The Complex Cybersecurity Landscape of U.S. Voting Systems: An In-Depth Analysis

The Complex Cybersecurity Landscape of U.S. Voting Systems: An In-Depth Analysis
Photo by Jon Tyson / Unsplash

The security of voting systems is a topic of critical importance in the U.S., especially as election integrity is fundamental to democracy. In recent years, a spotlight has been cast on vulnerabilities within the infrastructure of voting machines, especially those from major vendors such as Dominion Voting Systems, Election Systems & Software (ES&S), Hart InterCivic, and Smartmatic. This blog post explores the complexity of the cybersecurity landscape surrounding these voting systems, the challenges in securing them, and the implications for states and election officials in safeguarding democratic processes.

1. The Complex Landscape of Voting System Deployment Across States

One of the main complexities in securing U.S. elections is the decentralized nature of the voting infrastructure. Each state, and often each county, has the autonomy to choose its voting equipment and vendors. This means that a wide range of voting systems is in use across the country, from machines produced by Dominion Voting Systems, ES&S, and Hart InterCivic to systems like Smartmatic's Voting Solutions for All People (VSAP) in Los Angeles County. The diverse setup creates a patchwork landscape where different equipment, configurations, and security practices are in play.

For example, Dominion Voting Systems is used in 28 states, including many battleground states like Georgia, Michigan, and Arizona. Meanwhile, ES&S serves numerous jurisdictions, including large states like Texas and Florida. Hart InterCivic is prevalent in Texas and Oregon, while Smartmatic has a limited presence, notably in Los Angeles County. Each state, or even county, may have its unique combination of systems and configurations, complicating efforts to implement standardized security measures across the board​(CISA,CISA).

2. Recent Vulnerabilities and the Need for Robust Cybersecurity

The voting systems of these vendors have come under scrutiny due to several security vulnerabilities. Let's delve into some of the recent vulnerabilities discovered and the challenges they pose:

  • Dominion Voting Systems: ImageCast X Vulnerabilities (2022): The ImageCast X system, an in-person voting machine used by Dominion, was found to have multiple vulnerabilities. These include improper verification of cryptographic signatures, hidden functionalities that could allow attackers to gain elevated privileges, and a path traversal vulnerability that could enable arbitrary code execution. Such vulnerabilities highlight the risks of unauthorized access, data tampering, and potential election interference​(CISA,CISA,GitHub,GitHub).
  • Election Systems & Software (ES&S): ES&S machines, which are widely deployed in several states, have raised concerns over their use of wireless modems to transmit election results. While this practice helps streamline reporting, it could expose the system to man-in-the-middle (MITM) attacks, where attackers intercept or manipulate the transmitted data. Additionally, physical access to machines could allow attackers to exploit USB ports or outdated software to introduce malware​(CISA).
  • Hart InterCivic and Smartmatic: While there have been fewer public disclosures of specific vulnerabilities against Hart InterCivic or Smartmatic since 2020, these systems are not immune to security concerns. Hart InterCivic’s decision to partner with Microsoft to integrate ElectionGuard, an open-source software toolkit, is a step toward enhancing security. Meanwhile, Smartmatic's limited deployment in the U.S. means there have been fewer public tests or reports on its vulnerabilities compared to other vendors​(U.S. Election Assistance Commission).

3. The Multifaceted Approach Required to Secure Voting Systems

Securing voting systems against cyber threats is a complex task that requires a multi-layered approach. Here are several key facets involved in ensuring election security:

  • Software and Firmware Updates: Regular updates and patches are crucial for addressing newly discovered vulnerabilities. For example, after the discovery of vulnerabilities in Dominion’s ImageCast X systems, the Cybersecurity and Infrastructure Security Agency (CISA) recommended a range of mitigations, including applying software patches, maintaining a secure chain of custody, and enhancing physical security controls​(CISA,CISA).
  • Physical Security Controls: Many vulnerabilities can be mitigated with robust physical security measures. Ensuring that voting machines are stored securely, limiting access to authorized personnel, and using tamper-evident seals can reduce the risk of physical tampering. This is especially important given that many vulnerabilities, such as those affecting Dominion and ES&S machines, require physical access to be exploited​(CISA,U.S. Election Assistance Commission).
  • Audits and Verifiable Paper Trails: Implementing post-election audits and maintaining a verifiable paper trail are essential to detecting and correcting any discrepancies in vote tallies. Systems like VSAP, used in Los Angeles County, print a paper ballot that can be audited independently of the digital tally. This dual approach is critical for ensuring public confidence in the election results and providing a means to detect and respond to cyber threats​(U.S. Election Assistance Commission).
  • Encryption and Secure Transmission Protocols: Voting systems should use strong encryption and secure transmission protocols to protect data integrity during storage and transmission. Weaknesses in these areas could allow attackers to intercept or manipulate election data, compromising the election's overall security.
  • Coordination and Communication Among Stakeholders: Effective election security requires coordination between federal, state, and local agencies, as well as collaboration with vendors, security researchers, and independent auditors. Coordinated vulnerability disclosures (CVDs), as seen with Dominion’s ImageCast X, allow security flaws to be identified and addressed transparently and responsibly, enhancing overall security​(U.S. Election Assistance Commission).

4. Conclusion: Securing the Future of U.S. Elections

The landscape of U.S. voting systems is complex and challenging, with various devices and configurations spread across multiple jurisdictions. As demonstrated by the recent vulnerabilities discovered in major vendors' systems, securing these systems is not a one-size-fits-all solution. It requires a nuanced, multifaceted approach that includes rigorous cybersecurity practices, strong physical controls, continuous audits, and robust coordination among all stakeholders involved.

As the world continues to evolve technologically, so too must our approach to securing our democracy. By implementing a comprehensive and dynamic cybersecurity strategy, we can safeguard the integrity of our elections and ensure that every vote is accurately counted and protected from tampering.

Microsoft ElectionGuard

ElectionGuard is an open-source software toolkit developed by Microsoft that aims to enhance the security, transparency, and accessibility of electronic voting systems. It is designed to provide end-to-end verifiability, allowing voters and election officials to confirm that votes have been accurately counted while maintaining the secrecy of individual votes.

Key Features of ElectionGuard:

  1. End-to-End Verifiability: ElectionGuard enables end-to-end verifiability of elections, which means that voters can independently verify that their votes are correctly recorded and counted. This is accomplished through a combination of cryptographic techniques, including homomorphic encryption, which allows votes to be encrypted and tallied without decrypting individual votes.
  2. Cryptographic Proofs: The system uses cryptographic proofs to ensure that votes have been correctly counted and that no votes have been tampered with or modified. ElectionGuard generates a "tracker" for each voter, which can be used to verify that their vote was included in the final tally.
  3. Open-Source and Modular: ElectionGuard is open-source, allowing any interested party—such as election officials, developers, and security researchers—to review, modify, and implement the code. This transparency encourages public trust and enables continuous improvement of the system. It is also modular, meaning it can be integrated with existing voting systems to provide additional layers of security without replacing the entire system.
  4. Secure Voting Process: The software toolkit is designed to support various types of voting methods, including paper ballots, ballot marking devices, and remote voting. It offers the flexibility to be incorporated into different voting environments while maintaining a high security standard.

Microsoft’s Integration of ElectionGuard:

Hart InterCivic, one of the major U.S. voting system vendors, announced a partnership with Microsoft to integrate ElectionGuard into its voting systems. This collaboration aims to improve the security and transparency of the voting process by leveraging ElectionGuard's cryptographic techniques.

The integration of ElectionGuard into Hart InterCivic systems will allow the company to offer a secure and verifiable voting experience. Voters will be able to check that their votes were correctly counted without revealing their voting choices, while election officials will gain enhanced tools for auditing and verifying election results.

Benefits of ElectionGuard Integration:

  1. Improved Security: By implementing end-to-end verifiable systems, ElectionGuard reduces the risk of undetected tampering, hacking, or manipulation. Even if an attacker were to gain access to the voting system, they would not be able to alter votes without detection.
  2. Increased Transparency: The open-source nature of ElectionGuard allows for public scrutiny and auditing, building greater trust in the election results. Independent auditors can verify that the election process was conducted fairly and securely.
  3. Enhanced Accessibility: ElectionGuard is designed to be accessible for all voters, including those with disabilities. It supports a wide range of voting methods, which can be tailored to the needs of different jurisdictions and voters.

Future of ElectionGuard:

The development and adoption of ElectionGuard represent a significant step towards more secure and transparent elections. As the toolkit is further tested and integrated into more voting systems, it could help set new standards for election security and integrity worldwide.

For more detailed information, you can visit the ElectionGuard website or Microsoft’s ElectionGuard page.

Cloudflare Anthenian Project

Cloudflare has been actively involved in protecting U.S. election infrastructure through its Athenian Project, which provides free security services to state and local governments managing election-related websites. The project aims to secure voter registration websites, sites providing information on polling places, and platforms reporting election results. As of 2020, Cloudflare's Athenian Project was protecting 229 state and local government election websites across 28 states, and it continues to expand its services to more jurisdictions.

States Utilizing Cloudflare's Election Security Services

Several states and counties across the U.S. have deployed Cloudflare's services to safeguard their election infrastructure:

  1. Idaho: The Idaho Secretary of State joined the Athenian Project in 2018. Cloudflare’s tools have been instrumental in protecting Idaho's election websites, helping to block significant spikes in malicious traffic, such as a 100-fold increase in threat traffic during an attack targeting other state websites​(The Cloudflare Blog).
  2. Colorado: Officials in Colorado, including the Colorado Secretary of State’s office, have used Cloudflare to protect the state’s election infrastructure from DDoS attacks and unexpected traffic spikes. The Athenian Project has enabled them to maintain robust election security and performance, particularly during high-demand periods​(Connect, Protect and Build Everywhere).
  3. Alabama: The State of Alabama utilized Cloudflare’s services to protect its election website during its special general election for the U.S. Senate. The partnership ensured that the state’s website remained online and secure against increased traffic and potential cyberattacks during the election​(The Cloudflare Blog).
  4. South Carolina: Pickens County in South Carolina is another example where Cloudflare's Athenian Project helped maintain continuous uptime for the county's election website, particularly during critical election periods in 2018 and 2019​(The Cloudflare Blog).
  5. North Carolina: Rowan County, North Carolina, has also leveraged Cloudflare’s Athenian Project to handle significant increases in traffic during election seasons, helping to ensure their election sites remain secure and accessible​(Connect, Protect and Build Everywhere).

How Cloudflare Supports Election Security

The Athenian Project offers several critical security features, including:

  • Web Application Firewall (WAF): Protects against threats such as SQL injection attacks and cross-site scripting (XSS) by filtering and monitoring HTTP traffic between a web application and the Internet. Cloudflare's WAF uses both managed rulesets and custom firewall rules to mitigate various threats, ensuring that election websites can resist common attack vectors​(The Cloudflare Blog).
  • DDoS Protection: Shields websites from distributed denial-of-service (DDoS) attacks that could otherwise disrupt access to election information. This protection is crucial, especially during critical times like voter registration deadlines or election night when traffic spikes are common​(The Cloudflare Blog).
  • SSL/TLS Encryption: Simplifies the process of transitioning to HTTPS, which is vital for securing communications and data on election-related websites. Cloudflare provides dedicated, auto-renewed SSL certificates to participants, helping to encrypt data transmissions and protect voter information​(The Cloudflare Blog).

Conclusion: Strengthening Election Resilience

By providing these security services, Cloudflare helps state and local governments enhance the resilience of their election infrastructure. With the Athenian Project, states like Idaho, Colorado, Alabama, South Carolina, and North Carolina have improved their cybersecurity posture, protecting voter data and maintaining public trust in the electoral process. This support is essential in an era where the integrity of election systems is increasingly under threat from cyberattacks.

For more information about Cloudflare's Athenian Project and how it protects election websites, you can visit Cloudflare's Athenian Project page.

More Election Silicon Valley Partnerships:

In addition to Cloudflare and its Athenian Project, several other vendors and tools have been noted for their roles in protecting election infrastructure in the U.S. These companies and tools provide a range of cybersecurity services designed to safeguard voting systems, websites, voter registration databases, and other critical components of the election process.

1. Akamai Technologies

  • Akamai provides a comprehensive suite of security services, including DDoS protection, web application firewalls (WAF), and cloud security. Akamai's services are used to protect election websites, voter registration databases, and other public-facing election infrastructure from cyberattacks, such as DDoS attacks and web-based threats. Akamai’s global network helps mitigate large-scale attacks by distributing and absorbing traffic spikes across its servers.
  • Akamai's solutions have been employed by some U.S. states to enhance the reliability and availability of election websites during critical periods like voter registration deadlines and election days​(The Cloudflare Blog).

2. Amazon Web Services (AWS)

  • AWS offers several security services that can be leveraged to protect election systems. AWS Shield provides managed DDoS protection, while AWS WAF helps secure applications from web exploits. AWS also offers encryption services to protect data at rest and in transit, as well as logging and monitoring tools that can detect suspicious activities on election-related servers.
  • Several state and local governments use AWS for hosting election websites and services, ensuring scalability and security through AWS’s cloud infrastructure and its compliance with rigorous security standards​(The Cloudflare Blog).

3. Microsoft Defender and Azure Security Center

  • Microsoft offers multiple election security tools through its Defending Democracy Program, including Microsoft Defender for Cloud and Azure Security Center. These tools provide comprehensive security monitoring, advanced threat detection, and incident response capabilities. They help secure voting infrastructure, such as voter registration databases, by identifying and mitigating threats in real-time.
  • Microsoft has partnered with election officials and security agencies to protect election infrastructure from cyber threats. For example, its ElectionGuard initiative, which was integrated with Hart InterCivic voting systems, provides end-to-end verifiability of votes​(U.S. Election Assistance Commission).

4. Cybersecurity and Infrastructure Security Agency (CISA) Tools and Services

  • CISA, a part of the U.S. Department of Homeland Security, provides a range of tools and services to help state and local governments secure their election infrastructure. CISA offers technical support, vulnerability assessments, risk management, and incident response services. CISA also runs the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), which facilitates the sharing of threat intelligence among state and local election officials.
  • CISA’s efforts include deploying Albert sensors—specialized network monitoring devices—to detect and report malicious activity on state and local election networks​(The Cloudflare Blog).

5. CrowdStrike

  • CrowdStrike, a cybersecurity firm known for its threat detection and incident response capabilities, has provided support to election officials by monitoring for cyber threats and responding to incidents. CrowdStrike’s Falcon platform uses machine learning and behavioral analytics to detect potential threats in real-time.
  • CrowdStrike has partnered with several state governments and organizations to enhance election security, offering services to protect against both cyber espionage and cybercrime​(The Cloudflare Blog).

6. Palo Alto Networks

  • Palo Alto Networks offers a range of security tools, including Next-Generation Firewalls (NGFWs), Advanced Threat Protection, and endpoint detection and response (EDR) solutions. These tools can be used to protect election infrastructure by preventing unauthorized access, detecting malicious activity, and blocking sophisticated cyberattacks.
  • The company's Prisma Access provides secure remote access to election systems, while its Cortex XDR platform offers advanced detection and response capabilities to quickly identify and neutralize threats​(The Cloudflare Blog).

7. Google Project Shield

  • Google Project Shield is a free service that helps protect websites from DDoS attacks. It has been offered to election-related websites, including those run by state and local governments, to ensure they remain online and accessible during high-traffic periods, such as elections.
  • Google has partnered with multiple state governments to provide protection against DDoS attacks, particularly for smaller jurisdictions that might lack the resources to defend themselves against such attacks independently​(The Cloudflare Blog).

8. FireEye/Mandiant

  • FireEye (now part of Mandiant) provides cybersecurity solutions, including threat intelligence, managed detection and response (MDR), and incident response. FireEye has offered its expertise to election officials by helping them identify vulnerabilities, detect potential breaches, and respond to cyber incidents.
  • The company’s tools are used to monitor election systems for signs of attack, ensure compliance with best practices, and respond rapidly to any threats that arise​(The Cloudflare Blog).

9. Cloud-Based Security Solutions from Various Vendors

  • In addition to the above, several other cloud-based security solutions are being utilized to protect election infrastructure. These include services from companies like Symantec (Broadcom), Fortinet, and Zscaler, which provide firewall services, data encryption, secure web gateways, and other critical cybersecurity services​(The Cloudflare Blog).

Conclusion: A Multi-Vendor Approach to Election Security

The protection of U.S. elections relies on a multi-layered approach involving various vendors and tools. Each vendor brings different strengths, from cloud-based DDoS mitigation and web security to advanced threat detection and response. By combining these capabilities, election officials and security teams can better defend against the myriad of threats facing election infrastructure and maintain public trust in the democratic process.

For more information on how these tools and vendors help secure elections, visit the respective websites of the mentioned organizations or consult the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Further Reading and Resources:

By understanding the complexities and vulnerabilities inherent in our voting systems, we can better prepare to defend against cyber threats and maintain trust in our democratic processes.

Read more