by John Statton
***
Intellectual litter covered the team’s Hall: scribbled wipe boards, almost empty pizza boxes, half-drunk cans of warming soft drinks and beer, yellow stickies, notepads, and pens. Debris accumulated over the last eighteen hours that they had been working on the problem.
Alice Hart leaned back in her chair and zoned out of the going-nowhere conversation. It ping-ponged back and forth between Blair Beretta and Scott. Her eyes played over the goal outlined in red on the wipe board in front of her: Digitally Steal Elections.
The group had been going over all of the hundreds of things involved in successfully pulling this off, and had managed to talk itself into the position that it was impossible.
Suddenly an idea began to glimmer, and Alice’s eyes took on a distant look as she mentally tried running it down.
Mariana noticed Alice's disconnection, and, with knowledge honed over many months of working together, broke off her discussion with Johnny Edwards and took a longer look at Alice. She’d been on the receiving end of Alice's left-field problem insights before, and she was beginning to know the look. About time, she thought, we’re running on fumes, let's hope it's a nice one.
The others in the room gradually took notice of their leader patiently looking at Alice. Blair and Scott’s conversation petered out. Johnny kept his counsel and joined the silence. Only Boris, who had no experience with the team's dynamics, could not keep vigil and blurted out, “What… what's going on?”
It was at that moment Alice broke from her world of thought and rejoined the group. “Hey, I think I may have an idea.” With an almost audible sense of anticipation, the team turned towards their oracle.
“We all understand it’s hard to flat-out steal an election. A result too different from the polls is going to be suspect and leave itself open for challenges. With challenges comes scrutiny. With scrutiny, the detection risk skyrockets.”
She continued, “But, we know there’s an opportunity with the growing use of electronic voting machines. Phasing out paper ballots and the shift to digital voting and tabulation works to our advantage, it’s easier to fix the results. But we can't be too conspicuous in our manipulation.”
“That summarizes the hole we’re in,” said Mariana.
“What about a close race? That's where manipulation could hide under cover of the polling margin of error. I think the answer lies in creating a very competitive election: that way, when our candidate wins, there is legitimacy. How do we influence races to be close?”
“Polls,” said Mariana quietly as if speaking to herself. “We fix the surveys.” Standing and moving to the front of the room, she continued, “Alice, you've done it. We adjust the polling results to create the impression of a close race. There are a limited number of polling firms…”
Blair finished her thought, “…and if their results all line up with each other, the public has no way of knowing the real truth. Polling has become the measure of public opinion. The only check on the accuracy of the polls is the actual election results.”
“That’s it,” said Mariana. “Most people who see an election result defying the polls have to suspect the winning candidate somehow cheated, because what incentive does a pollster have to lie? But if surveys and results align, legitimacy is reinforced.”
Alice piled on, “This will require very subtle polling data manipulation over time, we can't just plug in data too far off past survey population results, or we’re going to have problems with the researchers. Again, this is best used when people expect a close contest; it plays into their expectations.”
“Which is a necessary element in any great con,” said Johnny. “It won't work in districts where there is a significant gap between liberal and conservative, a close race there would be too suspicious. This is perfect for multi-party elections where neck-and-neck races can be more common; it can be used to create close polling, followed by a narrow win for our favored side, enough to tip the balance in a legislature or parliament.”
“I like it,” Mariana said. “Now we get to apply it to the British general election and ensure our candidate wins.”
“Hey, is this for real?” asked Blair. “That’s a pretty big, highly visible target.”
“Sorry about that. Until I thought we had an approach, you didn’t need to know the target. Look, we all know we do edgy things, and if you don’t want to play in this round, you can go on the beach until another assignment opens up. No harm, no foul.” Mariana looked around the room, locking eyes with each in turn. “But, you know me, and I wouldn’t be doing this unless I was one hundred percent sure of its necessity.”
After a drawn-out silence, when no one spoke up, she continued, “OK, you know the drill, our target is a well-defended system, this is going to require a deep dive. Let's talk surveillance and reconnaissance. Scott, you are on network vulnerability assessment. Alice, you start the social engineering options analysis.”
“Sure, you want the usual invasive employee research, financial, medical, education, and family records?” said Alice.
“The more proctology, the better. You are my spear-phisher. We may need you to trick someone into divulging a password. Boris, you support Alice. Johnny and Blair, you cover Scott. Come on, people, let's find a way in!”
***
A week later, a tired team gathered in the Hall. Mariana stood in front of a UK map projected on the wall screen behind her. In bright red, it showed an overlay of five regional data centers linked to one near London.
“OK, what have we got?” she said.
Alice stood and summarized, “Here is the problem, before the UK went 'all in' on electronic voting, they assembled a data security panel to make recommendations for creating the world's most secure system, basically to keep out people like us. Unfortunately, this group knew exactly what it was doing.”
“They decided the best security was not to connect to the net. Instead, they have these digital voting machines deployed around the country. They pick them up and drop them off using armored cars, and there’s a rigorous check in and out process. While at the voting place, there are at least two people present at all times monitoring their use. And did we mention there is no easily accessible data port even if a poll worker wanted to try and subvert the unit? Each voting machine connects only to a specially designed data cable; plugging it in requires multi-factor identification.”
“You know all of this, how?”
Scott chimed in, “To get started we bought a couple of the voting machines. Their supplier has repurposed the same direct-recording system for secure election sales in other countries. We found one on eBay. When you are going to stuff the digital ballot box, we figured you best know how one works.”
“Makes sense. What else did you find?”
“These things are state-of-the-art; their internal hard drive is thoroughly encrypted, and their operating system for recording votes is secure. We did not waste our time on vulnerability assessment; we were not going to be able to corrupt enough of these at the local level to affect results.”
Mariana summarized, “No remote or field access to the ballot boxes. Nothing you could do on a mass scale to affect voting. It’s got to be at the vote counting level. We'll need access to the master voting results database so we can sync with our targeted close races.”
Johnny contributed, “For security, their regional centers only link to the Electoral Commission’s Headquarters and the whole system is air-gapped. No external connections allowed, no Internet of any kind. Their connectivity to HQ is via direct optical fiber, and it is in hardened concrete conduits. Oh yeah, did I mention the military guards each regional center? Guess they don't have enough to do.”
“Sounds like once we’re past the air-gap, we can have access to their entire system,” Blair said.
“That’s optimistic,” said Alice. “We need a person in place behind the wire, maybe a team, because we can be sure they have diamond-hard computer security. It's going to be damn complex to crack.”
“What about the old-fashioned way?” asked Blair. “We infiltrate someone, a cleaner for instance, and they swipe the master credential list, once we've got the usernames and passwords we can see if one is for a sysop and take control.”
“Nope, no good,” replied Scott. “I read that every system user has to have a physically chipped ID card tying to their username-password combination. We’d also have to get hired, and that brings background checks.”
“So, we can’t infiltrate inside or penetrate from the outside,” said Alice. “Hard to route around things like that.” She continued, “To add further complications, we don't have any real data about their facility’s computing environment. However, if we can connect to their system, what about using SPINALTAP to drill our way in?”
“What's that?” Boris asked.
Mariana replied, “It’s part of why you are here, to learn about what we’ve got available. This little gem is a smart USB data fob; it's a terabyte of storage coupled with a microprocessor. Its beauty reveals when you plug it in.”
“Intriguing, I understand USB as the inception point,” said Boris, “but how does it exploit security flaws in an unknown system? You have to know what safe you are trying to open before you try and break in.”
“That’s the beauty; it does not require any of the usual bag of exploit tricks. Instead, it starts to impersonate an Ethernet connection, then takes over network traffic and plants a backdoor. It does not rely on any particular security flaws, which makes it perfect for this unknown terrain.”
“What is the secret ingredient?”
Scott butted in, “This is such a strong hack because it exploits some subtle design approaches cutting across every operating system. It’s a great little lock picker when you are up against something new.”
Boris sounded impressed, “I can see where that could be very useful in a lot of situations, especially when it's a hardened target and you are the blind men groping an elephant.”
“I'm not sure about the groping part,” said Mariana, “but it’s true we’re blind about what network flavor they’re running. SPINALTAP may serve us well as a way in, but we’re still screwed without a team on site to manage the work once we’ve penetrated.”
“Which we won’t have,” echoed Alice.
“I may have a contribution,” said Boris. “What do you know about artificial intelligence?”
Mariana asked, “Boris, our newest friend, what have you got?”
“We've been working on a limited AI system, it's semi-autonomous, self-propagating code. It's fire and forget. Once launched, it can hide behind a firewall, identify appropriate networks, and insert and manage code on the opposing computers.”
“No need to have someone on site? Could it handle its work behind the gap without our hand on the stick?”
“Yes, this would address the no physical presence problem. It understands its purpose and applies machine-based creativity to the problems it encounters. But we need an initial install. It’s an extensive chunk of code, but it can be very stealthy.”
Alice remarked, “We can use SPINALTAP to provide system access, ferrying your code in. This sounds like the answer to our problem. But how do we get it across the air-gap?”
Blair asked, “What about salting the base with preloaded thumb drives? You know, dropping them in the parking lot. Some staffer is sure to innocently put it in a drive to see what's on it. Once they do, it's go time.”
“Just one problem,” said Johnny, “we need continued access to their system, and additional instructions will need to be given right up until the election. We can't litter thumb drives every time we want to upload new programming.”
Mariana said, “I’ve got a thought. I want to think this through a bit more, but I may have a way inside.” She looked at her watch. “Hope everyone is hungry, as a reward for this quality work the company is buying dinner.”
That got scattered applause from her five, and they began to stand and gather their things. She linked arms with Boris and steered him to the doorway. “Now, Boris, let's talk about this AI. I bet it's a story best told over wine and tasty pasta. We are all ears.”
#
Chapter 7
Regime Change
October 2006
The white Siemens van was the real thing, as was the corporate ID. These had been easy to arrange through stealthily hacking Siemens’ systems. Both were delivered to a hotel regularly used by the company’s staff when visiting London. Neither request, ostensibly to help a stranded employee and sent from a Senior VP's email account, was remarkable. No one at the hotel recalled anything about the dark-haired woman who picked up the envelope containing the ID and keys. No one at the Siemens motor pool had questioned her after she provided the valid authorizations to check out a service van.
With the windshield wipers beating the wrong rhythm for any of the radio's pop tunes, Mariana had made quick time heading up the A12, closing on Kelvedon Hatch, a small Essex village just over an hour north of London. It had the dubious distinction of being the former nuclear war bastion for the British government, with a vast underground bunker complex. When decommissioned in 1992, the bunker became the village's preeminent tourist attraction, where every day, people paid £7.50 each to be entertained by the joys of a nuclear battlefield and the horrors post-Armageddon living would have entailed.
Just outside the village, this claim to fame was marked by a prominent sign reading, “Secret Nuclear Bunker,” and a helpful directional arrow. Under that was a smaller addition, “Electoral Commission HQ.” This absurdity made her smile as she turned off of Ongar Road and onto the access lane, snaking through fields to the main gate. The not-so-secret site contained over twenty acres of tunnels set deep underground. Ever the thrifty agency, the Commission had commandeered the entire facility after coveting its ample electrical supply and naturally cool temperatures. It made for an excellent secure data center and national voting tabulation headquarters.
From here all of the regional voting centers were controlled. Commission officials in villages, towns, and cities received the ballot machines, secured them in their local polling stations and oversaw their return to the regional center for secure uplink to the national command. All of the election's data flowed to Commission Headquarters.
Mariana’s nervous feeling grew as she saw the gatehouse appear ahead. Even with her training, fieldwork was always dangerous. She’d been up late learning her character and crafting responses to likely questions. No matter how much practice, there are always butterflies when the curtain goes up, she thought, and it’s opening night.
She pulled up to the gatehouse and rolled down her window. A guard stepped out into the rain to check on the visitor.
“Good morning to you,” she said as she gave him a warm smile. “I'm here for the monthly generator maintenance.”
“To you too, miss. May I see your driver’s license and company ID?” As he said this, another guard had appeared to check under the van with a mirror on a long pole. Security at this facility was tight.
She reached into her Siemens-logoed jacket and pulled out the requested documents. She knew the questions would be next.
“First time here?” he asked as he checked against his clipboard's list of authorized visitors. “I mean, we usually have Roger on this detail. I don't recall meeting before.”
Every month, Siemens provided preventative maintenance on the complex's emergency generators. Each generator could provide the current needed to keep the data center alive for several days. They were powered up, and a complete set of diagnostics run through their control sub-systems, including a cut-over exercise to ensure communications with the site's systems and uninterrupted power.
“No, I'm his replacement for the next several months. Lucky bugger, he caught a rotation assignment in Spain. I bet he's not going to miss this rain.” She had a practiced reply.
Her ID had been digitally provided to Commission Headquarters security twenty-four hours previously, along with an email notifying them about the change in technicians. The guard found her on the list, along with a note about the assignment change.
Handing her back the cards, he got an “all secure” nod from the other guard. “Thank you then, welcome to Commission HQ. Please remember to stay only in your van, the generator enclosure, or the control building. You can turn right and proceed to the first parking lot; your generators are there.”
Mariana rolled up the window and started the van. She thought the first step had gone well.
The controls were in a small building near the generators. There was no way outsider technicians were ever allowed onto the data center floor eighty feet below. But up top, there were no escorts. No problem, she thought, just pervasive video surveillance and random roving patrols. Plus, anyone on site was subject to search at any time. What could go wrong? Her nervous feeling was not going away anytime soon.
Her tension level continued to climb as she parked in the nearly full lot. Gathering her things and glancing in the rearview mirror, she noticed her small boxy gold cross on a chain around her neck. It concealed her USB fob containing SPINALTAP.
Any external computer or storage device had to be declared upon site entry and approved by security, which she clearly did not do. If the fob was ever discovered and booted up, it had protective camouflage as a set of generator test scripts, but she knew that cover would not stand any deep scrutiny. She idly touched the cross and thought, Having this found would ruin my day and lead to a lot of unpleasant questions, with long-term incarceration on the probable nasty results list.
Mariana entered the single room generator control structure and saw it contained a desk under a window looking out over the parking lot, two chairs, a few wall hooks for coats, and an aging Hewlett-Packard desktop computer, which ran the testing system. She was conscious of the room's internal security camera and calculated how to shield things from its gaze. She bent over the system to turn it on, and with a deft move, slid the fob out of the necklace and covered its insertion into the keyboard's USB port. It was visible to someone coming in the door, but not from the camera’s vantage.