DEF CON Voting Village matures as industry keeps its distance

Written by

The third annual Voting Village at the DEF CON hacking conference was a little different than years past. There were more machines to play with and more election personnel wandering around. And nobody publicly cursed out state officials or vendors.

Attendees seemed buoyed by the fact that they were helping secure the 2020 election, which U.S. officials warn will again draw foreign interference attempts.

“We have more people who are comfortable, immediately wanting to rip things apart and see how they work,” cryptologist Matt Blaze said with satisfaction. He was taking a rest in the corner of the village — a room in Las Vegas’ Planet Hollywood hotel littered with voting equipment ­— from the exertions of helping organize the gathering.

“We don’t care if you break anything, as long as you’re doing it in an interesting way,” Blaze, a professor at Georgetown University, told CyberScoop.

Across the room was Stephen Crane, a young entrepreneur who came to the village to break things. He, too, looked tired. It was early evening on a Friday and Crane had been there all day trying to dissect a ballot scanner and voting tabulator. He hadn’t found any vulnerabilities yet; he was still trying to figure out how the machine worked.

Hovering behind the scanner and tabulator was the Coalition for Good Governance’s Marilyn Marks, her lawyer in tow. She was wondering if the machine was used in Georgia, where she has sued the secretary of state’s office to expedite the retirement of less-secure, paperless voting machines. The Voting Village was a reconnaissance opportunity to help strengthen her case, she said.

Notably absent from the village, at least in an official capacity, were the country’s three biggest voting gear vendors. Neither Election Systems & Software, nor Dominion Voting Systems, nor Hart InterCivic donated machines or had a booth in the Village. The organizers independently procured all of the equipment, including pollbooks and ballot scanners. Some of the gear was used as recently as the 2018 midterm elections.

Blaze and other observers say there has been progress in getting the vendors and the Voting Village on the same page. Last year, ES&S balked at turning over any of its gear to “unvetted, anonymous” people at the Voting Village.

This year, at least some vendors were close to agreeing to set up their equipment in the village, but didn’t hash out the parameters in time, according to Blaze. “The corporate culture isn’t quite there,” he added. “I’m optimistic that they will come around, but they haven’t done it yet.”

None of the three voting equipment vendors responded to requests for comment.

New frontiers

Studying a computer takes time, but opening it up always reveals something. Last year’s Voting Village report detailed a decade-old flaw in a voting tabulator used to count ballots in more than half of states. This year’s assessment, to be released in the coming weeks, is bound to bring more security recommendations to act on.

A new addition to the village this year was a prototype of a hardware voting platform designed by Galois, an Oregon-based firm, and funded by the Pentagon. Galois offered the prototype to the village so that hackers could take a crack at the machine and explore the differences between a secure and insecure voting system, Galois’s Joe Kiniry told CyberScoop. After enduring technical difficulties for two days, the Galois machine was ready for hacking on Sunday.

Maurice Turner, senior technologist at the nonprofit Center for Democracy & Technology, basked in the sense that the village would be crossing some new frontiers over the weekend.

“You have all these hackers who are interested in these voting machines that they’re just now getting access to,” Turner said, a gleaming medallion from a prior DEF CON dangling from his neck. “Hopefully we can connect some of those new, exciting security experts with the officials in their own communities.”

In the hallway outside the village stood Noah Praetz, a man trying to make those connections. He was an Illinois election official in 2016 when Russian hackers breached that state’s voter registration database.

He recalled visiting the Voting Village in 2017 as an Illinois official who didn’t announce himself. “We were all pretty guarded,” Praetz said of the handful of state officials who attend then.

At DEF CON this year, Praetz was one of the “sherpas” leading election officials through other villages, such as the Biohacking Village, that are more advanced because they have buy-in from equipment vendors.

“I think we’re getting really close to a really mature village with active participation,” Praetz told CyberScoop.

A more mature village can lead to a more mature election ecosystem. As officials prepare for 2020, they are getting more help on that front. Cybersecurity experts with no prior experience with voting infrastructure are trying to figure out how they can help defend U.S. democracy after Russia’s assault on it in 2016.

Matthew Olney, director of threat intelligence and interdiction at Cisco Talos, spends much of his time tracking advanced hacking groups. But since 2016, he and his colleagues have launched an in-depth study of the quirks and intricacies of the U.S. electoral system. They have polled secretaries of state to determine where the weaknesses might be and how, as security analysts steeped in the methods of malicious hackers, they can advise officials during the 2020 election.

“We continue to try to find partners in the election space that we can work with to learn more about it, so we can give better advice,” Olney said before visiting the Voting Village.

Shannon Vavra contributed reporting.