HR1 Bill Includes Provisions to Improve U.S. Election Security

The Democrat-controlled House of Representatives has unveiled its first Bill: HR1, dubbed the 'For the People Act'. It has little chance of getting through the Republican-controlled Congress, and even less chance of being signed into law by President Trump.

Nevertheless, HR1 lays down a marker for current Democrat intentions, and it is likely that some of the potentially bipartisan elements could be spun out into separate bills with a greater chance of progress.

One of these is likely to include the section on election security. This has been a major issue since the meddling by Russian-state hackers in the 2016 presidential election, and the subsequent realization of how easy it would be for interested parties (both foreign hackers and local activists) to influence election outcomes.

This was highlighted in the 2018 midterm election in Georgia. Concerns began in late August 2016, when security researcher Logan Lamb discovered that registration details for 6.7 million Georgia voters were being held in a publicly accessible database. This data included voter histories and personal information of all Georgia voters, tabulation and memory card programming databases for past and future elections, instructions and passwords for voting equipment administration, and executable programs controlling essential election resources.

Richard DeMillo, director of Georgia Tech's Center for 21st Century Universities, told SecurityWeek, "If I were a hacker trying to affect an election in this state, that's where I would start. Because once you have access to those databases, you can, for example, on election day send people to the wrong polling stations. I actually think that this is a line of attack that people haven't looked at which has to do with simply changing contact information for voters."

What made the situation worse was that when the database was eventually taken down, the log details were deleted. As a result, it is impossible to discover whether anyone other than Logan Lamb also accessed the database.

In the months leading up to the midterm elections, both the Coalition for Good Governance and a group of Georgia citizens sued Secretary of State Brian Kemp to force a return to paper-based voting. Their concern was that the 27,000 Diebold AccuVote DRE touchscreen voting units do not produce a paper audit trail. Given the ease with which such machines can be hacked and manipulated, the litigants argued that the accuracy of the vote could not be verified.

The court case failed, although the judge demonstrated sympathy towards the plaintiffs' arguments.

Three weeks before the election, five Georgia citizens went back to court to prevent Georgia officials from using "frivolous and arbitrary excuses to reject far too many mail ballots". The fear was that in a tightly fought election -- as the Georgia race was for the midterms -- it would take relatively few rejected votes to decide the outcome.

Two days before the election it was reported that the online voter registration database was unsecured and vulnerable. "For such an easy and low hanging vulnerability to exist, it gives me zero confidence in the capabilities of the system administrator, software developer, and the data custodian," Kris Constable, who runs a privacy law and data security consulting firm, told WhoWhatWhy. 

And even after the election, the arguments rumble on. On November 24, the Coalition filed a new lawsuit calling for a new election. It argued that lower voting for the Lieutenant Governor position "is a likely result of the touchscreen voting system malfunctions, and that the un-auditable system does not permit a reliable determination of the vote count."

The then Secretary of State for Georgia, and the man in charge of the elections, stood for and won the election for Governor of Georgia. Part of the court arguments against him can be ascribed to political bias by the plaintiffs -- but that doesn't change the facts of their concerns. With no paper audit trail from the voting machines, it is impossible to audit the election and confirm that nothing untoward happened with the votes.

It is against this background that part of HR1 contains a number of provisions designed to improve election security. These include a requirement that any paperless voting systems be replaced, and new grants to help states enhance election security. The bill would also place an obligation on election system vendors to report cybersecurity breaches.

While this will not become law in its current form within HR1, there are hopes that it will provide a bipartisan template for a future bill to improve the security of American elections.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.