Seemingly lost in the debate over Russian interference in 2016 is the fact that the Russians did infiltrate some of our most vulnerable systems. Reality Winner, formerly of the NSA, leaked a slide from the clandestine agency which was titled “Russia/Cybersecurity: Main Intelligence Directorate Cyber Actors, [REDACTED] Target U.S. Companies and Local U.S. Government Officials Using Voter Registration-Themed Emails, Spoof Election-Related Products and Services, Research Absentee Ballot Email Addresses; August to November 2016.”
We now know that at least 21 state systems were “probed” by Russian hackers, and the Russians gained access to at least one. However, our election system is wildly complex, and it includes a litany of private vendors servicing the public. Because capitalism, those private vendors are not subject to the same level of scrutiny as public resources are (and even that is incredibly lax), and that leaked NSA slide pointed the finger at VR Systems as one vendor who practiced poor cybersecurity and paid the price for it by being victimized by a phishing scheme. However, further reporting has proven that VR Systems is far from the only company struggling to keep up with our new reality.
Claire Malone covered this extremely serious problem at FiveThirtyEight in detail. Per Malone:
States have felt the heat for their sometimes poor cybersecurity practices, but private voting companies can also lag behind security industry standards. Recently, FiveThirtyEight learned that a webpage labeled “Client Web Portal” for Dominion Voting, one of the country’s leading manufacturers of voting machines, lacked basic SSL encryption, a standard security practice used to protect user credentials, passwords and other sensitive information. Vulnerabilities like that on a login page could lead to stolen passwords or the addition of malicious software or links to the site. When FiveThirtyEight reached out to Dominion to ask about the webpage, Kay Stimson, the company’s vice president for government affairs, said the page had been “identified for SSL encryption and other upgrades as part of a broader company initiative to enhance security protections for our online presence.”
Stimson couldn’t provide a specific timeline for the security enhancements, though she said the company was making improvements “as quickly as possible.” She said that Dominion’s chief security officer, Matt Horace, was running “both physical and cybersecurity functions for the company.” As of this publication, Dominion’s client web portal page that was flagged as being vulnerable appeared to be out of service.
The United States government is notorious for falling behind on technology. The VA’s endless backlog of paper records is a perfect example. Typically, technological concerns are waived away as unnecessary, asserting that government functioned just fine before the age of the internet, so those processes should still work today. A private company does not have the same luxury, and missing something as simple as SSL encryption is a gigantic red flag. The government has long proven that it will not lean on private firms to improve their technology, and so there is little (market) incentive for firms to improve their security, despite the fact that the integrity of our democracy literally depends on it. Election expert J. Alex Halderman highlighted the crux of the problem for FiveThirtyEight:
But Halderman also pointed out that private election companies are simply responding to the relatively unregulated marketplace in which they operate. “Somebody needs to produce and service election equipment, and the companies in this space simply respond to market and regulatory incentives. … The main problem is that our elections are largely administered by local governments, which have little to no cybersecurity expertise but are suddenly on the front lines of international conflict.”
Security is expensive in any form (although, SSL encryption is incredibly standard and it’s beyond alarming that Dominion Voting does not have it in place as of this writing). According to the rules of capitalism, unless something will make the business more money, there’s absolutely no reason to implement it. Because these companies tasked with aiding our elections are competing in a market where the only customer is the decrepit United States government, cybersecurity is not a priority—even in the wake of the biggest foreign attack on our elections in history. Let’s hope it doesn’t take another one for our government and its array of vendors to finally take their cyber-security responsibilities seriously.
Jacob Weindling is a staff writer for Paste politics. Follow him on Twitter at @Jakeweindling.