Election systems in the U.S. are vulnerable to cyber intrusions similar to the one that hit federal agencies and numerous businesses last year and remain a potential target for foreign hacking, according to a report released Wednesday.
The report by the Center for Internet Security, a nonprofit that partners with the federal government on election security initiatives, focuses on how hardware and software components can provide potential entryways for hackers.
“We have to continue to get better," said Aaron Wilson, a co-author of the report. “We have to improve our defenses, as those that are on the other side are likely honing their attack strategy, as well.”
The 2020 election was deemed the “most secure” in history by a coalition of government cybersecurity experts and state and local election officials. There also is no indication that any election system was compromised as part of the hacking campaign that exploited an update of network management software from a company called SolarWinds. It was the largest cybersecurity breach of federal systems in U.S. history.
Despite that, election systems are vulnerable to the same risks exposed by the SolarWinds hack, the report said. It describes the risk of such an attack, in which hackers might infiltrate the hardware or software used in election equipment. Even if voting results aren't affected, such an attack could lead to confusion and undermine confidence in U.S. elections.
The nation’s decentralized system of election administration means voting technology varies from state to state and even county to county, providing multiple ways for malicious actors to gain access. The systems generally rely on components from third-party suppliers or use commercial, off-the-shelf hardware. Most also use proprietary software that may not be subjected to rigorous security testing.
"It's a complex mix of parts and suppliers, which creates very real supply chain risks," said Eddie Perez, global director of technology development at the OSET Institute, a nonprofit election technology research corporation.
The use of foreign suppliers for voting technology and related supply chain security has long been a concern. During a congressional hearing last year, executives with the three major voting machine vendors faced repeated questioning from lawmakers about the sources of the parts used to manufacture their voting machines, what steps they have taken to secure their products from tampering and what, if anything, can be done to use American-made parts.
The executives said the machines they manufacture include, to some extent, components from China but said using foreign suppliers isn’t unique to the voting equipment industry.
SolarWinds, a Texas company, was breached by suspected Russian hackers to deliver malware and gain access to networks of businesses and governments, including the U.S. departments of Commerce, Treasury and Justice as part of a large-scale cyberespionage campaign.
Brandon Wales, the acting director of the U.S. Cybersecurity and Infrastructure Security Agency, said recently there was “no evidence that any election systems were compromised” as part of the hack.
Election officials have spent years working to boost their cybersecurity defenses after it became clear in late 2017 that Russian hackers had scanned state and local voter registration systems in the run-up to the 2016 election — and penetrated a few. Tens of millions of dollars have been spent to educate and train state and local election officials, add security defenses such as firewalls, and conduct security reviews and testing.
Also Wednesday, the U.S. Election Assistance Commission approved the first update in 15 years to a series of voluntary guidelines used by most states to certify voting machines. The guidelines include several security improvements, including a recommendation for states to adopt a strategy to reduce supply chain risks.
Associated Press Writer Frank Bajak in Boston contributed to this report.