Voting machine companies, which for years have been loath to acknowledge any security weaknesses, are finally saying they will consider allowing ethical hackers to search for them. But hackers are skeptical of the election industry’s recent commitment to security and transparency.
The olive branch to hackers marks a huge about-face for the industry, which last week asked for feedback from researchers and companies about the best ways to let outsiders vet their security. They’ve long argued that researchers, by exposing security flaws, could give a roadmap to foreign hackers intent on compromising the 2020 contest. Now they’re saying the threat of Russian hacking and disinformation is too severe for the security of election systems to be treated as a private matter to be managed behind closed doors.
“For many years the industry … preferred to work quietly behind scenes. [But] 2016 brought cybersecurity to the front burner and folks in this industry who were uncomfortable talking about vulnerabilities have warmed up to it,” said Chris Wlaschin, the top cybersecurity official for Election Systems and Software.
But some ethical hackers worry the industry, which has historically prioritized making its machines easier for election administrators to use rather than making them as secure as possible, isn’t ready to make big changes. They fear the companies won’t work quickly enough to fix the bugs they discover and could use non-disclosure agreements to enforce silence about dangerous bugs that could compromise an election.
Wlaschin said the process to report bugs, which is still under consideration, is likely to be relatively restrictive. The companies are likely to require both background vetting for hackers who participate and require them to sign non-disclosure agreements about the issues they find.
That’s already raising the hackles of some hackers who say the voting machine industry has a history of ignoring their reports about dangerous bugs—or downplaying the bugs’ significance.
“The idea of a system where people are reporting vulnerabilities under a gag order and the gag order is in place until it’s fixed is unrealistic. Because right now ‘until it’s fixed’ could be as long as the system’s in use,” said Harri Hursti, a cybersecurity researcher who has spent more than a decade studying vulnerabilities in voting systems.