For well over a decade, the relationship between voting machine companies and security researchers has been fraught. The manufacturers have long resisted allowing unfettered access for bug hunters, even as major, long-standing vulnerabilities plagued voting machine models used throughout the 2000s and 2010s. A new collaboration, though, shows that the cold war has meaningfully started to thaw.
At the Black Hat security conference today, Chris Wlaschin, vice president of systems security and chief information security officer of the election technology giant ES&S, and Mark Kuhr, chief technology officer of the security firm Synack, detailed how the two companies would work together to allow for so-called penetration testing on some ES&S products—and pointed to the larger project of bridging the long-standing gap between their two worlds.
"There’s been a lot of bad blood in the history of this, but I think this is a positive development," Synack's Kuhr told WIRED on Monday. "What we’re trying to do is move the ball forward here and get these election technology vendors to work with researchers in a more open fashion and recognize that security researchers at large can add a lot of value to the process of finding vulnerabilities that could be exploited by our adversaries."
Synack will manage a program for ES&S in which security professionals vetted by Synack will examine and attempt to hack ES&S's new model of electronic poll book, devices that election officials use to manage voter register data for elections. By throwing the device to the wolves, ES&S can learn about and fix potential security issues before malicious hackers find them. Wlaschin says the company plans to run additional crowdsourced penetration tests with Synack on other products as well. And he added that ultimately the company hopes to do this type of penetration testing on new products while they're still in development. ES&S is also announcing a revamped coordinated vulnerability disclosure program during the talk, creating a clear pathway for hackers to submit findings without fear of reprisal.
In the past, ES&S's stance on disclosure and processes were notoriously opaque. And the company's dominance in the US voting machine market has allowed it to exert influence over standards and regulation. All of this makes Wednesday's Black Hat talk even more noteworthy.
"It is quite a change," ES&S's Wlaschin told WIRED ahead of the talk. "Given the times that we’re in and the focus on election security, ES&S has for some time been trying to work with security researchers to, number one, improve the security of our equipment and software and, number two, to improve the perception of election security."
For years, voting machines were a black box, even as more and more states replaced old analog marking systems with computerized options. The Digital Millennium Copyright Act even made it illegal for security researchers to probe voting machines for potential vulnerabilities, which only changed in 2016 with a DMCA exception for voting machine security research.
That paved the way for the program known as the Voting Village, which launched in 2017 as a way for researchers to get their hands on voting machines, likely for the first time, and start hacking them. Part of the Defcon security conference, the Voting Village has also served as a sort of town hall for debate and innovation in voting security. In 2018, ES&S sent a letter to customers downplaying the importance of the Voting Village and its findings: "Attendees will absolutely access some voting systems internal components because they will have full and unfettered access to a unit without the advantage of trained poll workers, locks, tamper-evident seals, passwords, and other security measures that are in place in an actual voting situation."
ES&S's Wlaschin says the company already had mechanisms for vulnerability disclosure in place, but that he has worked to unify them and make it easier for the company to respond to research findings quickly. He joined the company in 2018 after more than 30 years in the Navy and leading information security efforts at the Department of Veterans Affairs and Department of Health and Human Services. He adds that the process of modernizing ES&S's approach to vulnerability disclosure has been a positive one.
"While some might think this is baby steps, they are steps in the right direction," he says. "The word’s gonna get out that we are serious about this. Because hackers gonna hack, researchers gonna research."
Both Wlaschin and Kuhr say they hope their talk and the collaboration between ES&S and Synack will set an example in the election technology industry and reinforce ongoing movement toward embracing security research. For the security community it may take time to assess the purity of those intentions. But with a high-stakes presidential election just a few months away and voting security on everyone's minds, more collaboration between the two industries is likely a heartening step.
- There’s no such thing as family secrets in the age of 23andMe
- My friend was struck by ALS. To fight back, he built a movement
- How Taiwan’s unlikely digital minister hacked the pandemic
- Linkin Park T-shirts are all the rage in China
- How two-factor authentication keeps your accounts safe
- 🎙️ Listen to Get WIRED, our new podcast about how the future is realized. Catch the latest episodes and subscribe to the 📩 newsletter to keep up with all our shows
- 🏃🏽♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones
