The Insecurity Of America's Old And Underfunded Voting Systems
TERRY GROSS, HOST:
This is FRESH AIR. I'm Terry Gross. I want you to think back to the computer you had 10 years ago. It's a long time in computer years, right? That old computer would be pretty out-of-date now. Well, consider America's voting infrastructure. Most of the electronic touch screens and optical scan voting systems are more than 10 years old. They're too old to download the latest security patches. Our election system was already hacked by Russia.
My guest Kim Zetter has been writing about our voting system's vulnerabilities since 2003, in the aftermath of the contested Bush v. Gore election. Last month, before the special election in Georgia between Democrat Jon Ossoff and Republican Karen Handel, Zetter wrote a long article in Politico about critical security problems in Georgia's election systems, which are representative of the larger problem. She's a former reporter for Wired and wrote the 2014 book "Countdown To Zero Day: Stuxnet And The Launch Of The World's First Digital Weapon."
Kim Zetter, welcome to FRESH AIR. You know, there's so much news to keep straight. So help us out here, if you will, and just sum up what we know about what was hacked by Russia in our voting system - in our election system.
KIM ZETTER: All we have right now are, you know, a few published reports that have coming out of intelligence agencies and news outlets. And those focus right now, not on the voting systems where the votes are cast or tallied but on voter registration systems, or, essentially, the servers that store voter registration databases and also, in one case in Florida, with a company that creates voting registration software and interacts with election officials.
And so what we know is that - from reports - is that hackers somehow connected to Russian intelligence accessed or probed those kinds of systems in 39 states. Now when we say probe, what we mean is that they are looking for - and sometimes it can be simply an automated scan, and they're looking for any kind of vulnerability in the server to see if they actually can get into it.
And that doesn't mean that they actually breached those. We know from one of the hearings on Capitol Hill that there were actually only two states where they breached the networks and looked like they were making attempts to either delete data or change data.
GROSS: So this could be laying the groundwork for a future attack.
ZETTER: Sure. And it - and in some cases, it can be a jumping off point to getting further into more critical systems. I'll just address, first of all, what you can do by getting into the voter registration databases. You could delete voters' records, or you could alter them in some way that creates problems for voters when they go to the polls that disenfranchises them. Maybe it indicates that they should be voting at a different polling place, and so they end up running around in the morning, from polling place to polling place, trying to find their correct polling place. Or officials tell them you're not registered.
So a lot of things can cause delays and backups and chaos. But sometimes these voter registration systems are connected to systems that are used to program the voting machines. Now, this shouldn't be the case. And in many cases, election officials will assure us publicly that that's not the case.
But security is very difficult to get right. And security is not - is sort of the enemy of efficiency. If you want to do things efficient, security is sort of against that because it requires you to take all of these extra precautions. And so quite often, you'll find that systems that should be separated aren't always securely separated.
GROSS: Now, you've emphasized that we know what we know largely through reporters uncovering it and through leaks that the reporters receive. Do you think that American citizens should know exactly what's going on with our voting and election system?
ZETTER: Yes. And I think that - I mean, you know, not just the public but election officials right now are in the dark as well. Those 39 states that were probed, you know, not all of that information has been disclosed specifically to the ones who were targeted there.
And I think that in some cases, you know, election officials don't have security clearances. So if there is more significant information that the intelligence agencies have, election officials right now aren't - and even secretaries of states, who are considered the top election official in most states - they don't have the clearances to actually get more information.
GROSS: Let's talk about some of the things you've added to our knowledge of what's gone wrong with our election system. You reported on Georgia's election system before the special election last month. And it was discovered inadvertently by someone named Logan Lamb, a cybersecurity expert, that there were problems in the electronic election system. Can you explain what he uncovered and how he did it?
ZETTER: Yeah. So this was entirely random. Logan got curious about - when the news reports came out in August that there had been some probes against voter registration databases, Logan got curious about the voting systems themselves. And he decided to approach some election officials in Georgia to see if he could actually get his hands on a machine. And he was told that there was an election center at Kennesaw State University in Atlanta that oversaw elections and voting machines in state.
So before he contacted them, he just decided to check out their website and see what all, you know, what are all of their functions? And in doing that, he discovered some files that he felt he shouldn't be able to access. And that included what looked like county-level files that were related to elections in 2016.
So he decided to write a random script, a program, to basically scrape the website and see exactly what was on there and what was available to him. And he did that during his lunch hour. He wrote the script, set it operating and went out to lunch. And when he came back, he discovered that it had downloaded about 15 gigabytes of data, a humongous amount of data, for every county in the state.
And that included the entire voter registration - voter roll for the state - for all of the nearly 6 million voters in the state. It also included some files that looked like they were database files from the voting system that would essentially include the tallies. It included a file that gave - it was in clear text; it wasn't encrypted - that listed passwords and usernames that election officials should use to sign into a central server on Election Day.
So there was a lot there that clearly shouldn't have been there, and he discovered that it had been configured incorrectly so that he could actually - it was supposed to be password-protected, but he could actually bypass - or his script bypassed any kind of password protection.
And he also discovered that the software used on the server had a 2-year-old security vulnerability that had been uncovered in 2014. It's actually a pretty severe vulnerability in that software, and a patch had been released almost immediately. And there were warnings at the time, back in 2014, that anyone who was using this Drupal software should update with the patch immediately. Or they should be - they should assume that they had already been hacked.
GROSS: So hackers could have gotten in as easily as Logan Lamb did. And they could have done a lot of damage.
ZETTER: They could have gotten, essentially, into the center systems, yes. Whether or not they could have actually gone into the software that's used on the voting machines and manipulated votes in some way, there's still some questions about that. And I don't think that Georgia has been very transparent about exactly the entire setup of how that server is configured.
GROSS: Have any changes been made since this was discovered?
ZETTER: Well, Georgia officials announced last week that they will be discontinuing the contract with the Center for Election Systems. They're renewing the contract for another year. And over the course of this next year, the secretary of state's office is working on moving that functionality that the center previously managed - moving that into the secretary of state's office. That, of course, creates new concerns because the secretary of state in Georgia is running for governor next year.
And so if you have a single voting system used throughout the estate, and the secretary of state's office - that governor candidate - his office is responsible for programming all of those machines, you need special assurances for voters that, within that secretary of state's office, those voting machines can't be manipulated to favor the outcome of either this secretary of state or any other candidate or secretary of state that might run for office in the future.
GROSS: Wow. So do you think that what happened in Georgia and the problems Georgia has had with its election system is representative of larger problems in the U.S.?
ZETTER: It is. The - you know, the specific circumstances in Georgia don't necessarily replicate elsewhere. Georgia is, you know, the only state that is using, statewide, these paperless, touch-screen voting machines made by Diebold. And it is the only state that I'm aware of that actually has some kind of outside university like this programming all of the state's machines.
There are other states, of course, that have different setups that are equally concerning. Many states will use sort of third-party companies - not a university, like in this case but a third-party company - that helps them program the machines, helps them set up and maintain machines. And so that's a concern as well, when you have, you know, not election officials themselves managing the machines and managing the election and managing the programming of those machines, but you have a third-party company that itself could be vulnerable to hacking in the way that Kennesaw State University's was.
GROSS: So one of the problems that we're facing, in terms of voting, is that 42 states - I think I have that number right - now use systems that are at least a decade old. The software is outdated. Microsoft no longer supports the software with security updates. So that - I mean, that's a really long time. It's so - and it - those systems are really out of date.
ZETTER: Yeah, and most of us replace our machines, right? We - at least every five years or so, if not sooner. You know, your laptop gets out of date pretty quickly - desktop system, as well. And so if you can imagine hardware that dates back to 2002 or earlier, and software. In the case of Georgia, the software that is currently on those voting systems is - was last certified in 2005.
And, of course, a lot of vulnerabilities have been uncovered in that software since then, as well. And so you can assume that this is sort of the state in a lot of different counties and jurisdictions across the country.
GROSS: And in terms of the technology being outdated, it's not just the system's technology. It's the actual voting machines we're talking about too this time around, right?
ZETTER: Yes, and also, the - many of these machines were certified years ago. And they were tested and certified under a voting system standard that didn't have security requirements in it. Now, as I point out in Georgia, those systems, that software and that hardware was certified under standards the last time in 2005.
Well, those standards have since been updated in 2015. But those standards - the new standards that actually have more security in them - only apply to new machines that would be purchased. So that doesn't apply, as you point out, to those 42 states that have equipment that's 10 years old. Those are still certified under standards that never had security in them.
GROSS: You know, elections are considered a state issue, not a federal issue. So every state has its own system. They can buy their own machinery. It could be run by different kinds of officials. So if you look at the big picture, like, who runs the elections in America?
ZETTER: Oh, this is a great question. And I think it's a question that - I think the answer is something that most Americans aren't aware of, and that is, it really depends on the jurisdiction where you are. In some cases, it is an elected official that is running the election, and doing the election management and actually doing the programming of the voting machines.
In quite a lot of cases, though, and in quite a lot of states, it is some third party. It is either - when I first started covering this in 2003 and for many years after that, the people actually running the elections were the voting machine vendors, like Diebold and Election Systems & Software. The election staff didn't have the technical knowledge or skill to be programming the machines. And Diebold would come in, or they would hire a local third-party company to act as their consultants, and would program the machines for election officials.
That's still the case, in many cases, that can't afford their own technical staff. And this is one of the issues that we have nationwide with the U.S. is that elections are notoriously underfunded. And in most cases, it does come down to a couple of people in a local election office, maybe supplemented during, you know, the high election season with outside workers that they bring in - hopefully, in some cases, with IT people that have a security background. In most cases, that's not the circumstance, though.
And so elections in some places are run by the people you want them to be run by. But in many places, they're run by people we just - we don't even know who they are.
GROSS: Let me reintroduce you here. If you're just joining us, my guest is Kim Zetter. She's an investigative journalist who's been covering cybersecurity, privacy and national security for more than a decade. She was a longtime reporter for Wired. She's also the author of the 2014 book, "Countdown To Zero Day: Stuxnet And The Launch Of The World's First Digital Weapon." We'll be back after this break.
This is FRESH AIR.
(SOUNDBITE OF NAOMI MOON SIEGEL'S "IT'S NOT SAFE")
GROSS: This is FRESH AIR. And if you're just joining us, my guest is journalist Kim Zetter, who has been covering cybersecurity, privacy and national security for more than a decade. She's a former reporter for Wired. We're talking about voting security and election systems security. She's been covering that extensively. She's been writing about that since around 2003.
After the Obama administration learned that Russia had hacked us, Jeh Johnson, who was then the Homeland Security director, wanted to help states protect their voting systems against cyberattack. What did he offer to do?
ZETTER: So he was offering to do both - basically, information sharing. And it's unclear to what extents, you know, the - at that late stage - the DHS could have helped states with because really, if you're going to assist states in securing their elections, that really involves doing some kind of risk assessment at a county level or at a state level. And that's not what DHS was doing.
I mean, you really need to come out and visit and see the setup and then advise about network operations and things like that. And so in that case, that wasn't what they were doing. But they were talking about information sharing and producing - distributing checklists of best practices, for instance, not connecting machines to the Internet and other things that they were advising states to do to secure their elections. But that's really not sufficient for what you would hope DHS or any other federal agency might do to help states secure elections.
GROSS: Nevertheless, some states objected to the help that Jeh Johnson was trying to give. What was the objection?
ZETTER: Right. So Georgia, in fact, was one of - there were only, I believe, two states that objected - Maine and Georgia - or Georgia primarily. And the objection there was an interference in states' rights. You know, in our country, elections are handled at the state and local level for, you know, states' rights reasons. We don't want the federal government interfering in elections.
And that's a legitimate concern in general, except that in this case, DHS wasn't asking to take over elections and wasn't looking to take over elections. But this is what Georgia was accusing them of doing - of somehow overstepping their authority and wanting to come in and seize the operations of the elections. And that really wasn't what DHS was doing.
There's a - it's a really misunderstanding of how DHS operates. And a better way to look at it is what DHS currently does with other critical infrastructure systems, known as industrial control systems. DHS has a special program for critical infrastructure and industrial control systems in particular, where they will come out, and they can do - help you do an assessment of the network.
And they will also - they have flyaway teams that will come out to you if you think that you've been hacked or breached. And they have these teams that will come out and help you do an assessment, forensic examination and consultation and things like that. So DHS really is in a much better position than most states - and certainly counties - to know what a secure setup should look like and to assess afterwards, as well, whether or not there has been a breach.
GROSS: So we know that Russia hacked our system. What are some of the concerns that cybersecurity experts have now about what Russia, or another malicious actor, might do in the 2018 midterms or the 2020 presidential election?
ZETTER: Well, I think that - you know, what we have is so far only evidence of them getting into voter registration databases - or at least targeting voter registration databases. And I think that - there has to be this caveat here - is that just because we don't see, or there - or no one has come out with evidence that the voting machines have been hacked doesn't mean that the more critical systems haven't been hacked. It's quite possible that there are adversaries - whether or not it's a nation state or simply other hackers - simple hackers, criminal hackers - in election systems.
We can't rule that out. And we also can't rule out that elections haven't already been manipulated in this way. We just don't have the capabilities, in many cases, to do forensic analysis of the machines. And we don't have the will, in many cases, to examine that. So when you see statements from election officials and from the federal government saying that there's no evidence that the votes were changed or that the voting systems were hacked, it has to be done with the caveat that, actually, no one really looked.
So there is concern then, if they haven't already done that in the past, that looking forward, in 2018 and beyond - that there is this great interest now in election systems. You know, once someone sets the example of what can be done, then that opens the gateway for a lot of other actors to explore further - to do the same kinds of things, either just going into voter registration databases, or to explore going further and trying to see if they can actually get into the voting machines and manipulate them.
GROSS: Well, Kim Zetter, thank you so much for talking with us.
ZETTER: You're welcome.
GROSS: Kim Zetter's article about Georgia's election system was published in Politico. She's also the author of the 2014 book "Countdown To Zero Day: Stuxnet And The Launch Of The World's First Digital Weapon." After we take a short break, we'll listen back to my 1990 interview with actor Martin Landau, who died Saturday. And Maureen Corrigan will review two comic novels. I'm Terry Gross, and this is FRESH AIR.
(SOUNDBITE OF TROPICAL DEL BRAVO'S "TAO TAO REMIX") Transcript provided by NPR, Copyright NPR.