The nation’s leading seller of voting machines has finally agreed to play nice with “red teams” — hacking pros who probe for security vulnerabilities.
The Plan:
At the Black Hat security conference on August 6, Election Systems & Software LLC (ES&S) announced that they would work with the security firm Synack to allow “penetration testing” on the latest models of their voting technology.
The two firms will work together to arrange professional hacking attempts on devices like ES&S’s electronic poll book, which officials use to manage voter registration data. Doing so could help ES&S learn about security risks and vulnerabilities, so they can be fixed before criminal hackers exploit them.
They also announced they will crowdsource penetration tests on new products and those still in development, as well as making it easier for hackers to report their findings without risking legal consequences.
“The word’s gonna get out that we are serious about this. Because hackers gonna hack, researchers gonna research.” ES&S’s Chris Wlaschin, vice president of systems security and chief information security officer at ES&S said, reports WIRED.
The Backstory:
Election equipment manufacturers, including ES&S, have been resistant to letting outside professional hackers test their systems.
In the past few years, the Defcon security conference hosted “Voting Village,” where hackers have found vulnerabilities plaguing voting machines in use for decades. But election equipment companies have argued that such scenarios are unrealistic and don’t represent real-world polling situations, where additional protections are in place to make it inconceivable to hack voting equipment. To provide unfettered access for hackers to “look under the hood” is a 180 shift in attitude.
“There’s been a lot of bad blood in the history of this, but I think this is a positive development,” Mark Kuhr, chief technology officer at Synack, told WIRED. “What we’re trying to do is move the ball forward here and get these election technology vendors to work with researchers in a more open fashion and recognize that security researchers at large can add a lot of value to the process of finding vulnerabilities that could be exploited by our adversaries.”
Why This Matters:
An intense election is just months away, and people want assurance that their vote will count. But concerns about election security abound, with some people saying that electronic voting machines are just waiting to be hacked. A Politico survey found that in 14 states, hundreds of counties used paperless voting machines during the last presidential election — most of them plan to do the same this year. So, who ensures that votes are secure?
Some would be surprised by the loosey-goosey regulations.
There are no federal regulations on voting technology vendors, only state regulations. When it comes to requiring vendors to show cybersecurity plans or adhere to security standards, the states hold all the power. The voluntary standards created by the National Institute of Standards and Technology and the Election Assistance Commission aren’t required unless states choose to adopt them.
The Center for American Progress published a report on election security in 2018, which concluded that all states “have taken at least some steps to provide security in their election administration.” However, CAP deemed 33 states to have unsatisfactory post-election audit procedures, while 10 states do not provide cybersecurity training to officials, and 32 states allow regular absentee voters to cast their ballots electronically — a practice considered insecure by security experts. In other words: vulnerabilities exist that leave some votes susceptible to hacking.
ES&S isn’t the only company taking steps toward adding third-party investigations. Dominion Voting Systems Corp., the second-largest vendor, is also writing a “vulnerability disclosure” policy, Kay Stimson, a spokeswoman for the company told the Wall Street Journal. And Hart InterCivic Inc. also said they are expanding vulnerability testing and working with DHS.
This year over half of the voters in the U.S. will cast their ballot on one of ES&S’s voting machines. Because they are the top U.S. manufacturer of voting equipment, they also influence industry standards — which has traditionally been resistant to providing open access to hackers who fish around for bugs. This collaboration could mark a significant shift in the industry toward adopting more security research.
“It is quite a change,” Wlaschin told WIRED. “Given the times that we’re in and the focus on election security, ES&S has for some time been trying to work with security researchers to, number one, improve the security of our equipment and software and, number two, to improve the perception of election security.”