LAS VEGAS — For the third year running, the Voting Village at DEF CON shined a light on election security and one thing was made clear: no one agrees on what to expect in 2020.
In opening remarks at DEF CON, founders Harri Hursti, Matt Blaze and Jake Braun laid out the long road the Voting Village has traveled to raise awareness of election security issues. Blaze, who serves as the McDevitt Chair of Computer Science and Law at Georgetown University, pointed out the troubles began with the Help America Vote Act (HAVA), which passed in 2002 as an effort to modernize and improve election administration.
“They didn’t understand as much at the time as we do now about building voting machines and almost everything produced to comply with the Help America Vote Act has terrible vulnerabilities associated with it,” Blaze said. “That’s partly because we’ve taken these systems that weren’t dependent on software before and made them dependent on software. And, as everybody here in Las Vegas can tell you, software is utterly terrible. So we essentially took a problem that was hard and we added software to it.”
A new initiative at this year’s Voting Village was to connect security researchers and hackers directly to election officials to provide pro bono work to help secure the 2020 election. Braun, an executive director for the University of Chicago Harris School of Public Policy’s Cyber Policy Initiative, noted the past work of the Voting Village had been corroborated.
“The Mueller report reinforced a lot of what we identified last year, like you can hack a website with a SQL injection and get into a voter registration database, which is exactly what Mueller said the Russians did in 2016,” Braun said. “And frankly, they didn’t even go as far as we said was possible [in last year’s election].”
Hursti, the co-founder of Nordic Innovation Labs known for exposing e-voting system security vulnerabilities, added that the attacks seen in recent elections around the world and in the U.S. were “very traditional,” using known vulnerabilities and common attack vectors, like phishing, to access backend systems.
“This is not an issue of partisanship and it’s not even an issue about the United States. We have a global community of democratic countries and all the countries are right now facing similar threats,” Hursti said. “Nation-states don’t necessarily care who wins. They might have a candidate they prefer, but they are not ever supporting something from the kindness of their hearts. For nation-state attackers who are not democratic countries themselves, this is an ideological war. The end game is to undermine the trust of the people.”
2020 election security in question
Blaze, Hursti and Braun noted that the known best practices for election security boiled down to two items — paper ballots and risk-limiting audits. However, only Braun openly expressed confidence that the 2020 election would be more secure than 2016.
The divide in election security confidence was starker during a roundtable discussion on the second day of election security talks. At that time, Alex Joves, regional director of the Cybersecurity and Infrastructure Security Agency (CISA), Wayne Thorley, deputy secretary for elections for the state of Nevada, and Rita Glass and Trevor Timmons, CIOs for the California and Colorado Secretary of State offices, respectively, agreed that the 2020 election will be more secure than 2016.
However, at that same roundtable, Josh Benaloh, senior cryptographer for Microsoft Research, Alissa Starzak, head of policy at Cloudflare, and Jay Kaplan, co-founder and CEO of Synack — all companies that have been working with local officials on election security — said the 2020 election will not be any more secure than 2016.
Thorley and Timmons expressed confidence based on seeing the work done by local officials around the country since 2016, but both made it clear that any improvements made to election security shouldn’t be credited to Congress.
“We at the state level don’t wait for Congress to pass legislation. If we did that, we’d be waiting 20 years,” Thorley said.
Timmons added he was “worried that a one-time infusion of money from the government will be seen as enough to address issues, because it will not. This is an ongoing fight.”
Others throughout various talks at the Voting Village echoed this sentiment and said the need for more resources is exacerbated by the realities of local budgets.
Microsoft’s Benaloh said local officials need “a reliable source of money” because “election infrastructure is competing with roads in local budgets.”
In an earlier panel, Barb Byrum, county clerk for Ingham County, Mich., said getting resources to states is only part of the solution.
“Resources need to get down to the local level. Even if states have funds, it doesn’t necessarily mean local counties, cities or towns have the staff or resources needed,” Byrum said. “We’re one cyberattack away from seeing significant investment in elections. We’re one major devastation away and I don’t want to go through that.”
Byrum’s comment was part of a larger debate that lasted throughout DEF CON about the role election technology vendors play in the process.
Noah Praetz, an election consultant and former director of elections for Cook County, Ill., was one of the few to defend election vendors.
“There are 8,800 local election officials, most with no staff, and they depend on vendors. Vendors are deeply embedded with local officials and may even be the de facto IT staff if there are problems,” Praetz said. “Vendors are trying to meet demands in a market with low profit margins.”
Alex Padilla, secretary of state for California, agreed in part, but took a different perspective, saying “vendors do the bare minimum because there’s no return on investment.”
In the panel with technologists, Kaplan suggested mandating certain support from election vendors.
“Election vendors should be responsible for patching vulnerabilities in perpetuity. There should never be a question of who is going to pay for a fix. You wrote the bug, you fix it,” Kaplan said. “We need responsible disclosure and policy that says researching is okay.”
Benaloh agreed there need to be better ways to disclose vulnerabilities to vendors and added that patching is a problem area as well.
“We need better ways to do patching so installing a patch doesn’t mean a certified system loses certification,” Benaloh said. “Uncovering vulnerabilities is great, but we need better ways for disclosing those flaws to vendors. There isn’t sufficient confidence in the DMCA exceptions. You don’t want to say, ‘If I do this, maybe I won’t go to jail.’ Even here in Vegas, gaming vendors know they need to be open to vulnerability testing, but election vendors haven’t learned that lesson yet.”
Election officials and technologists alike questioned why vendors don’t take a more active role in the Voting Village. Many there didn’t know that two of the biggest election vendors, ES&S and Dominion, were at DEF CON.
An ES&S spokesperson said the company was present because it draws security talent. “We are always on the lookout for people to help us make our products and election security better.”
Dominion representatives brought some equipment to demo and claimed they invited researchers to meet with them and discuss how to work together on the Voting Village, and on coordinated vulnerability disclosure (CVD) more broadly, moving forward. The spokesperson said no one attended the meeting, but they plan to continue to reach out via DEF CON and other avenues.
Dominion did not respond to questions about how researchers were notified of the meeting. Neither company responded to further questions about providing machines for testing, or about why organizers knew they were at the conference while attendees and local officials did not seem to be aware of their presence.
Election security comes down to politics
The panelists were clear on what’s necessary to improve election security (more resources, more staff, paper ballots and risk-limiting audits), but little can be done without action from Congress.
Both Joves and Christopher Krebs, director of CISA at the Department of Homeland Security (DHS), pointed out that DHS can only do so much without invitations from local officials.
“We’ve got to continue to be aggressive about what we do to push out support to the states. Some states have invested, but others haven’t,” Krebs said. “These policy questions aren’t really my job. Congress has a role here.”
Senator Ron Wyden (D-Ore.) pointed to Senate Majority Leader Mitch McConnell’s efforts to block votes on election security bills.
“It sure seems like Russia’s number one ally in compromising American election security is Mitch McConnell,” Wyden told the DEF CON crowd.
California Secretary of State Padilla noted that “there hasn’t been a significant investment in elections in 17 years,” since HAVA was passed.
“A lack of consistent or strong leadership going up the ladder from DHS makes things more difficult. Lies coming directly from the inhabitant of the Oval Office makes our job more difficult,” Padilla said. “Where there’s will, there’s a way, but there’s no will with the Senate Majority leader. There’s a way to make the investment and leave it to accountants to sort out the paperwork.”