DEF CON endorsed by POTUS!


The President himself has endorsed the Voting Village and the fine work of election security experts to continuously improve the security of the systems which power US Democracy!

...The bad news: It's... not quite happening the way we'd planned.

A tale of two panels

In a panel at Shmoocon in January, we discussed at length the continuing need for independent security research into election systems to minimize risks to election integrity, but also the need to be cautious about scaring the non-technical voter away from Democracy itself (and the relative risk of the two scenario's playing out in the 2020 General Elections):

Hacking Democracy On Securing an Election (Shmoocon 2020)
Democracy is the cornerstone of America’s Constitution, identity, and ideology, and this foundation was shaken during the 2016 Presidential Election.
"That [directly manipulating votes] is a pretty expensive attack. If I'm a bad guy that's wanting to do something in this space, that's probably not the thing that I'm going to go after first, if there are all these other things available [like attacking the perception of vote integrity]."

The panel was held just Pre-COVID, and the attack I was talking about used a combination of the Russian-boogeyman as a potential threat and narrative of insecurity established by the security research community. Combining these two pre-existing factors would create a cheap and effective disinformation weapon to manipulate turnout or to contest the ballot.

A practical example of this that I called out earlier in 2019 on Capitol Hill highlighted the simplicity of:

  • Getting hold of a voting machine from eBay,
  • Making it look infected with ransomware (even if Photoshop was as technical as the actual attack gets), and then
  • Tweeting the pictures to the right audiences to influence confidence in the process in a broad or targeted way.

Seems simple right? The illustration's purpose was to call out that the vulnerabilities themselves were not the only thing that mattered.

As COVID kicked in, these risks became more evident with increased social isolation, the background of the pandemic, and the increasing reliance on social and Internet media. The 2020 Elections were already going to reasonably chaotic, but this was a new curveball concerning the intersection of cybersecurity and information warfare, which we covered when we did a Mid-COVID redux of the panel during DEF CON 2020.

Fast forward to Post-Election 2020: When we flag these particular risks, I don't think any of us considered the White House as the provocateur in this scenario... In November 2020 the threat and impact modeling we'd done nearly 18 months earlier turned out to have been on-point.

Outcomes

The positive news is that the voting equipment manufacturers listened to the chorus of experts warning them that system transparency, and not just cybersecurity, was a vital information warfare risk-factor heading into the 2020 Election.

Disclose.io, VDP, Hackers, and voting
About 18 months ago, I sat in Capitol Hill with a bunch of other badasses including Matt Blaze, Kimber Dowsett, Jack Cable, Alexander Romero, Leonard Bailey, and others, and talked to voting machine manufacturers and US states.

Many organizations took deliberate measures to build in not just better insight into their systems' security, but additional transparency and ease of understanding of security measures by the layperson by adopting the kind of vulnerability disclosure program's (VDPs) we've been pushing via Bugcrowd and The Disclose.io Project.

Some facts:

  • The video tweeted by POTUS was from the DEF CON 2019 Voting Village (#dc27).
  • What happened the following year, and is absent from the clip shared by POTUS, was that Election Systems & Software, the largest voting machine manufacturer in the USA, announced that they would partner w/ good-faith hackers and establish a VDP for their software and systems.
  • The ES&S policy for working proactively with good-faith hackers is here.
  • Dominion and Hart Intercivic followed suit, launching programs shortly after.
  • The policies' launch dates can be seen in the disclose.io #diodb database, an open-source repo for aggregation and transparency around these types of programs.
  • Both Iowa and Ohio Secretary of State made similar moves later in the year, invoking similar security and trust dynamics around auxiliary election systems like voter registration portals and databases.
disclose/diodb
Open-source vulnerability disclosure and bug bounty program database. - disclose/diodb

It's important to note the voting machine companies went to extra lengths to add authorization for good-faith security researchers, extending what's commonly referred to as "Safe Harbor" for good-faith security research.

These clauses are usually to combat the chilling effect on security research created by anti-hacking laws like the CFAA. In these cases, it was also a deliberate measure to reinforce the transparency of the process, supporting the integrity of Democracy itself. In each policy, the Safe Harbor clause directly reflects the disclose.io Generic Safe Harbor boilerplate.

disclose/dioterms
Open-source vulnerability disclosure policies. Contribute to disclose/dioterms development by creating an account on GitHub.

From here...

OK, so does this all mean that the voting machines and tabulators are tamper-proof and that any concern around them is unfounded and should be dismissed outright?

No, not at all - In the interest of proper discourse, and not deepening the conspiracy theories by creating a perception of defensiveness - the security community is wise to find ways to acknowledge the validity of any concern, regardless of the tone or underlying intent.

Vulnerabilities are a feature of software development and no system, even voting equipment, is immune. Trust but verify is always the order of the day, and post-election checks of integrity are both valid and Constitutionally allowed. Both the measures taken leading into the 2020 General Elections and the resilience so far of the systems under investigation demonstrates the lengths that election officials and those who support these systems go to, on a continuous basis, to make sure they are as resilient as possible, and that the methods used to achieve this resilience have transparency built into them.

The situation also demonstrates how impactful misinformation and disinformation is as a tool of cyberattack, how much more easily the use of such tools is concealed, and how much more economically rational - as an attacker - it is to just "say scary things" when compared to the cost, risk of discovery, and difficulty of actual clandestine vote manipulation.

Here's the full CNBC video: