It seemed unlikely a few years ago that a topic as dry-sounding as election cybersecurity would be on everyone’s lips, but here we are — and for good reason. To paraphrase a wise man, “the more they complicate the plumbing, the easier it is to stop up the drain,” — and as we all now know, there are those working to do just that.
But where most efforts to batten down the election hatches are top-down and coming from the state and federal governments, some of us have been working more bottom-up. At the DEFCON annual hacker conference in Las Vegas, the “Voting Village” project invites top hackers to have a go at penetrating the voting machines themselves, looking for — and cataloging — vulnerabilities.
As you might imagine, not everyone has been happy about this.
No technology is 100% secure, so if you look hard enough you can always find some way to cause some mischief, even if it amounts to just an annoyance rather than an actual threat. As a result, some manufacturers of the scrutinized equipment have pushed back on the DEFCOM efforts in a self-serving attempt to gloss over any weaknesses in their commercial products.
The National Association of Secretaries of State and other “official” sources even got into the act, suggesting that the hackers’ efforts undermined public confidence in the democratic system. This of course from the very sources who almost daily speak of the threat from foreign actors — a far more potentially confidence-undermining discussion.
But this year the response was different. Manufactures relented and embraced the efforts, and Voting Village participants included the likes of California Secretary of State Alex Padilla and Oregon Senator Ron Wyden.
Why the change of heart? First of all, the unquestionable legitimacy of the efforts. It simply isn’t possible to dismiss the event as just a bunch of silly hackers. Voting Village is coordinated by the University of Chicago’s Cyber Policy Initiative, which counts on its advisory board former ambassadors and Homeland Security authorities both past and present.
Then there are the results. The hackers act as independent verifiers of the hardware and software we depend on for accurate election data, and the results of the work have been irrefutable. Even the much-maligned simulations that suggested some state-level systems were vulnerable to code-injection attacks were vindicated by the Mueller Report, which identified those very vulnerabilities. This enabled them to be directly mitigated.
Very simply, Voting Village has created more impetus to address local vulnerabilities that may have otherwise been overlooked. Where most of the attention has gone to top-down threats, the DEFCON hackers focused equal attention to less headline-grabbing concerns — especially in those cases where voting machines may be networked with obsolete software.
At the end of the day these efforts matter, and because they matter, the messages from the hackers themselves have finally been taken seriously.
Physical security for one. Voting Village rather dramatically demonstrates the need for vigilance in tabulator storage and chain-of-custody protocols. Generally speaking, any physical vulnerabilities to systems are not easy to exploit without time and expertise. Keeping those machines properly secured and monitored (as we do in Vermont) solves this problem.
Second, and more important, is the need for paper ballot backup — again, as we do in Vermont. With paper ballots, the results are always there, unhacked and verifiable.
Finally, Voting Village shows that there is a place in the conversation for the public. That can mean anything from hacking to simple public engagement. Ask questions, inform yourself.
The only way to be sure our systems are secure is to recognize and address all the insecurities, which means finding them in the first place. And information is not something to fear. In fact, it is the best remedy for fear. We can feel more confident in those tasked with providing our security when we can be confident they understand all potential avenues for mischief. That’s not frightening — it’s reassuring.
If we’re doing everything right we can rest easier. When our election systems get meddled with — and make no mistake, it’s going to happen on occasion — we’ll be in a position to identify and remedy the situation and those final results will be available with only a minor delay. Just like the old days when a clerk might overlook a box of ballots in the vault and force a recount. These scary cyber-scenarios become less scary understanding that such problems need only be the modern version of that analog scenario, so long as we’re taking all the necessary precautions.
All of us working together — hackers and authorities alike — can only make us stronger and more secure. Indeed, it already has.
Montpelier City Clerk John Odum serves on the Advisory Board of the University of Chicago Cyber Policy Initiative.