Monday, July 23, 2018

Voting-machine maker, with remote-access feature, was involved in Alabama's 2002 governor's race -- where Don Siegelman votes disappeared -- and might have made it easier for Russians to hack 2016 race

ESS office in Birmingham
News broke last week that officials with the nation's largest manufacturer of voting software admitted they produced systems in the 2000s that included a remote-access feature. Now we've found evidence that the company, Omaha-based Election Systems and Software (ESS), was involved in the controversial 2002 Alabama governor's race -- the one where incumbent Democrat Don Siegelman was declared the winner, only to have some of his votes disappear overnight due to a supposed "computer glitch," giving the election to Republican Bob Riley.

The ESS story made headlines because of revelations about Russian officials in indictments that Special Counsel Robert Mueller brought recently. But it has profound implications for Alabama, adding to the already considerable evidence that the 2002 election was stolen. For good measure, the company has an office in Birmingham, in the Oxmoor area.

What does a remote-access feature mean for a voting system? It means someone away from the voting site could interfere with the tabulations -- and they likely would get away with it. U.S. Sen. Ron Wyden (D-OR) received a letter from ESS officials in April, confirming some of their systems allowed for remote access. It did not take Wyden long to realize that was a bad sign for election security.

The Web site broke the ESS story last Tuesday From the story by reporter Kim Zetter:

The nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them.

In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ESS sold them. . . .

ESS is the top voting machine maker in the country, a position it held in the years 2000-2006 when it was installing pcAnywhere on its systems. The company's machines were used statewide in a number of states, and at least 60 percent of ballots cast in the US in 2006 were tabulated on ESS election-management systems. It’s not clear why ESS would have only installed the software on the systems of “a small number of customers” and not all customers, unless other customers objected or had state laws preventing this.

How did Wyden react to news about remote-access on ESS systems? With alarm -- and concern about the company's apparent stonewalling. Writes Zettner:

Wyden told Motherboard that installing remote-access software and modems on election equipment “is the worst decision for security short of leaving ballot boxes on a Moscow street corner. . . .

“ESS needs to stop stonewalling and provide a full, honest accounting of equipment that could be vulnerable to remote attacks,” he told Motherboard. “When a corporation that makes half of America’s voting machines refuses to answer the most basic cyber security questions, you have to ask what it is hiding.”

Don Siegelman
 As Wyden's reference to Moscow indicates, the ESS story has international implications, thanks to the Mueller indictments:

Even if ESS and its customers configured their remote connections to ESS in a secure manner, the recent U.S. indictments against Russian state hackers who tried to interfere in the 2016 presidential elections, show that they targeted companies in the U.S. that make software for the administration of elections. An attacker would only have had to hack ESS and then use its network to slip into a county's election-management system when the two systems made a remote connection.

As for the 2002 Alabama election, ESS's involvement has been a matter of published record for some time. From an article at In These Times, by reporter Bev Harris:

In the Alabama 2002 general election, machines made by Election Systems and Software (ESS) flipped the governor’s race. Six thousand three hundred Baldwin County electronic votes mysteriously disappeared after the polls had closed and everyone had gone home. Democrat Don Siegelman’s victory was handed to Republican Bob Riley, and the recount Siegelman requested was denied. Three months after the election, the vendor shrugged. “Something happened. I don’t have enough intelligence to say exactly what,” said Mark Kelley of ESS.

When I began researching this story in October 2002, the media was reporting that electronic voting machines are fun and speedy, but I looked in vain for articles reporting that they are accurate. I discovered four magic words, “voting machines and glitch,” which, when entered into a search engine, yielded a shocking result: A staggering pile of miscounts was accumulating. These were reported locally but had never been compiled in a single place, so reporters were missing a disturbing pattern.

I published a compendium of 56 documented cases in which voting machines got it wrong.

How do voting-machine makers respond to these reports? With shrugs. They indicate that their miscounts are nothing to be concerned about. One of their favorite phrases is: “It didn’t change the result.”

Except, of course, when it did.

Did a vulnerable system change the result of the Alabama 2002 governor's race? Was Bob Riley ever the legitimate governor of Alabama? Reasonable people have been asking those questions for 15 years or so. The latest reports on ESS provide even more reasons to ask those questions.

No comments: