
Critical U.S. Election Systems Have Been Left Exposed Online Despite Denials - tysone
https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials
======
danso
It seems almost a given that these election software companies will have an
access configuration snafu that leaves them compromised in a way similar to
Capital One or Equifax. But the article makes the case that the software
makers and county officials are confused as to the basic definition of "air
gap" (among other things):

> _“There’s nothing connected to the firewall that is exposed to the
> internet,” Gary Weber, vice president of software development and
> engineering for ES&S, told Motherboard. “Our [election-management system]
> is not pingable or addressable from the public internet.” This makes them
> invisible to bad actors or unauthorized users, he said._

> _But Skoglund said this “misrepresents the facts.” Anyone who finds the
> firewall online also finds the election-management system connected to it._

> _“It is not air-gapped. The EMS is connected to the internet but is behind a
> firewall,” Skoglund said. “The firewall configuration [that determines what
> can go in and out of the firewall]… is the only thing that segments the EMS
> from the internet.”_

I mean, it may very well be that the firewall setup is secure (at least in
theory). But to insist that it represents an air-gapped system, as if
"air-gapped" was just a marketing buzzword with no actual meaning, is a whole other
level of incompetence.

(of course, the quoted VP may actually be maliciously deceptive, but I'd argue
that for all intents and purposes, the difference between malice and gross
ignorance is relatively negligible when it comes down to the county official
end user)

~~~
mikehotel
For context, Kevin Skoglund is “an independent security consultant who
conducted the research with nine others, all of them long-time security
professionals and academics with expertise in election security.”

The VP is speaking in layman’s terms to bolster the image of his company.

Even though the researchers are not allowed to probe beyond the firewall,
others will not be subject to these constraints.

The federal government needs to step in to protect these systems as a matter of
national security. Require the vendor to undergo third-party security audits
and not allow its use unless vulnerabilities are mitigated.

------
mikehotel
Why doesn’t coordinated or responsible disclosure apply to election systems?

> The researchers reported the firewall IP addresses in August 2018 to the
> national Elections Infrastructure Information Sharing and Analysis Center
> (EI-ISAC)—a 24-hour watch center funded by the Department of Homeland
> Security and operated by the Center for Internet Security, a nonprofit
> established to develop and promote best practices in cybersecurity. The
> EI-ISAC provides election officials with security threat information and
> warnings, and told the researchers they would pass the information to where
> it needed to go, but the researchers never got any follow-up from the
> EI-ISAC.

> A spokesperson for the group would not tell Motherboard if the information
> was disseminated to the affected counties, but the researchers did see some
> county systems disappear from the internet. The Department of Homeland
> Security, which has been working with states and counties since 2016 to
> secure their election infrastructures, also declined to speak with
> Motherboard about the researchers’ findings.

------
jpgrace
I can't believe this isn't getting more attention! Aren't the leaked NSA tools
from 2017 designed to attack these exact Cisco firewalls?

------
lunias
Don't worry, they've got a firewall so hot that no hackers can get close
enough to hack it.

