The midterms are just a month away. No matter your political leanings, there is one topic that should be on the minds of not only every American citizen, but everyone around the world: election hacking. Where we stand right now, it’s far too late to do anything before November 6. It’s at same time unsettling that, given the potential impact hacking had on the last major election, more has not been done to ensure we make it through election day without interference.
Let’s assume that these machines and systems are vulnerable – because everything is. The essence of good security relies on establishing a continuous feedback loop: push code, check code, fix code, write new code. While these machines sit in a warehouse new vulnerabilities are discovered and new techniques are created, so when the machines make it back out into daylight the bad guys are ready and waiting.
The proof of this was evident the last two years in Vegas, with hackers in the Voting Village reliably breaching voting machines in minutes. By lunchtime on the first day of DEFCON this summer, one of the machines had already been reprogrammed to project an image of the Illuminati. Within the confines of the Voting Village it’s all fun and games, but these proofs of concept prove something much more nefarious.
Despite our ability to identify these issues, these machines are still incredibly vulnerable. Matt Blaze, a computer science professor at the University of Pennsylvania and one of the organizers of the Voting Village said:
“We didn’t discover a lot of new vulnerabilities. What we discovered was vulnerabilities that we know about are easy to find, easy to reengineer, and have not been fixed over the course of more than a decade of knowing about them. And to me that is both the unsurprising and terribly disturbing lesson that came out of the Voting Village.”
DEFCON’s second annual report on voting machines confirms just how vulnerable they are: the voting machines that we use today are still vulnerable to an 11 year old flaw. Half of the country use these machines. These things are vulnerable and the hackers can, will and have found out how. The Crowd plays an important role in finding that these things exist and helping us fix them. But in order for the Crowd to effectively make these machines more secure, the companies that make them need to get serious about security.
This isn’t a comment on voting machines. The most resilient system in the world will fall if enough time, energy and creativity are applied to doing so. But with the election a month away, what can we do?
At the very least there should be a requirement for test beds to be made available in between election cycles (outside of DEFCON) and for the companies that make these machines to have a clearly stated Vulnerability Disclosure Program.
The tide is shifting. Vulnerability Disclosure is becoming a best practice. Outside of adoption (which has been swift and extensive) there is no better evidence than the push for legislation — The FDA, The Justice Department, and Department of Homeland Security and State Department to name a few. It doesn’t stop with vulnerability disclosure — really proactive companies will extend on this, add incentives, and create a fully fledged bug bounty program to encourage findings…and fixes.
We need to think about ways that the election can (and will) be hacked. Foreign and domestic threat actors are interested in the outcome of any election, especially this one. The priority now becomes detecting how the variety of systems that will be deployed on Nov. 6 have already been hacked. Assume breach.
Election hacking affects us all. As consumers we need to be vigilant. Our votes count – we only get one. It’s your right and duty to ask what type of security measures the companies making these machines are taking. Think of it as neighborhood watch for the election. #ItTakesACrowd
