This Part is about possible technical attacks on the voting machines, with participation from either insiders or outsiders. This had a great deal of focus in the last election. A great many accusations were leveled against Dominion and its partners and subsidiaries.
Articles have been written that claim the voting machine software has built-in ways to cheat, including ways to manipulate votes as they are being tallied to proportionally reduce the number of votes for a candidate. Apparently, within the software, you can actually assign a “weight” to votes for different candidates such that Candidate A’s votes were only worth 80% of Candidate B’s votes in the final tally of the voting. I have not checked this personally, but I have faith in the sources of this information.
I can’t think of any legitimate reason for a feature like this to be in voting software.
Additionally, federal officials have claimed that voting machines are not connected to the internet. Turns out some have been.
Why are we leasing voting machines that even have the capability to connect to the internet? We already understand the risks.
And of course, who has access to these machines? Is there an audit trail of when features are turned off and on, or when it is connected to the internet or not?
No, of course not. Nobody gets caught because they are impossible to catch. All tracks of tampering with the machine are easily erased.
Besides this, unless you already know that cheating has occurred and the FBI brings in technicians, you must rely on the manufacturer (some have already accused either managers or technicians of being complicit, how hard would they be to recruit?) to look at the machine for tampering. And by the way, it is will be in the voting machine leasing contract that no one except company technicians are allowed to inspect the machines.
So here are the attacks and my evaluation.
Activate the software that cheats for you – These are apparently features designed for Venezuela and other countries with institutionalized cheating, and sources have said they are present in all of the machines. They are just supposed to be turned off. If the machine happens to be connected to the internet, then this can be attacked remotely. If not, then attacked locally by a technician or a technician impersonator. Effectiveness – medium for machines modified locally (harder to scale that way), high for machines on the internet. Risk – low. While the counts will be off in a recount, there is no auditing trail to ensure no attacks have been made on the machine. Technicians to turn features on or off are hardly noticed, professional attackers would never be caught.
Attack through the internet connection – Additionally, an insider could activate the wireless internet connection to the voting machine. This is illegal, but if done it would allow someone outside the facility to change the vote counts. Even if the cheating software is not turned on, it is reasonable to assume that legitimate processes can be corrupted or tampered with. Effectiveness – High, if you are professional, i.e are wise enough to make subtle changes and cover your tracks. Risk – close to zero, (again assuming you are a professional). The problem is the lack of auditing or chain of custody verification. Again the recounts will be off, but that apparently doesn’t matter, since judges have ruled to accept the count anyway.
Hack the information process, or the computers at the counting center – The police and courts generally talk about “chain of custody.” That means that data has to be stored, data has to travel and data has to be analyzed. At every step, the data must be verified and sworn to. The diagram below is from the Dominion Voting Machine Manual. You can see that they try to handle a boatload of functions and workflows within their “Democracy Suite.” Any professional worth his salt is going to find numerous opportunities to intercept, change, corrupt or otherwise influence the election within this complex system.
The combination of a professional data thief and an election official would make this nearly risk free. This level of manipulation could easily become undetectable since the voting counts could be changed to match the actual votes cast. Effectiveness – high in a local election, medium in state or national levels. Risk – Low. Caveat, since I have not examined this workflow, I cannot assess the risk with certainly. I am assuming any vulnerabilities can be found and exploited.
My conclusion is that hacking the machines as an outsider attacking online voting machines (and succeeding workflow) is serious, but attacks on the machines involving an insider are serious and undetectable. Again, never underestimate the power of an insider to screw you over.
In Part 4, I will talk about mitigation and prevention. Believe it or not, it is not that difficult. Any security outfit worth its salt can tell you how to do this. The police and local prosecutors are familiar with “chain of custody.”
So the final question is “How do we secure the most valuable right of a Democratic society?”
https://www.cnn.com/2019/09/26/politics/hackers-voting-machines/index.html