The Curious Case of Georgia's Voting Machines (or How I Learned to Stop Worrying and Love Paper Ballots)
During August 2016, private cybersecurity researcher Logan Lamb discovered 15 gigabytes' worth of voter registration data and other sensitive information could be readily downloaded from the website of Kennesaw State University. [https://www.cnn.com/2018/08/14/polit...ta/index.html]
Following his discovery, Lamb emailed the executive director of KSU's election center, Merle King, to alert him about the vulnerability.
Internal emails show KSU's technology staff acknowledged the elections system had "40+ critical vulnerabilities" in October 2016.
When Lamb and a colleague checked the website more than six months after his original discovery, he says, the vulnerabilities remained. Lamb's colleague notified a KSU faculty member, who then alerted the university's technology services office, which finally firewalled the website in March 2017, according to the lawsuit and a KSU report filed in court.
A KSU statement in March 2017 stated that, based on a briefing by the FBI, there was no indication of illegal activity and no personal information was misused. The university said university employees "immediately isolated the server and contacted the Office of the Secretary of State" when its officials were notified in March.
Kemp called the breach "deeply concerning," and although he announced plans to end the arrangement with the center, his office renewed the KSU contract to manage the election system one last time in July 2017.
A letter from the state attorney's office sent in October revealed KSU staffers had wiped the election system's hard drives, deleting potential evidence relevant to the lawsuit.
Charles Amlaner, a former vice president for research at KSU who signed some of the university's contracts, said Kemp's office did not include data security specifications in its election-system contracts with KSU for years. He said he found that unusual because most other government contracts involving sensitive data he has reviewed have contained multiple pages outlining security requirements.
A review of two contracts by CNN found that only after the breach's exposure in 2017 was language inserted mandating that the center "implement data security policies that adhere to all current IT policies."
Kemp also blasted efforts by the Department of Homeland Security under the Obama administration to label states' voting systems "critical infrastructure" in 2016, which would enable the federal government to give states cybersecurity assistance. He has described the proposed designation as federal government overreach.
Richard DeMillo, a Georgia Tech professor who studies election security and computer science, said he is concerned by the absolute assurance with which Kemp talks about Georgia's election system's security because there's no evidence the state has conducted a forensic review of all its servers.
Worryingly, Georgia is one of 14 states that use electronic voting machines that do not leave a paper trail that can be audited after an election and is one of five states that exclusively use the machines. [https://www.npr.org/2018/09/12/64680...ting-machines]
Interestingly though, at a U.N. Security Council meeting in New York late August, Haley called on Congo to abandon its plan to use the machines for the first time in favor of paper ballots — what she called a "trusted, tested, transparent and easy-to-use voting method." And earlier this year, she said: "These elections must be held by paper ballots so there is no question by the Congolese people about the results. The U.S. has no appetite to support an electronic voting system." [https://www.washingtonpost.com/news/...6b47ec9594d2/]
Six prominent information-security experts who took part in DEF CON's Voting Village in Las Vegas [in September] issued a report on vulnerabilities they had discovered in voting equipment and related computer systems. One vulnerability they discovered—in a high-speed vote-tabulating system used to count votes for entire counties in 23 states—could allow an attacker to remotely hijack the system over a network and alter the vote count, changing results for large blocks of voters. "Hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election," the authors of the report warned.
[https://arstechnica.com/information-...oral-college/]
Georgia isn't the first state to have security problems with their election machines. The Advanced Voting Solutions WinVote machine used in Virginia, dubbed "America's worst voting machine," came equipped with this simple password even as it was used in some of the country's most important elections. AVS went out of business in 2007, but Virginia used its insecure machines until 2015 before dropping them for scrap metal. That means this vulnerable hunk of technology was used in three presidential elections, starting with George W. Bush's re-election in 2004 to Barack Obama's in 2012. [https://www.cnet.com/g00/news/defcon...ing-machines/]
What are your thoughts? Should election systems be considered critical infrastructure as proposed by President Obama in 2017 or is this federal overreach as mentioned by Kemp? Should we change systems to use only paper ballots?