Secretaries of State Blast Election Hacking Exercise

DEFCON in 2011.

DEFCON in 2011. Isaac Brekken / AP Photo


Connecting state and local government leaders

The election officials said replicating their systems is “extremely difficult,” but others say they’re reluctant to let cybersecurity experts access them to test for vulnerabilities.

The National Association of Secretaries of State criticized a series of voting machine hacking events Thursday at DEFCON 26 in Las Vegas for being “unrealistic.”

DEFCON’s Voting Machine Hacking Village invited participants to test more than 30 such electronic devices—most of which organizers said remain in use in some U.S. states—and defend or hack a mock board of elections office and its voter registration databases during an interactive training.

Cybersecurity experts, state and local election administrators including California Secretary of State Alex Padilla, and even a Department of Homeland Security official, will take part in panel discussions at the hacking conference all day Friday.

“Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security,” NASS said in a statement. “Providing con­ference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day.”

Replicating election systems is “extremely difficult” because many states use unique networks and custom-built databases, the statement continued.

Matt Bernhard, data science consultant with election transparency nonprofit Verified Voting, told Route Fifty that NASS’s talking points are typical of election officials defending broken technology. He acknowledged that there’s some merit to the argument cybersecurity experts can’t recreate the exact conditions of states’ systems.

“But they are totally unwilling to give us access,” said Bernhard, who is presenting at DEFCON. “They are trying to have it both ways.”

Critics say some secretaries of state have further discouraged and dismissed election system vulnerabilities when they are found, like Georgia’s Brian Kemp, the GOP gubernatorial candidate, after a known vulnerability was exploited by a “white hat,” or ethical, hacker. Kemp denies the system was ever compromised.

Bernhard knows the Voting Village organizers and said they went to “great lengths” this year to find machines still in use in states. While he understands secretaries of state might worry the press will misreport their voting machines are vulnerable, when they may have been recently upgraded, Bernhard said “in actuality, deployment of the technology is very patchwork.”

Nonprofit group røøtz Asylum teaches kids to be white hat hackers and partnered with the Voting Village to let children ages 8 to 16 hack replica secretary of state websites for several battleground states.

Election night reporting websites are not connected to vote counting equipment, so they can’t be used to change official election results, NASS’s statement read.

But malicious actors often use information gathered off of public-facing websites to gather intelligence for their phishing attacks, Bernhard said.

“You can kind of think of it like the human body,” he said. “Yes, the sinuses are not connected to the heart. But any intrusion into the system creates a greater opportunity for failure.”

NASS touted its work with state information technology teams, DHS, the Elections Infrastructure Information Sharing and Analysis Center, the National Guard, and private sector and university partners performing penetration testing and risk and vulnerability assessments on election systems.

In its statement, NASS applauded efforts to find and report vulnerabilities in election systems and encouraged “civic-minded members of the DEFCON community” to partner with NASS to secure elections and increase voter confidence.

Knowledge transfer between the cybersecurity and election administration communities is both improving and an equal burden, Bernhard said.

“I welcome change,” he said. “Invite us to go work on voting technology in an environment that makes them feel comfortable the results matter.”

Dave Nyczepir is a News Editor at Government Executive’s Route Fifty and is based in Washington, D.C.

NEXT STORY: Blockchain for Government Has Already Arrived