DEFCON hopes voting machine hacking can secure systems

The first official report on voting machine hacking from DEFCON suggests the need for pen testing, basic security guidelines and cooperation from local and federal governments.

A new report pushes recommendations based on the research done into voting machine hacking at DEFCON 25, including basic cybersecurity guidelines, collaboration with local officials and an offer of free voting machine penetration testing.

It took less than an hour for hackers to break into the first voting machine at the DEFCON conference in July. This week, DEFCON organizers released a new report that details the results from the Voting Village and the steps needed to ensure election security in the future.

Douglas Lute, former U.S. ambassador to NATO and retired U.S. Army lieutenant general, wrote in the report that "last year's attack on America's voting process is as serious a threat to our democracy as any I have ever seen in the last 40+ years -- potentially more serious than any physical attack on our Nation."

"Loss of life and damage to property are tragic, but we are resilient and can recover. Losing confidence in the security of our voting process -- the fundamental link between the American people and our government -- could be much more damaging," Lute wrote. "In short, this is a serious national security issue that strikes at the core of our democracy."

In an effort to reduce the risks from voting machine hacking, DEFCON itself will be focusing more on the election systems. Jeff Moss, founder of DEFCON, said during a press conference for the report that access to voting machines is still a major hurdle.

"The part that's really hard to get our hands on is the back-end software that ties the voting machines together -- to tabulate, to accumulate votes, to provision a voting ballot, to run the election, to figure out a winner -- and boy we really want to have a complete voting system to attack, so people can attack the network, they can attack the physical machines, they can go after the databases" Moss said. "This is the mind-boggling part: Just as this is the first time this is really being done -- no NDAs -- there's never been a test of a complete system. We want a full end-to-end system so it's one less thing people can argue about. We can say, 'See? We did it here too.'"

DEFCON had obtained the voting machines tested at the 2017 conference from second-hand markets, like eBay, but hopes to have more cooperation from election officials and the companies that make the voting equipment. Moss said it is still unclear what exactly DEFCON will be allowed to do in 2018 because the DMCA exemption that allows voting machine hacking currently needs to be renewed.

Immediate voting machine security

DEFCON officials noted that election security needs to be improved before the 2018 DEFCON conference so local officials can prepare for the 2018 midterm elections.

John Gilligan, board chair and interim CEO for the Center for Internet Security (CIS), said his organization was working "to take the elections ecosystem and to develop a handbook of best practices" around election security. CIS has invited DHS, NIST, the Election Assistance Commission, the National Association of Secretaries of State and other election officials to collaborate on the process.

"We have 400 or 500 people who currently collaborate with us, but we're going to expand that horizon a bit because there are those who have specific expertise in election systems. The view is: Let's get together and very quickly -- by the end of this calendar year -- produce a set of best practices that will be given to the state and local governments," Gilligan said in a news conference on Tuesday. "Our effort will complement what the Election Assistance Commission is developing presently with NIST."

Jake Braun, cybersecurity lecturer at the University of Chicago and CEO of private equity firm Cambridge Global Advisors, headquartered in Washington, D.C., said the DEFCON team would provide free voting machine pen testing to any election officials that want the help.

"If you're an election official, the thing you can do coming out of this is to contact DEFCON and offer to give out your schemes, your databases, give access to whatever else you want tested. This is essentially free testing and training for your staff, and that would normally cost you millions of dollars to purchase on your own."

Moss said the industry's fear of hackers is common, but stressed that the team only wanted to help.

"This is the first scrutiny the manufacturers have had and they don't know what to do. And that's a pretty routine response. We saw that from the medical device world, car world, access control, ATMs," Moss said. "When these industries first come into contact with hackers and people who are giving an honest opinion of their technology, they pull back and hide for a while. If you're doing a good job, we'll tell you, 'Hey, that's awesome.' And, if you're doing a poor job, we'll say, 'Can you please fix that?' But the best part is it's free. You're getting some of the world's best hackers doing pro bono work, giving away reports for free -- normally these people make thousands of dollars a day -- and they're doing it just because they want to see what's possible."

The DEFCON voting machine hacking report noted a number of misconceptions surrounding the security of elections, but Harri Hursti, founding partner at Nordic Innovation Lab, said one of the biggest issues was the idea that there had "never been a documented incident where votes have been changed during a real election."

"These machines don't have the capability of providing you forensic evidence to see that. They cannot prove they are honest; they cannot prove they were not hacked. They simply don't have the fundamental, basic capabilities of providing you that data," Hursti said in the press conference. "The only way you can see if the machine was hacked is if the attacker wanted to be found. That's the sad truth. It can be done without leaving a trace."
