Skip Navigation

Election Security Lessons from DEFCON 27

Brennan Center fellow Ciara Torres-Spelliscy recaps her experience at the largest hacking conference in the United States.

August 20, 2019

Given the extent of foreign inter­fer­ence in the 2016 elec­tion, every Amer­ican should be concerned about elec­tion secur­ity in 2020. But what can computer hack­ers teach us about it? To find out, I went to Las Vegas earlier this month to attend DEFCON 27, the largest annual hack­ing confer­ence in the United States, know­ing this was prob­ably my last chance to see a legal elec­tion hack­ing.

Voting machines are protec­ted from reverse engin­eer­ing under the Digital Millen­nium Copy­right Act. But the Library of Congress, which has certain author­it­ies under the law, set a three-year window to allow third parties access to voting machines to test their secur­ity. Barring an exten­sion by the Library of Congress, 2019 is the third and last year these hacks are legal.

DEFCON is a huge event, and I saw fellow confer­ence-goers all over Las Vegas with their distinct­ive glow­ing badges. I was only inter­ested in the DEFCON Voting Village, which included a large assort­ment of voting equip­ment for parti­cipants to test, hack, and break.

The DEFCON Voting Village also included an impress­ive roster of speak­ers. My Bren­nan Center colleague and former Virginia elec­tion offi­cial Liz Howard spoke about how Virginia switched to paper ballots just in time for the 2017 elec­tion. Other speak­ers I got to hear included Sen. Ron Wyden (D-OR), Depart­ment of Home­land Secur­ity Cyber­se­cur­ity and Infra­struc­ture Secur­ity Agency Director Chris Krebs, Cali­for­nia Secret­ary of State Alex Padilla, and Veri­fied Voting Pres­id­ent Marian Schneider. Like other speak­ers in the Voting Village, they urged states to use hand-marked paper ballots and to adopt risk-limit­ing audits.

DEFCON’s organ­izers have put the three-year window for hack­ing voting machines to good use. Each year, they have published confer­ence find­ings that serve as grave warn­ings to Congress and to states and local juris­dic­tions that buy voting machines for elec­tions. The DEFCON 25 report, for example, warned, “If Russia can attack our elec­tion, so can others: Iran, North Korea, ISIS, or even crim­inal or extrem­ist groups.”

The DEFCON 26 report described how young attendees were able to success­fully hack a mock elec­tion website: “Young DEFCON attendees were given the oppor­tun­ity to hack mockups of secret­ary of state elec­tion results websites for the thir­teen Pres­id­en­tial Battle­ground States. In less than 10 minutes, an 11-year old in the compet­i­tion hacked into a mockup of Flor­id­a’s elec­tion results website, chan­ging its repor­ted vote totals. The attack the chil­dren were trained to use on the sites (SQL injec­tion) is the same attack the Senate Intel­li­gence Commit­tee warned was used in a major­ity of Russian cyber attacks on elec­tion websites in 2016.”

DEFCON’s organ­izers plan to release a white paper to summar­ize this year’s conven­tion find­ings as well.

This year’s confer­ence included a demon­stra­tion of a secure ballot box by the U.S. Defense Advanced Research Projects Agency (DARPA), the Depart­ment of Defense agency respons­ible for devel­op­ing emer­ging tech­no­lo­gies. DARPA’s secure ballot box, which was made with open source code, is just one example of how better designed hard­ware could make voting more secure, espe­cially by guard­ing against remote access. If imple­men­ted well, it could lead to more manu­fac­tur­ers work­ing to make the next gener­a­tion of improved voting machines. Because of a glitch, the white hat hack­ers at DEFCON could­n’t tinker with the DARPA machinefor two days. But DARPA prom­ised to bring it back for next year.

DEFCON speak­ers noted that there’s still a lot of work left to do in order to secure U.S. elec­tions. Wired and Mother­board reporter Kim Zetter talked about how voting machine manu­fac­tur­ers have lied in the past about the secur­ity of their machines. Zetter was the first to report that voting machines made by ES&S, a major vendor, were linked to the inter­net, which means that they can be accessed remotely. Marian Schneider, pres­id­ent of Veri­fied Voting, noted that while the ES&S machines were behind a fire­wall, such fire­walls have been breached before, includ­ing in a recent data breach at Capital One that exposed inform­a­tion from 100 million credit card applic­a­tions. Schneider also warned against efforts to allow voting via cell phone apps.

Computer scient­ist Harri Hursti reminded the DEFCON audi­ence that cyber­se­cur­ity is not a partisan issue or even just a U.S. elec­tions issue — it matters for the integ­rity of demo­cracy across the globe. And many DEFCON speak­ers lambasted the state of Geor­gia for wast­ing money on systems with machine-marked ballots instead of invest­ing in more secure hand-marked ballots.

Mean­while, Senator Wyden dead­panned that only “1 percent of the Senate was at DEFCON.” He also urged attendees be modern day Paul Reveres and to pres­sure Senate Major­ity Leader Mitch McCon­nell to stop block­ing bipar­tisan elec­tion secur­ity bills like the Secur­ing Amer­ica’s Federal Elec­tions (SAFE) Act. The ball is in McCon­nell’s court, as good bills have already passed the House. 2020 is right around the corner. As New York Rep. Alex­an­dria Ocasio-Cortez asked in an Instagram video, “Where’s Mitch?”

The views expressed are the author’s own and not neces­sar­ily those of the Bren­nan Center.

(Image: Ciara Torres-Spel­licy/BCJ)