The Russian connectionU.S. voting machines can be easily, quickly hacked: DEFCON report

Yesterday, 10 October, DEFCON released a new report at the Atlantic Council’s Brent Scowcroft Center on International Security detailing findings from its first-ever “Voting Machine Hacking Village.” DEFCON notes that the Voting Village, held three months ago at DEFCON25 in Las Vegas – and in light of Russian hacking attempts during the 2016 election — provided a national stage for thousands of hackers to engage with 25+ pieces of U.S. election equipment for the purpose of finding cyber vulnerabilities and expanding the base of knowledge about election security.

The report highlighted how every piece of equipment in the Village – which included voting machines and poll books still largely in use in current U.S. elections – was effectively breached in a matter of minutes by hackers, including one machine with unwiped personal voter contact data from 2008 for more than 650,000 voters in Tennessee. The report also revealed that foreign-made parts were widely discovered within the Village’s machines, elevating possibilities about supply chain security and an adversary’s ability attack a vast number of voting machines –simultaneously and remotely.

“What the report shows is that if relative rookies can hack a voting system so quickly, it is difficult to deny that a nefarious actor – like Russia – with unlimited time and resources, could not do much greater damage,” said Voting Village organizer and University of Chicago cybersecurity instructor, Jake Braun who also moderated the panel. “That threat becomes ever more poignant when you consider they could hack an entire line of voting machines, remotely and all at once via the supply chain.”

The report also noted that voting machines have been hacked in some limited academic or industrial settings in the past, but due to temporary exemption of the Digital Millennium Copyright Act (DCMA), the Voting Village represented the first time these election systems were made widely available for experimentation without fear of criminal or civil punishment.

Additionally, on the heels of recent headlines about Russian government-linked hackers targeting as many as twenty-one states’ election systems during the 2016 election, the event and report also focused on the larger national security and geopolitical implications of the Voting Village demonstration. To that end, the event speakers also included former U.S. ambassador to NATO, Douglas Lute; data security expert and Voting Village organizer, Harri Hursti; former director of NSA/CSS Threat Operations Center (NTOC), Sherri Ramsay; and the Center for Internet Security (CIS) Chairman and Interim Chief Executive Officer, John Gilligan. DEFCON organizer, Jeff Moss, was the keynote speaker.

As a follow up to the report findings, DEFCON joined several other groups in attendance at the event to unveil a new coalition effort that will work together to formulate best practices regarding U.S. election infrastructure – including voting machines, voter file databases, and election office practices. The aim is for such findings to be disseminated to election stakeholders at the federal, state and local levels. The coalition, which will be convened by CIS, is a nonpartisan, voluntary effort with initial participants coming from a variety of cyber, national security, academic, and government association organizations including:

· Center for Internet Security

· DEFCON

· National Governors Association

· National Conference of State Legislatures

· Atlantic Council

· New America Foundation

· University of Chicago

· University of Maryland

· University of Texas San Antonio

· Nordic Innovation Labs

Of the coalition effort, DEFCON founderMosssaid: “Bullets or ballots are two methods that can control who is in power. We spend a great deal of resources on bullets, and strengthening national security. Imagine if we put that kind of thought-power into securing our ballots. The Voting Village was done in the spirit of advancing knowledge so we can find solutions. Our community can keep doing that through this coalition and future DEFCON election-security demonstrations.”

DEFCON notes that the coalition expects to release its guidance on election security best practices, to be issued within the next two months. The Voting Village has also been announced for a second year and is planning to add more equipment, software and the ability to conduct an entire mock election using actual voting technologies into next year’s event.

— Read more in Matt Blaze et al., DEFCON 25 Voting Machine Hacking Village Report on Cyber Vulnerabilities in U.S. Election Equipment, Databases, and Infrastructure (DEFCON, September 2017)