Voting machine companies balk at taking part in hacking event

Voting machine companies balk at taking part in hacking event
Copyright 2019 CNN
The vulnerabilities in America's voting systems are "staggering," a group representing hackers warned lawmakers on Capitol Hill on Thursday -- just over a month before the midterm elections.

At the country’s biggest election security bonanza, the US government is happy to let hackers try to break into its equipment. The private companies that make the machines America votes on, not so much.

The Def Con Voting Village, a now-annual event at the US’s largest hacking conference, gives hackers free rein to try to break into a wide variety of decommissioned election equipment, some of which is still in use today. As in the previous two years, they found a host of new flaws.

The hunt for vulnerabilities in US election systems has underscored tensions between the Voting Village organizers, who argue that it’s a valuable exercise, and the manufacturers of voting equipment, who didn’t have a formal presence at the convention.

Supporters of the Voting Village say it’s the best way draw attention to problems with an industry that otherwise doesn’t face much public accountability, even in the wake of Russia’s foreign interference in the 2016 election. Their work has attracted the notice of several lawmakers, who are calling for new legislation to strengthen the integrity of US elections.

Detractors, often tied to the election industry, say that most of these hacks are impractical in a real-life voting scenario and worry that the event leaves the false impression that US elections are easily exploited at scale.

DARPA’s challenge

The biggest newcomer this year was the Defense Advanced Research Projects Agency, the Pentagon agency devoted to emerging technologies, which chose the Voting Village to publicly debut a microprocessor, still a work in progress. DARPA and its partner on the project, a company called Galois, invited hackers to try to exploit the experimental microprocessor, an essential component for computerized systems that is rarely made in the US.

The project is open source, meaning its designs are made public. The idea is that it’s ultimately safer for anybody to spot potential flaws.

“If people find stuff, that’s OK. I’d rather find out now,” said the program’s manager, DARPA’s Linton Salmon. “If they don’t find anything, that’s OK too. There’s no bad result here except not doing it.”

DARPA’s decision to introduce itself into the elections space has rankled some in voting machine business, who fear it represents the start of the government running a process that has historically been the purview of a free market.

“If that is (DARPA’s) plan, they’re going about it very badly,” said Matt Blaze, a Voting Village organizer and renowned voting security expert. “It’s so far away from being an actual voting system you could use in an election. If it ever did become that, it would almost certainly be a platform that vendors were adopting, rather than it coming from DARPA.”

Despite it being an agency of the Department of Defense and Def Con hackers having a traditional mistrust of the US federal government, DARPA did create the Tor browser, which is also an open source project and is by far the most highly recommended browser for circumventing government censorship and surveillance.

The agency’s project could eventually provide a road map for cheap, ultra-secure components that could be used in election equipment by anyone who wanted. But the processor isn’t just for experimental election tech: It’s also being developed for classified military purposes. The Pentagon has a vested interest in US-made microprocessors, as many are manufactured abroad, prompting fears that they could come designed with exploitable flaws.

By contrast, the companies behind the equipment that Americans register and vote on aren’t nearly as forthcoming about their cybersecurity — preferring the opposite of the open source philosophy, often referred to as “security through obscurity.” Though the major companies sent employees to the Voting Village, none of them had a formal presence.

Talks break down

Dominion, one of the country’s main suppliers of election equipment, was in talks in recent weeks to become a formal part of the Voting Village, with a setup that would more closely mimic the voting process, according to multiple sources familiar with the discussions. But talks between the two camps broke down over how much control the village would have over the hackers and researchers and how they would disclose their findings.

“There is still a great deal of untapped potential if the vendors can find a way to partner with the village organizers to mature the village experience,” said Maurice Turner, a technologist at the Center for Democracy and Technology.

In an interview with CNN earlier this year, Chris Wlaschin, the vice president of systems security at ES&S, the country’s largest election manufacturer, described his philosophy by saying, “I’m one of those old school cybersecurity practitioners who thinks less information about sharing vulnerabilities, sharing any perceived weakness — less information that’s circulated about that with security, the better.”

In a follow-up statement, spokeswoman Katina Granger said that “ES&S submits its equipment to testing by independent security researchers and proactively seeks to work with independent experts in election security.”