A Voting Machine Maker’s Take on DEF CON

Chris Wlaschin
3 min read · Aug 17, 2018


I am the Vice President of Systems Security for America’s leading voting machine manufacturer, Election Systems & Software (ES&S), and I attended DEF CON, the nation’s largest hacker conference. DEF CON’s “voting village” has generated clicks and soundbites in the past few days, in part because of an assertion that industry refused to participate. Nothing could be further from the truth. I attended DEF CON because I want to leave no stone unturned in my quest to ensure the security of the nation’s voting systems, and I believe there is real value in the ethical “white hat” hackers that industry members can connect with at the conference.

Before accepting my role at ES&S in April 2018, I served as the Chief Information Security Officer for the U.S. Department of Health and Human Services, overseeing the Department’s cybersecurity efforts. Before that, I held cybersecurity positions in such agencies as the Department of Veterans Affairs, Military Sealift Command, and the Defense Intelligence Agency. I understand the importance of maintaining good relations with ethical hackers.

Security researchers, another name for ethical hackers who help test the security of information systems, often provide significant and measurable insight into the vulnerabilities associated with technology of all kinds. Whether it is hardware, software, personnel, or facilities, security researchers help technology manufacturers be more aware of the cyber threats that may affect the devices we use in our daily lives. Security researchers also assist government and businesses in protecting vital information and critical infrastructure assets important to our national security and democracy.

However, white hats are almost certainly not the only cyber experts attending DEF CON. In fact, the only requirement for entry, according to the DEF CON website, is “$280 USD cash at the door.” There is no registration. Anyone, whether they are friend or foe of U.S. security, could be part of the voting village.

That is why voting machine makers and software providers do not hand over hardware, software or source code to the anonymous hackers at DEF CON. Supplying critical infrastructure source code or voting machine hardware or software to anonymous hackers who may be gathering intelligence to interfere in our elections is not only irresponsible, it is dangerous to America’s democracy.

It is true that security researchers are a necessary part of keeping our elections as secure as possible. However, exposing current equipment and source code to anonymous hackers is potentially the same as handing over your ATM card and PIN to a scammer and asking them why your bank account is empty.

Providing current equipment and source code to anonymous hackers at a conference is not the only way voting machine manufacturers can work with security researchers. Bug bounty programs and penetration tests help keep our security systems one step ahead of the bad actors (who are probably attending DEF CON), and that is why ES&S uses independent researchers to test its systems.

This sort of ethical election testing is conducted under both extreme laboratory conditions and realistic conditions that duplicate a typical polling place or elections office, to determine what kind of hacking is and isn’t possible during an actual election. That way, time and resources are spent on vulnerabilities that are actually capable of being exploited.

DEF CON testing, however, is not done in real-world conditions. Machines and software are not current, and the voting village does not reflect the circumstances of an actual election, such as an election worker stopping a hacker from opening up a voting machine.

In my previous cyber roles, I have authorized security researchers to find vulnerabilities or bugs and help organizations harden their software and systems against cyber attack. Under these circumstances, it was the best of both worlds. The organizations benefited from this second set of eyes detecting flaws that system architects or software coders overlooked while still maintaining control over hardware, software, or source code that may represent millions of dollars of intellectual property or research and development investments.

Cybersecurity is a race with no finish line. Everyone involved in the conversation agrees that our nation’s critical infrastructure is under attack by nation-states, cybercriminals, and professional and amateur hackers. It is only through preparation, constant vigilance, secure technology, post-election audits, and strong, continuing partnerships between State and Local Election Officials, DHS, Law Enforcement, and voting system manufacturers that we will keep the elections infrastructure secure.


Chris Wlaschin

V.P. of Systems Security for Election Systems & Software. Previously served as the Chief Information Security Officer for the Dept. of Health & Human Services.