CNET’s Dan Patterson interviewed Cris Thomas, Space Rogue, global strategy lead at IBM X-Force Red, about the myths and realities of hacking election computers. The following is an edited transcript of the interview.
Campaign 2018: Election Hacking is a weekly series from TechRepublic sibling sites, CBS News & CNET, about the cyber-threats and vulnerabilities of the 2018 midterm election.
Dan Patterson: Cris Thomas, Space Rogue, you’re the global strategy lead for IBM’s X-Force Red. Today we’re talking about voting machines and election hacking. Cris, everyone has this fear, especially when we think about the computer components that make up a voting machine, that, whereas that is the primary vulnerability of elections and election security. Let’s bust some FUD, here. What are the myths versus realities of hacking election machines?
Cris Thomas: I mean, it’s a good point that you brought up, that they’re actually election computers. A lot of times people use election machines, when they’re really running Windows. They have USB ports. They’re actual computers. It’s something to keep in mind when you’re thinking and talking about this topic.
Some of the myths that we’re looking at are that, although voting computers, themselves, are very vulnerable, and have a number of vulnerabilities and are very susceptible to attacks, most of those attacks require physical access to the machine. You can’t attack them over the internet, because they’re not connected to the internet. The hacking of a voting computer is something that has been brought up again and again. It’s really, the risk is really small.
Dan Patterson: How many different types of voting systems exist? Or jurisdictions? If you were an attacker, how would you target each one of those systems?
Cris Thomas: Well, there’s over 9,000 different precincts across the country. That’s one of the benefits of our system, is the fact that it’s so distributed. It has a very large attack surface. That makes it a little bit more resilient than if it was just one system everywhere. That forces an attacker to then study and learn vulnerabilities in each different… not only the physical, but also the policies and procedures in place in that area. That makes it very difficult for an attacker to conduct a widespread attack against a voting election.
Dan Patterson: Walk me through what must happen to target one machine, instead of those 9,000? If I’m an attacker, a nefarious actor, and I’m determined to attack one machine, walk me through that attack.
Cris Thomas: Well, ideally, probably what would happen is that someone would get hold of one of those machines before election day. Buy it on eBay. Steal it. Buy it legitimately from the manufacturers, however you would go about getting that system.
Then, you would pull it apart. Research it. Try to figure out where the vulnerabilities are, and what attacks are valid against it. Then, on election day, or before election day, you would need physical access to that machine to carry out your attack. Then, hopefully, you may change a number of votes, however many votes go through that one machine. I volunteer as a poll worker in my precinct, locally in Pennsylvania. In my precinct we have 1,000 voters, maybe 500 of them show up. We have two machines. That’s 250 votes per machine. If I can attack one machine, I, at best, can only affect 250 votes. Then, there are usually checks and balances in place that would discover that there are 250 votes that have been changed. That would be caught before it was counted.
Dan Patterson: What I’m getting from you is that, maybe, hacking an election machine, or an election computer, voting machine, is maybe not the most efficient way to flip an entire election. What, then, would be the goal, the purpose, of targeting voting machines?
Cris Thomas: It’s important to remember that, while the voting computer, or voting machine, itself, may not be the actual target, we still need to secure these systems. That said, one of the goals of an attacker might be to cause fear and uncertainty and doubt, the FUD, as you mentioned earlier, to cause distrust in the system by the American public.
Dan Patterson: Who would want to do that?
Cris Thomas: Lots of people. I’m sure the United States has a number of enemies in the world, and lots of people, a number of different nations and states would like to cause chaos in our democracy. Who exactly is doing it is the subject of probably numerous intelligence agencies, not something I’m, specifically, an expert in.
Dan Patterson: Should we consider election machines, voting computers, critical infrastructure?
Cris Thomas: That’s a good question. One of the benefits, I think, of the fact that we have 9,000 different jurisdictions, is the fact that we have 9,000 different setups and systems and computers, and policies and procedures in place. This makes it very difficult for an attacker to learn all these different changes. If we nationalize the elections and consolidate into one or two or three different systems, that greatly reduces the attack surface, and gives an attacker that much more of an advantage. In addition, the Constitution says that elections are a responsibility of the states. If we nationalize these elections, we have to take that into account.