> “There’s nothing connected to the firewall that is exposed to the internet,” Gary Weber, vice president of software development and engineering for ES&S, told Motherboard. “Our [election-management system] is not pingable or addressable from the public internet.” This makes them invisible to bad actors or unauthorized users, he said.
> But Skoglund said this “misrepresents the facts.” Anyone who finds the firewall online also finds the election-management system connected to it.
> “It is not air-gapped. The EMS is connected to the internet but is behind a firewall,” Skoglund said. “The firewall configuration [that determines what can go in and out of the firewall]… is the only thing that segments the EMS from the internet.”
I mean, it may very well be that the firewall setup is secure (at least in theory). But to insist that it represents an air-gapped system, as if "air-gapped" was just a marketing buzzword with no actual meaning, is a whole other level of incompetence.
(of course, the quoted VP may actually be maliciously deceptive, but I'd argue that for all intents and purposes, the difference between malice and gross ignorance is relatively negligible when it comes down to the county official enduser)
The VP is speaking in layman’s terms to bolster the image of his company.
Even though the researchers are not allowed to probe beyond the firewall, others will not be subject to these constraints.
The federal govmt needs to step in to protect these systems as a matter of national security. Require the vendor to undergo third party security audits and not allow its use unless vulnerabilities are mitigated.