by Monty St John
It’s been a few weeks since DefCon took place in Las Vegas, but the buzz from this year’s event can still be heard echoing throughout cybersecurity circles, particularly elections cybersecurity. Hackers were out in full force to try their hand at breaking into election machines through DefCon’s “Voting Village” this year. Running for its second year, the process was well-thought-out; outlining issues with voting machines and pointing out that upgrades, patching, and having appropriate staff are still the best answers to any vulnerabilities.
However, it’s important to understand the context of information received, what it means, and how to use that information moving forward. The “Voting Village” only really prods at a few of the components to a complex ecosystem and while it exposes necessary elements to fix—as good research should—it’s not quite time to grab the torches and pitchforks and burn down the election infrastructure as being incompetent.
It’s tough to simulate the reality of the elections ecosystem at a singular event. First, it’s much broader than just election machines, which DefCon attempted to simulate this year, adding in mock election office networks and voter registration databases for participants to defend or hack. Secondly, those components—election machines, voter registration, election results publishing, voter check-in and so on—are widely disconnected from one another, both logically and geographically; meaning, unfettered access and interconnection between components was established where it otherwise didn’t exist. That means there are important distinctions between the issues pointed out at DefCon and their outcomes in real world conditions, but it DOES NOT mean there’s nothing to learn from a meeting like this. It is important to keep in mind that we need to be careful about what we take away from it.
Event organizers are trying to help, pointing out issues they think are critical, especially during a time when the debate over how to boost election security is heated. On the other hand, officials are wary about security researchers with an outside perspective highlighting the issues in the systems they work with closely day in and day out. Russian interference in the 2016 election gave election cybersecurity frontline attention, moving it from a relatively niche technical issue to a Voting Village at DefCon.
At last year’s conference, hackers revealed an array of flaws in voting machines, prompting pushback from election officials and voting vendors, who said the hacks were unrealistic, but also helping open the door for lawmakers to introduce election security legislation. Again, understanding the context and takeaways can lead to some good decisions, but can also spark heated debate, fueled by a daily-dose of over-dramatized headlines.
But as security researchers and officials both note, the threats are no different this year, as Russia continues to target the US election system. Further, the vulnerabilities remain the same, as a new wave of them emerged from this year’s work on voting machines used by states. If a singular message exists from all of this, it is the need to be proactive and advocate for the resources to correct issues through upgrades, patching, and having appropriate staff resources. While, it may be more fun to grab our proverbial pitchforks, the solution is much more practical.
To be sign up for our elections newsletter click here.
For more on relevant security topics visit https://www.cyberdefenses.com/blog.
Free On-Demand Webinar Replay on Elections Cybersecurity Assessments can be accessed here.