Firm Analyzes China, Russia-based Supply Chain Risks of Electronic Voting Machines

Study Aims to Show Links Between U.S. Voting Infrastructure and Nations With a Proven Aptitude and Desire to Target Elections

The supply chain is an increasing concern for both business and government. It comprises the chain of suppliers providing components to product vendors -- and globalization has made it worldwide, deep and complex.

To date, almost all known examples of supply chain abuse have been software-based, with attackers abusing the software supply chain to gain access to larger or more prized targets. The NotPetya outbreak started as a Russian attempt to disrupt Ukrainian business by attacking the supply chain of its MeDoc accounting software. Numerous Magecart attacks have started with third-party software suppliers to the real target. The Texas ransomware outbreak started with the compromise of the targets' common managed services supplier. And perhaps most famously, the U.S. indicted two Chinese citizens with links to Beijing's security services for being members of the APT10 hacking group that PwC UK and BAE Systems tied to what they called Operation Cloud Hopper.

Hardware-based supply chain attacks have been rarer, but they are potentially more harmful to the organizations that might use compromised hardware components. The most famous example is the Bloomberg accusation that a tiny microchip had been planted in computer equipment manufactured in China. The affected U.S. companies all subsequently denied the story, but Bloomberg has never retracted its claims.

Interos has now investigated the depth of the hardware supply chain, looking specifically at one brand of electronic voting machine. Although the 2020 elections are top-of-mind for many security experts, the findings are probably indicative of many different hardware systems sold by U.S. and other western vendors.

One of the three main voting systems was selected, but it is not named in the Interos report, which was obtained by SecurityWeek. The firm analyzed three levels of the supply chain: Tier 1 being the suppliers of components to the vendor, Tier 2 being the suppliers to the Tier 1 suppliers, and Tier 3 being the suppliers to Tier 2.

Interos was specifically looking for Russian and Chinese involvement in the supply chain. These are the two countries that combine a history of interference in U.S. elections and public opinion with large-scale hardware manufacturing and malware development capabilities. They are also two nations where the security services have a high degree of control over both native companies and foreign companies operating within their borders. There is no suggestion of any actual interference at any level, merely an indication of the possibility and of the complexity of the chain involved.

Bear in mind that this is just one piece of niche hardware. Six of the 38 Tier 1 components come from companies based in China. Sixteen of the 50 Tier 2 components come from companies based in China. Nine of the 70 Tier 3 components also do so. "In total," notes the report, "19.6% (38) of the components in the first 3 tiers of Machine A's supply chain come from China-based companies." Components coming from China-based companies include control boards, AI processors, infrastructure software and touchscreens.

Many of the companies involved have locations in either China or Russia even when they are not manufacturing. Interos found that 13.57% of the suppliers within the first 3 tiers of supply have at least one location in Russia, while 56.43% have a location in China. "In total," says the report, "58.6% of companies within the first 3 tiers of Machine A's supply chain have locations in China, Russia, or China and Russia."
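The two metrics the report uses can be reproduced from a supplier graph: walk outward from the vendor, assign each supplier the tier at which it first appears (using the tier definitions above), then count components by the supplier's home country and count suppliers with at least one location in a country of interest. The following Python is an added illustration, not Interos's tooling or data; the supplier names, country codes and component lists are constructed, and the traversal stops at Tier 3 and cuts cycles so that a supplier appearing at several depths is counted once, at its shallowest tier.

```python
from collections import deque

# Constructed supplier graph for a hypothetical "Machine A" vendor. Every record is
# illustrative: country of manufacture, countries where the firm has a location,
# components it supplies to the customer one tier up, and its own suppliers.
SUPPLIERS = {
    "MachineA":   {"country": "US", "locations": {"US"},       "components": [],
                   "suppliers": ["DisplayCo", "BoardCo", "SoftCo"]},
    "DisplayCo":  {"country": "US", "locations": {"US", "CN"}, "components": ["touchscreen", "display driver"],
                   "suppliers": ["GlassWorks", "PanelFab"]},
    "BoardCo":    {"country": "US", "locations": {"US"},       "components": ["control board"],
                   "suppliers": ["ChipCo"]},
    "SoftCo":     {"country": "US", "locations": {"US"},       "components": ["firmware"],
                   "suppliers": []},
    "GlassWorks": {"country": "CN", "locations": {"CN", "RU"}, "components": ["glass", "touch sensor"],
                   "suppliers": ["ToolCo"]},
    "PanelFab":   {"country": "KR", "locations": {"KR"},       "components": ["LCD panel"],
                   "suppliers": []},
    "ChipCo":     {"country": "US", "locations": {"US", "CN"}, "components": ["processor"],
                   "suppliers": ["ToolCo"]},
    # ToolCo both supplies ChipCo and buys from it (a cycle), and has a Tier 4 supplier.
    "ToolCo":     {"country": "CN", "locations": {"CN", "RU"}, "components": ["lithography tool"],
                   "suppliers": ["ChipCo", "MineCo"]},
    "MineCo":     {"country": "AU", "locations": {"AU"},       "components": ["raw silicon"],
                   "suppliers": []},
}


def assign_tiers(graph, vendor, max_tier=3):
    """Breadth-first walk from the vendor: a supplier's tier is its shortest distance
    from the vendor. Suppliers deeper than max_tier are dropped; the visited dict
    prevents cycles from re-assigning tiers or looping forever."""
    tiers = {vendor: 0}
    queue = deque([vendor])
    while queue:
        node = queue.popleft()
        depth = tiers[node]
        if depth >= max_tier:
            continue
        for sup in graph[node]["suppliers"]:
            if sup not in tiers:
                tiers[sup] = depth + 1
                queue.append(sup)
    tiers.pop(vendor)          # the vendor itself is not a supplier
    return tiers


def component_origin_share(graph, tiers, country):
    """Per tier, (components from suppliers based in `country`, total components),
    plus the overall share across all in-scope tiers."""
    per_tier = {}
    for name, tier in tiers.items():
        rec = graph[name]
        hit, total = per_tier.get(tier, (0, 0))
        n = len(rec["components"])
        per_tier[tier] = (hit + (n if rec["country"] == country else 0), total + n)
    hit_sum = sum(h for h, _ in per_tier.values())
    total_sum = sum(t for _, t in per_tier.values())
    return per_tier, (hit_sum / total_sum if total_sum else 0.0)


def supplier_location_share(graph, tiers, countries):
    """Fraction of in-scope suppliers with at least one location in any of `countries`."""
    hits = sum(1 for name in tiers if graph[name]["locations"] & set(countries))
    return hits / len(tiers) if tiers else 0.0


if __name__ == "__main__":
    tiers = assign_tiers(SUPPLIERS, "MachineA")
    per_tier, share = component_origin_share(SUPPLIERS, tiers, "CN")
    for tier in sorted(per_tier):
        hit, total = per_tier[tier]
        print(f"Tier {tier}: {hit} of {total} components from CN-based suppliers")
    print(f"Overall: {share:.1%} of components from CN-based suppliers")
    print(f"Suppliers with a location in CN or RU: "
          f"{supplier_location_share(SUPPLIERS, tiers, {'CN', 'RU'}):.1%}")
```

Running it on the constructed graph reports 0 of 4, 2 of 4 and 1 of 1 components from CN-based suppliers in Tiers 1 to 3, an overall share of one third, and four of the seven suppliers with a location in China or Russia; MineCo sits at Tier 4 and is left out of every count, matching the report's three-tier scope.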

Interos highlights just two manufacturers that are within this supply chain. The first, a Tier 2 supplier, is a China-based corporation with locations in Russia. It provides hardware for the touchscreens provided by a Tier 1 supplier. This company's products, says Interos, "have received multiple awards from Chinese state-run entities like the National Radio and Television Administration (NRTA), the organization responsible for (among other things) censoring Chinese media."

The second example is a Shanghai-based company with locations in Russia that provides machinery used by a major processor manufacturer to build processors that are incorporated into the voting machine.

Interos has not attempted to find any compromised components, nor does it suggest that any exist. The purpose of the study is to demonstrate the complexity of the modern supply chain and to highlight the potential for abuse. "The complex and opaque nature of supply chains," it says, "means most companies, regardless of industry, may not even be aware of their product's connections to countries with a significant interest in influencing or disrupting their business."

This potential is not lost on other security firms. IOActive's chief operating officer Matt Rahman told SecurityWeek, "Diebold was one of the major manufacturers of electronic voting systems. They got acquired by Dominion, in Toronto. Some of the software and hardware components are developed in eastern Europe. We need to look at supply chain integrity, end to end."

Interos founder and CEO Jennifer Bisceglie summarized the study: "Our study shows links previously not understood between America's voting infrastructure and countries with a proven aptitude and desire to target elections and the democratic process. Russia successfully interfered in the 2016 U.S. presidential election, and China has a history of launching cyberattacks in hopes of sowing discord in democracies. We must ensure similar attacks in future elections are thwarted, and that means outfitting organizations with the proper technology to vet all products in their voting infrastructure ecosystems."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.