
US Officials Fear Ransomware Attack Against 2020 Election (reuters.com) 147

The U.S. government plans to launch a program in roughly one month that narrowly focuses on protecting voter registration databases and systems ahead of the 2020 presidential election. From a report: These systems, which are widely used to validate the eligibility of voters before they cast ballots, were compromised in 2016 by Russian hackers seeking to collect information. Intelligence officials are concerned that foreign hackers in 2020 not only will target the databases but attempt to manipulate, disrupt or destroy the data, according to current and former U.S. officials. "We assess these systems as high risk," said a senior U.S. official, because they are one of the few pieces of election technology regularly connected to the Internet.

The Cybersecurity Infrastructure Security Agency, or CISA, a division of the Homeland Security Department, fears the databases could be targeted by ransomware, a type of virus that has crippled city computer networks across the United States, including recently in Texas, Baltimore and Atlanta. "Recent history has shown that state and county governments and those who support them are targets for ransomware attacks," said Christopher Krebs, CISA's director. "That is why we are working alongside election officials and their private sector partners to help protect their databases and respond to possible ransomware attacks."

  • Y2K all over again (Score:5, Interesting)

    by CaptQuark ( 2706165 ) on Tuesday August 27, 2019 @01:42AM (#59128436)
    I think the secure backup crisis that many city and county governments are facing needs to be handled in the same way that the Y2K "crisis" was handled. Lots of information available on backup strategies, off-line storage, and recovery plans.

    Many of the IT managers in small locations don't know how to securely back up their systems, how to harden them, and where to turn for accurate guidance. Securing their municipal servers along with their voting infrastructures should be a national campaign.

    ---
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Seriously, this isn't rocket science. It is one of the fundamental basics of running systems; it is like telling children to look both ways before crossing the road. If they are not currently knowledgeable enough to do this they need to sack them and hire real IT people; hell, most grad students would have enough knowledge to work out a viable backup strategy.
      • Administrators at government offices and schools may not have the expertise to choose high quality I.T. staff, and/or may not provide an adequate budget to combat ransomware.
          My school district has insurance for this, and last year paid off the ransomers who encrypted the computers at one of our schools. This is about the best we can do, I think, until the insurance companies start charging too much.

    • by PolygamousRanchKid ( 1290638 ) on Tuesday August 27, 2019 @03:26AM (#59128544)

      Many of the IT managers in small locations don't know how to securely back up their systems, how to harden them, and where to turn for accurate guidance.

      Oh that's easy! Turn to Kaspersky!

    • by Anonymous Coward on Tuesday August 27, 2019 @04:06AM (#59128596)

      It should be! Sadly, in my locale we've done a bit of that. Mandated that all hardware is centrally stored, and managed by a centralized agency.

      However, one sad thing is that governments don't pay what private enterprise does. Further, it isn't like governments are about "exciting" computing opportunities. Don't get me wrong, people are well paid here, and there are excellent benefits (pension, etc) with government work. It's just not the same bling as with private sector work.

      So, you don't get the best and the brightest. In fact, I think government work is the last choice for many. And on top of this, there's a public trust element involved. Insane amounts of red tape, but red tape in the wrong areas for this type of work. Meaning, it's even MORE antagonizing. Worse, as an example, I did a bit of contract work for a government where backups weren't done, because:

      1) A backup solution was bought and paid for, with massive site licenses (eg, $100k)
      2) It didn't work (not usable with the chosen OS, systems)
      3) Alternatives were NOT allowed, because it would demonstrate that the purchased backup solution did not function

      Yeah. Someone would look bad, so even free alternatives were prohibited (rsync). "Don't do that!!", with hushed tones, when people found out I was doing my own backups. Regardless, I continued the practice, only to find out the day I left my short contract?

      Backups were immediately disabled. Yeah. No joke.

      So, not only is it an issue with talent, there's an issue with stupid politics.

      Add to that, the fact that no computing device is secure, no switch, no firewall, no router, no computer... and connecting machines to the internet, that require things remain secret? Madness.

      • by lrichardson ( 220639 ) on Tuesday August 27, 2019 @09:16AM (#59129068) Homepage

        Dude, had the same scenario at a rather large bank ... the 'approved' backup solution was a p.o.s. ... maybe worked one day in five, ran for hours, and cost the department something over $20K/yr. But it was 'approved'.

        I implemented a bittorrent solution, against the transaction log. Worked like a charm, boss was happy, his boss was happy because they wouldn't have to fork out for the annual license ...

        ... and then the group dedicated to scanning the system looking for naughty stuff saw this, and demanded I remove it. Arguments from me and my manager that a) it was being used for a legitimate purpose and b) the approved solution didn't work ... had zero effect. Bittorrent = File Stealing!!! No other interpretation possible in their minds.

        Sadly, the database in question went on to become the 'system of record' for a large number of items, so they rolled it under one of their enterprise-level backup system ... in the $100K+/year range. What a waste of money. Point is, it isn't just government that does stooopid things ...

        • by AmiMoJo ( 196126 )

          Their solution was obviously superior, especially in a highly regulated banking environment.

          If your Bittorrent based backup failed, who would get the blame?

          If their expensive and externally approved system failed there were plenty of scapegoats and responsibility for the failure was highly dispersed. Their collective arse was likely covered by a thick layer of certifications and SLAs.

          Who cares if it worked, what matters is that it's somebody else's fault.

      • Governments get stuck in a catch-22. They spend more money on tighter requirements when bidding and then they're accused of wasting money; they spend less money and they get a contractor that's incompetent or is trying to fleece the government; if they try to pick a contractor that's known to do a good job then they're accused of corruption by skipping the bidding process.

        What may be needed is significant penalties for cheating on the bidding process or trying to slap on more and more costs just to line th

    • They have to actually try. Y2k was easily handled (from the IT department perspective, if not the developers') but only if one bothered to update things. Backups are harder than that but either way you have to actually do the needful

    • This makes me wonder how they became IT managers in the first place.
    • Every state does things differently. Where I am although there are local Registrar of Voters offices in every municipality and often share the same network resources they are handled by the state Secretary of State's office (and budget). Local IT Managers have zero say in their security or backup strategies.

    • by jellomizer ( 103300 ) on Tuesday August 27, 2019 @10:22AM (#59129264)

      I don't see it as much as IT managers in small locations don't know how to securely backup their system. But are not given the resources to do such.

      This is common across all of IT. Most security problems are due to all the focus on making it meet the initial objective, then just patching the security in later on. Most programs and even websites just trust the user interface layer to prevent bad security. Let's just set a text box filter to prevent a quote mark or XML reserved characters to make sure we don't get a SQL Injection error. Vs. a server side full validation of the data, where it finds faulty data and properly escapes them, makes sure that the data size is accurate... Isolating itself from other systems, and assuming every part of the system could be used as a rogue bot. Giving most people the option and pointing out security flaws, and giving people the ability to design a security first system, they will come up with something good.

      However the boss wants to see a Fancy UI the next day, not the weeks of security modeling and performance design.

  • (1) Disable HTML e-mail.
    (2) Disable JavaScript in the Browser.

    There you go, all protected from 99.999% of attack vectors.

    • Re:Easy Peasy ... (Score:4, Interesting)

      by ShanghaiBill ( 739463 ) on Tuesday August 27, 2019 @02:17AM (#59128494)

      There you go, all protected from 99.999% of attack vectors.

      A large percentage of attacks are inside jobs.

      Many inside jobs are incorrectly identified as breaches from outside.

      Many more inside jobs go undetected.

      We should focus on robust security on all levels, and avoid fixating on "Russian hackers". The Russians are not the only, or even primary, threat.

      • As long as you can call office workers, claim you're their IT (or MS) and get them to do whatever you want, you don't really need to hack anything. When you can break in by phone, why bother with more sophisticated means?

      • Re: (Score:3, Insightful)

        by bobbied ( 2522392 )

        There you go, all protected from 99.999% of attack vectors.

        A large percentage of attacks are inside jobs.

        Actually, the majority of attacks are from the outside, the VAST majority. It's easy to do, fast and efficient, but it's rare when it succeeds. What you really mean is that a large percentage of SUCCESSFUL attacks are inside jobs. You see it's hard to count the number of actual attacks all we really can track are the ones we find and log and who keeps firewall logs for dropped inbound packets? Further, who looks at them? I dare say the vast majority of attacks go unlogged and undetected. Because of that,

    • often times not even exes. Stuff like dodgy word docs and PDFs. It's difficult to get users to check every single attachment. Thousands if not millions will be sent and sooner or later somebody's over tired and not thinking and they get an email from Mike in accounting only it's not Mike in accounting it just says "Mike" on the header and blam, it's over.

      If our elections were well run otherwise one or two outbreaks on a national scale wouldn't matter, but there's going to be so much voter suppression go
  • Why the fuck would they fear ransomware attacks? of all the things to fear this is the least dangerous assuming you aren't totally incompetent with backups. If they fear it then they are screaming loud and clear they have no clue how to operate critical systems.
    • Re: (Score:3, Interesting)

      They do not have any clue how to operate critical systems, and that is the problem. This is perfectly clear from the following statement:

      "It is imperative that states and municipalities limit the availability of information about electoral systems or administrative processes and secure their websites and databases that could be exploited," the FBI said ...

      Security through obscurity has never worked in the past, and will never work in the future. The FBI should be publicly publishing all the information th

      • by AHuxley ( 892839 )
        Re "limit the availability of information" is what is needed to protect the integrity of expected political coronations.
        Match the lists of everyone who can "vote" with other gov data on citizens?
        Find the people who have moved, are not/never will be US citizens, people who are inoperative/excised/deleted but always vote.
      • Re:WTF? (Score:4, Interesting)

        by ShanghaiBill ( 739463 ) on Tuesday August 27, 2019 @02:38AM (#59128518)

        I was once contacted by the FBI's "High Tech Taskforce" about a case they were working on. They were astoundingly clueless. As I was showing them evidence that I had, they were asking questions that a 3rd grader should know.

        Then they told me that they needed to confiscate my laptop for evidence. I had to explain to them that the evidence they were seeing was not on my laptop, but was on a server 1000 miles away. They were baffled by this, and didn't believe me until I brought up the same webpages in a browser on one of their own laptops.

        They were all "special agents", which in bureau lingo ironically means "generic agent" with no specialized training or expertise.

        The head of the task force had a degree in history. The others were even less qualified.

        This is the caliber of people we have ensuring the integrity of our elections.

        • I had to call in the FBI a few years ago following a ransomware attack, mainly as a CYA so we'd never be accused of covering it up. They sent a couple 19-year-old "special agents" who turned out to be contractors. All they did was take an image of the hard drive of the first infected PC (Patient Zero) and I had to help them do that.

        • The head of the task force had a degree in history. The others were even less qualified.

          Read through that list [jamesaconrad.com] the next time one wants to play the "credential" game.

          Never mind having a history degree is useful to many fields. [space-awareness.org]

          • Read through that list [jamesaconrad.com] the next time one wants to play the "credential" game.

            Everyone on your list either lived prior to 1900, or made their mark by collecting data, not through technical expertise.

            Can someone with a liberal arts degree discover a rare fossil or find a comet with a telescope? Sure. You don't need a degree to get lucky.

            Can they design an integrated circuit, or create a quantum theory to explain dark matter? No.

    • by AHuxley ( 892839 )
      Russia has small town USA experts who are going to show all the 200 year old "digital" voters doing their civic duty?
      The small towns with a 120% digital turnout problem?
      Digital eligible voters that outnumber the population stay on for generations.
      • In Russia it is normal that quite a few voting locations have > 100% voters at the election.
        Not sure if it is always the locations not happy with the current boss, where all the blank votes are filled in to support the KGB Spymaster himself.

        • Re:WTF? (Score:4, Insightful)

          by tinkerton ( 199273 ) on Tuesday August 27, 2019 @05:40AM (#59128732)

          Apart from this being a 'random boisterous claim which no one will bother to challenge', in the US it is normal that the budget of the candidates decides who becomes president and the budget is provided by wealthy supporters.
          Trump was an exception because his budget was smaller than Clinton's, therefore his election was illegitimate.

    • Why the fuck would they fear ransomware attacks? of all the things to fear this is the least dangerous assuming you aren't totally incompetent with backups. If they fear it then they are screaming loud and clear they have no clue how to operate critical systems.

      I'm curious about how you figure this scheme will work. Once voters are greeted with the "transfer bitcoin to get your system back" you just hold off voting until a known safe backup is restored, and then what? Call back the voters who already cast their ballot?

    • by tlhIngan ( 30335 )

      Why the fuck would they fear ransomware attacks? of all the things to fear this is the least dangerous assuming you aren't totally incompetent with backups. If they fear it then they are screaming loud and clear they have no clue how to operate critical systems.

      Have you not been reading the news the past few months? You know, where states were paying the ransoms because they couldn't recover their systems? That should be a gigantic clue about how good their backup systems work.

      Or even the latest attack in T

      • Re:WTF? (Score:5, Interesting)

        by gravewax ( 4772409 ) on Tuesday August 27, 2019 @03:35AM (#59128552)
        honestly a ransomware attack in those scenarios would be a BEST CASE scenario as it would clearly indicate that the voting systems had been compromised so fully and completely that the votes can't be trusted. Far worse are those that get in and DON'T do something obvious like ransom the system. Once the system is compromised the data is all meaningless anyway as you can no longer trust it so the risk here is not ransomware. The core problem here is they are scared they have poor security and backup practises. These are definitely things to be terrified of, ransomware is one of the best results that can happen in these cases.
        • It would allow the most chaos alongside a social media disinformation campaign. "X stole the election and faked the hack to cover it up!" "Arm yourselves, the brownshirts/antifa are coming!" Rationally, the worst case scenario is holding the election again, but the public discourse about such a thing would get messy fast.
          • You want to see chaos, imagine someone altering the outcome of an election and then when the winner is announced demonstrate they had access to everything and changed votes.
    • Restoring data from backup is easy, restoring audit trails and full metadata is a lot harder. For election results I'd hope the latter is important.
      • by hey! ( 33014 )

        restoring audit trails and full metadata is a lot harder. For election results I'd hope the latter is important.

        It would be if we had audit trails and metadata. But even if we had them, once it had been proven that attackers can access voting machines that means any purely *electronic* audit trail is worthless.

        It's been argued that US election systems are impossible to hack because they're decentralized. You'd have to (the argument goes) attack 50 different organizations. That's basically BS. You don't have to hack 50 organizations, you need to attack systems in a handful of swing states to throw the Presidency an

    • Theoretically a well-timed attack could disrupt an election. Election dates are known years in advance and those dates are mandated by law (or the Constitution). If one were able to cripple the right systems or servers on the right day backups wouldn't help. It takes time to restore and you can't just say "the election is off for today, maybe we'll have it later in the week."

  • Uh oh, see previous article.

  • by terminal.dk ( 102718 ) on Tuesday August 27, 2019 @02:37AM (#59128514) Homepage

    Have lookups use a read-only copy of the database.
    Updates should be submitted as batch files - which should be processed in a manner designed to remove anything that tries to cheat the database. Keep these files, so you can revert to a known good db, and roll forward all the stuff.
    You could update the web-version of the database first, and delay updating the master.

    Make sure firewalls are set up the right way. That is no access to the master database server except maybe RDP or VNC from a well known host. The master database can do outgoing connections to update copies of the database.

    This is sound and proven design. The only risk is if backup has access to the machine. But better have the master initiate a copy of the database out, so that no incoming network openings are needed.

    SAN complicates things only slightly. Control access tightly.

    Nothing wrong in a master, and then update docs being applied batch, maybe near-realtime to the db used by the website. But of course it requires a good design, and more hardware. Avoiding Windows is a plus as well. And of course, the servers should only be able to access pre-approved websites. No general Internet access on any protocol for servers with critical data. IP filters in firewall, or names in a web proxy.

    Are there no security architects in the US government ?
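
The design in the comment above (server-side filtering of batch updates, kept batch files for roll-forward, a read-only copy for lookups), sketched as an added example that is not part of the original thread. The record fields, ID format and function names are assumptions, and in-memory SQLite stands in for the real database.

```python
import hashlib, json, re, sqlite3

# Constructed formats for illustration (assumptions, not a real state's schema).
VOTER_ID = re.compile(r"[A-Z]{2}\d{8}")
PRECINCT = re.compile(r"\d{1,4}")
GENESIS = "0" * 64

def validate(rec):
    """Server-side check of one update record; returns a reject reason or None."""
    if not isinstance(rec, dict) or rec.get("op") not in ("upsert", "remove"):
        return "unknown op"
    if not isinstance(rec.get("voter_id"), str) or not VOTER_ID.fullmatch(rec["voter_id"]):
        return "bad voter_id"
    if rec["op"] == "upsert":
        name, precinct = rec.get("name"), rec.get("precinct")
        if not isinstance(name, str) or not 1 <= len(name) <= 100 or not name.isprintable():
            return "bad name"
        if not isinstance(precinct, str) or not PRECINCT.fullmatch(precinct):
            return "bad precinct"
    return None

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voters (voter_id TEXT PRIMARY KEY, name TEXT, precinct TEXT)")
    return db

def apply_records(db, records):
    """Apply validated records; values are always bound, never spliced into SQL."""
    with db:
        for r in records:
            if r["op"] == "upsert":
                db.execute("INSERT OR REPLACE INTO voters VALUES (?, ?, ?)",
                           (r["voter_id"], r["name"], r["precinct"]))
            else:
                db.execute("DELETE FROM voters WHERE voter_id = ?", (r["voter_id"],))

def chain_hash(prev, body):
    return hashlib.sha256((prev + body).encode()).hexdigest()

class Journal:
    """The kept batch files: append-only, each entry chained to the one before.
    Tampering is only detectable if the latest hash is also stored off-host."""

    def __init__(self):
        self.entries = []

    def append(self, records):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(records, sort_keys=True)
        self.entries.append({"prev": prev, "body": body, "hash": chain_hash(prev, body)})

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or chain_hash(prev, e["body"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def process_batch(master, journal, batch):
    """Filter a submitted batch, journal and apply the clean records, return rejects."""
    accepted, rejected = [], []
    for rec in batch:
        reason = validate(rec)
        if reason:
            rejected.append((rec, reason))
        else:
            accepted.append(rec)
    if accepted:
        journal.append(accepted)
        apply_records(master, accepted)
    return rejected

def rebuild(journal, upto=None):
    """Roll forward from the empty baseline through the first `upto` kept batches."""
    if not journal.verify():
        raise ValueError("journal hash chain broken; do not replay")
    db = new_db()
    for entry in journal.entries[:upto]:
        apply_records(db, json.loads(entry["body"]))
    return db

def publish_replica(master):
    """Master pushes a copy outward; the lookup copy refuses all writes."""
    replica = sqlite3.connect(":memory:")
    master.backup(replica)
    replica.execute("PRAGMA query_only = ON")
    return replica

def write_blocked(db):
    """True if the connection rejects a write (expected for the lookup copy)."""
    try:
        db.execute("DELETE FROM voters")
    except sqlite3.OperationalError:
        return True
    return False

def rows(db):
    return db.execute("SELECT voter_id, name, precinct FROM voters ORDER BY voter_id").fetchall()
```

`rebuild(journal, upto=n)` is the "revert to a known good db, and roll forward" step: pick the last batch known to be good and replay only up to it.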

    • Nope, none (Score:5, Insightful)

      by rsilvergun ( 571051 ) on Tuesday August 27, 2019 @08:15AM (#59128922)
      One of the Republican heads of our Election Commission just resigned [thehill.com].

      This is almost certainly a calculated political move. It leaves the agency unable to do much of anything. Our president will offer up insane candidates that will provide plausible deniability for the GOP when they're not appointed. Meanwhile the head of the Senate is blocking all votes [cbsnews.com] on election security. Meanwhile it looks like even open cheating [reuters.com] gets forgotten if you wait long enough for the news cycle to bury it.

      To be blunt, one of our parties is openly cheating elections and nobody much seems to care. Since Clinton it hasn't mattered much who you vote for in America as both parties sold out. Those of us who haven't given up hope are banking on Bernie Sanders getting elected and ushering in an FDR style "New Deal", which if you're not aware was a time when one of our presidents "broke ranks" with his rich buddies and passed a ton of pro working class legislation. Bernie's not a rich guy by any means but unlike some of the other candidates (*cough*Joe Biden*cough* [politico.com]) he's free of the stink of corruption.

      Liz Warren might work too, but nobody's 100% certain. She backed down in 2016 (Bernie wanted her to run against Hillary) and she's got some defense industry ties (mostly just bringing pork home to her state) so there's a concern she can be talked into playing ball, if only to save the economy from being held hostage by Wall Street. Still, even she's a vast improvement over any other alternative but Bernie.
      • > banking on Bernie Sanders getting elected

        Dude, they're never going to let Bernie get the nomination. See Leon Panetta's emails. I mean, he's not even a Democrat so he really shouldn't be running. Plus he's too old.

        Watch Tulsi Gabbard on Joe Rogan. She's the real deal. But they won't let her win either. She's the only one of that group who could hammer Trump in a debate. Watch her pummel Kamala Harris about locking up innocent black men as prosecutor.

        • if they cheat him out of it this time there the party might just implode. Biden's likely to be polling at 10-15%, maybe less by January. They won't be able to sell that. They're already desperately trying to stop Bernie and Medicare for All. That's the main thing they're after. They all make a ton of money off our for profit healthcare system and don't want to lose it.
          • by jbengt ( 874751 )

            if they cheat him out of it this time . . .

            "They" didn't cheat him out of the nomination last time.

    • > Make sure firewalls are set up the right way. That is no access to the master database server except maybe RDP or VNC from a well known host.

      Hai, I just hijacked your netblock with BGP.

      Insist on a VPN using your own CA.

  • They only seem to be worried about visible hacks - ransomware would effectively be a denial of service, recoverable from backups. What about hacks that change the result of the votes?
    • Re: (Score:3, Interesting)

      Don't mention the 2016 russian hacks and a variation on the voting security bills proposed might pass Mitch (they already have the votes).

      • 3 years after the election, sure. Before the election, they had their head in the sand, claiming they're secure.
        • Although how much effort is put into maintaining security certainly differs between systems, I'd assume most consider their security at least good enough. What differentiates the 2016 voting system breaches is that ramped up security which a majority agrees upon is stuck in bipartisanship.

      • Comment removed based on user account deletion
        • This is exactly my point. While a majority knows the voting system need more security one party has at least twice offered what they believe is a solution and has the votes to pass it. The other party has no solution as it would acknowledge the problem which is seen as potentially delegitimizing the president (although that part isn't true) and are just blocking and playing the blame game.

    • They only seem to be worried about visible hacks - ransomware would effectively be a denial of service, recoverable from backups. What about hacks that change the result of the votes?

      Ah, the ever present "they didn't count the votes right" worry. Stop worrying.

      Sure, the local vote count by your county might get hacked and might have the vote results skewed. However, that's just your county. The chances that enough key counties could be hacked and the vote counts adjusted enough to change the outcome of a national election and not be caught is exceedingly rare.

      Each county in this country has their own election system and you'd have to penetrate enough of the key districts to actuall

      • by jbengt ( 874751 )

        The attack would have to be hugely complex, deal with thousands of separate systems of hundreds of configuration types and be undetected.

        The hacking of US elections being detected would work to the advantage of some foreign parties, as it would sow so much discord as to make faithful governance even more difficult than it has already become.

      • by jbengt ( 874751 )

        Stop worrying.

        It's attitudes like this that have me worried.

  • by deviated_prevert ( 1146403 ) on Tuesday August 27, 2019 @02:47AM (#59128522) Journal
    Fuck up the electoral system with idiotic insecure internet connectivity that somehow magically becomes hosed so the actual election results cannot be determined. Sounds like a very good way to stay in office a little longer. A sort of hanging chad wet dream for the current day Republicans and their Russian/mafia backers. It could take a switch to paper ballots and a rerun of the election to straighten things out if the results of the entire electronic voting system became unreadable even in a few strategic states. If the states that get hosed hold the magic margin of victory in the electoral college the way it did last time then we would know that the whole scene has been rigged.
    • At the least, segregate the polling system entirely. All you need from it, the end product, is a relatively few numbers. These are practical to be written down and walked to the reporting and distribution systems.

      Of paper. Seriously, paper.

    • "The system is not rigged" Obama 2016
      "He must accept the results of the election" Hillary Clinton 2016.

      Russia Russia Russia!!
      Oh, and the electoral college exists for good reason, to keep the United States a federalist republic of united States, not a monolithic big brother unitary government such as you favor. Because that's always worked out so well in history.

    • Sounds like a very good way to stay in office a little longer. A sort of hanging chad wet dream for the current day Republicans and their Russian/mafia backers

      That all sounds good except for ignoring the historical data, which shows us ballot-stuffing, harvesting, and stealing primaries have traditionally been the domain of Democrats.

  • by aberglas ( 991072 ) on Tuesday August 27, 2019 @03:07AM (#59128532)

    Terribly sorry, but your name is on the list that was ransom-wared. But try again next election.

  • by xonen ( 774419 ) on Tuesday August 27, 2019 @03:25AM (#59128542) Journal

    In old Greece, elections were held by putting a stone in a jar corresponding to your favorite person. These days, we got pencil and paper.

    Then, someone suggested to vote by computer because it was 'faster and easier'. Now we waste a lot of effort trying to secure something. Lesson: more complex is not always better. Vote with pencil and paper and a lot of issues disappear. It's magic!

    • . Vote with pencil and paper and a lot of issues disappear. It's magic!

      Sure, and then all Russia has to do is deploy teams of small paper-crumpling children to each polling place.

  • by Peter Simpson ( 112887 ) on Tuesday August 27, 2019 @07:31AM (#59128858)
    Unaffected by ransomware. Can be counted by hand. You're welcome. No charge.
    • by mark-t ( 151149 )
      It's my understanding that the problem isn't with the vote counts, but rather the pushing of hearsay and falsified information as factual which is intended to bias the reader to registered voters in the months leading up to the election. The method may not singlehandedly win the election one way or the other, but it sure as hell can still affect the outcome, particularly if the race is already otherwise a close one.
  • by Livius ( 318358 ) on Tuesday August 27, 2019 @08:06AM (#59128906)

    There are a lot of people who would do absolutely anything to prevent the true outcome of an election being known, temporarily if not permanently.

    Criminals who are merely in it for money are not even close to the top of the list.

  • When companies hire lawyers, do they make sure they have passed the bar? When companies hire accountants do they make sure they are certified? Why the hell don't they hire IT staff that know what the hell they're doing?
    • Certifications rarely mean somebody is a professional and can do the work. In my 20 years of IT, I have run into so many paper champions that can pass a test but when they actually have to do the work in the real world, fail miserably. Hiring in IT tends to be very tribal and is often more about who you know than what you know. Hell, think of the shitty lawyers out there that have passed the bar exam and the shitty realtors that have passed the real estate licensing exam. If you really want to, say hire a c
      • I agree, but that's a problem with certifications in the IT industry. I'm not saying they should hire certified IT workers; I don't have any certifications either. I'm just saying they should seek out ones who know what they are doing. If the person doing the interview isn't up to the job then get someone who can.
        • It's an age old problem of hiring anybody in any industry. How do you really see past what they put on paper? One thing some companies do is contract to hire to let them evaluate the competence of somebody but that is often more expensive than hiring them outright; even then the person's real colors could show later on down the line.
          • How do you really see past what they put on paper?

            Easy, you interview them. Even in a telephone interview it is very easy to tell if they are talking off the top of their head or if they are looking up answers. You keep them off balance and the flaws come out. Are they giving quick answers? Are they elaborating? Do they know so much they go on until you have to stop them?

            Proper job interviews aren't rocket science. You just need someone who knows the material and another person who knows people, or a person that knows both.

  • by DaMattster ( 977781 ) on Tuesday August 27, 2019 @08:47AM (#59128994)
    Since they're afraid, it shows that they're most likely wholly unprepared and suffer from a lack of competency in the first place.
    • by zm ( 257549 )

      They aren't afraid.. they just want to keep the plebs sufficiently afraid.

  • Funny how 4-5 years ago, it was only a small number of "tech-minded" people concerned about election security.

    Come 2016's election, and we get:

    Trump: If I lose it's due to hacks! Waahhh!!!
    Most Everyone: Haha stupid sore loser fat orange baby Drumpf the election can't get hacked!
    Trump wins election.
    Most Everyone: OUR ELECTION WAS / IS / WILL BE HACKED OUR ELECTION WAS / IS / WILL BE HACKED OUR ELECTION WAS / IS / WILL BE HACKED OUR ELECTION WAS / IS / WILL BE HACKED OUR ELECTION WAS / IS / WILL BE

  • Sounds like WORM [wikipedia.org] would have been a good start.

    Serendipity the latest Humble Book Bundle is I.T. Security. [humblebundle.com] How about that?

  • Voter ID + paper ballots = mostly secure elections. Then your only attack vectors are social engineering as practiced on the scale of Google and good old ballot stuffing. The latter of which can be eliminated with sufficient amounts of anti-tamper tape and cameras.

  • and if the vote is lost??? then what congress picks the winner? It comes down to the us supreme court?

  • biz/gov could reduce the attack vector if they got rid of html email. Go back to plain old text. Clicking on links is catnip for most people and they just cannot resist. Make it harder and maybe they'll not be fooled into falling for the bait. And for most employees get rid of their browser. If they need access to the internet, sure, but browsing cat videos or /. is not part of the job.
  • This is potentially worse than you think. If they lock up vote totals for ransom, even if paid and unlocked, the votes are now queered and untrustworthy. Who knows what their code did to it while locking?

    Worse still, if they gain enough access to encrypt, better still to sit quietly and change the results than lock for ransom, if that is their goal.

  • That's a nice election you got there. Be a terrible shame if something happened to it.

    Remember 2016? You're too late.

    (Or maybe you feel that way about 2008, 2000, or various other years.)

  • Moscow Mitch won't let this happen.
