A new hackathon is helping to make elections more secure | #elections | #alabama

Most hackathons don’t take five years to schedule, but this one was for a good cause and worth the wait.

Last month a group of hackers and vendors came together in a suburban Virginia office to try to improve the operations of various election computing devices. It comes at a moment in time when trust in elections is low and misinformation high.

The event was organized by the Information Technology – Information Sharing and Analysis Center, or IT-ISAC. There are more than a dozen of these analysis centers organized around technology sharing for specific vertical industries such as automotive, electric utilities and healthcare. The IT-ISAC created a special interest group on elections back in 2018 to help elections officials to guard their networks against both physical and cyber-based threats. Thus began the plans for the hackathon.

Voting technology is not a new interest area by any means. The first set of voting system guidelines was created back in 1990, and its fifth edition was updated this past summer. These are voluntary but very extensive: The new edition contains both 15 high-level principles and requirements on the design and operation of voting systems, such as how to provide physical security and data protection.

It also contains a description of how these systems will be tested and certified. One example is these dicta: “To limit the attack surface on voting systems, these guidelines require that any election system, such as an e-pollbook or election reporting system, be air-gapped from the voting system. To ensure the integrity of the voting process, the guidelines have various methods to detect errors and provide ballot and other audits.”

There are two test labs that put various equipment through their paces and make recommendations. The final certification decision is made by the Elections Assistance Commission, a federal agency. One of the labs is Pro V&V based in Huntsville, Alabama. Lab Director Jack Cobb has worked in the voting test industry for many years and spoke about some of his challenges.

“The test industry requires a lot of talent in many different fields such as security, quality assurance, human factors and software coders,” he said. “All of these are important and their relationship is continually evolving. There has been an evolution in the importance of security requirements too. Long ago we were using hard-coded passwords for election workers’ convenience for example.”

The hackathon, held at MITRE Corp.’s offices, wasn’t the first time any such gathering has happened.

There have been numerous “Elections Hacking Villages” held over the years at the DEFCON security conferences in Las Vegas, including one held this past summer. One of the biggest issue for election workers is threats of physical harm. According to a March 2022 study from NYU’s Brennan Center for Justice, one in six election workers have experienced threats because of their job, and 77% said those threats had increased in recent years. Many have quit the field entirely.

However, these DEFCON hackathons have their limitations: “For example, all of the equipment at the DEFCON village is at least 15 years old, and all of it was purchased without any vendor participation or support,” said Trevor Timmons, chief technology officer of The Elections Group and former chief information officer of Colorado’s Secretary of State office. He has participated at both the DEFCON and MITRE events.

“The MITRE event had the explicit support of several election equipment vendors, who sent their representatives and were there to address questions in real time,” Timmons told SiliconANGLE. “DEFCON is a more theatrical event.” He said that “one overarching goal with the MITRE event was to have more secure equipment that we can trust to tally and report on votes accurately. And the event brought several pre-release devices that haven’t yet been put into the field.”

“The MITRE event brought together the practice of vulnerability disclosure with hands-on security testing by some of the most experienced and innovative ethical hackers in the country,” Kayla Underkoffler wrote in a blog post for HackerOne that documented the moment. HackerOne was one of two bug bounty participants, the other being Bugcrowd CTO Casey Ellis. He told SecureWorld that “both researchers and voting service providers can find common ground quickly and collaborate effectively.”

A total of three election tech providers and 15 security researchers also participated. They weren’t paid for their time, other than reimbursed travel expenses. One vendor not present was the now-infamous Dominion Voting Systems. It has participated in other exercises, such as annual “Tabletop the Vote” that is part of a nationwide emergency planning effort.

But there’s no substitute for actual hands-on testing of the equipment. “It’s so crucial to ensure thorough security testing is conducted by those who can adopt an outsider’s mindset and that ensures transparency of that testing for the public through vulnerability disclosure,” Underkoffler said in her blog post.

As a result of the hackathon, numerous bugs were identified by the hackers, which are being fixed by the three vendors. Eventually, these will be divulged as part of the common vulnerability disclosure protocols agreed upon by the participants.

One of the reasons for the voting hackathon at MITRE was to combat increasing levels of disinformation about voting. “There are three ways to influence elections: by manipulating the voter registration lists, direct attacks on the machines themselves, or attacking people’s confidence in the results,” Timmons said. “The last method is the easiest.”

There have been several efforts to combat misinformation about voting. One began in 2020 by the Cybersecurity Information and Security Administration with a webpage called Rumor vs. Reality that busted various election-related myths. Many states have their own myth-busting pages, such as Colorado’s. That state has a rapid response cyber unit, consisting of five cybersecurity and communications professionals. It was created as its own disinformation task force to help local voting officials combat these myths.

One motivation to focus on the last item has been the number of candidates who won’t admit they lost their races. “Trust in elections is not about convincing the winner, but the loser accepting they have lost, and the race was fair,” Timmons said. That’s why the MITRE event was so important, because, he said, it was the first event to build that bridge of trust from hackers to vendors in the elections community.

“Both hackers and vendors had trust problems, which is why it took so long to get the hackathon from idea to reality,” Timmons said. “It became a two-way street to build trust, but everyone left the event with improved trust in each other.”

Image: Pixabay