At this year's DefCon, a hacking conference, the ease of hacking our voting systems, both virtually and physically, was subject number one.
Attendee Rachel Tobac demonstrated how she could gain admin access to the voting machines used in 18 states with no tools or special knowledge.
Another attendee, this time an 11-year-old girl, took all of TEN MINUTES to hack into a simulation of Florida's Secretary of State's website and change the results.
Even stipulating that the Russian hacking efforts are not as sophisticated (by most intelligence accounts, their tactics are more along the lines of throwing everything against the wall to see what sticks rather than surgical strikes), it still raises the question of how we can trust in the integrity of our 2018 midterm elections.
In the most fundamental sense, security researchers work by throwing the book at a piece of software, poking and prodding for any obscure or overt flaw in a program, usually causing developers to issue regular patches as vulnerabilities are discovered. Conferences like DEFCON provide a platform for both critical research and “stunt hacking,” flashy tricks that are often simple but designed to catch the broader public’s attention.
But that process is anathema to voting equipment manufacturers for a number of reasons. Vendors have to follow some government guidelines and undergo certain audits, but they’re largely unaccountable to the public. Patching voting equipment that isn’t connected to the internet is difficult for many counties with little technical expertise, and vendors fall back on how unlikely it is that a registered poll worker or an elected official would have the time it takes to tamper with a voting machine. The vendors also point out that even if someone had the time to work a hack, the overall US election system is decentralized enough that as unlikely as hacking one machine is, a coordinated effort to hack them in bulk is even less likely.
Copyright laws have previously made it difficult for researchers to legally acquire voting equipment to test it. With an incentive to assure customers that their product isn’t dangerous, vendors have historically lied outright about vulnerabilities they deemed unlikely to cause problems in the real world.
As yet, the Trump administration has done nothing to secure the election systems from tampering, either foreign or domestic, perhaps because he and the rest of the GOP see no issue with cheating if it meets their end goal of more power to them. One thing they could do right now is allocate the money needed to secure the systems on the state level.
Election officials can't act on findings about voting machine and voting infrastructure vulnerabilities, DefCon speakers noted on Friday, if they don't have the money to replace obsolete equipment, invest in network improvements, launch post-election audit programs, and hire cybersecurity staff. Some progress has come, but not enough, and too slowly.
"While I thank the United States Congress for appropriating $340 million last month, let me be abundantly clear, we need more resources," said Alex Padilla, the secretary of state of California and the state's top election official. "All the things that we know we have to do, all the things that I'm going to learn and observe when I go down to the Village after this panel, to implement and act on all of these findings, recommendations, and discoveries we need official resources."
After all, it took nearly two decades for Congress to appropriate that recent election security windfall; it came from the 2002 Help America Vote Act. "That's butterfly ballot hanging chad money, not cyberthreats 2016, 2018, 2020 money," Padilla says. In recent months, Congress has failed to pass various bills that would fund election security and infrastructure improvements ahead of the midterms. And though the bipartisan Secure Elections Act has been steadily gaining momentum in the Senate—and was introduced through a companion bill in the House on Friday—it is likely still months away from potentially becoming law.
Sure, it's not as exciting as picking out Space Force logos, but it matters much more to the integrity of the nation.