell the issues that have plagued the industry for years.
“It’s not about, ‘Is this thing secure?’,” said Jake Braun, CEO of Cambridge Global and an organizer of the DEF CON Voting Village, when told about the various penetration tests. “It’s about ‘Tell me the stuff I need to fix to make it more secure.’ Saying something is ‘secure and reliable’ is like ‘Well, I don’t know, compared to what?’”
Experts also told CyberScoop that the results of the penetration tests should be shared outside of the company.
“The real value would be in details that are made public,” John Sebes, co-founder and chief technology officer of the election technology research nonprofit OSET Institute, told CyberScoop. “To really assess the value of that statement, we’d need to see documents that described the extent and limits of the testing, what failure modes the testers should be seeking to create, and which attack methods are allowed and which are not.”
The likelihood of that happening is slim. Beyond the private companies refusing to break their confidentiality agreement, a DHS spokesperson told CyberScoop that the government will not be publicly releasing the Idaho National Laboratory report, since the testing is voluntary and confidential.
Even if the test results were made public, Braun pointed out that it wouldn’t address the machines that were independently tested at DEF CON. The M650, the ballot tabulator that was found to have a decades-old vulnerability, is still in use across the country.
Election security experts are not the only group ES&S is attempting to curry favor with. There are a number of lawmakers who have grown increasingly interested in the ways election technology vendors are protecting their infrastructure.
In March, a group of Democratic senators – Amy Klobuchar of Minnesota, Gary Peters of Michigan, Jack Reed of Rhode Island and Mark Warner of Virginia — sent a letter to the three largest vendors about their plans to improve their products’ security.
Throughout their responses — ES&S and Hart‘s letters can be read here, while Dominion’s has not been made public — the companies highlighted numerous ways its enhanced its security, even beyond what can be improved via cybersecurity. While none of the lawmakers have commented on the companies’ responses, Klobuchar has continued pressing the entire election ecosystem, issuing a letter asking appropriators to increase funding for the Election Assistance Commission.
“This proposed funding cut comes right before a presidential election and at a time when our intelligence officials continue to warn that our elections are under attack,” the letter reads. “Any further budget constraints could limit the EAC’s ability to fulfill its crucial mission, and without an increase in funds, the EAC will not be as effective as possible in its work with the Department of Homeland Security and state election officials to improve the security of our election systems.”
The funding battle shows that election tech companies may have no choice but to harden their systems on their own. The efforts already undertaken are indicative of what some believe is a genuine effort from companies like ES&S to recognize its prior faults and retool its efforts ahead of an election where it will be under the microscope like never before.
“They genuinely care about improving their security posture,” said ProCircular’s Warner. “It sounds a little fluffy but representative democracy is important to them and it shows in the work that we did together.”
Yet even with these efforts, there is only so much these companies can do from a technological standpoint. Another big issue in the wake of the 2016 election has been the push to embrace paper ballots and implement risk-limit auditing to elections as an added layer of security. Security experts have long said that the only way to truly verify an election’s integrity is through post-election audits — a task that is compounded when many of the vendors’ machines do not produce a paper ballot.
But no matter the issue, there are many more eyes on what the companies are doing.
“There is a very different threat vector for elections,” Dominion’s Stimson told CyberScoop. “Through DHS and through the collaborative efforts that have been happening, it’s provided a means for conversations to move ahead. Some are easier than others, obviously, but I think there has been progress on all fronts.”