Election Infrastructure Access Authority Failure Through Remote Access Software Installed on Voting System Management Computers at ES&S

Election management systems occupy a uniquely sensitive position in democratic infrastructure. They are the computers on which election officials configure ballot definitions, program the voting machines used at polling places, and tabulate the results after polls close. The security model for these systems rests on the assumption of isolation — that election management systems are not connected to the internet, cannot be accessed remotely, and are physically secured. This air gap is the foundational security assurance that protects elections from remote interference. Election officials and the voting public are told that voting systems are isolated from external networks. The integrity of election results depends on this being true.

ES&S is the largest voting equipment vendor in the United States, with systems deployed in jurisdictions across the country. Between approximately 2000 and 2006, ES&S installed pcAnywhere — a commercial remote access tool made by Symantec — on election management systems delivered to customers. The software was installed to enable ES&S technicians to remotely access the systems for technical support and troubleshooting. The installation was a convenience measure: rather than dispatching technicians on-site, ES&S could connect to the election management system remotely, diagnose problems, and apply fixes. The software enabled exactly the capability the air gap was supposed to prevent — remote access to the computer that programs voting machines.

In 2019, Motherboard/Vice reported that ES&S had installed remote access software on election management systems. Under pressure from Senator Ron Wyden, ES&S acknowledged in a letter that it had installed pcAnywhere on election management systems between 2000 and 2006 and stated that it had subsequently discontinued the practice. ES&S asserted that the connections were made over phone lines rather than internet connections, though security researchers noted that pcAnywhere could operate over any network connection and that the distinction between modem and internet access was less meaningful than the fundamental issue: the systems were configured to accept remote connections.

The disclosure was compounded by the revelation that pcAnywhere itself had been compromised. In 2012, Symantec acknowledged that the source code for pcAnywhere had been stolen by hackers in 2006 — during the period the software was installed on election management systems. The source code theft meant that attackers had the ability to identify and exploit vulnerabilities in pcAnywhere during the years it was running on systems that managed elections. The remote access tool installed for vendor convenience was itself a compromised piece of software during the period of its deployment on election infrastructure.

The air gap did not exist as an enforced architectural property of the election management systems. It existed as a stated security assurance that was contradicted by the software installed on the systems. The security model said: these systems are isolated. The vendor installed software whose purpose was to enable remote access. The two conditions are mutually exclusive. A system with remote access software installed is not air-gapped. The air gap was a claim, not a constraint. No mechanism prevented the vendor from installing remote access tools on systems that the security model required to be isolated.

The absence was not of technology — the air gap is conceptually simple. The absence was of an architectural constraint that would have prevented remote access software from being installed on election management systems regardless of the vendor's convenience preferences. The security model depended on isolation. The vendor prioritized remote maintenance. No governance mechanism enforced the isolation requirement against the vendor's operational choice to install connectivity tools. The air gap existed in the security documentation. The remote access software existed on the same machine. The system was simultaneously described as isolated and configured for remote access. One of those descriptions was false.

ES&S stated it discontinued pcAnywhere installation after 2006. Senator Wyden and other legislators called for mandatory federal security standards for election equipment. The Election Assistance Commission's Voluntary Voting System Guidelines were updated to address remote access restrictions, though the guidelines remained voluntary. The case became a central reference in debates about election security, demonstrating that the air gap assurance given to the public was not an architectural property enforced by system design but a policy claim that the vendor had contradicted through its own installation practices. No comprehensive audit determined which jurisdictions had election management systems with pcAnywhere installed during the 2000-2006 period or whether the software had been fully removed from all affected systems.