Voting machine security reports highlight ongoing fight

A long-awaited report on the cybersecurity vulnerabilities of election machines in Georgia was finally released alongside another report on Wednesday, but the two sides of a long-running dispute over the security of the state’s election machines can’t agree on what conclusions to draw.

The first report — by University of Michigan professor J. Alex Halderman and Auburn University assistant professor Drew Springall, who helped him — outlined several cybersecurity flaws, the most critical of which they say could be exploited by malicious hackers to change votes and alter election outcomes. Importantly, Halderman said there’s no evidence that the vulnerabilities have actually been used by malicious hackers to change votes or steal an election.

Another report by research nonprofit MITRE — which Dominion Voting Systems brought on to evaluate the Halderman report — downplayed the seriousness of the vulnerabilities, concluding that they were “operationally infeasible.”

The dueling reports emerge from a long-running court battle over Georgia voting equipment that began in 2017 and illustrates a years-long fight over election security.

A plaintiff in that case, the Coalition for Good Governance, got Halderman and Springall to evaluate Dominion’s ImageCast X Ballot Marking Devices. The two professors “discovered vulnerabilities in nearly every part of the system that is exposed to potential attackers,” in the words of Halderman.

Georgia officials have been touting MITRE’s report. They have insisted that the machines in question are secure and they say they will not update them until after the 2024 elections.

One authority that’s got no stake in the court battle, the Cybersecurity and Infrastructure Security Agency, said last year that the vulnerabilities Halderman and Springall found “present risks that should be mitigated as soon as possible.”

On Wednesday, CISA Executive Director Brandon Wales said in a statement: “Working closely with the security researchers, the voting system vendor, and election officials, CISA was able to responsibly disclose actionable mitigations addressing certain vulnerabilities, which affected versions of Dominion Voting Systems’ software used in ballot-marking devices deployed in several states. To date, we have no evidence that these vulnerabilities were exploited and no evidence that they affected any election results.”

The Election Assistance Commission also touted that it had certified fixes to the identified vulnerabilities. “Working alongside other federal partners, the need to quickly identify and respond to vulnerabilities to our voting systems is critical,” the four commissioners — Chairwoman Christy McCormick, Vice Chair Ben Hovland, Donald Palmer and Thomas Hicks — said in a statement.

Claim vs. claim

The 2021 report by Halderman and Springall had been sealed until Wednesday over security concerns. A federal judge last week allowed a redacted version of the report to be released.

The most severe vulnerability they found was a software flaw that would allow hackers to spread malware from machine to machine, via a county’s central election management system (EMS), according to Halderman.

“This attack is especially dangerous because it is scalable — a single intrusion to the EMS computer in a county office could affect equipment in polling places over a very wide area,” Halderman wrote in a blog post (emphasis his). “Attackers do not need access to each individual machine.”

Installing that malware would allow hackers to change votes without being detected, the report concluded.

Meanwhile, Georgia Secretary of State Brad Raffensperger (R) and Dominion both declared the MITRE report — with its opposite conclusions — vindicated them.

“The MITRE report confirms that Georgia’s election infrastructure is secured by the toughest safeguards,” Raffensperger said in a statement. “For years, election deniers have created a cottage industry of ever-shifting claims about conspiracies to change votes, steal elections, and undermine voter confidence. This report says it all: voting machines do not flip votes. Cast ballots are counted as the voter intended. Georgia elections are secure.”

“The MITRE report concluded that none of the alleged vulnerabilities listed in Plaintiff's Expert Report would allow a bad actor to change the outcome of an election, particularly given scale considerations,” reads a statement on Dominion’s website.

But according to Halderman, that logic is flawed. For one, MITRE didn’t have access to the Dominion voting equipment or software like he and Springall did.

MITRE’s report also makes a flawed assumption about insider access to voting equipment, according to Halderman.

MITRE said it “assumes strict and effective controlled access to Dominion election hardware and software.”

In 2021 in Coffee County, Ga., forensics experts working for lawyers allied with former president Donald Trump copied virtually every component of the Dominion equipment. (Georgia officials ultimately said they would replace the county’s voting equipment.)

A Coffee County official apparently described other physical security issues.

Access to equipment — like in Coffee County — is what’s needed to carry out the attack on the most severe vulnerability that Halderman described, he said.

What’s next

It would take tens of thousands of hours to update nearly 45,000 pieces of Georgia voting equipment, Raffensperger explained last year, and he wants jurisdictions to focus their energy on running elections through the 2024 election cycle. In the meantime, there will be pilots in Georgia to test the updates, he said.

“Election deniers and those with similar claims in the courts may want us to irresponsibly move faster to make this change,” Raffensperger said. “However, I have told our team we will move in a responsible, deliberate, and mature way that will put the needs of voters and our election workers first. I’m an engineer. To build a solid structure, you need a strong well laid foundation. That is what this plan does.”

But Halderman says that’s a bad approach. “Announcing this is worse than doing nothing at all, since it puts would-be adversaries on notice that the state will conduct the presidential election with this particular version of software with known vulnerabilities, giving them nearly 18 months to prepare and deploy attacks,” he said.

Still, no one who takes Halderman’s research seriously should jump to the conclusion that hackers have successfully compromised elections. Halderman said nothing in his findings provides anything like evidence that the 2020 election was “stolen.” It’s just that risks exist going forward, depending on how everyone reacts.

“We’re sorry to be the bearers of bad news when trust in elections is already low, but the public needs accurate information about election security,” Halderman said. “Whether our findings ultimately strengthen or weaken public trust will depend on how responsible officials respond.”

The keys

Russian hacking unit identified as key player in destructive malware attacks

The Russian group responsible for deploying the infamous WhisperGate malware that wiped Ukrainian government systems last year has been identified as an active and distinct unit within the Russian Main Intelligence Directorate (GRU), AJ Vicens reports for CyberScoop.

In a report out Wednesday, “Microsoft concludes that a group it is calling ‘Cadet Blizzard’ is behind a wave of attacks since February 2023 targeting not only Ukraine, but also NATO member states providing military assistance to Ukraine,” Vicens writes.

“WhisperGate masqueraded as ransomware. Once it was activated, and once the computer was turned off and on again, a fake ransom note appeared, warning that the user’s hard drive had been corrupted and demanding $10,000 via bitcoin to restore it,” our colleagues Ellen Nakashima and David L. Stern previously wrote.

The ransom note was a ruse because victims would not be given any way to recover files.

The activity is the first time newly distinct operations have been identified within GRU’s cyber operations, the report says, adding that its emergence “is a notable development in the Russian cyber threat landscape.”

The group has focused heavily on broader operations outside Ukraine, targeting governments, law enforcement units, nongovernmental organizations, tech service providers and emergency services since at least 2020.

The outcomes of some Cadet Blizzard operations “are extremely disruptive and are almost certainly intended to be public signals to their targets to achieve the larger objective of destruction, disruption, and possibly, intimidation,” Microsoft said.

FCC launches privacy and data protection task force

The Federal Communications Commission (FCC) on Wednesday launched a task force aimed at “rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors,” according to an agency announcement.

The Privacy and Data Protection task force led by Enforcement Bureau Chief Loyaan Egal will address current-day security challenges, including data breaches and supply chain vulnerabilities linked to communications equipment.

“Connection is no longer just convenient. It fuels every aspect of modern civic and commercial life. To address the security challenges of this reality head-on, we must protect consumers’ information, ensure data security, and require cyber vigilance from every participant in our communications networks,” agency chair Jessica Rosenworcel said.

The announcement marks an expansion of FCC scrutiny into communications privacy and security, areas that have often been led by agencies devoted to consumer protection and cyberdefense.

Cyber insurance premiums jumped 50 percent in 2022 amid increased ransomware attacks

U.S. cybersecurity insurance premiums skyrocketed 50 percent in 2022 as organizations demanded more financial coverage for ransomware attacks, Marnie Munoz reports for Bloomberg News.

Munoz writes: “Premiums collected from policies written by insurers reached $7.2 billion in 2022 and tripled in the past three years, ratings firm AM Best said in a study released this week.”

“Ultimately, the coverage provided to insureds may be decided by the risk appetite of the insurer, and to a certain extent, the coverage that reinsurers are willing to provide,” AM Best associate director Fred Eslami told Bloomberg.

Artificial intelligence systems and ransomware attacks that have amassed throughout 2023 will only increase demand for coverage, added AM Best senior industry analyst Christopher Graham.

AI is poised to be a boon for cybercriminals, our colleague Joseph Menn reported last month.

Cyber insurance has been a hotly debated topic in the cybersecurity world. While organizations seeking to shield their assets have increasingly turned to cyber insurance products, providers tend to include several carveouts in their policies.

A New Jersey appellate court in May rejected several insurance groups’ argument that pharma giant Merck suffered a cyberattack under warlike conditions, allowing the company to receive insurance payouts in connection to the 2017 NotPetya malware attack.

Global cyberspace

MeriTalk convenes a discussion on Zero Trust security frameworks at 1 p.m.

Former Undersecretary of Defense for Intelligence Michael Vickers speaks at a Center for Strategic and International Studies event on U.S. intelligence operations tomorrow at 12 p.m.

