Lawmakers turn to hackers at Defcon for election security
For two years in a row, hackers at Defcon have demonstrated that voting machines currently in use in US elections have serious security issues. With the 2020 US presidential election quickly approaching, lawmakers who want to fix those vulnerabilities are heading to the Las Vegas hacking conference, which starts Thursday, to see them in person.
Many lawmakers have wanted to pass an election security bill since the race for the White House in 2016, when Russian hackers interfered with the election. A Senate Intelligence Committee report released in late July detailed how the hackers likely targeted election systems in all 50 states. In states such as Illinois and Florida, they were successful.
While there's no evidence that any votes were tampered with during the 2016 election, hackers have shown plenty of proof that the voting machines being used are vulnerable to attacks. Lawmakers like Sen. Ron Wyden, a Democrat from Oregon, have proposed legislation to improve election security to make sure these vulnerabilities wouldn't affect future voters.
"White hat hackers do an invaluable public service in this technologic age by identifying security holes and, if necessary, shaming the government or the companies responsible into fixing them," Wyden said in a statement. "The success of the Voting Village -- in which public demonstrations of voting machine flaws by hackers at Defcon quickly convinced officials in Virginia to promptly move to paper-based voting systems -- is a prime example of how the computer security community has positively impacted public policy and protected our national security."
Despite those efforts, Congress hasn't been able to pass an election security bill. Senate Majority Leader Mitch McConnell, a Republican from Kentucky, blocked two election security bills in July, calling it "partisan legislation."
This comes after former special counsel Robert Mueller warned Congress last month that Russia would continue its efforts to hack US elections, telling lawmakers, "They're doing it as we sit here."
Along with Wyden, Rep. Eric Swalwell, a Democrat from California, will also be at the Voting Village at the hacker conference.
There, hackers and election security experts will have an opportunity to explain to lawmakers what policies are needed to keep voters safe from hackers.
"The overwhelming interest we are seeing from government leaders demonstrates that securing our democracy is a national security priority and we need policy solutions that address the concerns brought to light each year by this Village," Voting Village co-founder Harri Hursti said in a statement.
This is the first year that Defcon has volunteers specifically to help politicians integrate with hackers and learn about issues in cybersecurity. The outreach could potentially affect proposed legislation that would keep cities, elections and devices secure for years to come.
Rep. Ted Lieu, a Democrat from California and Rep. Jim Langevin, a Democrat from Rhode Island, will also be at the hacking convention to learn how policymakers can affect future legislation on cybersecurity.
"I became one of the first members of Congress to attend Defcon when I spoke two years ago about how security researchers have shaped my work," Langevin said in a statement. "I know firsthand the incredible value and knowledge the Defcon community can offer to policymakers. I'm looking forward to returning to the conference this year to keep the lines of communication open."
A new machine
Lawmakers at the Voting Village will be able to see a prototype of a $10 million DARPA-funded open source voting machine, designed to prevent hackers from tampering with people's votes.
The project is headed by Galois, a government contractor that DARPA awarded in March. Since then, Galois has also worked with Microsoft to develop ElectionGuard, software for voting machines to verify ballots.
While in both years that the Voting Village has existed, hackers were able to find vulnerabilities, Galois is aiming to bring the first voting machine that hackers at Defcon can't crack. But even if hackers do find vulnerabilities with the prototype, which its creators expect to happen, it's a win-win.
"There's an ambition that this demonstration will not have vulnerabilities comparable to what's in the room," Joe Kiniry, a principal scientist at Galois, said in an interview. "But of course, the point of the exercise is to learn. If they do find flaws, it helps the researchers put on a different thinking cap and adjust their work over the next 2.5 years while this project continues."
Galois's machine reads votes on paper, and verifies that the vote is valid through scans. It'll be equipped with a secure CPU that Galois created, designed to prevent against common attacks that other voting machines have fallen to in previous Voting Villages.
Kiniry said the team has been looking at voting machines for nearly two decades, learning from past mistakes. This prototype, he said, goes beyond normal voting machine standards.
"We're building things that aim to have a security profile comparable to the work we do for the Department of Defense and intelligence agencies," Kiniry said. "Showing that we can do that for a voting system, we hope will show the world that it is really possible to raise the bar."
The project is open-source, so that voting machine vendors can adopt the security features for its own devices in future elections. If successful, lawmakers will be able to see this technology as another step for election security legislation.