Georgia Secretary of State Brian Kemp is often quoted as skeptical about the threat of web-based attacks on the State’s computerized voting systems. The Secretary makes many such pronouncements, but he also professes to know few details of the underlying technologies. I suspect that Kemp’s knowledge base concerning such matters will disappear completely with the recently announced firing of Merle King and the incident-prone Center for Election Systems at Kennesaw State University. It was King who famously introduced the (incorrect) idea that Georgia’s voting machines were “air-gapped,” a measure that–even if true–would have little impact on the end-to-end security of the elections system.
When it comes to election hacking, low tech is always cheaper and, in most cases, it is much better.
I have already previewed some of the main vulnerabilities here, here, and here, but will have a lot more to say in the next few days about high-tech vulnerabilities. I want to use today’s post to point out that no self-respecting spy/hacker would resort to such exotic measures without first trying much less risky (and far less expensive) ways of hacking an election.
The human element is always the first choice in espionage.
Human espionage is an ancient art; in fact, it has even been called the oldest profession. Unfortunately, espionage is still alive and well in today’s post-Cold War environment. If anything, it is even more rampant. Events in the news remind us of this, such as the recent arrests of two Lucent Technologies employees, and a catering employee of MasterCard International for the theft of trade secrets. Throughout history and in current times, efforts to identify indicators of espionage have been made. Unfortunately, these efforts have met with limited success. In every instance of espionage, the person involved had access to information. Understanding this, and the fact we have the ability to control access to computer file systems, is critical to protecting information.
I will give just one of many examples that Russian election hackers are certain to know well. The U.S. government spends hundreds of millions of dollars on encryption technology aimed at thwarting even the most well-funded adversaries. This is one of the oldest ideas in information and communications security. It dates from the British cracking of German Enigma codes in World War II. The idea behind encryption security is that there should be a concrete price for technology that can be used to crack a code. For the British, that price was the cost of mounting the deciphering unit at Bletchley Park.
For modern hackers, the price tag is the cost of building a deciphering supercomputer. Those costs have soared over the last 25 years. In the 1980s, a $20 million supercomputer would have been sufficient to hack into all but the most highly sophisticated encrypted communications. But it is an arms race, and today only national intelligence services and a few non-state actors are able to invest upwards of $500 million annually to reliably decrypt enemy communications.
One reason for this shift in strategy is that the most damaging breaches in history have been ridiculously easy to mount, and not all that expensive. Six million dollars would have done it. That was the total price tag for turning CIA intelligence officer Aldrich Ames ($2.5M), FBI agent Robert Hanssen ($1.4M), U.S. Navy communications officer John Anthony Walker ($1M), and intelligence analyst Jonathan Pollard (a bargain at $50,000), all of whom became spies for foreign powers. Edward Snowden and Chelsea Manning get thrown in for free.
I mention this point only because, among Logan Lamb’s and Chris Grayson’s discoveries when they stumbled into the unprotected servers at Kennesaw State, were files containing election day passwords. Brian Kemp claims the files were encrypted and password protected. Lamb and Grayson say no, and the directories that I have seen myself back up the Lamb and Grayson accounts.
Either Kemp knows this and is simply lying to the public, or (more likely than not) he is ill-informed about what was going on in the Kennesaw operation.
Either way, why would a Russian attacker go through the trouble of mounting a web-based attack on voting machines when Georgia’s election officials simply handed over the election day keys to voting systems?