Election Security Comes Down to Outdated Software
http://www.itbusinessedge.com/blogs/data-security/election-security-comes-down-to-outdated-software.html
Sue Marquette Poremba | Data Security | Posted 29 Aug, 2016
In the spring, I reached out to the last five presidential campaigns standing to ask why cybersecurity wasn’t a top priority in any speeches or policies. I got no response. I wasn’t too surprised by that, considering there hadn’t been any big cybersecurity news – well, nothing that would appear to affect the political landscape. That’s changed, of course, with the hacks into the DNC and the Clinton campaign. Now the FBI is warning that election systems are in jeopardy after election board websites in two states were hacked. As Wired described it: In its warning sent to state-level election boards, the FBI described an attack on at least one of those two election websites as using a technique called SQL injection. It’s a common trick, which works by entering code into an entry field on a website that’s only meant to receive data inputs, triggering commands on the site’s backend and sometimes giving the attacker unintended access to the site’s server. It’s not just a cyberattack that we need to be alert for. A Politico story showed exactly how easy it can be to physically hack elections, as well. A Princeton professor bought a voting machine used in a number of states, and within minutes, he was able to replace a few chips and added his own firmware to the machine that would allow the ballots to be manipulated. Someone with malicious intent, access to the location where machines are stored, and a little cyber-know-how could redirect the course of history. The problem with our voting system is very similar to the cybersecurity problem in many businesses today: The software is outdated and vulnerable. In a white paper released by the Institute for Critical Infrastructure Technology called “Hacking Elections is Easy! Part One: Tactics, Techniques, and Procedures,” the authors showed why voting systems are so vulnerable to an attack: Many electronic voting systems have not been patched for almost a decade because officials falsely believe that an airgap equates to security. In 2016, 43 states relied on voting machines that were at least 10 years old and that relied on antiquated proprietary operating systems such as Windows CE, Windows XP, Windows 2000, Linux, and others. Vulnerabilities for these operating systems are widely available for free download on Deepnet. Alternately, some GUI based script kiddies tools can automatically scan for Windows XP and Windows 2000 and exploit known vulnerabilities to deliver malicious payloads. Even if the officials did their due diligence and practiced moderate cyber-hygiene, Microsoft has not released a patch for Windows CE since 2013 or Windows XP since 2014. It sounds a lot like many of the problems that plague the Internet of Things, and businesses aren’t confident about addressing those security risks. Unfortunately, we tend to think about election cybersecurity every four years, during a presidential campaign, despite the fact that elections are conducted at least twice a year in most states, with primaries and general elections. Those of us who think about cybersecurity all the time know the ramifications that poor security efforts can have on a business and consumers. We don’t want poor cybersecurity to dictate the election results, so the question becomes, how do we make cybersecurity a point of discussion and what can be done to work on a fix? We have a little more than two months to figure it out.