
Voting vendor ES&S unveils vulnerability disclosure program

Election Systems & Software, the biggest vendor of U.S. voting equipment, will allow the security researcher community to test its elections equipment for vulnerabilities.

Election system vendors have had frosty relationships with the infosec community in the past, but one company is reversing course in an effort to improve the security of its products.

At Black Hat USA 2020 on Wednesday, Chris Wlaschin, vice president of systems security for Election Systems & Software (ES&S), formally announced the voting-machine manufacturer's vulnerability disclosure program, which aims to strengthen election security by working with independent security researchers.

"This policy applies to all digital assets owned and operated by ES&S, including corporate IT networks and public-facing websites. Keep the details of any discovered vulnerabilities confidential until either they are fixed or at least 90 days have passed," ES&S wrote in the disclosure policy.

Wlaschin shared the session with Mark Kuhr, co-founder and CTO of Synack, a crowdsourced security platform that will help manage the new program. They discussed a partnership that allows penetration testing of some ES&S products. In addition, they each shared examples of independent researchers' work and of remedies put in place through ES&S' vulnerability disclosure program.

"Researchers are not waiting for a policy to be put in place -- they are actively working on election security issues, and I'm proud to report that collaboration is working," Wlaschin said.

A collaboration across vendor, government and researcher communities is important in securing the election systems, Kuhr said.

"From code readers, to voter registration systems to voter registration databases, there are complex systems and to tackle such a problem we need an aggressive approach and we need a united effort in order to do this," Kuhr said.

Improvements on the horizon

During the virtual session, Kuhr announced that Synack updated its "Secure the Election" initiative with a more comprehensive penetration test, crowdsourced researchers and incentivized discovery.

"It's going to help us push forward this idea that states should be working with that external research community to find vulnerabilities ahead of the adversary. This is a way to help the states move into a modern era of penetration testing," Kuhr said.

In addition, ES&S partnered with Synack to test its newest-generation electronic pollbook.

"These pollbooks are in wide use across the country. They are the front line of election technology where voters enter a polling place and are checked in using the electronic pollbook. We want to make sure everything that can be done to harden these pollbooks is done, so they are as secure as they can be," Wlaschin said.

Lessons from the past

For years, election system vendors have shunned vulnerability disclosure and bug bounty programs while declining to participate in events like Black Hat or DEF CON. Communication between election system vendors and the security research community in the past has been an obstacle, according to Matt Olney, director of threat intelligence at Cisco Talos, but implementing vulnerability disclosure policies is a useful step in overcoming that obstacle.

"What I see with my history in security is that election vendors are still on the road to security maturity, and part of that maturity is to intake vulnerability disclosures and put out the appropriate patches without it being a highly contested thing," Olney said. "Across the board, there's still some space in terms of ensuring there's a vulnerability policy, working well with researchers, engaging with the research community to get the most value out of it. And there's a lot to get out of that community without a lot of cost on the vendor side, and I think they're still figuring that out."

ES&S has grappled with high-profile vulnerabilities and security issues in the past. In 2018, The New York Times reported that some of the vendor's products contained a flawed remote access program called pcAnywhere. After initially denying the report, ES&S admitted it had installed pcAnywhere on its election management system (EMS) workstations for a "small number of customers between 2000 and 2006," according to a letter sent to Sen. Ron Wyden (D-Ore.) that was obtained by Motherboard.

Last year Motherboard reported that security researchers had found additional issues with how ES&S products electronically transmit vote totals, but the company pushed back on the research.

While election security has progressed, Kuhr said there is still more to be done.

"Testing timelines are too elongated, we need to have the ability to have continuous testing on these patches and to be able to push patches to the field very quickly," Kuhr said. "The incorporation of federal standards on this type of product is also needed. Right now, states do not have to buy voter registration systems that are rigorously security tested because there are a lot of optional requirements."
