The annual DEF CON hacker conference took place this weekend in Las Vegas, where corporations, enthusiasts and the the US government backed by Big Data challenge the hacker community in a friendly competitions to break the best defenses the experts have to offer, and pay a pretty handsome sum (not to mention job offers) for those who can find a way through. It's a way for both sides to get better and stronger, but in the end the decision to implement tougher network defenses are always a business decision and not a security one.
Unfortunately as we've seen recently with Russia, that cost-benefit analysis mindset when applied to government means we still have a major vulnerability in this country with electronic voting machines and have for years. One of the biggest exhibitions at DEF CON this year was a demonstration on just how easily those machines can be cracked.
Election officials and voting machine manufacturers insist that the rites of American democracy are safe from hackers. But people like Carten Schurman need just a few minutes to raise doubts about that claim.
Schurman, a professor of computer science at the University of Copenhagen in Denmark, used a laptop’s Wi-Fi connection Friday to gain access to the type of voting machine that Fairfax County, Virginia, used until just two years ago. Nearby, other would-be hackers took turns trying to poke into a simulated election computer network resembling the one used by Cook County, Illinois.
Elsewhere, a gaggle of hackers went to work on a model still used in parts of seven states, as well as all of the state of Nevada. Though the device was supposedly wiped before it was sold by the government at auction, the hackers were able to uncover the results the machine tallied in 2002.
They were among the hundreds of cybersecurity experts who descended on “Voting Village,” one of the most talked-about features of the annual DEF CON hacker conference. In a cramped conference room, they took turns over three days cracking into 10 examples of voting machines and voter registration systems — a reminder, they say, of the risks awaiting upcoming U.S. elections.
“I could have done this in 2004,” said Schurman, who could gain administrative-level access to the voting machine, giving him the power to see all the votes cast on the device and to manipulate or delete vote totals. “Or 2008, or 2012.”
In the wild, he estimated, it would take him about a minute to break in.
Anne-Marie Hwang, an intern at the digital security firm Synac, demonstrated that by bringing a generic plastic key to mimic the ones given to poll workers and plugging in a keyboard, she could simply hit control-alt-delete and enter the voting machine’s generic password to gain administrative access.
The lesson: “The bad guys can get in,” said Jake Braun, a panel moderator at the conference who advised the Department of Homeland Security on cybersecurity during the Obama administration.
And that means election officials must acknowledge that no security is foolproof. Instead, Braun said, they need to adopt the private sector model of working to better detect and minimize the effect of successful cyberattacks rather than trying to become impenetrable.
“‘Unhackable’ is absurd on its face,” Braun said. “If the Russians and Chinese and whoever else can get into NSA and Lockheed Martin and JP Morgan, they absolutely can get into Kalamazoo County or the state of Ohio or the [voting machine] vendor.”
So this means we either need to go back to paper machines, or massively boost detection and containment protocols. Either would mean a lot of additional federal money set aside to help county election boards and various offices of Secretaries of State around the country.
The problem is in precisely zero instances can I find a Republican at the federal level who thinks we should do that. If anyone has an example of a Republican in Congress who wants to do it, let me know.
All I can find are Republicans who want to destroy voting in this country through cuts to implementation funds, voter ID laws, and neglect of the Voting Rights Act.
Ask yourself why in every instance why Republicans want to make voting harder and yet less secure.