© 2017 The Texas Lawbook.

By Michael Titens of Thompson & Knight
(Nov. 16) – “Kenya Supreme Court Nullifies Presidential Election.”
That was the headline from Nairobi, Kenya, in September. Despite reports from U.S. and European observers that the election itself was conducted properly, the opposition cited irregularities in the vote counting and reporting process. The opposition also alleged that the election results were hacked and manipulated.
Things are not so severe in the U.S., but hackers have been active here, too. An earlier article looked at various cyberthreats to the integrity of our presidential election, including voting machine vulnerabilities and hacks of voter registry data. Here are some updates.
Voting Machines
Experts correctly point out that voting machines are rarely connected to the Internet and that our decentralized and diverse voting system inhibits any efforts to alter election results. However, vulnerabilities still exist.
Organizers of this summer’s DefCon hacking conference in Las Vegas purchased used voting machines on eBay and set up a “Voting Village” where hackers could try to hack the machines. Within hours – and in some cases just a few minutes – every machine was hacked. One machine still had voter information on more than 600,000 Tennessee voters. Ideally, decommissioned voting machines should be wiped clean of all data before being sold.
These exploits do not prove that election results can be changed, but they do emphasize the importance of taking protective measures. At a Congressional hearing in June, experts recommended that outdated machines be retired, that data stored on machines be encrypted and protected, and that states use voting machines that produce a paper trail for verification.
Of course, cybersecurity experts made these same recommendations in 2016 and pointed out that vote tallying and reporting functions are also susceptible to attack. According to a Minneapolis Star Tribune report, the federal government shut down the experts’ push for last-minute changes before the 2016 presidential election. Let’s hope more is done before the 2018 midterm elections.
Voter Information
Voter registries and related databases are attractive targets for hackers. They contain not only names, addresses and birth dates, but often voting history and party affiliation for millions of citizens. Safeguarding that information continues to be a challenge.
According to a report on Gizmodo.com, “a leading U.S. supplier of voting machines confirmed… that it had exposed the personal information of more than 1.8 million Illinois residents,” including driver’s license numbers and partial Social Security numbers. Apparently, the information was in a cloud-based database that was publicly available, no password required. The FBI is investigating whether anyone may have accessed and downloaded the information while it was available.
That incident is dwarfed by the database left exposed by Deep Root Analytics, a marketing firm that provides services to the Republican National Committee. The exposed database contains information on 198 million U.S. citizens, including addresses, birth dates and phone numbers, along with other information regarding voter preferences on a variety of issues. The database was exposed for nearly two weeks before the vendor set up a password and took other protective action.
Should we be alarmed by these incidents and others like them? While we know that personal information was left unprotected, we don’t know whether anyone accessed it. Also, much of the information was already publicly available.
So perhaps the most alarming aspect of these incidents is that sophisticated entities failed to take the most rudimentary steps to protect personal information they knew to be valuable. Designing hack-proof systems is hard; ensuring that data is encrypted and password protected is not.
To avoid an outcome like the one in Kenya, election authorities should redouble their efforts to implement more secure voter information, voting, vote counting and vote reporting systems for every election.