Tensions Flare as Hackers Root Out Flaws in Voting Machines
Tensions Flare as Hackers Root Out Flaws in Voting
Machines
Defcon hack-a-thon conference aims to help test election
security, but makers of voting equipment raise doubts
By Robert McMillan and Dustin Volz Aug. 12, 2018 9:00
a.m. ET
LAS VEGAS—Hackers at the Defcon computer security
conference believe they can help prevent manipulation of U.S. elections. Some
election officials and makers of voting machines aren’t so sure.
That tension was front and center at Defcon’s
second-annual Voting Village, where computer hackers are invited to test the
security of commonly used election machines. Organizers see the event as an
early test of U.S. election security and a counterpunch to potential outside
interference. On the first day of the event, which runs through Sunday, hackers
were able to swap out software, uncover network plug-ins that shouldn’t have
been left working, and uncover other ways for unauthorized actors to manipulate
the vote.
These hacks can root out weaknesses in voting machines so
that vendors will be pressured to patch flaws and states will upgrade to more
secure systems, organizers say.
Yet some manufacturers and security experts believe the
hack-a-thon is unlikely to uncover the type of real-world issues that would
come up in an election.
“Anybody could break into anything if you put it in the
middle of a floor and gave them unlimited access and unlimited time,” said
Leslie Reynolds, executive director of the National Association of Secretaries
of State.
Election Systems & Software LLC, a leading
manufacturer of voting equipment, was reluctant to have its systems tested at
the conference. The company played down the expected findings from the event in
a letter to customers. Hackers “will absolutely access some voting systems
internal components because they will have full and unfettered access to a unit
without the advantage of trained poll workers, locks, tamper-evident seals,
passwords, and other security measures that are in place in an actual voting
situation.”
Kathy Rogers, senior vice president of government
relations for ES&S, said the letter was sent “in response to numerous
inquiries by our customers as to what equipment might be at Defcon and what
they might expect.”
In the letter, ES&S also warned election officials
ahead of the conference that unauthorized use of its software violated the
company’s licensing agreements, according to a copy of the letter viewed by The
Wall Street Journal. Voting Village organizer Jake Braun disagreed with this
interpretation of the agreements.
The states and vendors are making a mistake by not
participating in the voting village, which amounts to a thorough security test
for any machine involved, Mr. Braun said. “This is not a cyber-mature
industry,” he said.
Some state and local election officials at the conference
said the companies that sell voting equipment are more interested in
maintaining their profit margins than improving the security of their machines.
Representatives from voting machine makers ES&S and
Dominion Voting Systems Corp. declined to comment on criticisms raised by the
organizers and wouldn’t say whether they had employees present at the hacking
conference.
Election cybersecurity has been a national concern since
2016, when Russian-government hackers allegedly broke into systems at the
Democratic National Committee, launched an influence campaign on Facebook
Inc.’s social network, and targeted more than 20 voter registration systems,
government officials say.
Russia has repeatedly denied interfering in the election.
Earlier this month, senior intelligence officials in the
Trump administration warned that Russia was again engaging in “pervasive”
efforts to interfere in the November elections.
In March, Congress appropriated $380 million to shore up
the nation’s election systems—money that has now been allocated to 50 states
and five territories to pay for improved election equipment, and security
training and testing, according to the Election Assistance Commission, the
agency responsible for disbursing the funds.
Jeanette Manfra, a senior cybersecurity official at the
Department of Homeland Security, said that security researchers at Defcon were
doing important work by finding vulnerabilities in voting systems that could be
used by bad actors. But she said she sympathized with concerns from election
officials that the vote-hacking village could unintentionally lower public
confidence in American elections—considered a chief goal of Russian
interference.
“You want companies to be building more secure products,
but at the same time the public doesn’t necessarily know the full picture,” Ms.
Manfra said. “If all you are saying is, ‘Look, even a kid can hack into this’,
you’re not getting the full story, which can have the impact of having the
average voter not understanding what is going on.”
“It’s really, really difficult to actually manipulate the
vote count itself,” she said.
But it’s still worth uncovering any potential security
flaws in these machines, because there are plenty of others—organized criminals
for example —who might want to throw an election, said Joseph Lorenzo Hall,
chief technologist with the nonprofit Center for Democracy & Technology.
“Everybody’s talking about Russians, but we have to be
clear that there are other threats here,” said Mr. Hall on Friday while
mingling with hackers at the Defcon Voting Village. It’s a conference room deep
in the bowels of Caesars Palace—littered with voting machines, memory cards and
scanners.
A few minutes later, Mr. Hall stopped talking and cast a
wary eye over at two attendees who were examining a big grey vote scanning
machine in the corner of the room. He was worried they might plug it in and
fire up its powerful engine without supervision. “We’re OK with destructive
testing of these things. I just don’t want you to hurt yourself,” he said.
“There are things that will take your fingers off in there.”
Comments
Post a Comment