Has it been four years already?

Yep, that’s right, election cybersecurity is back in the spotlight. It’s easy for the topic to only be top-of-mind during election years, but this is actually something that is near and dear to my heart outside of election years as well. Despite an enormous amount of investment and progress in election system security, a deepening distrust in election integrity in North America is bringing the subject of vulnerabilities, hacking in good faith, and the place of security research into public discourse once again. 

Back in 2020, I wrote a blog about how vulnerable the population is to manipulation through disinformation strategies. A tweet of a voting machine that “looks like” it’s infected by ransomware could be as effective at deterring voter turnout and confidence as an actual infected machine. 

In fact, I’ve illustrated this point in the belly of the beast—Capitol Hill. In early 2019, a group of security research and vulnerability experts were invited to a House Committee hearing, and  spoke to voting machine manufacturers and government officials about the need to both improve machine security and actively counter the disinformation risk created by the topic of election hacking. Using a voting machine I bought off eBay earlier that week, I showed how easy it is to make it look like a voting machine had been hacked, even when it hadn’t been. Election security has, and always will be, a two-headed beast—it’s an information systems security problem and an information warfare problem.

In the election off-years, I’ve been working tirelessly with the Bugcrowd team and other allies in the community to build bridges between the builders of voting technology and hackers operating in good faith who can break the technology, in order to expose critical vulnerabilities before threat actors have a chance to find the same vulnerabilities, and to demonstrate “Neighbourhood Watch for Election Security” to concerned voters and pundits. 

Establishing collaboration between hackers and election technology providers 

Some of this work includes the formation of the Election Security Advisory Council, and our involvement in a pilot event with the IT-ISAC’s Election Industry Special Interest Group (EI-SIG). In September 2023, we held the inaugural Election Security Research Forum (ESRF) at MITRE Corporation’s National Election Security Lab. This pilot event aimed to foster collaboration between hackers and voting technology providers under the principles of Coordinated Vulnerability Disclosure (CVD), and marked a significant milestone in the traditionally chilly relationship between these two groups. Three voting technology providers—Election Systems & Software (ES&S), Hart InterCivic, and Unisyn Voting Solutions—provided modern voting machines for hackers to test over several days.

The ESRF marked the culmination of five years of work by the IT-ISAC and its Election Industry SIG, which was formed in 2018 with the goal of establishing a trusted framework for industry-hacker engagement. The event involved a rigorous planning process, engaging the Election Security Advisory Council, comprising leaders from Bugcrowd, other security companies and agencies, and election leaders and officials. 

Fifteen hackers, selected based on their technical expertise and commitment to CVD principles, participated in the event. They were given access to a variety of election technology provided by the companies, allowing them to conduct testing and identify vulnerabilities. Throughout the event, hackers had legal safe harbor for publishing vulnerabilities in exchange for adhering to agreed-upon vulnerability disclosure policies.

The event aimed to demonstrate the feasibility and benefits of collaboration between hackers and election technology providers—in effect, its main goal aside from the discovery of vulnerabilities, was to demonstrate that “dogs and cats can play nice.” While vulnerabilities were identified during testing, the focus was on proactive identification and resolution, rather than simply proving system insecurities. The event fostered increased collaboration and trust between hackers and providers, laying the groundwork for future engagements. The culmination of the event was a burn-down in front of a broader audience, including Secretaries of State, representatives from NASS and NASED, as well as members and leaders from the Election Assistance Commission—the body responsible for certifying voting technology.

Moving forward, the organizers plan to modernize the certification process for election technology to accommodate CVD programs and continue hosting events like the ESRF. The ultimate goal is to normalize the practice of CVD in elections, fostering greater security, trust, and transparency in the electoral process.

Continuing the conversation at RSA

Since that first meeting in DC in 2018, we’ve seen the DHS publish advice and guidance around vulnerability disclosure adoption for election administrators and voting technology manufacturers, and seen almost complete adoption of VDP as standard practice amongst voting equipment manufacturers.  This started with ES&S, the manufacturer of 60% of the voting machines in the USA, as they announced the first vulnerability disclosure program for a voting machine manufacturer during DEF CON in 2020. Moves like this, along with events like the ESRF, show the massive strides made to end over a decade of hostility and distrust between technology vendors and the hacking community, and to enable better security and greater voter confidence by allowing hackers operating in good-faith to play their role as the internet’s immune system.

We still have a way to go, but we’re headed in the right direction. I’ll be speaking on a panel next week at RSA about the ESRF event alongside some of my peers from the ESAC and the EI-SIG. We’ll share more details, explore lessons learned, and discuss next steps. I hope to see you there!