Election integrity depends on security-challenged firms

It was the kind of security lapse giving election officials nightmares. In 2017, a private contractor left data on Chicago's 1.8 million registered voters -- including addresses, birth dates and partial Social Security numbers -- publicly exposed for months on an Amazon cloud server.

Later, at a tense hearing , Chicago's Board of Elections dressed down the top three executives of Election Systems & Software, the nation's dominant supplier of election equipment and services.

The three shifted uneasily on folding chairs as board members grilled them about what went wrong. ES&S CEO Tom Burt apologized and repeatedly stressed there was no evidence hackers downloaded the data.

The Chicago lapse provided a rare moment of public accountability for the closely held businesses serving as front-line guardians of U.S. election security.

A trio of companies -- ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver; and Hart InterCivic of Austin, Texas -- sell and service more than 90 percent of the machinery on which votes are cast and results tabulated. Experts say they have long skimped on security in favor of convenience, making it more difficult to detect intrusions such as occurred in Russia's 2016 election meddling.

The businesses also face no significant federal oversight and operate under a shroud of financial and operational secrecy despite their pivotal role underpinning American democracy.

In much of the nation, especially where tech expertise and budgets are thin, the companies effectively run elections either directly or through subcontractors.

"They cobble things together as well as they can," University of Connecticut election-technology expert Alexander Schwartzman said of the industry leaders. Building truly secure systems would likely make them unprofitable, he said.

The costs of inadequate security can be high. Left unmentioned at the Chicago hearing: The exposed data cache included roughly a dozen encrypted passwords for ES&S employee accounts. In a worst-case scenario, a sophisticated attacker could have used them to infiltrate company systems, said Chris Vickery of the security firm Upgard, which discovered the data lapse.

"This is the type of stuff that leads to a complete compromise," he said. ES&S said the passwords were only used to access the company's Amazon cloud account and "there was no unauthorized access to any data or systems at any time."

All three of the top vendors declined to discuss their finances and insist security concerns are overblown. ES&S, for instance, said in an email "any assertions about resistance to input on security are simply untrue" and argued for decades the company has "been successful in protecting the voting process."

Many voting systems in use today across the more than 10,000 U.S. election jurisdictions are prone to security problems. Academic computer scientists began hacking them with ease more than a decade ago, and not much has changed.

Hackers could theoretically wreak havoc at multiple stages of the election process. They could alter or erase lists of registered voters to sow confusion, secretly introduce software to flip votes, scramble tabulation systems or knock results-reporting sites offline.

There's no evidence any of this has happened, at least not yet.

The vendors say there's no indication hackers have penetrated any of their systems. But authorities acknowledge some election mischief or malware booby traps may have gone unnoticed.

On July 13, U.S. special counsel Robert Mueller indicted 12 Russian military intelligence operatives for, among other things, infiltrating state and local election systems. Senior U.S. intelligence officials say the Kremlin is well-positioned to rattle confidence in the integrity of elections during this year's midterms, should it choose to.

Election vendors have long resisted open-ended vulnerability testing by independent, ethical hackers -- a process identifying weaknesses an adversary could exploit. Such testing is now standard for the Pentagon and major banks.

While the top vendors claim to have stepped up their cybersecurity game, experts are skeptical.

In an April 2014 meeting with Colorado elections officials, ES&S objected to a new state requirement for vulnerability testing because it didn't allow for the results to be kept secret, Colorado Deputy Secretary of State Suzanne Staiert said in an interview. She said the company ultimately didn't seek certification because the system it was offering didn't meet state requirements.

ES&S did not directly respond to a query about this incident. A company spokeswoman said a review of company correspondence found no sign it resisted the testing requirement, although it did "ask clarifying questions."

"The industry continues to stonewall the problem," said Bruce McConnell, a Department of Homeland cybersecurity czar during the Obama administration. Election-vendor executives routinely issue assurances, he said, but don't encourage outsiders to inspect their code or offer "bug bounties" to researchers to seek out flaws in their software.

Sen. Ron Wyden, an Oregon Democrat, has long criticized what he calls the industry's "severe underinvestment in cybersecurity." At a July hearing, he accused the companies of "ducking, bobbing and weaving" on a series of basic security questions he'd asked them.

ES&S told The Associated Press it allows independent, open-ended testing of its corporate systems as well as its products. But the company would not name the testers and declined to provide documentation of the testing or its results.

Dominion's vice president of government affairs, Kay Stimson, said her company has also had independent third parties probe its systems but would not name them or share details. Hart InterCivic, the No. 3 vendor, said it has done the same using the Canadian cybersecurity firm Bulletproof, but would not discuss the results.

ES&S hired its first chief information security officer in April. None of the big three vendors would say how many cybersecurity experts they employ. Stimson said "employee confidentiality and security protections outweigh any potential disclosure."

Experts say they might take the industry's security assurances more seriously if not for the abundant evidence of sloppy software development, a major source of vulnerabilities.

During this year's primary elections, ES&S technology stumbled on several fronts.

In Los Angeles County, more than 118,000 names were left off printed voter rolls. A subsequent outside audit blamed sloppy system integration by an ES&S subsidiary during a database merge.

No such audit was done in Kansas' most populous county after a different sort of error in newly installed ES&S systems delayed the vote count by 13 hours as data uploading from thumb drives crawled.

University of Iowa computer scientist Douglas Jones said both incidents reveal mediocre programming and insufficient pre-election testing. And voting equipment vendors have never seemed security conscious "in any phase of their design," he said.

For instance, industry leader ES&S sells vote-tabulation systems equipped with cellular modems, a feature experts say sophisticated hackers could exploit to tamper with vote counts. A few states ban such wireless connections; in Alabama, the state had to force ES&S to remove them from machines ordered for one of its counties earlier this year.

"It seemed like there was a lot more emphasis about how cool the machines could be than there was actual evidence that they were secure," said John Bennett, the Alabama secretary of state's deputy chief of staff.

California conducts some of the most rigorous scrutiny of voting systems in the U.S. and has repeatedly found chronic problems with the most popular voting systems. Last year, a state security contractor found multiple vulnerabilities in ES&S's Electionware system that could, for instance, allow an intruder to erase all recorded votes at the close of voting.