While most of the the country has been focused on the waning days of summer vacation, splash pads, swimming pools, and back-to-school sales, the eyes of the political world were focused on a tiny slice of Ohio this week in a hotly contested special Congressional election. That election went off without a hitch, but that’s just one race. How will the hundreds of midterm elections unfold two months from now?
For MSPs, though, politics aren’t the issue, it’s the security. While MSPs have traditionally focused on finance, education, healthcare, and a variety of other vertical industries, elections are still managed by a patchwork of security methods. Diversifying and changing technology has left an opening for MSPs to play a role in elections, especially on the local level where government technology resources tend to be the thinnest.
A Role for MSPs
For instance, Floyd County, Indiana, a rural, hardscrabble patch of countryside in the southern part of the state, relies on an MSP, RBM Consulting, to manage its elections. County officials estimate a savings of a $25,000 per election — not a small amount for such a small county — by farming out the management to RBM.
Including overseeing the security of the election process, RBM also handles the ballot printing, software coding, logic and accuracy testing support, and election day/post-election day support.
RBM oversees elections in similar small locales across the Midwest, something that election experts say can help fortify the process.
“There is a role for MSPs within local boards of election, city/county clerks offices, and the offices of the Secretaries of State,” Phil Stupak, a former Obama appointee at the Department of Homeland Security, tells Smarter MSP. Stupak also served as elections counsel to the U.S. House of Representatives and staff attorney to the New York City Board of Elections. MSPs, unconstrained by bureaucracy, can offer a more muscular approach to election security, according to Stupak.
“MSPs offer the same security justification of every other as-a-service vendor, which is far superior to the abilities of most local elections offices,” Stupak says.
“#MSPs offer the same #security justification of every other as-a-service vendor, which is far superior to the abilities of most local elections offices” @SmarterMSP
That is an idea echoed by Dan Wallach, a computer science professor and elections security expert at Rice University. Wallach testified before Congress in September 2016, warning the U.S. House Committee on Science, Space, and Technology that American election systems faced “credible cyberthreats.” His comments were prescient in light of later findings by U.S. intelligence that Russia did attempt to manipulate the U.S. election.
“Governments tend to move very slowly in their IT practices, driven in part by tight budgets and in part by resistance to change,” Wallach told Smarter MSP.
Still some cloud services like Google’s G-Suite are, Wallach says, finding their way into the sector.
“Voting systems — both the front-end devices that voters interact with and the back-end systems that manage voters, ballots, and the rest — have generally been engineered toward older ways of IT operations,” Wallach says, adding that every county generally runs its own IT shop, with dedicated computers running dedicated voting applications.
“Those computers aren’t ever supposed to be connected to the internet, to protect them against security attacks,” Wallach says. He points to a recent incident with one large vendor where remote access software was installed on voting machines for remote tech support, providing an internet opening for possible attack.
“Suffice to say that ‘cloud’ voting, in whatever fashion, is a long way away from being considered sufficiently secure, or of being certified, for operations in real elections,” Wallach says.
Hackability of U.S. Elections
While Ohio voters were casting their ballots this week, thousands of would-be hackers were heading to Las Vegas to attend this year’s DEF CON gathering. Last year, hackers at the event proved their prowess at hacking into electoral systems, and little has changed since then. The systems remain so easy to hack that Jake Braun, executive director of the University of Chicago Cyber Policy Initiative, called it child’s play .
“It’s just so easy to hack these websites we thought the grown-up hackers in the vote hacking village wouldn’t find it interesting,” Braun told The Register. So beginning on Friday, Aug. 10, teams in three age ranges, 8 to 11, 12 to 14, and 15 to 16, will be let loose on replica American government websites that report election results.
Stupak pointed to the DEF CON convention as a prime illustration of the “hackability of elections” in the United States. Stupak says that an MSP’s strongest role in elections is in the support structure.
“MSPs best serve these offices by handling security for systems that do not directly touch voters/ballots as those should (in theory) be kept entirely offline. MSPs are likely a far better method of securing local networks while leaving election machine security to security by design architecture,” Stupak says.
The best protection is to keep as many things offline and on paper as possible, but even that isn’t a guarantee of a secure election, Stupak says. Stupak uses the 2000 election as an example of an election that was pure paper not working properly. He says the more secure elections combine old-fashioned paper with digital redundancy.
“The benefit is that few, if any, mission-critical machines need to be online, and all should have a paper backup. Unfortunately, not all states have mandated a paper backup. Additionally, even if a machine shouldn’t be online doesn’t mean that it cannot be nor that it is invulnerable even if it is kept offline,” Stupak says.
The weaknesses in the current election system, according to Stupak, include:
- The removal of select voters from poll books precluding them from voting
- Non-paper backed machines improperly recording a vote
- A paper ballot counting machine rendering the incorrect final tally and not being checked by risk-based auditing
- A man-in-the-middle hack of the state and/or press vote total announcement to sow confusion as to who won the election.
The digitization of democracy has left a wide attack surface with clear vulnerabilities. If the trend toward online solutions continue, then MSPs will have more and more opportunities to offer their expertise to safeguard democracy.