Russians Are Targeting Private Election Companies, Too -- And States Aren't Doing Much About It

The American election system is a textbook example of federalism at work. States administer elections, and the federal government doesn’t have much say in how they do it. While this decentralized system has its benefits, it also means that there’s no across-the-board standard for election system cybersecurity practices. This lack of standardization has become all the more apparent over the past two years: Hackers probed 21 state systems during the lead-up to the 2016 election and gained access to one. But the federal government and states don’t appear to have made great strides to ensure that this doesn’t happen again. To do so, they’d need to deal with not only their own cybersecurity deficits but also those of the private companies that help states administer elections.

Voting machine manufacturers and the makers of election software and electronic poll books (which are lists of eligible voters) are crucially intertwined with state election systems. All states, to some extent or another, rely on these private companies for election products. But despite the central role these companies play, state regulations of them are relatively lax. That’s a problem, especially at a time when these companies are, along with state governments, targets of foreign agents of chaos.

The recent indictment of Russian military intelligence officers as part of special counsel Robert Mueller’s investigation aligned with previous reports that VR Systems, a company that provides electronic poll books and voter registration management systems to eight states, had been hacked via a phishing scheme aimed at compromising employee login credentials. The compromise of VR Systems allowed the hackers to create convincing emails for phishing attacks, this time on state election officials who used the company’s products. Many state officials appeared not to learn of the compromise until news reports about it last summer. Emails obtained by The Intercept reveal that state officials who use VR Systems responded to the breach by seeking guidance from the Department of Homeland Security.

States have felt the heat for their sometimes poor cybersecurity practices, but private voting companies can also lag behind security industry standards. Recently, FiveThirtyEight learned that a webpage labeled “Client Web Portal” for Dominion Voting, one of the country’s leading manufacturers of voting machines, lacked basic SSL encryption, a standard security practice used to protect user credentials, passwords and other sensitive information. Vulnerabilities like that on a login page could lead to stolen passwords or the addition of malicious software or links to the site. When FiveThirtyEight reached out to Dominion to ask about the webpage, Kay Stimson, the company’s vice president for government affairs, said the page had been “identified for SSL encryption and other upgrades as part of a broader company initiative to enhance security protections for our online presence.”

https://fivethirtyeight.com/features/russians-are-targeting-private-election-companies-too-and-states-arent-doing-much-about-it/