Voting equipment maker sold systems with remote-access software

A major U.S. voting machine manufacturer revealed that it installed remote-access software on some election management systems that it sold in the early 2000s, according to a letter released by a Democratic senator on Tuesday.

Sen. Ron Wyden’s (D-Ore.) office released an April 5 letter from Election Systems & Software (ES&S) making the disclosure amid sustained scrutiny over the security of U.S. election systems following Russian interference in the 2016 presidential election.

In the letter to Wyden, first reported by Motherboard and obtained by The Hill, ES&S said it “provided pcAnywhere remote connection software on the [election management system] workstation to a small number of customers between 2000 and 2006.” The software was installed on voting management systems, ES&S said, to help with troubleshooting. 

State and local election officials use these management systems to administer elections. In some cases, they hold software used to program digital voting machines. The systems are also used to tabulate final results of the voting process. 

The company said it discontinued the use of the software in 2007, after the U.S. Election Assistance Commission issued new guidelines requiring that voting management systems not be connected to an outside network. The commission — an independent body established by Congress — tests and certifies voting equipment for use by state election officials.

ES&S also insisted in the letter that remote access software was never installed on any actual vote-tallying devices. 

Wyden wrote to the company earlier this year asking if it sold products with remote-access software, after The New York Times reported that such software had been discovered on an election management computer system used by a county in Pennsylvania. The senator warned at the time that the presence of the software could render the system vulnerable to hackers.

“The default installation or subsequent use of remote-access software on sensitive election systems runs contrary to cybersecurity best practices and needlessly exposes our election infrastructure to cyberattacks,” Wyden wrote in March.

In its response, the company described the security of elections infrastructure as being of “paramount importance to our democracy.” The company also stressed that the software was only installed and used with the customer’s approval and that it was “prescribed only after all other troubleshooting efforts were exhausted.”

“Remote connection software was used solely to enable effective and timely customer support and was considered an accepted practice by numerous technology companies, including other voting system manufacturers,” the letter stated.

“This remote connection support model was never used, nor was it ever possible to be used, on any voting devices (tabulators and/or ballot marking devices), as voting devices do not contain the required operating system or remote connection software necessary to enable a remote connection,” it stated. 

U.S. intelligence officials judged last year that Russian hackers targeted election systems in 21 states as part of a broader effort to interfere in the election. In a small number of cases the hackers successfully penetrated systems — such as a voter registration database in Illinois.

Officials maintain that none of the systems targeted were involved in actual vote tallying. Indeed, security experts agree that voting machines are much more difficult to hack into than other digital systems, because they are often stored in secure facilities and not connected to the internet. 

Nevertheless, the revelations have spurred broader fears about the possibility that foreign actors could look to interfere in future elections.

On Friday, special counsel Robert Mueller indicted 12 Russian intelligence officers for allegedly waging cyberattacks against the Democratic National Committee and infrastructure used to administer elections, including by sending spearphishing emails to a voting equipment vendor. The company was not named in the indictment, but reports suggest it could be VR Systems, a Florida-based company.