I. In Focus This Week
DEFCON26 shows partnerships will win the war
Voting Village looks at vulnerabilities, threats to system
By Jennifer Morrell
As a former election official in Colorado, the summer of 2017 was focused on the successful implementation of our first statewide risk-limiting audit. It was exciting because we anticipated it would be an important component in further validating the outcome of elections.
So you can imagine the frustration we felt with the headlines coming from last summer’s DEFCON25 stating that voting equipment could easily be hacked. My perspective was that it was just a publicity stunt to get attention. Fortunately, it did get quite a bit of attention, helping to pave the way for federal funding to states for new voting equipment.
Now a year later I found myself accepting an invitation to attend DEFCON26 and observe the Vote Hacking Village. I’ve attended many different conferences, but nothing prepared me for the semi-controlled chaos of DEFCON.
The neon, flashing conference badge, the chill-out rooms, the Goons (part security, part information providers), 20,000-ish tech geeks, Caesar’s Palace. The whole thing was a trip!
To say I felt out of my comfort zone was an understatement. Besides realizing I was navigationally challenged, I found myself in a sea of people who all seemed to speak another language.
Election administrators certainly have their own lexicon, so it shouldn’t have been a surprise that hackers and technology experts have a language of their own as well. It was as much about the experience as a realization there is a whole world of terms and expertise I knew nothing about. But, here is what I did learn…
Vulnerabilities and threats to the election system
The keynote speaker, David Sanger, noted that in 2007 “cyberthreat” was not even a word in our national threat assessment, so there is a very good reason why the recent threats to our elections have left the election community scrambling to catch up. This is all very new and has the potential to completely change how we conduct elections.
It seemed evident this year that the Voting Village organizers recognized the election system was more than just voting equipment. The Village was organized to illustrate the vulnerabilities and threats to voter databases, election night reporting websites, e-pollbooks, and of course voting equipment, specifically DREs and optical scanners.
Some criticisms have been levied against the usefulness of this whole production since it takes place in a pseudo environment where hackers have unfettered access to the voting equipment and systems. While this was true there were also some eye-opening things that took place.
I watched hackers pick locks and security seals in just a few seconds with what seemed like nothing more than the flick of their wrists. These were the same locks and numbered seals we use to secure memory card doors on DREs and seal ballot boxes/bags used for storing paper ballots, memory cards, etc. They could pull the locks and seals apart and put them back on again with no damage and no evidence of tampering. In some demonstrations they were able to pick the lock, remove the seal, and tamper with the card reader and memory card slot in just a few seconds giving them full administrative access to the machine.
They tried to demonstrate the point that being disconnected from the internet doesn’t mean your system is safe if there are flaws in the machine. They shared real world examples of situations where hackers were able to inject a virus into other critical systems with high levels of physical security and no internet connections – which was chilling.
My favorite demonstration was a large-screen projection with graphics representing a state voter registration database and the sophisticated layers of security between a hacker and the database. The challenge was to breach the security and tamper with the database. Conference goers could watch and see how far a hacker had been able to penetrate through the layers of security, which seemed to be a real challenge.
There was conversation about how far in some of the hackers had got and what they had learned but ultimately none were able to penetrate the database. One of the many reasons I was able to confidently answer the question, “do you think elections are more secure now than they were in 2016” with a resounding “yes! – they are absolutely more secure then they have every been”. (I got asked that a lot!)
The organizers were passionate about the need for paper ballots, risk-limiting audits, and better resources to protect the back-end systems and hopeful that the Voting Village demonstration would accelerate the implementation of those practices. (They were also optimistic that paper ballots were only the answer until they can help us come up with something better.)
Strong desire to understand elections and collaborate
I went to DEFCON with the idea that I would just observe and learn. It was pointed out on the first day that I was in the audience and was an ex-election official now focusing on risk-limiting audits. This made observing all the activity in the Voting Village a challenge. I was constantly approached by hackers and tech experts all wanting to ask questions about how elections were conducted, how voting equipment was tested, and especially how risk-limiting audits worked and the process for conducting them.
I noticed that other election officials in attendance, who were brave enough to identify themselves as such, were getting the same questions. Some participants came to the discussion with skepticism, but all seemed to leave impressed with the steps that are being undertaken by the election community to secure elections as well as a better understanding of what actually takes place when planning and conducting an election.
I heard repeated references to the ‘election system’ separate from discussions about voting equipment so I think they are listening to us. Clearly the focus this year was not just on voting equipment.
Though it has been a controversial news story this week, the fact that an 11-year-old girl could breach a replicated state election website in under 10 minutes, with little help or input, should be a wakeup call to all of us that if you haven’t had an expert review and test your website for vulnerabilities you need to find an individual or organization who will do that for you. [Ed. Note: The Voting Village issued a correction that it was actually an 11-year-old boy who hacked the site in 10 minutes. The 11-year-old girl did it in 15 minutes.]
Most of the hackers I talked to felt that it was important to pick apart the equipment, websites, and registration databases to understand what flaws and vulnerabilities might be present. This was not just so they could show off their skills. There was a genuine desire to help election officials improve their security protocol and encourage voting system vendors to fix the vulnerabilities.
Partnerships will win the war
It is clear that election hacking, and conversely election security, is complex. Conference organizers and participants repeated over and over again that state and local election officials need more resources. On more than one occasion presenters from the tech side admonished the hackers participating to become poll workers. The audience erupted in applause when one speaker suggested that the best way to learn how elections work and make them more secure is to volunteer as a poll worker.
While the focus of the conference was on increasing security for the technological components – hardware, software, firmware, security settings, etc. it struck me that all of these recommendations have a human component. They need people with a specific set of skills and education to implement them.
State and local election offices need funding not just for new voting equipment but to recruit and retain staff with the technical skills to test, monitor, maintain, and audit that equipment. Until they receive adequate funding and the FTEs to do that, some type of public/private partnership may be the best answer.
I saw another side to this community than what I was expecting, and I think it is in our best interest to stop thinking of them as adversaries and start thinking about ways we can collaborate and utilize their expertise. In fact, we should probably rely on this same cadre of tech experts to help us write new job descriptions and org charts, so we can start hiring security and auditing experts of our own when and if the funding is put in place.
Until then, maybe we should look to DEFCON and other similar gatherings as free consulting. We may not agree with all of the recommendations that are made but we can at least use the information to better inform the questions we ask when looking for new voting equipment as well as use it to enhance our cybersecurity and physical security practices. Likewise, if there is a recommendation made by the hacker community that would be detrimental to the election process we know that’s an area where we can collectively stand firm and find ways to better communicate and inform. I hope to see more election officials in the Voting Village next year!
(Jennifer Morrell previously served as the deputy of elections & recording in Arapahoe County, Colorado. She is currently a consultant for the Democracy Fund and leads the Election Validation Project aimed at increasing trust in elections through audits, standards, and testing. She was invited to the Voting Village at DefCon by Jake Braun, University of Chicago & Cambridge Global Advisors.)
- Next >>