The Nation’s Top Voting Machine maker has Admitted in a Letter to a Federal Lawmaker that the Company Installed Remote-Access Software on Election Management Systems it Sold over a period of Six Years, raising Questions about the Security of those Systems and the Integrity of Elections that were conducted with them.

In a Letter sent to Sen. Ron Wyden (D-OR) in April, Election Systems and Software (ES&S) acknowledged that it had “provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006,” which was installed on the Election-Management System ES&S sold them.

The Statement contradicts what the Company told Fact Checkers in February.

At that time, a Spokesperson said ES&S had Never Installed pcAnywhere on any Election System it Sold. “None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software,” the Spokesperson said.

The Company told Wyden it Stopped installing pcAnywhere on Systems in December 2007, after the Election Assistance Commission (EAC), which oversees the Federal Testing and Certification of Election Systems used in the U.S., released New Voting System Standards. Those Standards required that any Election System submitted for Federal Testing and Certification thereafter could contain only Software essential for Voting and Tabulation. Although the Standards only went into effect in 2007, they were created in 2005, in a very Public Process during which the Security of Voting Machines was being discussed frequently in Newspapers and on Capitol Hill.

Software like pcAnywhere is used by System Administrators to Access and Control Systems from a Remote Location to conduct Maintenance or Upgrade or Alter Software. But Election-Management Systems and Voting Machines are supposed to be Air-Gapped for Security Reasons, that is, Disconnected from the Internet and from any other Systems that are Connected to the Internet. ES&S Customers who had pcAnywhere Installed also had Modems on their Election Management Systems so ES&S Technicians could Dial into the Systems and use the Software to Troubleshoot, thereby Creating a potential Port of Entry for Hackers as well.

In May 2006 in Allegheny County, Pennsylvania, ES&S Technicians used the pcAnywhere Software installed on that County's Election-Management System for Hours trying to Reconcile Vote Discrepancies in a Local Election, according to a Report filed at the time. And in a Contract with Michigan, which covered 2006 to 2009, ES&S discussed its use of pcAnywhere and Modems for this purpose. "In some cases, the Technical Support representative accesses the customer’s system through PCAnywhere—off-the-shelf software which allows immediate access to the customer’s data and network system from a remote location—to gain insight into the issue and offer precise solutions," ES&S wrote in a June 2007 Addendum to the Contract. "ES&S technicians can use PCAnywhere to view a client computer, assess the exact situation that caused a software issue and to view data files."

In 2006, the same period when ES&S says it was still Installing pcAnywhere on Election Systems, Hackers stole the Source Code for the pcAnyhere Software, though the Public didn’t learn of this until years later in 2012 when a Hacker posted some of the Source Code Online, forcing Symantec, the Distributor of pcAnywhere, to admit that it had been Stolen Years earlier. Source Code is invaluable to Hackers because it allows them to examine the Code to find Security Flaws they can Exploit. When Symantec admitted to the Theft in 2012, it took the Unprecedented step of Warning Users to Disable or Uninstall the Software until it could make sure that any Security Flaws in the Software had been Patched.

ES&S also said that the Modems it installed on its Election Management Systems for use with pcAnywhere were Configured only to dial Out, not Receive Calls, so that only Election Officials could Initiate Connections with ES&S. But when Wyden's Office asked in a Letter to ES&S in March what Settings were used to Secure the Communications, whether the System used Hard-Coded or Default Passwords and whether ES&S or Anyone Else had Conducted a Security Audit around the Use of pcAnywhere to Ensure that the Communication was done in a Secure Manner, the Company did not Provide Responses to any of these Questions.










NYC Wins When Everyone Can Vote! Michael H. Drucker