Director Robert Kolasky
National Risk Management Center
National Programs and Protectorate Center
Department of Homeland Security (DHS)
245 Murray Lane, SW
Washington, DC 20528-0075
Chair Tom Hicks
Vice Chair Christy McCormick
U.S. Election Assistance Commission (EAC)
1335 East West Highway, Suite 4300
Silver Springs, Maryland 20910
October 2, 2018 Sent via EMAIL and US Mail
Dear Director Kolasky, EAC Chair Hicks and EAC Vice-Chair McCormick,
In the last two years reports of unprecedented cyber threats against U.S. election infrastructure have blanketed the news and rattled public confidence. DHS Secretary Nielsen recently stated, “[t]here is little doubt that adversaries and non-state actors continue to view elections as a target for cyber and influence operations,” warning “[o]ur democracy itself is in the crosshairs.”[1] We must recognize that foreign nation states and other bad actors targeting U.S. elections are highly motivated and possess significant financial and technical resources.
Against the background of these profound threats, we as members of the computer science, cybersecurity, and election integrity communities are writing to convey our grave concerns regarding the use of public telecommunications and wireless technologies—such as cellular modems—in voting machines, despite repeated warnings and chronicled incidents of their risky deployment. We urge both the U.S. Election Assistance Commission and Department of Homeland Security to caution state and local election officials against using wireless and cellular communication and recommend suspending use of wireless modems in voting machines for the upcoming elections.
We are directing this request to EAC and DHS because these agencies are leading the federal effort to share information on the threat of cyber attacks on election infrastructure with state and local officials that administer elections and there appear to be profound misconceptions regarding the use of cellular modems that should be corrected.
Many of the voting machines currently in use around the country can connect to public telecommunications networks (principally the Internet) using an embedded or integrated wireless cellular modem or in cases of standard PCs through their integrated Network Interface Controller (NIC). These voting machines use wireless cellular modems to transmit unofficial post-election results. Computers that aggregate election results may be equipped with modems or wireless network interfaces to receive those results. To justify the use of cellular modems in election systems, many will assert that cellular modems operate on a network separate from the Internet and that use of these modems does not expose voting systems to the public Internet. This assertion is not accurate.
Modern cellular modems (unlike older wired analog modems) use IP packets, IP addresses, and IP routers, and in fact, are part of the Internet. The LTE protocol commonly used in cellular (wireless mobile) networks has known vulnerabilities that are subject to exploitation. There also are published reports of attackers rerouting network traffic to foreign nations by exploiting known weaknesses in the Border Gateway Protocol (BGP) that certain types of network routers employ to direct Internet data traffic.[2] Moreover, a cellular device can be fooled into connecting to false mobile cell towers (such as Stingray surveillance devices[3]) to cause a server disruption, and if there is improper authentication of a connection, there could be false reports from devices impersonating precinct voting machines.
Network infrastructure consists of many interconnected systems, some of which are publicly exposed. Data can be routed through foreign infrastructure even if both ends of the communication are in the U.S. Importantly, cellular networks are typically beyond the security control of election officials and the federal government.
Even when using hardware and software defenses common problems such as outdated software, misconfiguration, and human error can leave critical election infrastructure vulnerable. Attacks such as denial of service, data manipulation, malware infection, and remote access can be made with anonymous execution and enormous scale.
In short, they can wreak havoc on an election.
Connecting to the public networks even briefly during machine maintenance, programming, pre-election testing, poll worker training, or on Election Day can make the system vulnerable to attacks that could impact current or future election results.
The convenience of transmitting vote totals online does not outweigh the need of the American people to be assured their votes will be accurately transmitted and counted.
Therefore, we recommend discontinuing the use of wireless technology for transmitting vote totals given the current threats and these inherent, unresolved vulnerabilities.
We strongly urge the Department of Homeland Security and the U.S. Election Assistance Commission to caution states against using wireless modems in voting machines and offer the following recommendations to all state and local election officials:
1. Voting system components—from vote capture and tabulation machines to election management systems—should not be connected to the Internet, cellular network, or other public telecommunications infrastructure at any time, even temporarily, from the time of manufacture until end of life.
2. Election administrators should discontinue the electronic transmission of election results from vote tabulation devices and adopt procedures for the physical delivery of election results, either on digital media such as memory cards, thumb drives, or on paper to election management systems.
3. Cellular modems within voting systems should be physically removed, and not simply disabled by software means.
These recommendations do not imply that posting of unofficial election results on properly configured and protected public accessible government web sites should be stopped.
We do not wish to imply that discontinuing the use of wireless modems in voting systems will ensure their security. Many other attack vectors still exist. We recognize the only way to ensure resilience in voting systems is by requiring voter-verified paper ballots and robust, manual post-election audits of the paper ballots.
The undersigned thank you for your service and your immediate attention to this critical national security issue. We stand ready to work with you to protect our nation’s election infrastructure from all threats, foreign and domestic.
Sincerely,
Common Cause
Electronic Privacy Information Center
Electronic Frontier Foundation
National Election Defense Coalition
Protect Democracy
Dr. Andrew W. Appel,
Eugene Higgins Professor of Computer Science
Princeton University
Ron Bandes
President, VoteAllegheny
Dr. Duncan Buell
NCR Professor in Computer Science and Engineering
Dept of Computer Science and Engineering
University of South Carolina
Cindy Cohn
President, Electronic Frontier Foundation
Dr. Richard A. DeMillo
Charlotte B. and Roger C. Warren
Chair of Computing
Georgia Institute of Technology
Dr. Aleksander Essex
Assistant professor of software engineering
Western University, Canada
Lowell Finley
former Deputy Secretary of State, California
Dr. Juan E. Gilbert
Andrew Banks Family Preeminence Endowed Professor & Chair
Computer & Information Science & Engineering Department
University of Florida
Susannah Goodman
Director, Election Security
Common Cause
Susan Greenhalgh
Policy Director, National Election Defense Coalition
Dr. J. Alex Halderman
Professor of Computer Science & Engineering
Director, University of Michigan Center for Computer Security & Society
University of Michigan
Dr. Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
Dr. Kyle Jamieson,
Associate Professor of Computer Science
Princeton University
Dr. Joe Kiniry
Principal Scientist
Galois
Gregory A. Miller
Chief Operating Officer
OSET Institute, Inc.
Dr. Peter G. Neumann
Chief Scientist
SRI International Computer Science Lab
Mark Ritchie
former Secretary of State, Minnesota
Dr. Ron Rivest
Institute professor
Massachusetts Institute of Technology
Marc Rotenberg
President, Electronic Privacy Information Center (EPIC)
Dr. Avi Rubin
Professor, Computer Science
Technical Director
Information Security Institute
Johns Hopkins University
Bruce Schneier
Fellow and Lecturer
Harvard Kennedy School
Larry Schwartztol
Counsel
Protect Democracy
E. John Sebes
Chief Technology Officer
OSET Institute, Inc.
Anthony A. Shaffer
Vice President for Strategic Initiatives and Operations
London Center for Policy Research
Kevin Skoglund
Chief Technologist
Citizens for Better Elections
Professor Eugene H. Spafford
Executive Director Emeritus, CERIAS
Purdue University
Dr. Philip B. Stark
Professor of Statistics
Associate Dean of Mathematical and Physical Sciences
University of California, Berkeley
Dr. Dan S. Wallach
Professor, Department of Computer Science
Rice Scholar, Baker Institute for Public Policy
Rice University
Luther Weeks
Computer Scientist
Executive Director
CTVotersCount
Dr. Daniel M. Zimmerman
Principal Researcher
Galois
*Affiliations are for identification purposes only and do not imply institutional endorsement.
[1] “DHS Secretary: Russia Continues to View US Elections as a Target of Cyberattacks” Veronica Stracqualursi, CNN, July 14th, 2018 https://www.cnn.com/2018/07/14/politics/dhs-secretary-kirstjen-nielsen-russia-2018-midterm-elections/index.html
[2] For a clear and concise introductory treatment of BGP and network traffic routing complete with illustrations and videos, see: https://blog.cdemi.io/beginners-guide-to-understanding-bgp/
[3] For an introductory overview of these devices, see generally, MSI-catcher, https://en.wikipedia.org/w/index.php?title=IMSI-catcher&oldid=856220555