This weekend’s news that Georgia’s voter registration system has been likened to “an open bank safe door” paints a bleak picture of the state of election security as we enter the midterm’s final day. According to Who.What.Why.:
“A series of security vulnerabilities have been discovered that would allow even a low-skilled hacker to compromise Georgia’s voter registration system and, in turn, the election itself. It is not known how long these vulnerabilities have been in place or whether they have already been exploited.”
The fact that five security professionals took a trivial amount of time to identify that the “My Vote Page” system within Georgia’s voting infrastructure was vulnerable is only part of the issue.
The most troubling issue from my standpoint is exactly what Kris Constable, who runs a privacy law and data security consulting firm, told WhoWhatWhy — that “Instead of holding the custodian of the data responsible for not protecting it, the people who find the flaw are attacked.”
With the millions of unfilled cybersecurity jobs and the push towards automation, it’s no surprise that voting systems are vulnerable. The growth of crowdsourced security and its adoption across the government demonstrates that there is hope for building a highly-skilled army to defend against the potential adversaries who try to leverage vulnerabilities.
Outside of a few bright spots, Federal, State and Local governments need to improve their cybersecurity efforts. But without a plan in place, today’s news from Georgia is a grim reminder that, collectively, we are not taking this threat seriously enough.
Georgia’s laissez faire approach to cybersecurity is alarming, but not unexpected, from a state which voted for laws that would have criminalized routine security research. It was only a Governor’s veto that prevented these laws from passing — which would have stopped the exact work needed to secure these systems.
Outrage in this matter is fair, and necessary. Only through making our voices heard will we affect change. Election hacking impacts all of us — we all need to be vigilant, and we all need to be proactive.
It’s your right and duty to ask about security, whether you’re asking your smart watch vendor, your internet provider, or your government.
Our votes count – we only get one.