There is a “civil war’ going on at big U.S. voting-equipment vendors between employees who want to proactively address security vulnerabilities and those who stubbornly oppose doing that, according to DEF CON founder Jeff Moss.
“Half the company wants to deny that there’s any problem and to do things on their own timescale and basically soldier on,” Moss said Thursday, while the other half typically includes “younger engineers who think this is a great opportunity to make a change” in how the company approaches cybersecurity. He spoke on Capitol Hill at the rollout of the DEF CON Voting Village report, which highlighted a decade-old vulnerability in a ballot-counting machine used in more than half the states.
Moss, a cybersecurity expert and outside adviser to the Department of Homeland Security, told CyberScoop that the opposing impulses at voting-equipment vendors could force some engineers to leave the companies.
Engineers who have reached out to him privately “are excited that we’re doing this,” Moss said, referring to the testing of equipment at this year’s DEF CON in Las Vegas in August. The engineers “want to show off all of the stuff that they thought about and worked on, pass on the knowledge, and use that to make change inside the organization,” he added. “I think if change doesn’t happen, they’re just going to be frustrated and potentially move on.”
Moss’ comments come amid a confrontation between researchers and manufacturers over security testing of election equipment just weeks before the midterm vote. Top vendor Election Systems and Software has repeatedly raised concerns about “unvetted” and “anonymous” security researchers examining its machines at DEF CON. While ES&S says it supports rigorous third-party testing of its products, DEF CON’s backers say the vendor’s opposition to the Voting Village flies in the face of the conference’s ethos of improving security through collaboration.
In a recent statement, ES&S said it works “closely and transparently with federal officials on a daily basis and voluntarily takes every machine it offers to customers through federal certification, which includes robust cybersecurity testing to supplement its own security testing and other third-party security testing.”
Moss predicted that the voting infrastructure sector would eventually get more proactive in working with outside security researchers.
“From our perspective, from the hacking perspective, we’ve seen this movie before with other manufacturing verticals,” Moss told CyberScoop. “I have no doubt the same trajectory that’s happened on everybody else will happen with the voting [sector]. It’s just: is it going to be easy or is it going to be hard?”
The medical device and automotive sectors, for example, have gradually embraced vulnerability disclosure programs after initial intransigence from vendors. Thanks to an exemption the Digital Millennium Copyright Act, the threat of manufacturers suing researchers for their work has waned.
“If this is the new normal,” Moss said of the support for security research provided by the DMCA exemption, “then [voting-equipment vendors will] just have to adapt to the new normal. You can’t wait this out.”