The nation’s leading voting equipment vendor made the bombastic claim that foreign spies may be infiltrating events where ethical hackers test vulnerabilities in voting machines — such as the Def Con hacking conference that took place this month in Las Vegas — to glean intelligence on how to hack an election.
“[F]orums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage,” Election Systems and Software wrote in a letter made public Monday to a bipartisan group of lawmakers on the Senate Intelligence Committee.
ES&S was responding to a bipartisan group of lawmakers on the Senate Intelligence Committee who inquired about the security of the company’s machines after researchers at Def Con discovered new vulnerabilities in voting equipment made by ES&S and other vendors. Yet the company’s response took issue with the idea of testing by independent hackers in the first place: “We believe that exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”
Attacking ethical hackers is likely to be a losing political strategy for ES&S, which is facing intense pressure from Congress and the research community to be more transparent about its machines’ security vulnerabilities. Lawmakers are already batting down the company’s claims and siding with independent cybersecurity experts who want to expose potential weaknesses in the country’s election systems before the November midterms — suggesting both a real concern about the security of the equipment and a growing acceptance of “white hat” hacking.
Senate Intelligence Committee Vice Chairman Mark R. Warner (D-Va.) “is not satisfied with this response,” a Warner spokesman said in an email. “In particular, the company’s suggestion that making machines accessible somehow makes them more vulnerable is silly and contrary to all evidence.”
A spokesman for Sen. Kamala D. Harris (D-Calif.) said it was “unacceptable that ES&S continues to dismiss the very real security concerns that Def Con raised.”
“Independent security research does not jeopardize election integrity — instead it helps us design more secure voting systems,” the spokesman told me in an email.
Warner and Harris, along with Sen. Susan Collins (R-Maine) and Sen. James Lankford (R-Okla.), wrote to ES&S after Def Con, expressing concerns that voting machine vendors “may not be prepared for the growing threats to our elections.” They also asked whether ES&S would provide its equipment to “qualified, good faith cybersecurity researchers” for independent testing.
In its response, first reported by Politico, ES&S said it would do so. But in the same breath, the company argued against hacking its machines in these kinds of forums and suggested there may be something more nefarious at play: “We strongly urge you to, in your capacity as members of the Select Committee, reach out to your contacts in the Intelligence Committee and make your own assessment regarding the presence of foreign adversaries in these anonymous forums.”
The company’s assertions drew sharp criticism from security experts. Some noted that the voting-machine hacking demonstrations at Def Con were organized by well-established security researchers and academics who purchased the devices themselves — including on online marketplaces such as eBay.
“It’s not like foreign adversaries need to go to Def Con to buy them or conduct their own review of them,” said Lawrence Norden, deputy director of the Brennan Center for Justice’s Democracy Program, which promotes voting rights.
Others tweeted their critiques. From Alex Stamos, Facebook’s former chief security officer:
This is absolutely the worst possible way to respond to this issue. If the @VotingVillageDC obtained your machines, I guarantee there are well-stocked labs in Moscow, Beijing and Tehran. InfoSec community wants to help, let them. Open DMs if you would like assistance. https://t.co/Ksqwlep4kP
— Alex Stamos (@alexstamos) August 27, 2018
Matt Blaze, a computer science professor at the University of Pennsylvania and co-organizer of Def Con’s Voting Village:
That’s it. That’s all the @VotingVillageDC was. A weekend, a big room, a bunch of surplus voting machines. Many intelligence agencies have even bigger rooms than we did.
— matt blaze (@mattblaze) August 27, 2018
And Melanie Ensign, Uber’s privacy and security communications lead, and a member of Def Con’s steering committee:
This is for sure going to be a case study in my security comms course.
What could have so easily become a positive PR opportunity for ES&S is going to end with weeping & gnashing of teeth. https://t.co/nGQpHsJhK1
— Melanie Ensign (@iMeluny) August 27, 2018
This is the second year in a row that researchers at Def Con have identified vulnerabilities in voting machines that would allow a malicious actor to tamper with vote tallies. ES&S and other vendors have criticized the demonstrations as unrealistic, noting that layers of physical security protect the voting machines used on Election Day from any attacker looking to change votes. State election officials have also cautioned about reading too much into Def Con’s findings, saying they don’t reflect the physical security at polling places.
But policymakers are taking notice of the vulnerabilities. Def Con’s disclosures have helped pave the way for election security legislation in Congress that seeks to set voluntary standards for voting equipment. And there’s a growing bipartisan interest in scrutinizing voting machine vendors, Norden told me. By ratcheting up its rhetoric, ES&S may be picking a fight it can’t win, he said.
“I don’t think the vendors have adjusted to the new world we are in,” he said. “Def Con is not without its controversies this year, but there’s been a notable change in the way election officials and policymakers think about these issues, and sooner or later, vendors like ES&S are going to have to make adjustments, too.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED, PATCHED, PWNED
PINGED: A report published by T-Mobile earlier this month shows a 12 percent increase in the overall number of government requests for data that the wireless carrier responded to in 2017 compared with 2016, but a decrease in the number of wiretap orders, TechCrunch’s Zack Whittaker reported Monday. “The report said the company responded to 219,377 subpoenas, an 11 percent rise on 2017,” according to TechCrunch. “These demands were issued by federal agencies and do not require any judicial oversight. The company also responded to 55,372 court orders, a 13 percent rise, and 27,203 warrants, a rise of 19 percent.”
The report, which the company released Aug. 14, does not indicate how many customers were the object of government requests for data to T-Mobile. “T-Mobile also said it received 46,395 requests to track customers’ real-time location, and 4,855 warrants and orders for tower dumps, which police can use to obtain information on all the nearby devices connected to a cell tower during a particular period of time,” Whittaker wrote. Yet the increase in requests is not unusual, according to the mobile carrier. “A spokesperson for T-Mobile told TechCrunch that the figures reflect a ‘typical increase of legal demands across the board’ and that the increases are ‘consistent with past years,’” Whittaker reported.
PATCHED: Jigsaw, a tech incubator owned by Google’s parent company Alphabet, has been providing assistance to political campaigns through a project called “Protect Your Election” as worries about foreign interference in the 2018 midterm elections continue to grow, New York magazine’s Gabriel Debenedetti reported Monday. “The goal is to make a suite of tech tools to defend against attacks like DDoS and email phishing as accessible as possible for campaigns, political groups, independent news outlets, human rights groups working on elections, election workers, and activists,” according to New York magazine. “The effort launched abroad in 2017, as Ecuadorian news sites and journalists suffered attacks ahead of their presidential election.” (I wrote about Jigsaw’s offer to help protect political campaigns in May.)
And threats to elections will continue beyond 2018. Jared Cohen, chief executive of Jigsaw, told New York magazine that two elections in 2019 and 2020 will be a magnet for cyberattacks. “We did 11 elections last year all over the world, and that’s great. But I asked the question: What else can we be doing. And the two dates that everybody is going to be fixated on is May of 2019, which is the European parliamentary elections, and November 2020, the U.S. presidential election. Those are elections where you know that attempts are going to be made,” Cohen told Debenedetti. “They’re going to do it with, you know, 2019 tools. Not 2016 tools.”
PWNED: After the National Defense Authorization Act banned several companies including Chinese surveillance equipment manufacturer Hikvision from obtaining U.S. government contracts, the American branch of the company hired lobbyists to fight back against the decision, the Daily Beast’s Lachlan Markay reported Monday. “According to a source familiar with Hikvision’s work, the company isn’t looking to strip the NDAA of specific provisions; rather, it is pressing for an official statement of congressional intent that would prevent the exodus of business that would result from regulations barring any Hikvision client from doing business with the U.S. government altogether,” Markay wrote. “The next step will be to consult with the Pentagon, where regulators will write the actual rules implementing the NDAA language, and where Hikvision will attempt to exert some influence over the makeup of regulations that could determine its fate in the U.S. market.”
Earlier this month, Hikvision hired the lobbying firm Mercury Public Affairs with a contract of $70,000 per month. “The contract was signed on August 8, about a week after the Senate passed its version of the bill, and days before the president signed it,” according to the Daily Beast. “The team of Mercury lobbyists on the Hikvision account includes former Sen. David Vitter (R-LA), former Rep. Denny Rehberg (R-MT), and six others, according to filings with DOJ.”
— Sen. John McCain, who died Saturday at age 81, leaves behind a rich legacy on cybersecurity policy, Nextgov’s Joseph Marks reports. “Most importantly, McCain, who was a son and grandson of U.S. Navy admirals, relentlessly pushed executive branch officials from the Pentagon, White House and elsewhere to develop a governmentwide cyber policy that could effectively deter U.S. adversaries, such as Russia and China. He was scathing when those policies fell short and when the U.S. appeared unable to project strength in cyberspace.”
— Four Republicans on the House Energy Committee recommended improvements for the Common Vulnerabilities and Exposures program, which lists cybersecurity vulnerabilities that have been publicly disclosed. “Committee Chairman Greg Walden (R-Ore.) joined Reps. Gregg Harper (R-Miss.), Marsha Blackburn (R-Tenn.) and Rob Latta (R-Ohio) to write a letter to Homeland Security Secretary Kirstjen Nielsen on Monday suggesting that the program is granted a line item in the DHS budget instead of receiving uneven funding through contracts,” the Hill’s Jacqueline Thomsen reported. “The lawmakers also recommended that the program be reviewed biennially by both DHS and MITRE, the nonprofit that also manages the platform.”
THE NEW WILD WEST
The Bank of Spain’s website has been hit since Sunday by a cyber attack which has temporarily disrupted access to the site, a spokesman for the central bank said on Monday.
FOR THE N00BS
“I lived and died a proud American”: John McCain’s farewell letter
How Lanny Davis clouded the investigations into Trump
One of the first Apple computers is up for auction