~By Sujit Bhar
The very objective of the EVM Challenge, organised with much fanfare by the Election Commission of India (ECI) on June 3 was defeated in the restricted atmosphere in which the EVMs were placed, not allowing any physical interception by anybody. The huge tom-tomming of its success by the ECI was a sham, as has been claimed by techies around the country and abroad as well as by many political parties, most of whom didn’t even bother to attend the dud show.
After the ‘show’ Chief Election Commissioner, Nasim Zaidi claimed victory and said EVMs cannot be hacked, a rather non-technical claim that can now sound hollow in the face of new revelations that Russian hackers had actually hacked into the software of US voting systems.
The Guardian newspaper reported on June 6 that “Russian intelligence agents hacked a US voting systems manufacturer in the weeks leading up to last year’s presidential election, according to the website Intercept, citing what it (the website) said was a highly classified National Security Agency (NSA) report”.
The hacking of emails of senior Democrat members, it is seen now, is just the tip of the hacking iceberg. The arrest of a federal contractor has blown the lid off a cyber espionage attack that was probably extraordinary in its breadth and depth.
The newspaper quotes the secret NSA report, saying: “The revelation coincided with the arrest of Reality Leigh Winner, 25, a federal contractor from Augusta, Georgia, who was charged with removing classified material from a government facility and mailing it to a news outlet.”
The method was not very novel, involving a mix of the old time “mole” and modern day cyber techniques. On the one hand “Russian military intelligence carried out a cyber-attack on at least one US voting software supplier” and on the other it “sent spear-phishing emails to more than a hundred local election officials days before the poll.” The newspaper reported that the information was revealed by the techno site Intercept, specialising in national security issues.
Phishing emails are innocuous-looking emails that come with equally innocuous-looking attachments or links, accessing which leads to letting the virus into one’s system. The Trojan-type virus can sit undetected inside a system and transmit relevant data or even change/corrupt existing data.
Patching up with a local performer made the task that much easier, especially with the emails of several top Democratic leaders in the hacker’s basket.
The Guardian says: “The hacking of senior Democrats’ email accounts during the campaign has been well chronicled, but vote-counting was thought to have been unaffected, despite concerted Russian efforts to penetrate it.”
The arrested federal contractor Winner was with Pluribus International Corporation, “assigned to a US government agency facility in Georgia,” the newspaper quotes the website as saying. “She has been employed at the facility since on or about February 13 and held a top-secret clearance during that time… She was a former linguist in the US air force who spoke Farsi, Pashto and Dari.”
By all accounts, if this was the method used, it is a clever amalgamation of regular espionage techniques and cyber crime techniques, none which are really high brow in themselves, though lethal when combined.
Such are the techniques being suggested by many in India in accessing and corrupting/modifying software that is burnt into the chips that are included into the system.
The EVMs are manufactured at one site, and assembled at another, while the chips are manufactured at one site, with the software burnt in and sealed elsewhere. Some of them are out of the country. There are many slips possible within the complex chain and a mole in any link in the chain can switch chips.
The mole remains the common point of reference in both cases, whether Russia in the US, or any interested party in the Indian EVM chain.
Citing these instances, Zaidi’s bold claim that EVMs just cannot be hacked is probably a bit premature and somewhat unverified.