Published Date: 2018-02-21
| Postmortem Analysis | |
|---|---|
| Timeline | 1. The software failure incident mentioned in Article 67900 happened in November 2010 [67900]. 2. The software failure incident mentioned in Article 75688 happened in August 2018 [75688]. 3. The software failure incident mentioned in Article 83511 happened in 2016 [83511]. |
| System | 1. Election Systems & Software (ES&S) voting machines [67900, 75688, 83511] 2. M650 electronic ballot scanner [75688] 3. AccuVote TSx system [75688] 4. Ballot-marking devices (BMD) [83511] |
| Responsible Organization | 1. Election Systems & Software (ES&S) [67900, 75688, 83511] |
| Impacted Organization | 1. Voters in Pennsylvania's Venango County [67900] 2. US national security [75688] 3. American democracy and election integrity [83511] |
| Software Causes | 1. Remote-access software installed on election-management computers, making the systems vulnerable to hackers [67900] 2. Cybersecurity flaws in voting hardware, allowing for remote hacking of voting machines [75688] 3. Vulnerabilities in outdated voting machines that have been repeatedly shown to be hackable, leading to concerns over the integrity of the voting process [83511] |
| Non-software Causes | 1. Lack of proper security measures in election systems, such as the presence of remote-access software on election-management computers, making the systems vulnerable to hacking [67900]. 2. Design flaws in voting hardware, such as the M650 electronic ballot scanner and the AccuVote TSx smart card reader, which were reported over a decade ago and still exist in the machines [75688]. 3. Concerns with the integrity of the paper trail created by ballot-marking devices, including issues with the shared paper path in hybrid systems and the potential for voters not to review their ballots, leading to undetected changes in votes [83511]. |
| Impacts | 1. The software failure incident in Venango County, Pennsylvania, where remote-access software was found on the election-management computer, exposed vulnerabilities in the election system, making it susceptible to hacking [67900]. 2. The software failure incident at the Def Con hacking conference revealed major flaws in voting hardware, particularly in the M650 electronic ballot scanner used in 23 US states, which could be remotely hacked, potentially impacting election outcomes [75688]. 3. The design flaws and vulnerabilities in voting machines used across America, as highlighted in the article discussing the lack of auditable votes and meaningful paper trails, have raised serious concerns about the integrity and security of the election process [83511]. |
| Preventions | 1. Implementing robust security measures such as air-gapping election systems from the internet to prevent remote access by unauthorized individuals [67900]. 2. Conducting thorough security assessments and audits of voting machines to identify and address vulnerabilities before they can be exploited by hackers [75688]. 3. Ensuring voting machines have proper authentication mechanisms during software installation to prevent unauthorized modifications [83511]. |
| Fixes | 1. Implementing ballot-marking devices (BMD) with a paper trail that allows for auditing of election results [Article 83511]. 2. Conducting thorough research on the usability and effectiveness of voting systems, particularly BMDs, before widespread implementation [Article 83511]. 3. Addressing potential vulnerabilities in BMDs, such as the ability to autofill races or the lack of voter verification, to ensure the integrity of the voting process [Article 83511]. 4. Enhancing security measures in voting machines, including ensuring that the machines are not vulnerable to hacking, errors, or breakdowns [Article 83511]. 5. Implementing resilient systems that can monitor, detect, respond, and recover from any event, whether it is a bug or malicious interference [Article 83511]. |
| References | 1. Def Con hacking conference organizers [Article 75688] 2. Election Systems & Software (ES&S) [Article 67900, Article 75688, Article 83511] 3. Computer science experts and professors (e.g., David A. Eckhardt, Andrew Appel, J. Alex Halderman, Ron Rivest) [Article 67900, Article 83511] 4. Verified Voting organization [Article 83511] 5. National Election Defense Coalition [Article 67900] 6. US Senators [Article 75688] 7. Security experts and analysts [Article 75688, Article 83511] 8. Voting machine vendors [Article 83511] 9. Various election officials and departments (e.g., Michigan Department of State, New York state board of elections) [Article 67900, Article 83511] 10. Various states and counties across the United States [Article 83511] |
| Category | Option | Rationale |
|---|---|---|
| Recurring | one_organization, multiple_organization | (a) In the articles, it is mentioned that Election Systems & Software (ES&S) has been involved in software failure incidents related to vulnerabilities in voting machines. ES&S voting machines have been found to have serious security flaws and vulnerabilities that could potentially be exploited by hackers [Article 67900]. The M650 electronic ballot scanner, used in 23 US states and manufactured by ES&S, was found to have a cybersecurity flaw that was reported over a decade ago [Article 75688]. Additionally, ES&S has faced criticism for dismissing hacker demonstrations and concerns raised about the security of their voting machines [Article 75688]. (b) The articles also highlight that vulnerabilities and flaws in voting equipment are not limited to a single organization. Various voting machines from different manufacturers, including Dominion and ES&S, have been found to have severe vulnerabilities that could be exploited by hackers [Article 75688]. The report from the Def Con hacking conference mentioned in Article 75688 outlines major flaws in voting hardware used in the US, indicating that the issue of software failure incidents extends beyond a single organization. |
| Phase (Design/Operation) | design, operation | (a) In the articles, there are instances of software failure incidents related to the design phase: 1. The incident in Venango County, Pennsylvania, highlighted a design flaw in the voting machines made by Election Systems & Software (ES&S). The presence of remote-access software on the election-management computer made the system vulnerable to hackers, indicating a flaw in the initial design of the system [67900]. 2. The Def Con hacking conference revealed major flaws in voting hardware, including the M650 electronic ballot scanner used in 23 US states, which had a cybersecurity flaw reported over a decade ago. This flaw points to a design issue that was not addressed over time [75688]. (b) The articles also mention software failure incidents related to the operation phase: 1. The Def Con conference found vulnerabilities in the AccuVote TSx system used by 18 US states, where the smart card reader for casting votes could be easily disconnected to disrupt the election process. This vulnerability is related to the operation or misuse of the system during the voting process [75688]. 2. Concerns were raised about the integrity of the paper trail created by the new ballot-marking devices (BMDs) during the operation phase. Issues such as voters not verifying their ballots or the potential for undetected changes in the machine's operation could impact the accuracy of election results [83511]. |
| Boundary (Internal/External) | within_system, outside_system | (a) within_system: The software failure incident related to the vulnerability of voting machines and election systems to hacking and manipulation can be categorized as within_system. The articles highlight how the voting machines themselves, particularly the electronic voting machines and election-management systems, have inherent vulnerabilities that can be exploited by hackers. For example, the presence of remote-access software on election-management computers [67900], flaws in voting hardware and equipment [75688], and the use of outdated machines that lack auditability and verification [83511] all point to issues originating from within the system. (b) outside_system: On the other hand, the articles also discuss contributing factors that originate from outside the system, such as the potential for attacks by foreign intelligence operatives [75688], the lack of a national security standard for voting machines [75688], and the broader context of fear and suspicion over attacks on America's voting system [83511]. These external factors pose additional risks to the security and integrity of the voting systems, highlighting the importance of considering threats beyond the immediate system vulnerabilities. |
| Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - The incident in Venango County, Pennsylvania, involved a voting system where remote-access software was installed on the election-management computer, making the system vulnerable to hackers. The software was used by an authorized county contractor working from home, allowing potential access and control of the election system [67900]. - The Def Con hacking conference revealed major flaws in voting hardware, including the M650 electronic ballot scanner used in 23 US states, which had a cybersecurity flaw reported over a decade ago. The vulnerabilities found in voting equipment were described as "staggering" and posed serious risks to national security [75688]. (b) The software failure incident occurring due to human actions: - The article highlights concerns with the integrity of the paper trail created by ballot-marking devices (BMDs) due to human behavior factors. Issues include voters not verifying the printed ballots, potential autofilling of races, and the "permission to cheat" feature where voters can opt not to review their ballots, leading to uncertainty about the accuracy of the votes counted [83511]. |
| Dimension (Hardware/Software) | software | (a) The software failure incident occurring due to hardware: - The articles do not provide specific information about a software failure incident occurring due to contributing factors originating in hardware. (b) The software failure incident occurring due to software: - The articles discuss software failure incidents related to vulnerabilities in voting machines and election systems that could lead to hacking and manipulation of election results ([67900], [75688], [83511]). - The vulnerabilities in the voting hardware, such as the M650 electronic ballot scanner and the AccuVote TSx, were reported to be due to software flaws that could be remotely hacked ([75688]). - The use of remote-access software on election-management computers and of modems in voting machines was highlighted as a serious security issue that could be exploited by hackers ([67900], [75688], [83511]). - Concerns were raised about the integrity of the paper trail created by new voting machines due to potential software vulnerabilities, such as autofilling races and the lack of verification of printed ballots ([83511]). - The presence of barcodes or QR codes on ballots that represent voter choices, which are scanned and counted by machines, raised concerns about potential software manipulation if the scanners were hacked ([83511]). |
| Objective (Malicious/Non-malicious) | malicious, non-malicious | (a) The articles provide information on malicious software failure incidents where contributing factors were introduced by humans with the intent to harm the system: 1. In Article 67900, it is highlighted that remote-access software was installed on an election-management computer in Venango County, Pennsylvania, making the system vulnerable to hackers. The software was used by an authorized county contractor working from home, but the setup allowed potential unauthorized access to the county's election system [67900]. 2. Article 75688 discusses how hackers at the Def Con conference identified major flaws in voting hardware, including vulnerabilities in voting equipment like the M650 electronic ballot scanner used in 23 US states. The report suggests that hacking such machines could potentially alter election outcomes, indicating a malicious intent to manipulate voting results [75688]. (b) The articles also mention non-malicious software failure incidents where contributing factors were introduced without the intent to harm the system: 1. Article 67900 describes a scenario where remote-access software was installed on election systems for troubleshooting and maintenance purposes, potentially exposing the systems to security risks. The installation of such software may have been done without malicious intent but still posed a security threat [67900]. 2. Article 83511 discusses the vulnerabilities in voting machines used across the US, highlighting flaws in the hardware and software that could compromise election integrity. While the flaws are a result of poor design and implementation, there is no explicit mention of malicious intent behind these vulnerabilities [83511]. |
| Intent (Poor/Accidental Decisions) | poor_decisions, accidental_decisions | (a) poor_decisions: The software failure incident related to the vulnerability of voting machines and election systems in the United States can be attributed to poor decisions made by election officials and voting machine vendors. The incident highlighted how critical election systems were poorly secured and protected against malicious attacks due to decisions such as installing remote-access software and modems on systems that program voting machines and tally final results, making them vulnerable to hacking [67900]. Additionally, the incident revealed that the new generation of voting equipment, including ballot-marking devices (BMD), had flaws and insecurities, with concerns about the integrity of the paper trail they create, indicating a lack of thorough research and potential weaknesses in the new voting technology [83511]. (b) accidental_decisions: The software failure incident also involved accidental decisions or unintended consequences, such as the vulnerabilities found in voting hardware and equipment that were not initially designed with robust security in mind. The flaws in voting machines, including the M650 electronic ballot scanner and the AccuVote TSx system, were discovered during hacking demonstrations at the Def Con conference, indicating unintended vulnerabilities that could pose serious risks to US security [75688]. Additionally, the incident highlighted accidental flaws in the design of the M650 system, which had a cybersecurity flaw reported over a decade ago and a design flaw from 2007, showing unintended consequences of past decisions and lack of proper mitigation over time [75688]. |
| Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident occurring due to development incompetence: - The incident in Venango County, Pennsylvania, revealed a lack of professional competence in the development and implementation of election systems. The presence of remote-access software on the election-management computer, which should have been air-gapped, indicated poor security practices and vulnerabilities introduced due to incompetence [67900]. - The article highlights that voting machines used in the US have been repeatedly shown to be vulnerable to hacking, errors, and breakdowns due to serious security concerns and flaws in the development of the machines [83511]. (b) The software failure incident occurring accidentally: - The incident in Venango County, Pennsylvania, where remote-access software was found on the election-management computer, was being used by an authorized county contractor working from home. This accidental use of the software introduced vulnerabilities and risks to the election system [67900]. - The article mentions that the vulnerabilities and flaws in voting equipment, as uncovered by hackers at the Def Con conference, were accidental in nature, posing serious risks to US security [75688]. |
| Duration | permanent, temporary | (a) The articles discuss software failure incidents that can be considered permanent due to contributing factors introduced by all circumstances. The vulnerabilities and flaws in the voting machines, such as the M650 electronic ballot scanner used in 23 US states [Article 75688], the AccuVote TSx system used by 18 US states [Article 75688], and the ballot-marking devices (BMD) with printers and scanners [Article 83511], highlight systemic issues that make the software failures permanent. These vulnerabilities, including remote hacking capabilities, design flaws, and lack of proper auditing mechanisms, create a long-term risk to the security and integrity of the voting systems. (b) The articles also mention temporary software failure incidents caused by contributing factors introduced by certain circumstances but not all. For example, the incident in Venango County, Pennsylvania, where remote-access software was installed on the election-management computer, making the system vulnerable to hackers [Article 67900], can be seen as a temporary failure due to the specific circumstance of unauthorized access through remote software. Similarly, the flaws identified in voting equipment during the Def Con hacking conference [Article 75688] point to specific vulnerabilities that can be addressed and mitigated to prevent future incidents. |
| Behaviour | omission, value, other | (a) crash: The articles do not specifically mention a software failure incident related to a crash. (b) omission: The articles discuss vulnerabilities in voting machines that could lead to omissions in the voting process. For example, the AccuVote TSx system includes a smart card reader that can be easily disconnected to disrupt the election process [75688]. Additionally, the hybrid voting machines have a feature where voters can opt not to review their ballots, potentially leading to omissions in verifying the printed and counted votes [83511]. (c) timing: The articles do not specifically mention a software failure incident related to timing issues. (d) value: The articles discuss concerns about the integrity of the paper trail created by ballot-marking devices. The hybrid voting machines have a potential issue where if a voter leaves races blank, the machine could autofill those races, leading to incorrect values being recorded without detection [83511]. (e) byzantine: The articles do not specifically mention a software failure incident related to a byzantine behavior. (f) other: The articles highlight various security vulnerabilities in voting machines that could lead to a range of software failure incidents, including potential manipulation of votes, lack of verification, and risks to the integrity of the election process [67900, 75688, 83511]. |
| Layer | Option | Rationale |
|---|---|---|
| Perception | None | None |
| Communication | None | None |
| Application | None | None |
| Category | Option | Rationale |
|---|---|---|
| Consequence | theoretical_consequence, other | (a) death: People lost their lives due to the software failure - There is no mention of people losing their lives due to the software failure in the provided articles. (b) harm: People were physically harmed due to the software failure - There is no mention of people being physically harmed due to the software failure in the provided articles. (c) basic: People's access to food or shelter was impacted because of the software failure - There is no mention of people's access to food or shelter being impacted due to the software failure in the provided articles. (d) property: People's material goods, money, or data was impacted due to the software failure - The articles discuss vulnerabilities in voting machines that could potentially impact the integrity of election results, but there is no specific mention of people's material goods, money, or data being directly impacted. (e) delay: People had to postpone an activity due to the software failure - The articles do not mention people having to postpone an activity due to the software failure. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incidents discussed in the articles primarily focus on vulnerabilities in voting machines and election systems, with potential implications for election outcomes. Non-human entities are not directly mentioned as being impacted. (g) no_consequence: There were no real observed consequences of the software failure - The articles highlight significant vulnerabilities in voting machines and election systems, indicating potential risks to election integrity and security. However, there is no specific mention of real observed consequences resulting from the software failures. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles discuss potential consequences of software failures in voting machines, such as the risk of election manipulation and hacking. These are theoretical consequences that have been highlighted as risks but may not have occurred in a widespread manner. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The articles primarily focus on the potential consequences of software failures in voting machines related to election security and integrity. Other consequences not described in the options include the risk of election manipulation, lack of trust in election systems, and the need for improved security measures to safeguard election processes. |
| Domain | government | (a) The failed system was related to the government industry, specifically the election systems used in the United States for voting purposes. The articles discuss vulnerabilities in voting machines, concerns about election security, and the potential risks of hacking and manipulation in the electoral process [67900, 75688, 83511]. |
Article ID: 67900
Article ID: 75688
Article ID: 83511