Cyber Security

Cyber experts cite vulnerabilities in Washington, North Carolina voting security

Security gaps similar to, but much less porous than, those in Georgia’s voter registration system have been identified in Washington state, potentially providing bad actors ways to foul citizens’ eligibility to cast ballots in last week’s elections, cyber experts say.

And states such as North Carolina, which make their voter registration data widely available, could enable someone to change voters’ data by mail, they said.

Officials in both Washington and North Carolina expressed confidence they would spot any widespread tampering with voter registration records.

“Voters can rest assured that Washington’s election system is secure,” says the website of its secretary of state.

However, the cyber experts said Washington appears to have failed to plug all the holes after the U.S. Department of Homeland Security warned last year that Russian cyber operatives had downloaded voter records from Illinois’ database in advance of the 2016 presidential election and attempted to do so in 20 other states.

In “a small number of states,” the Russians “were in a position to” alter or delete voter registration information, the Senate Intelligence Committee said last May.

A National Academy of Sciences report on voting security earlier this year listed among its top recommendations the need for improved defenses to ensure the integrity of voter registration databases.

Illegally deleting or altering registration data could force a victimized voter to cast a provisional ballot. Whether the provisional ballot would count would hinge on a decision regarding the voter’s eligibility, as defined separately by each state.

In North Carolina, about 22,000 voters were offered provisional ballots this year, while the unofficial count in Georgia soared past 30,000. Washington officials did not provide this year’s total number of provisional ballots

The newly discovered security risks, in addition to long waits at some polling sites Tuesday due to equipment glitches and havoc that may have stemmed from voter registration irregularities, are sure to provide fresh fodder for watchdog groups. They want Congress to toughen defenses around Americans’ exercise of their most cherished democratic right.

Outside cyber experts this week were quick to identify lingering vulnerabilities in Georgia — and to a lesser extent, Washington, while expressing concern about North Carolina’s system providing for registration updates by mail. Officials in all three states said they subjected their software and equipment earlier this year to risk and vulnerability assessments by Homeland Security cyber technicians and got passing marks.

A Homeland Security spokesman referred a reporter to the states.

There may be no obvious clue to alert election officials when someone preys on the electronic systems, the experts said.

Georgia’s voter registration issues, the latest in a series of security vulnerabilities that heightened national attention on the state’s heated gubernatorial race, were first revealed days before the election by the investigative reporting web site WhoWhatWhy.org.

“The gaping vulnerability found in Georgia should be sending shock waves, not just in the Georgia secretary of state’s office, but in all the other states that are using the same technology,” said Susan Greenhalgh, policy director for the National Election Defense Coalition. “The vendor left a door wide open that allows an attacker, anywhere in the world, to execute a voter suppression operation using election technology.”

The vendor who installed Georgia’s computer programming has been identified as PCC Technologies, at the time a Connecticut-based firm. Cyber experts examined four states’ registration sites for McClatchy, including North Carolina and Washington, because PCC listed them along with Georgia among 15 states for whom it had performed work.

PCC recently was purchased by New Orleans-based GCR, Inc. GCR’s chief executive officer, Dan Cox, did not respond to phone messages.

Officials in both Washington and North Carolina said PCC did not program their voter registration databases, but the cyber experts said they still could see vulnerabilities.

They said hackers could get around authentication requirements in the voter registration system for Washington’s statewide vote-by-mail operation. If data were deleted, the affected voters would not be mailed ballots, creating significant challenges, especially if the voter failed to act before Election Day.

Beginning on Jan. 1, 2013, all voters were asked to provide one of the following types of Photo ID at their polling place.

In Georgia, computer code in online voter registration databases could have allowed a malicious party to electronically delete voters’ names or alter their addresses, as well as target a subset of voters based on their political leanings, the experts said.

Harri Hursti, a New York-based cyber expert who monitored Georgia’s election on Tuesday, said the design of its online registration system was acceptable 15 years ago. But today, he said, it would violate “every single manual” because it exposes “critical information” to any viewer.

“A high school student today would get an F if they made that kind of a project,” Hursti said in a phone interview.

Washington’s registration system is similar to Georgia’s, but has more protections, said Matthew Bernhard, a doctoral student in computer sciences at the University of Michigan.

After cyber experts pointed out vulnerabilities in Washington’s system several years ago, election officials added authentication requirements to prevent anyone from tampering with personal information on the secretary of state’s “MyVote” page without entering his driver’s license number or a state identification number and the date it was issued.

The state also added a step requiring the voter to select certain images to prove he is not a robot -- an improvement that Bernhard said should rule out an automated attack on the system.

Erich Ebel, a spokesman for Secretary of State Kim Wyman, said the the state has “a very robust election security protocol, both physical and electronic.”

“Our firewalls are state-of-the-art, and we have a number of other measures in place to identify, block and report suspicious activity,” he said.

Further, Wyman’s office has formed elections-security partnerships with Homeland Security, the FBI and other groups and agencies and is engaged in “a wide range of system testing, monitoring and detection,” Ebel said.

However, Bernhard and a prominent cyber expert who evaluated Washington’s security on condition of anonymity said there’s still a way for a bad actor to manipulate the system.

Driver’s licenses for residents of Washington and a number of other states are easily obtainable by using a tool on the web site Highprogrammer.com, which was created by computer geeks to show how easily systems can be breached.

Once armed with a driver’s license number and just one voter’s birth date, Bernhard said, it shouldn’t take many educated guesses to arrive at the license’s issue date. At that point it would be easy to download the entire voter registration database and obtain driver’s license numbers for large numbers of voters.

While guessing the issue dates of drivers’ licenses would take some time, Bernhard noted that “the kind of adversary we’re talking about is a nation state, where they have a roomful of people who could sit there and click through these messages to try to have a winning combination of data.”

In some election races, he said, “You wouldn’t have to change that many people’s voter registrations to have an effect on the election.”

Patrick Gannon, a spokesman for North Carolina’s elections board, said PCC worked only briefly for the state before its services were terminated. He said North Carolina government cyber technicians designed its online voter registration system.

Gannon acknowledged that a North Carolina law making widely available the state’s voter registration data, including personal information such as ages and addresses, could allow anyone to pluck names off the list, fill out a form and mail fake address changes to state or county officials.

Voters must sign mailed registration changes, and election officials are directed to ensure the signature on the updates matches the one on record, he said.

Such conduct is a felony, he said, and state officials have seen no signs of widespread fraud of this nature. If it occurred in large numbers, he said, “we believe that the county boards would notice and alert the state board, which would investigate.”

Georgia’s gubernatorial race drew national attention because of a stream of allegations that the Republican candidate, Brian Kemp, sought to suppress minority votes while continuing to serve as secretary of state and overseeing the election.

Among the problems spotlighted in Georgia: A security breach that could have allowed cyber intruders to tamper with the registration system and election management system over a six-month period in 2017 and early 2018, purges by state officials of more than a million names from the voter rolls, a freeze on some voters’ eligibility on grounds that the signatures on the initial record and updates didn’t match and the state’s use of aged electronic voting machines that lack a paper trail for use in audits or recounts.

Kemp, claimed a narrow victory over former state Rep. Stacey Abrams and on Thursday submitted to demands that he step down as secretary of state, saying he wanted to begin his transition to the governorship.

(CORRECTION: An earlier version of this story misstated the kinds of personal voter registration information that is made public in North Carolina. Ages and addresses of registered voters are made public.)

Greg Gordon: 202-383-6152, @greggordon2



  Comments