Voting machine companies, which for years have been loath to acknowledge any security weaknesses, are finally saying they will consider allowing ethical hackers to search for them. But hackers are skeptical of the election industry's recent commitment to security and transparency.
The olive branch to hackers marks a huge about-face for the industry, which last week asked for feedback from researchers and companies about the best ways to let outsiders vet their security. They've long argued that researchers, by exposing security flaws, could give a roadmap to foreign hackers intent on compromising the 2020 contest. Now they're saying the threat of Russian hacking and disinformation is too severe for the security of election systems to be treated as a private matter to be managed behind closed doors.
“For many years the industry…preferred to work quietly behind scenes. [But] 2016 brought cybersecurity to the front burner and folks in this industry who were uncomfortable talking about vulnerabilities have warmed up to it,” Chris Wlaschin, the top cybersecurity official for Election Systems and Software, told me.
But some ethical hackers worry the industry, which has historically prioritized making its machines easier for election administrators to use rather than making them as secure as possible, isn’t ready to make big changes. They fear the companies won't work quickly enough to fix the bugs they discover and could use non-disclosure agreements to enforce silence about dangerous bugs that could compromise an election.
Wlaschin said the process to report bugs, which is still under consideration, is likely to be relatively restrictive. The companies are likely to require background vetting for hackers who participate and to require them to sign non-disclosure agreements about the issues they find. Members of the working group that’s developing the plan have been getting regular briefings from companies that manage programs like that, he told me.
That's already raising the hackles of some hackers who say the voting machine industry has a history of ignoring their reports about dangerous bugs -- or downplaying the bugs' significance.
“The idea of a system where people are reporting vulnerabilities under a gag order and the gag order is in place until it’s fixed is unrealistic. Because right now ‘until it’s fixed’ could be as long as the system’s in use,” Harri Hursti, a cybersecurity researcher who has spent more than a decade studying vulnerabilities in voting systems, told me.
Hursti helps run a program for hackers to probe election systems in a safe environment at the Def Con cybersecurity conference. He worries a formal program for hackers to report bugs could end up undercutting the research hackers are doing independently without actually making voting systems' cybersecurity any better.
For instance, when researchers at his "voting village" probed voting machines for the first time in 2018, they found bugs that had first been reported to companies more than a decade ago and still hadn't been fixed. They also found built-in passwords that could not be changed and were set to insecure, easy-to-guess codes such as “1111.”
Hursti and other hackers will release the findings from their second round of testing, which took place this summer, later this week. He says they are just as concerning. He slammed the industry’s white paper and request for comment as “marketing materials” from a group that isn’t serious about cybersecurity.
But the voting machine industry says non-disclosure agreements and similar protections are common when companies ask outside researchers to examine highly sensitive systems and they're necessary to ensure information about dangerous bugs doesn't get out to hackers who actually want to compromise voting machines.
“We’re trying to create a balance between ensuring the security of the systems and getting valuable input from the community,” Scott Algeier, executive director of the non-profit cybersecurity organization that helped draft the industry's white paper and request for information, told me. “If a vulnerability is announced and there’s no fix for it, that puts everyone at risk.”
And some cybersecurity researchers were more bullish on the voting industry’s plan.
Joe Hall, chief technologist at the Center for Democracy and Technology who’s also worked extensively in election systems cybersecurity, told me he’s fine with the industry requiring non-disclosure agreements from hackers but said those agreements should be negotiated so they run out if vulnerabilities remain un-patched for too long.
“I’ve seen signals from the industry over the past year that they seem to be giving cybersecurity much more of a first-class citizenship,” Hall said. “I’m not saying it’s going to last and they have a long way to go but I’ve seen a change in terms of their receptivity.”
Even if the industry does get hackers on board, though, it will face another hurdle in implementing its cybersecurity fixes.
That's because states certify voting machines using federal guidelines that make it extremely hard to change any software – including patching bugs against hackers – without restarting the lengthy certification process all over again.
That means “a change to even one byte of the trusted software built in voting machines or back office computers” could launch a re-testing process that takes weeks or even months, the companies note in their white paper, which they produced through the Information Technology-Information Sharing and Analysis Center, a non-profit cybersecurity group that counts most major election systems vendors among its members.
The companies are talking about ways to speed up that process with the Election Assistance Commission, a federal agency that oversees voting security guidelines, but there’s no timeline for when the fix will happen, Wlaschin told me.
PINGED: U.S. Sen. Mark R. Warner (D-Va.) wants answers from a health-care company that exposed the medical data of more than 1 million Americans about what it's doing to safeguard that data in the future. In his letter to the CEO of TridentUSA Health Services, Warner slammed the company for its “sloppy cybersecurity practices” and disregard for federal medical privacy laws.
“It is critical that the privacy of the individual — including their personal health information — is appropriately protected,” Warner wrote.
Warner is asking the company to provide information by Oct. 9 about how it audits data for compliance with federal medical privacy laws and the cybersecurity protections it requires from any third parties that access the information.
MobileXUSA, a subsidiary of TridentUSA, left patients' names and birth dates and information about their doctors and medical procedures exposed online, ProPublica's Jack Gillum, Jeff Kao, and Jeff Larson reported. The server used by MobileXUSA was just one of 187 servers holding patient information that ProPublica reporters found didn’t have basic cybersecurity protections or passwords, raising wider concerns about cybersecurity practices in the medical records industry.
PATCHED: Hackers probably associated with the Chinese government targeted at least 17 organizations in the U.S. utilities sector in the past few months, the cybersecurity firm Proofpoint revealed yesterday. The most recent attacks show that APT10, the Chinese state-sponsored group suspected of the attacks, is getting savvier with their techniques and probably will continue to ramp up attacks against the sector, researchers say.
Similar to previous attacks, the hackers tried to dupe the targets by sending them malware-laced email attachments that appeared to be from a legitimate energy industry certification board. This time, the hackers doubled down on the con by attaching a PDF from the legitimate organization in addition to the malware, Proofpoint said.
PWNED: FedEx executives underplayed the damage from a major ransomware attack while dumping millions of dollars worth of their own stock, shareholders allege in a new lawsuit, Jeff Stone at CyberScoop reports. The lawsuit is just the latest in a string of such suits following the 2017 NotPetya attack, which spread from Ukraine to hit a number of Western companies. The U.S. government has blamed Russian intelligence for the attack.
FedEx pinned more than $400 million in losses on the 2017 attack, but investors say that number underestimates the actual value of the losses. And while the company was recovering from those losses, FedEx's founder and chief operating officer sold a combined tens of millions of dollars' worth of their own stock before prices fell in December 2018.
— Coming up:
- The House Science Committee will host a hearing on “Online Imposters and Disinformation” Tuesday at 10 a.m.
- The International Association of Privacy Professionals hosts a conference September 24-25 in Las Vegas.
- The House Committee on House Administration will host an oversight hearing for the Federal Election Commission on Wednesday at 9 a.m.
- The House Judiciary Committee will host a hearing on securing America's elections at 9 a.m. on Friday.