Podcast Episode 120: They Email Ballots, Don’t They?




The Security Ledger Podcasts show

Summary:

In this week’s episode (#120): more than 100,000 U.S. voters submitted their ballots via email in the last presidential election, in 2016. Despite that, hardly any attention has been paid to the security of email and online voting systems used by 32 states. Also: anxiety about hacking of the midterm elections put the spotlight on state IT systems, particularly Secretary of State offices. But what is the state of state security? We’ll speak with Srini Subramanian of Deloitte about that company’s latest survey of State CISOs!

Vote by email? What a great idea!

It might be the election insecurity scandal you never heard of. In 2016, more than 100,000 voters across the globe, many of them U.S. service members, voted in federal, state and local elections by email or using an online voting portal.

If emailing a ballot to a random address sounds like a sketchy way to vote, that’s because it is. Online voting options in 32 states have been subject to hardly any scrutiny by computer security experts or regulators, despite warnings about the inherent risks of such systems.

See also: <a href="https://securityledger.com/2018/08/as-election-threats-mount-voting-machine-hacks-distraction/" target="_blank" rel="noreferrer noopener">As Election Threats Mount, Voting Machine Hacks are a Distraction</a>

Jeremy Epstein, Association for Computing Machinery

In our first segment of the podcast, we’re joined by Jeremy Epstein of the Association for Computing Machinery (or ACM), co-author of a recent report: <a href="https://www.commoncause.org/wp-content/uploads/2018/10/ElectionSecurityReport.pdf">Email and Internet Voting: The Overlooked Threat to Election Security</a>.

The report, produced by ACM, Common Cause, R Street and the National Election Defense Coalition, advises states that offer vote-by-email or online voting options to abandon them pending “a major technological breakthrough or fundamental change to the nature of the Internet.”

The report also recommends a number of stop-gap security measures that can help limit the risk of voting by email, advice that Epstein likened to advising would-be drunk drivers to refrain from driving “really drunk.”

“This is pervasive and a lot of it is quite risky,” he told me. “The technologies being used are developed in most cases by private companies with no standards. And there’s no certification or validation by any meaningful organization.”

State elections officials and Secretary of State offices often lack the cyber security expertise to push back on vendors and insist on better security. However, even if they did, it might not make a difference: the email system is inherently insecure.

You might also listen to this podcast: <a href="https://securityledger.com/2018/05/467979/" target="_blank" rel="noreferrer noopener">Episode 96: State Elections Officials on Front Line against Russian Hackers</a>

In this interview, Epstein tells us that experiments with email voting go back more than two decades, and that warnings about the security of such systems have gone right along with those experiments. Twenty years later, Epstein said, the fundamental risks haven’t changed, including malware, hacks of email voting systems, phishing and man-in-the-middle attacks.

The State of State Insecurity

The midterm elections <a href="https://securityledger.com/2018/05/467979/">shone the spotlight on the security (and insecurity) of state IT networks</a>,