The national conversation on election security came into sharp focus Friday at a renowned hacker conference as U.S. officials and security researchers sought common ground in raising awareness of potential vulnerabilities in election equipment.
The goal was to have a more transparent conversation about those vulnerabilities without spreading undue public fear about them.
The Voting Village at DEF CON in Las Vegas, a room where white-hat hackers could tinker with voting machines and mock voter registration databases, was a high-profile test of that collaboration.
“I’m here to learn,” Alex Padilla, California’s secretary of state, said before touring the village in the bowels of Caesars Palace hotel and casino.
That mindset is important as state and local officials ramp up resources toward securing election infrastructure three months before the midterm elections. In advance of the 2016 presidential election, Russian hackers probed the IT systems of 21 states, and U.S. officials have warned of the threat of renewed Russian interference in the midterms.
At the village, Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, stood next to a large ballot-scanner made by Election Systems & Software, one of the country’s biggest voting-equipment vendors. A couple of young researchers were picking the machine apart looking for vulnerabilities and what voting data the old machine might reveal.
“There’s a balance we have to really walk,” Hall said, between proactively looking for vulnerabilities and giving owners of voting equipment time to address them.
“We want to find flaws in these machines; we’d like to get them fixed,” Hall added. “But it’s not like general purpose computing where you can get them fixed immediately. It’s not like an election official can go get a patch for one of these machines and just change it on their own.”
Padilla came by to chat with Hall before making his way to other equipment stations across the room.
Other state officials were less indulgent of the village. The National Association of Secretaries of State (NASS) released a statement criticizing the village as “a pseudo environment which in no way replicates state election systems, networks or physical security.” (Village organizers counter that the machines on display are in use today).
The NASS statement did not sit well with Jake Braun, a technology investment consultant who helped organize the village. Braun kicked off a discussion on election security at DEF CON by snarling into a microphone: “F–k you, you f—ing luddites,” in response to NASS.
“Nothing that we say is going to make the public have more faith in our elections,” Braun said, making the case for the voting village. “Only something we do is going to make the public have faith in our elections.”
Though less animated than Braun, other village organizers said that security researchers’ years-long efforts to test election equipment have been hindered by a lack of transparency from vendors.
Matt Blaze, a cryptologist and election-technology expert, said the voting village is an opportunity to “broaden the community of experts from the privileged few…who have been allowed to look at these machines to the broader community of hackers and technology experts who can understand exactly how vulnerable these kinds of software-dependent systems are.”
For its part, the Department of Homeland Security was trying to use DEF CON to bring the security community and election officials closer together.
“Both sides have a very valid point,” Jeanette Manfra, a top DHS official, said of NASS and the voting-village organizers. Election officials had made the effort to come to Las Vegas to learn, Manfra told reporters. “I think the flip side is it’s on the folks here to learn about how elections work.”
In March, Congress allotted states $380 to better securing their election infrastructure, money that is widely recognized as necessary but insufficient toward that end. The funding isn’t enough, for example, to replace all of the less-secure paperless voting machines used in more than a dozen states.
California received about $35 million of the $380 million allotment, but Padilla said his state needs more money to bolster election security. He told CyberScoop that his state could use additional funding for hardware and software upgrades, training staff, and countering disinformation campaigns.
“Let me be abundantly clear: We need more resources,” Padilla told DEF CON attendees.
Blaze echoed that point.
“We really need to think as a society about giving election officials significantly more resources as technical threats have become more and more prominent,” he said. “2016 is not going to be the last time that we see state actors attacking election systems.”