There’s a lot at stake in the upcoming midterm elections. Control of both houses of Congress is realistically up for grabs, as are dozens of governorships across the country and thousands of state legislative seats from Alaska to Florida. So the security and integrity of American voting systems is an issue of paramount concern.
It’s into this environment that the Vice publication Motherboard reports that Election Systems & Software (ES&S), the nation’s leading manufacturer of voting machines, recently admitted to a prominent Democratic lawmaker that it installed remote access software on election-management systems for years.
What ES&S Admitted To
In a letter to Senator Ron Wyden (D-OR), ES&S acknowledged in April that it installed pcAnywhere – a popular piece of remote access software – on the election-management systems of, in ES&S’s words, “a small number of customers between 2000 and 2006.”
Remote access software allows the installer to gain access to a system remotely. This access allows administrators and technicians to conduct maintenance or troubleshoot a system from a distance – for example, there’s a good chance your personal computer has remote access software installed so that its manufacturer can fix any problems that might arise.
However, election-management systems and voting machines are supposed to be cut off from the internet (and from any machines connected to the internet) in order to keep them secure. ES&S systems with pcAnywhere installed also had modems, providing hackers or other security threats with a potential point of access.
This is troubling for multiple reasons. First, ES&S said in February that it had never installed remote access software on its systems. Second, pcAnywhere has a rather checkered security history: hackers stole the source code for pcAnywhere in 2006, and in 2012 a flaw in pcAnywhere was discovered that would allow hackers to seize control of a system with the software installed on it.
The Extent of the Problem
It’s important to understand that the pcAnywhere software was not installed on voting machines themselves – the terminals on which voters cast their ballots. Instead, ES&S was working with election-management systems, which are themselves incredibly vital – these systems are usually housed in county offices, tabulate results from multiple voting machines and even program those machines.
As such, it’s important that these systems are secure.
Frustratingly, ES&S passed up several opportunities to detail the extent of the problem. The company said it stopped installing the pcAnywhere software in 2007 in response to voting standards released by the Election Assistance Commission. But ES&S did not explain:
- What settings were used to secure communications
- What types of passwords were used to secure these systems
- Whether security audits had been conducted
- Which counties had the pcAnywhere software included
Furthermore, ES&S did not send a representative to answer election security questions at a hearing of the Senate Committee on Rules and Administration.
Why This Matters
Senator Wyden expressed concern at the revelations, telling Motherboard that the installation of the software was “the worst decision for security short of leaving ballot boxes on a Moscow street corner.”
When we picture a compromised election, we tend to imagine hackers outright changing vote totals or manipulating voting machines to record a vote for Candidate A as a ballot for Candidate B. But such a wild, conspiratorial scenario isn’t the only way an election can be tampered with. Special prosecutor Robert Mueller’s recent indictments of Russian intelligence officers documented these agents’ attempts to infiltrate the systems of companies that provide the hardware and software that support our entire election system.
Further, we have known for months that Russia successfully infiltrated voter rolls in multiple states.
Unfortunately, state-level responses to these breaches have varied widely, and many state officials have resisted attempts to document these security failures. Perhaps the most striking example of this dynamic occurred in Georgia, which has one of the most vulnerable election systems in the country. Mueller’s indictments stated that Russian intelligence officials probed county-level election websites in Georgia in 2016.
Secretary of State Brian Kemp refused assistance from the Department of Homeland Security before the 2016 election. And on July 24, he became the Republican Party’s candidate for governor in the 2018 election.