9 May 2020

What to make of HBO’s ‘Kill Chain: The Cyber War on America’s Elections’

Abel Morales
With the election now only months away, officials are desperately trying to find solutions to protect the integrity of our election systems. The big question that remains is, “Will it work?”

Kill Chain: The Cyber War on America’s Elections is a new HBO documentary that takes viewers through a journey to discover the weaknesses of today’s election technology. Being a security engineer, it is my job to help analyze some of the techniques that hackers are using in order to better protect the organizations I serve. I decided to watch Kill Chain to understand the minds of the adversaries who are conducting the attacks on our election system. Below are my takeaways from the film.

Hacking an election can take three days - or less

In the documentary, one of the hackers at DEF CON successfully took over a voting machine and forced the system to shut down. The hacker achieved command line access. Within a three-day period, hackers learned from the presenter and found dozens of vulnerabilities.


These were just hackers at a three-day conference limited to the resources they held within the conference center. Nation-state attackers have the time and resources to acquire these machines, identify the vulnerabilities and plan a strategic and coordinated attack to impact an election.

The role white hat hackers can play in election security

The documentary shed light on the role white hat hackers, like the demonstrators at DEF CON, can play in election security. Modern organizations often embrace help from the cybersecurity community. Aside from an internal security team assessing their technologies, companies often have a bug bounty program designed to incentivize white hat hackers to report vulnerabilities in their security systems. Based on the severity of the vulnerability and other parameters, companies and government agencies provide the reporter a reward for their discovery.

The benefits of these programs include a large talent pool, access to different expertise, and faster discovery of vulnerabilities. Although the reporting is important, firms need to have a service level agreement to remediate the reported vulnerabilities, develop a patch, confirm the vulnerability is remediated within a timely manner, and make the patches available to their consumers.

Given enough time, money and resources, any electronic device can be hacked. The documentary provided an inside look at how white hat hackers, just as they can discover the vulnerabilities, can be employed to fix some of the election security issues.

Key takeaways on what needs to change

Governments need to take a lesson from the private sector. Vendors are now incorporating cybersecurity at the forefront of their development process. Information technology and development are intertwined with cybersecurity more than ever as consumers expect to use safe and secure platforms. Election systems should be no different.

Although voting machines should not be connected to the internet, Kevin Skoglund, a senior technical advisor at the election security advocacy group National Election Defense Coalition, recently found 35 voting machines connected to the internet. Voting machines using old or outdated technology and software were highly vulnerable to exploitation.

Equally terrifying is a supply chain attack. Interos recently reported the following on the 35 voting machines:

- 20% of the machine’s components came from China-based companies. The components include:
  - Control boards
  - AI processors
  - Infrastructure software
  - Touchscreens
- 56% of suppliers within the first three tiers had at least one location in China
- 14% of suppliers within the first three tiers had at least one location in Russia
- 59% of companies within the first three tiers of the machine’s supply chain had locations in China, Russia, or China and Russia

State and government officials need a comprehensive and independent security assessment of the vendor and their technologies. In the private sector, similar vulnerable systems would not be allowed to be plugged into the enterprise network, as it exposes a risk. Government officials need to hold vendors accountable for not addressing vulnerabilities within the software, hardware, and the entire supply chain.

Are we at war with election security vulnerabilities?

The documentary makes an extremely strong case about election security concerns. Unfortunately, the government is not moving fast enough to address the various issues that exist with the technology and vendors that support the voting process. The entire country needs to be equipped to address the supply chain issues and ensure vulnerabilities are patched in a timely manner. Any successful interference from a third party that compromises the integrity of our electoral process undermines our democracy.

Documentaries such as Kill Chain act as an educational tool for security researchers, political leaders and American citizens on the severity of election security threats. The more we understand these dangers, the better position we are in to prevent an attack on our nation’s most sacred practice of democracy.

Abel Morales is a security engineer at Exabeam
