Hacking Risk Prompts Police Escort for Electronic Votes - WhoWhatWhy Hacking Risk Prompts Police Escort for Electronic Votes - WhoWhatWhy

Fulton County, police, voting, memory card
Fulton County, Georgia, police to deliver memory cards with votes to a central location on Election Day. Photo credit: Adapted by WhoWhatWhy from Dave Conner / Flickr (CC BY 2.0) and KSU Center for Election Systems (PDF).

After cybersecurity concerns were raised during a recent federal court hearing on the state’s election system, Georgia’s largest county has announced it will no longer transmit voting results through phone lines. Instead, it will rely on police escorts to deliver “secure bags” of memory cards containing stored votes to a central counting location.

Fulton County, like the rest of the state, has been plagued by computer security concerns and other problems with its electronic voting system. The new policy appears to address at least one of those concerns. But county election officials are dismissing the move as window-dressing.

Related: Federal Judge Rules ‘No’ on Paper Ballots in Georgia

In August, election integrity groups sued Georgia election officials, asking the courts to replace current electronic voting systems with paper ballots. The groups — Georgians for Verified Voting and the Coalition for Good Governance — charged that computer failures and cybersecurity vulnerabilities were depriving millions of Georgians of the right to vote.

The issue at stake in the lawsuit against Secretary of State Brian Kemp, who is now the Republican candidate for governor, was whether or not Georgia’s voting machines are vulnerable to cyberattacks — including, in the case of Fulton County, the state’s population center, through phone lines.

Related: Voting Machine Company Admits Installing Vulnerable Remote-Access Software

Computer experts testifying in the lawsuit — and speaking and writing in the public arena — have long asserted that the use of phone lines to transmit vote results is one of many ways elections carried out without a paper trail can be exploited by increasingly sophisticated hackers.

“An employee reported that occasionally the phone lines leading into the tabulation server receive telemarketing calls.”

District Court Judge Amy Totenberg seemed to agree with the computer experts when she ruled in September that officials “had buried their heads in the sand” about cybersecurity in general, including a “host of serious security vulnerabilities permitted by their outdated software and system operations.” (Totenberg, however, did not require the use of paper ballots for the November elections, given the lack of time for the state’s 159 counties to make such a change.)

But Fulton County’s head of elections, Richard Barron, said he believes the state suggested the new policy of using police to transport votes to give the appearance that something is being done to address the problems with the state’s voting system, and insisted that there was nothing wrong with using the modems.

“Our IT department said the most secure part of the whole process is probably analog phone lines,” Barron told WhoWhatWhy on Thursday, minutes after announcing the move at the last meeting of the county’s Board of Registration and Elections before the November 6 midterms.

“This was done for appearances” at the request of Kemp, he added.

Barron’s testimony during the September hearing about cybersecurity made a similar point.

During that hearing, Barron was asked by an attorney for the plaintiffs, “Do you honestly not understand that hackers can get into the GEMS server through the phone modem?”

The GEMS, or General Election Management System server, is used for preparing paper and electronic ballots, counting votes, and making summaries of vote totals. “That is extraordinarily difficult to do,” replied Barron.

But computer experts disagree. “Phone calls are not unconnected to the Internet; the hacking of phone calls is easy (police departments with Stingray devices do it all the time) … [and] your calls go over parts of the Internet,” wrote Andrew Appel, computer science professor at Princeton University, in a blog on the subject.

One reason for plaintiffs’ concerns in the case was computer researcher Logan Lamb’s demonstration in August 2016 that he could gain access to the records of 6.7 million Georgia voters, as well as passwords for election supervisors and information about running elections.

Lamb sat in the front row of the courtroom when Barron gave his testimony.

“In my opinion, it’s not accurate,” Lamb said of the notion that analog phone lines are secure.

“They should not be using phone lines to communicate election results … [and] using armed officers is a safe way of ensuring chain of custody. It eliminates an entire route of possible attack.”

A colleague of his had expressed concern about the county’s use of phone lines to transmit vote tallies in an affidavit from the same lawsuit.

“In Fulton County,” Matt Bernhard, researcher at the University of Michigan, wrote, “votes are transmitted on election night from annexes via modem, meaning that all ballots from the annexes are sent unencrypted to the tabulation server.” What’s more, he noted, “an employee reported that occasionally the phone lines leading into the tabulation server receive telemarketing calls.”

“Given the vulnerabilities present in the machine,” he concluded, “any malware resident on these machines could very efficiently change election results.”

Five Cop Cars at Each Collection Center

.

Fulton County’s dramatic new plan involves stationing five cars with law enforcement personnel at each of five collection centers and delivering memory cards with votes to the Fulton County Election Center, where votes are tabulated every 15 minutes, starting at 8:00 pm.

Four of five Board of Registration and Elections members were present for the announcement. The same number of members of the public sat in the audience and, apart from WhoWhatWhy, only a local TV news station was present, which highlights how little attention is being paid to the crucial issue of election security.

Board member Vernetta Keith Nuriddin asked Barron about the cost of using law enforcement to move the memory cards instead of uploading them through phone lines, as well as how the change would affect the county’s ability to finish counting votes in a timely manner.

The county is 75 miles wide, and it is unclear how long it will take the cars to deliver the votes, and for the county to tabulate final results, Barron replied.   

But none of the board members asked if the new plan would actually enhance security. In a phone call following the announcement, Nuriddin said she had no comment on the issue. The secretary of state’s office did not respond to requests for comment.

Kemp’s office had urged the change, Bannon insisted during the meeting: “I gathered from conversations with Chris Harvey [state Elections Director] that it was better not to use modems.”

The county official later added in an email to WhoWhatWhy, “Even though it is secure to use analog modems … he [Harvey] was concerned about the optics.”


Author

Comments are closed.