Election Security Lessons from DEFCON 27

Brennan Center Fellow Ciara Torres-Spelliscy recaps her experience at the largest hacking conference in the United States.

August 20, 2019

Given the extent of foreign interference in the 2016 election, every American should be concerned about election security in 2020. But what can computer hackers teach us about it? To find out, I went to Las Vegas earlier this month to attend DEFCON 27, the largest annual hacking conference in the United States, knowing this was probably my last chance to see a legal election hack.

Voting machines are protected from reverse engineering under the Digital Millennium Copyright Act. But the Library of Congress, which has certain authorities under the law, set a three-year window to allow third parties access to voting machines to test their security. Barring an extension by the Library of Congress, 2019 is the third and last year these hacks are legal.

DEFCON is a huge event, and I saw fellow conference-goers all over Las Vegas with their distinctive glowing badges. I was only interested in the DEFCON Voting Village, which included a large assortment of voting equipment for participants to test, hack, and break.

The DEFCON Voting Village also included an impressive roster of speakers. My Brennan Center colleague and former Virginia election official Liz Howard spoke about how Virginia switched to paper ballots just in time for the 2017 election. Other speakers I got to hear included Sen. Ron Wyden (D-OR), Department of Homeland Security Cybersecurity and Infrastructure Security Agency Director Chris Krebs, California Secretary of State Alex Padilla, and Verified Voting President Marian Schneider. Like other speakers in the Voting Village, they urged states to use hand-marked paper ballots and to adopt risk-limiting audits.

DEFCON’s organizers have put the three-year window for hacking voting machines to good use. Each year, they have published conference findings that serve as grave warnings to Congress and to states and local jurisdictions that buy voting machines for elections. The DEFCON 25 report, for example, warned, “If Russia can attack our election, so can others: Iran, North Korea, ISIS, or even criminal or extremist groups.”

The DEFCON 26 report described how young attendees were able to successfully hack a mock election website: “Young DEFCON attendees were given the opportunity to hack mockups of secretary of state election results websites for the thirteen Presidential Battleground States. In less than 10 minutes, an 11-year old in the competition hacked into a mockup of Florida’s election results website, changing its reported vote totals. The attack the children were trained to use on the sites (SQL injection) is the same attack the Senate Intelligence Committee warned was used in a majority of Russian cyber attacks on election websites in 2016.”

DEFCON’s organizers plan to release a white paper to summarize this year’s convention findings as well.

This year’s conference included a demonstration of a secure ballot box by the U.S. Defense Advanced Research Projects Agency (DARPA), the Department of Defense agency responsible for developing emerging technologies. DARPA’s secure ballot box, which was made with open source code, is just one example of how better designed hardware could make voting more secure, especially by guarding against remote access. If implemented well, it could lead to more manufacturers working to make the next generation of improved voting machines. Because of a glitch, the white hat hackers at DEFCON couldn’t tinker with the DARPA machine for two days. But DARPA promised to bring it back for next year.

DEFCON speakers noted that there’s still a lot of work left to do in order to secure U.S. elections. Wired and Motherboard reporter Kim Zetter talked about how voting machine manufacturers have lied in the past about the security of their machines. Zetter was the first to report that voting machines made by ES&S, a major vendor, were linked to the internet, which means that they can be accessed remotely. Marian Schneider, president of Verified Voting, noted that while the ES&S machines were behind a firewall, such firewalls have been breached before, including in a recent data breach at Capital One that exposed information from 100 million credit card applications. Schneider also warned against efforts to allow voting via cell phone apps.

Computer scientist Harri Hursti reminded the DEFCON audience that cybersecurity is not a partisan issue or even just a U.S. elections issue — it matters for the integrity of democracy across the globe. And many DEFCON speakers lambasted the state of Georgia for wasting money on systems with machine-marked ballots instead of investing in more secure hand-marked ballots.

Meanwhile, Senator Wyden deadpanned that only “1 percent of the Senate was at DEFCON.” He also urged attendees to be modern-day Paul Reveres and to pressure Senate Majority Leader Mitch McConnell to stop blocking bipartisan election security bills like the Securing America’s Federal Elections (SAFE) Act. The ball is in McConnell’s court, as good bills have already passed the House. 2020 is right around the corner. As New York Rep. Alexandria Ocasio-Cortez asked in an Instagram video, “Where’s Mitch?”

The views expressed are the author's own and not necessarily those of the Brennan Center.

(Image: Ciara Torres-Spelliscy/BCJ)