Voting Machine Maker Defends Refusal of White-Hat Hacker Testing at DEF-CON

Voting machine maker Election Systems & Software (ES&S) defended its decision not to participate in a white-hat hacking event at this year’s DEF-CON to test the security of voting systems, saying such hack-a-thons could actually jeopardize election security and invite hackers to disrupt electronic voting systems.

Not allowing its voting system to be submitted to independent hacking by security researchers at the “Voting Village” at the DEF CON cybersecurity conference does not mean ES&S lacks commitment to security; on the contrary, the decision was meant to protect its systems, the company said.

“Forums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage,” ES&S President & CEO Tom Burt said in a letter last week. “We believe that exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”


Burt’s letter was in response to one he received several days earlier from four U.S. senators calling out ES&S for not allowing its system to be tested by security researchers at DEF CON, and pointedly questioning the company’s commitment to security.

The Senators’ letter was not without merit. ES&S previously acknowledged that some of the voting machines it sold to local governments from 2000-2006 included a specially-configured copy of PCAnywhere, a remote access tool used for tech support. The news was worrying for the security community not just for the potential for hacking into the machines, but because it called into question the company’s credibility, as it had previously denied the inclusion of the tool.

The Senators–Sen. Kamala Harris (D-CA), Susan Collins (R-ME), Mark Warner (D-VA) and James Lankford (R-OK)–said they were “disheartened” that ES&S deemed the DEF-CON event “unrealistic” and is not supportive of independent testing, and strongly questioned the company’s commitment to security.

“We believe that independent testing is one of the most effective ways to understand and address potential cybersecurity risks,” the senators wrote.

Thanks, but no thanks to white-hat hacking

In their letter, the senators also demanded that Burt answer three questions about the company’s commitment to ensuring that its voting systems are secure in the future.

The senators asked whether the company will agree to: allow election agencies to submit its machines to third-party testing and share those results with the public; provide those agencies with the machines at a reasonable cost so they can be tested before an election and before the agency enters a long-term contract with ES&S; and provide cybersecurity researchers with the machines as well, also at a reasonable cost, so they can test them and make the results public.

Burt responded “yes” to all three questions, outlining how ES&S already complies with all of these criteria to ensure its systems are secure for elections. He also sought to assure the senators that he is on the same side as them when it comes to fighting hackers who want to sabotage U.S. elections.

“Senators, we respect your positions and share your interests in election security,” Burt wrote. “We are an American company that dedicates each and every day to the security of elections, as well as every other aspect of this cornerstone of our nation’s democracy.”

He also said ES&S doesn’t think all white-hat hackers and events like the one at DEF-CON are bad, conceding that “there is real value in the ethical ‘white hat’ hackers.”

Still, the company would rather its systems not be submitted to their testing, preferring instead to undergo third-party and independent testing under “extreme laboratory conditions, as well as realistic conditions that replicate a typical polling place or elections office to take into account what kind of hacking is and isn’t possible during an actual election.”

“That way, time and resources are directed to vulnerabilities that are actually capable of being exploited,” Burt wrote.

New partnerships to enhance security

Amid its back-and-forth with the senators–the day after Burt received the senators’ letter and before he responded to it–ES&S did take concrete action to better secure its systems. Coincidence or not, the news shows the company taking strides to make what some may consider long-overdue improvements.

Specifically, the company unveiled a deeper partnership with the U.S. Department of Homeland Security and the Information Sharing and Analysis Centers (ISAC) to bolster security within its systems, including the installation of advanced threat monitoring and network security monitoring for ES&S products and services.

ES&S is also joining two ISAC centers–the Elections Infrastructure ISAC and the Information Technology ISAC–to become part of a larger threat-sharing network, so the company can receive alerts on cyberattacks as well as share its own threat intelligence with other partners.

The move appears to back Burt’s written commitment to “strong, continuing partnerships between state and local election officials, the EAC, DHS, law enforcement” as one aspect of the company’s strategy to prevent cybersecurity incidents involving its voting systems that could mar the results of future U.S. elections. As the country prepares for key state and federal elections in November, it remains to be seen whether the work of ES&S and other voting-machine manufacturers to prevent election hacking will pay off.