American voting machines are full of foreign-made hardware and software, including from China, and a top group of hackers and national security officials says that means they could have been infiltrated last year and into the future.
DEFCON, the world’s largest hacker conference, will release its findings on Tuesday, months after hosting a July demonstration in which hackers quickly broke into 25 different types of voting machines.
The report, to be unveiled at an event at the Atlantic Council, comes as the investigation continues by four Hill committees, plus Justice Department special counsel Robert Mueller, into Russian meddling in the 2016 elections, on top of the firm intelligence community assessments of interference.
Though the report offers no proof of an attack last year, experts involved with it say they’re sure it is possible—and probable—and that the chances of a bigger attack in the future are high.
“From a technological point of view, this is something that is clearly doable,” said Sherri Ramsay, the former director of the federal Central Security Service Threat Operations Center, which handles cyber threats for the military and the National Security Agency. “For us to turn a blind eye to this, I think that would be very irresponsible on our part.”
Often, voting machine companies argue that their supply chain is secure or that the parts are American-made or that the number of different and disconnected officials administering elections would make a widespread hack impossible. The companies also regularly say that since many machines are not connected to the internet, hackers’ ability to get in is limited.
But at the DEFCON event in Las Vegas, hackers took over voting machines, remotely and exposed personal information in voter files and more.
Las Vegas was a timed event to prove a point. But the hackers say that taking the machines apart in the months since has exposed deeper vulnerabilities. Parts and programs that could easily be embedded with malware and sleeper commands are being incorporated from all over the world, from suppliers and shippers without clear security measures.
That easily opens the possibility that a country with large resources and a long-term view—like Russia—could get access.
It sounds like science fiction, or at least “Ocean’s 11,” but cybersecurity experts are frantically waving their hands, trying to get Americans to see that in foreign capitals, the American voting system just looks like easy opportunity.
Ramsay, who’s been talking with DEFCON about the report but isn’t a formal advisor, pointed out the U.S. is exposed well beyond voting machines, with the same “supply chain” issue creating risks to the electrical grid, the banking system and beyond. She pointed to the Ukrainian power grid’s being shut down twice in the last two years, which researchers have said looks like either Russia flexing its muscle against a rival country, or worse, practicing for a larger American attack.
Security experts and some lawmakers investigating Russia’s digital meddling in the 2016 election have called on voting machine vendors to offer up their code outside for inspection, but the firms have resisted.
The DEFCON report findings are especially compelling in light of the Department of Homeland Security’s recent notification to 21 states last month of Russian attempts to intervene in the 2016 elections.
“We can now definitively say that the Russians could hack our entire elections, remotely, all at once,” said Jake Braun, a former DHS official who’s now the CEO of Cambridge Global Advisors.
Some measures to combat these issues would be complicated, like changing the entire manufacturing process for the machines, and discarding any that have ever been connected to the internet or lack an audit process. Some are as basic as changing a password —the report states that one machine “was found to have an unchangeable, universal default password – found with a simple Google search – of ‘admin’ and ‘abcde.’”
Though President Donald Trump has repeatedly dismissed talk of election hacking attempts, concerns are mounting that Russia and others are already moving to the next incursion.
“What really concerns me is having suffered these probing attacks last year, we may be in for an even more sophisticated, more potentially effective assault next time around—and oh, by the way, others were watching,” said Ambassador Doug Lute, a retired Army lieutenant general who served as the permanent representative to NATO from 2013-2017.
Lute wrote the introduction to the DEFCON report, and said that from watching Russian President Vladimir Putin in action, he is anxious about what looks likely to come based on what he’s already seen, and feels like alarms should be ringing about voting in the 2018 midterms.
“It felt eerily familiar to Russian military tactics,” Lute said. “And it felt very uncomfortable in terms of how little time we have.”
This article originally appeared in Politico, October 9, 2017.