Do the Russians have the Voting Machines Source Codes?

On February 28th, the Senate asks what NSA and Cyber Command are doing about Russian election interference. Admiral Rogers’s answer, in brief, is that his organizations lack the authorities to do much (that he can openly discuss, that is).

US senator grills CEO over the myth of the hacker-proof voting machine
Nation’s biggest voting machine maker reportedly relies on remote-access software.

WASHINGTON (Reuters) – Two Democratic senators on Wednesday asked major vendors of U.S. voting equipment whether they have allowed Russian entities to scrutinize their software, saying the practice could allow Moscow to hack into American elections infrastructure.

The letter from Senators Amy Klobuchar and Jeanne Shaheen followed a series of Reuters reports saying that several major global technology providers have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government.

The senators requested that the three largest election equipment vendors – Election Systems & Software, Dominion Voting Systems and Hart Intercivic – answer whether they have shared source code, or inner workings, or other sensitive data about their technology with any Russian entity.

They also asked whether any software on those companies’ products had been shared with Russia and for the vendors to explain what steps they have taken to improve the security of those products against cyber threats to the election.

The vendors could not immediately be reached for comment. It was not immediately clear whether any of the vendors had made sales in Russia, where votes are submitted via written ballots and usually counted by hand.

“According to voting machine testing and certification from the Election Assistance Commission, most voting machines contain software from firms which were alleged to have shared their source code with Russian entities,” the senators wrote. “We are deeply concerned that such reviews may have presented an opportunity for Russian intelligence agents looking to attack or hack the United States’ elections infrastructure.”

U.S. voters in November will go to the polls in midterm elections, which American intelligence officials have warned could be targeted by Russia or others seeking to disrupt the process.

There is intense scrutiny of the security of U.S. election systems after a 2016 presidential race in which Russia interfered, according to American intelligence agencies, to try to help Donald Trump win with presidency. Trump in the past has been publicly skeptical about Russian election meddling, and Russia has denied the allegations.

Twenty-one states experienced probing of their systems by Russian hackers during the 2016 election, according to U.S. officials.

Though a small number of networks were compromised, voting machines were not directly affected and there remains no evidence any vote was altered, according to U.S. officials and security experts.

Related reading:

Top intel official says US hasn’t deterred Russian meddling (Fifth Domain) “I believe that President (Vladimir) Putin has clearly come to the conclusion that there’s little price to pay and that therefore, ‘I can continue this activity,‘” Adm. Mike Rogers, director of both the U.S. Cyber Command and the National Security Agency, told Congress.

Senators: Cyber Command should disrupt Russian influence campaigns (Fifth Domain) Senators pressed Cyber Command on how they can use their national mission force to combat Russian cyber intrusions.

Rogers: CyberCom lacks authority, resources to defend all of cyberspace (FCW) The outgoing NSA and U.S. Cyber Command chief told lawmakers CyberCom is not sitting on its hands when it comes to potential Russian cyber interference, but it lacks the authority to do more absent additional presidential direction.

NSA: Trump’s Lukewarm Response on Russia Will Embolden Putin (Infosecurity Magazine) NSA: Trump’s Lukewarm Response on Russia Will Embolden Putin. Expect more election interference, Cyber Command boss warns

Decoding NSA director Mike Rogers’ comments on countering Russian cyberattacks (Washington Examiner) It’s not as simple as ‘I’m not authorized to do anything.’

*** Footnotes:

Electronic Systems and Software:

1. In 2014, ES&S claimed that “in the past decade alone,” it had installed more than 260,000 voting systems, more than 15,000 electronic poll books, provided services to more than 75,000 elections. The company has installed statewide voting systems in Alabama, Arkansas, Georgia, Idaho, Iowa, Maine, Maryland, Minnesota, Mississippi, Montana, Nebraska, New Mexico, North Carolina, North Dakota, Rhode Island, South Carolina, South Dakota, and West Virginia. ES&S claims a U.S. market share of more than 60 percent in customer voting system installations.

The company maintains 10 facilities in the United States, two field offices in Canada (Pickering, Ontario; and Vancouver, British Columbia) and a warehouse in Jackson, Mississippi.

2. Dominion Voting Systems is a global provider of end-to-end election tabulation solutions and services. The company’s international headquarters are in Toronto, Canada, and its U.S. headquarters are in Denver, Colorado. Dominion Voting also maintains a number of additional offices and facilities in the U.S. and Europe.

Dominion’s technology is currently used in 33 U.S. states, including more than 2,000 customer jurisdictions. The company also has 100+ municipal customers in Canada.

3. Hart InterCivic Inc. is a privately held United States company that provides elections, and print solutions to jurisdictions nationwide. While headquartered in Austin, Texas, Hart products are used by hundreds of jurisdictions nationwide, including counties in Texas, the entire states of Hawaii and Oklahoma, half of Washington and Colorado, and certain counties in Ohio, California, Idaho, Illinois, Indiana, Kentucky, Oregon, Pennsylvania, and Virginia.

Hart entered the elections industry in 1912, printing ballots for Texas counties. (Side note: As Republican and Democratic state legislators hustle to pass a law moving Georgia toward paper ballot voting technology, election integrity advocates said they’re concerned a bill that already cleared the state Senate could lead to a new vulnerability in Georgia’s next voting system, if it becomes law.

One way a new system might work is through a touchscreen computer similar to those currently used in Georgia. It would print a paper ballot with a visual representation of a voter’s choices so they themselves can check for accuracy.

In some systems, counting the votes means scanning an entire image of the ballot that may include a timestamp and precinct information.

In other systems, barcodes or QR codes on a ballot would correspond with the voter’s choices, which can make counting easier and faster for election officials, said Peter Lichtenheld, vice president of operations with Hart Intercivic, one of several election technology companies that hired lobbyists at the statehouse this year.)

*** The text of the letter to the three vendors is below:

The full text of the senators’ letter is below:

Dear Mr. Braithwaite, Mr. Burt, and Mr. Poulos:

Recent reports of U.S. IT and software companies submitting to source code reviews in order to access foreign markets have raised concern in Congress given the sensitivity of the information requested by countries like China and the Russian Federation. As such, we write to inquire about the security of the voting machines you manufacture and whether your company has been asked to share the source code or other sensitive or proprietary details associated with your voting machines with the Russian Federation.

The U.S. intelligence community has confirmed that Russia interfered with the 2016 presidential elections. As a part of a multi-pronged effort, Russian actors attempted to hack a U.S. voting software company and at least 21 states’ election systems. According to the Chicago Board of Elections, information on thousands of American voters was exposed after an attack on their voter registration system.

Foreign access to critical source code information and sensitive data continues to be an often overlooked vulnerability. The U.S. government and Congress have recently taken steps to address some cyber vulnerabilities, including by banning the use Kaspersky Lab, a Moscow-based cybersecurity firm that has maintained a relationship with Russia’s military and intelligence sectors, from all U.S. government computers. Now, we must also ensure the security of our voting machines and associated software.

Recent reports indicate that U.S. based firms operating on U.S. government platforms gave Russian authorities access to their software. In order to sell their software within Russia, these companies allowed Russian authorities to review their source code for flaws that could be exploited. While some companies maintain this practice is necessary to find defects in software code, experts have warned that it could jeopardize the security of U.S. government computers if these reviews are conducted by hostile actors or nations. U.S. tech companies, the Pentagon, former U.S. security officials, and a former U.S. Department of Commerce official with knowledge of the source code review process have expressed concerns with this practice.

In addition, Russia’s requests for source code reviews have increased. According to eight current and former U.S. officials, four company executives, three U.S. trade attorneys, and Russian regulatory documents, between 1996 and 2013 Russia conducted reviews for 13 technology products from Western companies, but has conducted 28 such reviews in the past three years alone.

As the three largest election equipment vendors, your companies provide voting machines and software used by ninety-two percent of the eligible voting population in the U.S. According to voting machine testing and certification from the Election Assistance Commission, most voting machines contain software from firms which were alleged to have shared their source code with Russian entities. We are deeply concerned that such reviews may have presented an opportunity for Russian intelligence agents looking to attack or hack the United States’ elections infrastructure.  Further, if such vulnerabilities are not quickly examined and mitigated, future elections will also remain vulnerable to attack.

In order to help the security and integrity of our systems and to understand the scope of any potential access points into our elections infrastructure, we respectfully request answers to the following questions:

  1. Have you shared your source code or any other sensitive data related to your voting machines or other products with any Russian entity?
  2. To your knowledge, has any of the software that runs on your products been shared with any Russian entity?
  3. What steps have you taken or will you take in order to upgrade existing technologies in light of the increased threat against our elections?

The 2018 election season is upon us. Primaries have already begun and time is of the essence to ensure any security vulnerabilities are addressed before 2018 and 2020.

Thank you for your attention to this matter, and we look forward to working with you to secure our elections.

Sincerely,

 

Posted in China, Citizens Duty, Cyber War, Department of Homeland Security, DOJ, DC and inside the Beltway, FBI, NSA Spying, Presidential campaign, Russia, The Denise Simon Experience, Trump Administration, Votes voting, Whistleblower.

Denise Simon