| Recurring |
one_organization, multiple_organization |
(a) The software failure incident having happened again at one_organization:
- ES&S, the nation's dominant supplier of election equipment and services, was involved in a security lapse incident in Chicago where data on 1.8 million registered voters was left publicly exposed on an Amazon cloud server [76779].
- ES&S faced criticism for skimping on security in favor of convenience, making it more difficult to detect intrusions [76779].
- ES&S was found to have left encrypted passwords for employee accounts exposed in the data cache, which could have led to a complete compromise if exploited by a sophisticated attacker [76779].
- ES&S objected to a new state requirement for vulnerability testing in Colorado in 2014, indicating resistance to security measures [76779].
- ES&S technology stumbled during primary elections in Los Angeles County and Kansas due to programming errors and insufficient pre-election testing [76779].
- ES&S sells vote-tabulation systems equipped with cellular modems, a feature that experts say could be exploited by hackers to tamper with vote counts [76779].
- California found vulnerabilities in ES&S's Electionware system that could allow an intruder to erase all recorded votes at the close of voting [76779].
(b) The software failure incident having happened again at multiple_organization:
- Dominion Voting Systems and Hart InterCivic, along with ES&S, face criticism for skimping on security in favor of convenience, making it more difficult to detect intrusions [76779].
- Academic computer scientists have found many voting systems in use today across the U.S. to be prone to security problems, indicating a broader issue across multiple organizations [76779].
- Dominion's Democracy Suite was found to have multiple critical vulnerabilities in 2014, highlighting security concerns with another major vendor in the industry [76779].
- Startups in the election equipment industry face barriers to entry due to the dominance of major players like ES&S, who guard proprietary technologies and litigate against competitors, indicating a lack of competition and innovation in the industry [76779].
- States have varying levels of oversight over election vendors, with some like California, New York, and Colorado keeping a close eye on the vendors, while others have cozier relationships with them, suggesting a lack of consistent oversight across multiple organizations [76779]. |
| Phase (Design/Operation) |
design, operation |
(a) The article highlights instances where software failures occurred due to design flaws introduced during system development or updates. For example, in the primary elections, ES&S technology stumbled in Los Angeles County, where over 118,000 names were left off printed voter rolls due to sloppy system integration by an ES&S subsidiary during a database merge [76779]. Additionally, the article mentions that California found chronic problems with popular voting systems, including vulnerabilities in ES&S's Electionware system that could allow intruders to erase all recorded votes at the close of voting, indicating design flaws in the software [76779].
(b) The article also discusses software failures resulting from operational issues or misuse of the system. In Kansas' most populous county, a different type of error in newly installed ES&S systems caused a 13-hour delay in the vote count as data uploading from thumb drives was slow, indicating operational challenges [76779]. Furthermore, the article mentions that voting equipment vendors have not seemed security-conscious in any phase of their design, which could lead to vulnerabilities during system operation [76779]. |
| Boundary (Internal/External) |
within_system, outside_system |
(a) within_system: The software failure incident related to the exposure of data on Chicago's 1.8 million registered voters was primarily due to contributing factors that originated from within the system. The incident occurred because a private contractor left the data publicly exposed on an Amazon cloud server [76779]. Additionally, the incident involved encrypted passwords for ES&S employee accounts being included in the exposed data cache, which could have potentially led to a compromise if exploited by a sophisticated attacker [76779].
(b) outside_system: The software failure incident also had contributing factors that originated from outside the system. For example, the incident highlighted the lack of significant federal oversight and operational secrecy surrounding the companies responsible for election equipment and services, which operate as front-line guardians of U.S. election security [76779]. Additionally, the incident raised concerns about potential external threats such as hackers downloading the exposed data or infiltrating company systems using the compromised passwords [76779]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident occurring due to non-human actions:
The software failure incident in the article was primarily due to a security lapse where a private contractor left data on Chicago's registered voters publicly exposed on an Amazon cloud server. This exposure of sensitive data, including addresses, birth dates, and partial Social Security numbers, was a result of the data being left unprotected on the cloud server, indicating a failure introduced without direct human participation [76779].
(b) The software failure incident occurring due to human actions:
Human actions also played a significant role in the software failure incident. The article highlights how the top executives of Election Systems & Software (ES&S) faced scrutiny from the Chicago Board of Elections for what went wrong in the security lapse. Additionally, the article mentions instances of sloppy software development, insufficient pre-election testing, and resistance to vulnerability testing by independent hackers, all of which are human actions contributing to the software failure incident [76779]. |
| Dimension (Hardware/Software) |
software |
(a) The articles do not provide information about a software failure incident occurring due to contributing factors that originate in hardware.
(b) The software failure incident reported in the articles is related to software vulnerabilities and security lapses in election systems. The incident involved a private contractor leaving data on Chicago's registered voters exposed on an Amazon cloud server, including sensitive information like addresses, birth dates, and partial Social Security numbers [76779]. The incident highlighted the lack of security measures in place by the dominant election equipment and services supplier, Election Systems & Software (ES&S), and other major vendors like Dominion Voting Systems and Hart InterCivic. The articles discuss how the industry has long skimped on security in favor of convenience, making it difficult to detect intrusions, and how the vendors have faced criticism for resisting vulnerability testing and not being transparent about their security measures [76779]. Additionally, the articles mention instances of sloppy software development by ES&S, leading to errors in voter rolls and delays in vote counting during primary elections [76779]. These incidents point to software failures originating from security vulnerabilities and inadequate testing processes within the election technology industry. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident reported in the articles is related to a malicious objective. The incident involved a security lapse where a private contractor left data on Chicago's 1.8 million registered voters publicly exposed on an Amazon cloud server. The exposed data included sensitive information like addresses, birth dates, and partial Social Security numbers [76779].
Additionally, the exposed data cache included encrypted passwords for ES&S employee accounts, which, if exploited by a sophisticated attacker, could lead to a complete compromise of the company's systems [76779].
Furthermore, the incident highlighted the lack of adequate security measures in the election equipment and services provided by companies like ES&S, Dominion Voting Systems, and Hart InterCivic. These companies have been criticized for skimping on security in favor of convenience, making it difficult to detect intrusions like the one that occurred in Russia's 2016 election meddling [76779].
(b) The software failure incident cannot be categorized as non-malicious as it involved a significant security lapse that exposed sensitive voter information and encrypted passwords, indicating a malicious intent to harm the system. |
| Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
(a) The software failure incident reported in the articles can be attributed to poor decisions made by the election equipment and services companies, such as ES&S, Dominion Voting Systems, and Hart InterCivic. These companies have been criticized for skimping on security in favor of convenience, leading to vulnerabilities in the systems used for elections [76779].
(b) The incident also highlights accidental decisions or mistakes made by the companies in terms of inadequate security measures and sloppy software development. For example, ES&S faced issues during primary elections where names were left off printed voter rolls due to sloppy system integration, and errors in newly installed systems caused delays in the vote count [76779]. |
| Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The articles provide information related to software failure incidents due to development incompetence. For example, in the primary elections, ES&S technology stumbled in Los Angeles County, where more than 118,000 names were left off printed voter rolls due to sloppy system integration by an ES&S subsidiary during a database merge [76779]. Additionally, the incidents in Kansas' most populous county revealed mediocre programming and insufficient pre-election testing by ES&S, causing a 13-hour delay in the vote count as data uploading from thumb drives crawled [76779].
(b) The articles also mention software failure incidents that occurred accidentally. For instance, the articles discuss how during the primary elections, ES&S technology faced issues in Los Angeles County and Kansas due to errors and delays that were not intentional but rather accidental due to system integration problems and insufficient pre-election testing [76779]. |
| Duration |
permanent, temporary |
The software failure incident discussed in the articles can be categorized as both temporary and permanent:
(a) Permanent: The software failure incident involving the private contractor leaving data on Chicago's 1.8 million registered voters exposed on an Amazon cloud server for months can be considered a permanent failure due to contributing factors introduced by all circumstances ([76779]).
(b) Temporary: The software failure incident where ES&S technology stumbled during the primary elections in Los Angeles County and Kansas, resulting in errors and delays, can be seen as a temporary failure due to contributing factors introduced by certain circumstances but not all ([76779]). |
| Behaviour |
omission, other |
(a) crash: The incident in Article 76779 did not specifically mention a system crash where the system loses state and does not perform any of its intended functions.
(b) omission: The incident in Article 76779 did involve failures related to omission. For example, in Los Angeles County, more than 118,000 names were left off printed voter rolls due to sloppy system integration by an ES&S subsidiary during a database merge [76779].
(c) timing: The incident in Article 76779 did not specifically mention failures related to timing, where the system performs its intended functions correctly but too late or too early.
(d) value: The incident in Article 76779 did not specifically mention failures related to value, where the system performs its intended functions incorrectly.
(e) byzantine: The incident in Article 76779 did not specifically mention failures related to a byzantine behavior, where the system behaves erroneously with inconsistent responses and interactions.
(f) other: The incident in Article 76779 highlighted failures related to sloppy software development, vulnerabilities, security lapses, and resistance to vulnerability testing by independent hackers, among other issues. These aspects could be considered as other behaviors contributing to the software failure incident [76779]. |