As the House and Senate continue to look into the wave of disinformation around the 2016 presidential election, concerns around the security of voting systems examine something even more germane to the U.S. democratic system.
In early October, Senate Intel Committee member and Oregon Senator Ron Wyden issued a letter to the nation’s six main voting machine makers calling on them to provide details on their security practices and assurances that they were taking voting integrity seriously moving forward.
Abiding by the October 31 deadline, voting machine makers Dominion Voting, Election Systems & Software (ES&S), Five Cedars Group, Hart InterCivic and Unisyn Voting Solutions have responded, though some of the details are far from reassuring.
Dominion Voting reports that it “is not aware of any incidents in which an attacker has gained unauthorized access to our internal systems, corporate data or customer data” nor has it been informed by the FBI or Homeland Security of any such intrusion.
Unisyn stated that it has undergone penetration testing by a third party four times in the last five years, and dealt with “a majority of the findings” since, but has not suffered any breaches during that time.
ES&S said that it had “zero knowledge” of any kind of intrusion pertaining to its voter registration software or tabulation equipment, a finding that it corroborated with DHS in a meeting following the critical infrastructure designation for election systems. “Senator, we also understand that your inquiry seeks to identify if our company was the target of known cyber attacks during the 2016 election cycle. In response to that question we have no indication that our internal infrastructure was compromised in any way,” the company added.
Dominion stated that it does not have a Chief Information Security Officer as a designated security point person, noting that “our Director of IT, EVP of Engineering and others currently lead our cybersecurity and risk mitigation efforts.” The company did not specify how many employees work solely on information security beyond stating that it has “many employees who play a role.” Unisyn stated that “the company’s IT Director and System Architect cooperate to fulfill the roles and duties equivalent to that of a [Chief Information Security Officer],” also declining to state how many employees are solely dedicated to information security.
Dominion dismissed a question around how the company handles unsolicited vulnerability reports, claiming that because that access is strictly limited, any unsolicited access would result in felony prosecution. Unisyn indicated that it keeps up with security issues affecting external software it uses, as in the case of Heartbleed, but it did not specify any process by which external security researchers could bring flaws to light.
In its letter, Hart InterCivic clarified that it does not provide voter registration systems as some of the other companies do, blaming the media for “creating confusion among readers” by conflating voter registration systems with voting machines. Hart InterCivic points to reports that only voter registration systems were compromised, and in the process makes light of potential threats to voting machines themselves. The company ignores most of Sen. Wyden’s questions and goes on to make the dubious claim that because state laws differ, heterogeneity in voting machine systems is a feature, not a bug, and the lack of uniform federal standards for these systems makes them safer.
In its letter, Oregon-based Five Cedars Group, a smaller company among industry giants, indicated that its technology does not face many of the concerns that the original letter brings up. “Because of the way the Oregon Secretary of State office designed the process back in 2007, at no time are ballots posted on a Five Cedars server,” the company writes. “We also never receive any voter registration data, marked ballots or any other document that would be of interest to a hacker.”
Oregon is unique in that the state uses a vote-by-mail system, and Five Cedars makes remote accessible vote-by-mail ballots for state residents with disabilities. Senator Wyden has been a vocal proponent of extending an Oregon-style vote-by-mail system nationwide, calling for legislation around vote by mail in 2016 and again with the Vote by Mail Act in 2017. Vote-by-mail systems are understood to both improve voter turnout significantly and to eliminate risks associated with decentralized polling stations, though at the moment broad bipartisan support for such a bill appears unlikely due to a partisan divide over issues like voter suppression and largely substantiated claims around voter fraud.
Sen. Wyden’s original questions appear below:
1. Does your company employ a Chief Information Security Officer? If yes, to whom do they directly report? If not, why not?
2. How many employees work solely on corporate or product information security?
3. In the last five years, how many times has your company utilized an outside cybersecurity firm to audit the security of your products and conduct penetration tests of your corporate information technology infrastructure?
4. Has your company addressed all of the issues discovered by these cybersecurity experts and implemented all of their recommendations? If not, why not?
5. Do you have a process in place to receive and respond to unsolicited vulnerability reports from cybersecurity researchers and other third parties? How many times in the past five years has your company received such reports?
6. Are you aware of any data breaches or other cybersecurity incidents in which an attacker gained unauthorized access to your internal systems, corporate data or customer data? If your company has suffered one or more data breaches or other cybersecurity incidents, have you reported these incidents to federal, state and local authorities? If not, why not?
7. Has your company implemented the best practices described in the National Institute of Standards and Technology (NIST) 2015 Voluntary Voting Systems Guidelines 1.1? If not, why not?
8. Has your firm implemented the best practices described in the NIST Cybersecurity Framework 1.0? If not, why not?
Featured Image: Joe Hall/Flickr under a CC BY 2.0 license (image has been modified)