Inviting hackers to attack vote machines
L.A. County officials hope new Defcon challenge will help expose vulnerabilities in election equipment as they plan a system change
Local election officials are looking for some good hackers.
As part of an effort to create a new voting system, Los Angeles County computer specialists are headed this week to Defcon, one of the world’s largest hacking conventions, where attendees will try to compromise a new target — voting equipment.
County Registrar-Recorder Dean C. Logan said he hopes Defcon’s new Voting Village will give his staff more to worry about as they work to revamp the way Los Angeles County votes.
Defcon, which draws 20,000 participants to Las Vegas yearly, has set aside a space this year for hackers to pick apart voting machines, assail voter-registration databases and carry out mock attacks on various voting processes from around the country.
In time-honored Defcon style, some will play offense and some will play defense, and the point is to expose vulnerabilities.
Defcon founder and Chief Executive Jeff Moss, known by the online moniker Dark Tangent, said he and fellow Defcon planners have spent months buying voting equipment on EBay to prepare for the event.
He said he hopes the Voting Village will spur new interest in problems in U.S. election systems.
“Hackers are always looking for something new to play with,” said Moss, who seemed almost to be rubbing his hands. “It’s going to be such a rich area!”
The event comes at a moment of heightened interest in possibilities for election tampering.
American intelligence officials released an assessment in January saying that, although the vote count was not affected, Russian-government hackers interfered in the 2016 national election. The report said they hacked Democratic National Committee networks and officials’ emails and selectively leaked material in an effort to damage Democratic candidate Hillary Clinton.
Russian hackers had gained access to state and local electoral boards in an effort to learn about their processes and equipment, according to the assessment, and Kremlin-linked sources pushed negative stories about Clinton’s health and charity. In addition, the sources sponsored social media campaigns to amplify scandals about her and mar her candidacy.
Last month, Homeland Security officials went even further, saying the FBI had found evidence that Russian-backed hackers had penetrated election systems in 21 states in 2016, including Illinois and Arizona.
Security advocates are “very, very worried” about hackers’ next moves, said Barbara Simons, a San Francisco computer scientist who leads Verified Voting, a nonprofit election-security advocacy group.
Simons, who will open the Defcon event Friday at Caesars Palace, said she hopes to use the occasion to kick off her group’s national awareness campaign about “our broken voting system” and require voter-marked paper ballots nationally.
Los Angeles County officials, meanwhile, are years into a $15-million effort to develop what they call a new “voting experience” to replace the card-and-stylus system now in use because, they say, it’s too hard to replace broken parts on the old system, and too hard to adapt it to reforms aimed at making voting easier.
They have proposed a replacement that features a prototype electronic, touchscreen ballot marker and an open-source software platform for tallying. A pilot program will be in voters’ hands next year, and all county voters may be switched to the new system as early as 2020.
In concept, L.A. County’s plans dovetail with what security advocates such as Simons have been calling for — in part because they preserve the paper ballot.
Paper balloting may seem anachronistic. But in the new world of rampant cyber-insecurity, paper is almost seen as cutting edge. “Paper is a very good thing,” said Simons, whose group also advocates mandatory audits of computer tallies.
Logan, the registrar, said paper ballots are key to keeping the proposed system secure and convincing voters to trust it. After using the touch screen, he said, voters will be able to examine their printed ballot and place the card in a box by hand, he said.
The proposed switch to open-source tallying software also ref lects current security thinking, Logan said.
Open-source systems don’t rely on secret, proprietary code. And although they aren’t immune to intrusions of malicious code, “you have a better chance of finding it than with proprietary code,” Simons said.
Despite the plaudits the county’s voting reform effort has won — it was a semifinalist for a Harvard government award — Logan said he wants the proposed system to face even tougher tests.
Enter Defcon, with its whiff of outlaw credibility and its democratic style of ferreting out the latest computer break-in techniques.
“There is a past history in the election community ... to kind of resist this kind of event,” Logan said. “But we need to embrace this. We need to know what the threats are.”
Logan said it’s too early to send the county’s proofof-concept for a new election system to Defcon, but that’s in the works for next year.
For now, three specialists plan to go — all of whom are involved in reviewing the proposed new voting systems. They aim to learn how to better detect, and defend against, hacks, Logan said. They’ll be on the lookout for hackers with what he called “hands-on” experience. Logan plans to invite the hackers to attack the proposed system as a test down the line — to “kick the tires,” as he put it.
Moss, the Defcon founder, said the idea for the Voting Village grew out of conversations with fellow researchers after the 2016 national election and hacking controversy.
As he talked to coding experts and dug up academic studies, he said he was struck by how little had been done to put manufacturers’ equipment-safety claims to the test.
In particular, he said there’s been a dearth of recent studies of complete, end-to-end election systems.
Tight proprietary control of back-end software makes it difficult to simulate such systems, he said. So this year’s Defcon attendees will have to settle for dismantling pieces of them.
Organizers have collected 25 pieces of election equipment, most of which is still used. Paper will not be spared: poll books and the punch-card systems, whose ambiguous hanging chads caused headaches in the George W. Bush-Al Gore presidential race in 2000, will be on hand and ready to be preyed upon.
Defcon draws software specialists and mechanical hackers — lock pickers, for example. So code-based and analog systems will get a work-over, Moss predicted.
Moss said he hopes to get election officials and cybersecurity researchers talking, and he’s seeking a complete simulated election system for Defcon’s election event next year.
The deficiencies of existing systems are serious, Moss said.
“But it’s not an insurmountable problem,” he said. “The problems are mostly human problems, like not having resources, or doing something because it’s new, not because it’s better.”
PLANNERS of Defcon, an annual event for hackers, have spent months collecting voting machines for hackers to work on. Above, code is displayed last year at the Black Hat cybersecurity conference.
DEFCON FOUNDER and Chief Executive Jeff Moss said he hopes the Voting Village will spur new interest in problems in U.S. election systems. Above, voters cast their ballots in November at the Watts Towers Arts Center.
L.A. COUNTY officials have proposed a replacement system that features a prototype electronic, touchscreen ballot marker and an open-source software platform for tallying. Above, voters in Koreatown in June.