The political instability that has resulted from Russian meddling in the 2016 US presidential elections has put the focus on voting machines as a national security vulnerability, Douglas Lute, a former US permanent representative to NATO, said at the Atlantic Council on October 10.
“I don’t think I’ve seen a more severe threat to American national security than the election hacking experience of 2016,” said Lute. There is a “fundamental democratic connection between the individual voter and the democratic outcome” of an election, he said, adding: “If you can undermine that, you don’t need to attack America with planes and ships. You can attack democracy from the inside.”
Russian President Vladimir Putin “added to the political gridlock in Washington today, all at very low cost to him,” said Lute. “In military terms, this is the classic definition of a threat.”
According to Lute, “the technical vulnerabilities… raise this to a national security issue.”
There is evidence that, exploiting the outdated technologies and institutional loopholes in the US voting process, Russia intervened in the 2016 US presidential election on behalf of one candidate. The investigation into the extent of that intervention and possible collusion between the Kremlin and the administration of US President Donald J. Trump is ongoing.
“The forensics will come out,” said Lute, but the damage has been done.
“Russia learned a lot from a series of probing attacks in 2016,” he said, adding: “They were somewhat surprised by how out of date and how vulnerable the technology is.” Lute claimed that this raises the chances of a future attack. According to Lute, the threat is also heightened by the fact that “others watched. If Russia can attack our elections, so can others.”
“For these reasons,” he said, “the security of the US election process should be a top national security issue.”
Lute delivered a keynote address at the Atlantic Council to call for a sense of urgency among policymakers and all stakeholders able to play a role in the solution to insecure voting machines. He also highlighted the findings presented in the DEF CON Report on Cyber Vulnerabilities in US Election Equipment, Databases, and Infrastructure, launched at the Council, which help to shed light on the technological dimensions of this national security threat. Ultimately, as Lute writes in the foreword, “this report makes one key point: our voting systems are not secure.”
According to Lute, the threat to US democracy is not a distant one, “because Putin has already demonstrated he can do this.”
“We would never accept this level of vulnerability in any other national security system,” Lute insisted, calling for US lawmakers to take steps to remedy the situation. “This can’t be about party politics,” he said.
Lute presented an action plan, to be executed by both the hacker community and the diplomatic national security community, which will lay out a road map for securing voting machines. This group, the Center for Internet Security convening group, will, within the next two months according to Lute, draft a set of best practices for electoral cyber security, educate the US Congress on the issues, and facilitate their implementation.
“With these experts assembled, we pretty much know what we have to do and we have got to get that set of best practices… out to where the rubber meets the road,” said Lute.
A number of the experts who will be involved in the process joined Lute at the Atlantic Council. Harri Hursti, founding partner at Nordic Innovation Labs and one of the organizers of the DEF CON Voting Village; Jeff Moss, founder of DEF CON and a nonresident senior fellow in the Atlantic Council’s Cyber Statecraft Initiative; Sherri Ramsay, senior adviser to the chief executive officer at CyberPoint International; and John Gilligan, chairman of the board at the Center for Internet Security, participated in a panel discussion to elaborate on the technical vulnerabilities which have escalated to a national security threat. They furthered this idea by presenting lessons learned from DEF CON’s 2017 Voting Village, a convention designed to allow hackers to test the vulnerabilities in the US voting system.
According to Hursti, the greatest takeaway from the Voting Village was the demonstrated vulnerabilities of the outdated technology used to safeguard US democracy. “Every voting machine we have is hackable,” he said, and participants at DEF CON swiftly proved his point, hacking and manipulating machines within minutes. Hursti described how attempts to raise the alarm on the vulnerabilities of voting machines were frequently met with the rebuttal that hacking may be possible, but it takes time, and too much to pose a real threat. However, he said, it has been demonstrated that this is not the case.
The discourse around vulnerable voting machines is not new in the hacker community, said Moss. “What’s new is the attention on [voting machines] and the importance they now play in our democracy,” he said. “This isn’t going away, it’s only going to accelerate,” Moss cautioned.
He described how DEF CON’s report and Voting Village are initial steps taken “in trying to change the narrative” around the issue. “Ballot boxes were only recently classified as critical infrastructure,” Moss said, adding that policymakers should “pay as much attention to the ballot box as to the bullet box.”
The inherent vulnerabilities in outdated technologies are exacerbated by the fundamentally insecure supply chain and chain of custody involved in creating voting machines, said Ramsay. If nefarious actors aim to attack US democracy, their more focused target is the voting machines themselves, she said.
Voting machines are no more than hardware powered by software, said Ramsay, and susceptible to manipulation by any individual involved in their manufacture.
While nation states have attempted to manipulate elections for years, according to Ramsay, criminals, terrorist groups, and other nefarious actors also have the technical capability and financial resources to execute such an attack on democratic processes. When it comes to the voting machines themselves, “the supply chain is a great infection vector for them to do that,” said Ramsay.
She described how anyone targeting US voting machines “could manipulate an insider involved in the manufacturing process,” forcing them to produce the software for voting machines with malware implanted from the outset of the process. From there, infected systems would make their way to the United States.
“Through a handful of simple attacks to manufacturers not in the United States, the Russians could hack the US elections without ever leaving the Kremlin,” said Braun. For this reason, Moss called for a full review of the entire system involved in producing a voting machine, a test which has never taken place.
Such a full review, which could potentially be conducted as part of DEF CON 2018, would help to shed light on the scope of the issue and, according to the panelists, further educate policymakers on the need to address this national security threat, and soon.
Rachel Ansley is an editorial assistant at the Atlantic Council.