There are four months until the midterm elections, and the security of state election systems remains a concern. The clock is ticking to ferret out problems and fix them before Nov. 6. Websites associated with voting continue to have poor cybersecurity hygiene, even after the revelation that hackers probed the systems of 21 states in the lead-up to the 2016 election. And while Congress has increased the funds available to states to improve their election systems, many are still jumping through bureaucratic hoops to actually access the money.
One way to supplement much-needed security checks of election systems would be to replicate the security practices of tech-savvy companies. Many private tech companies treat cybersecurity differently than the government does, adapting security practices to deal with inevitable mistakes quickly and through the wisdom of the crowd. They rely partly on outside feedback to suss out vulnerabilities, something that many in the elections community seem allergic to. This could mean that fixable security flaws are left on the table for bad actors to exploit.
Tech companies were among the first to use crowdsourcing as a way to fix mistakes that cropped up in their systems. In a more innocent time for the internet, the tech community developed responsible disclosure programs for vulnerabilities based on good faith. “Norms began to develop,” said Alex Rice, former head of product security at Facebook and a co-founder of HackerOne, a company that works to help hackers and security researchers safely disclose vulnerabilities. “The right thing to do for all users of that technology was to get it into the hands of people who could take action and fix it.”
Later, tech companies started cash rewards programs — “bug bounties” — that gave hackers an incentive to report vulnerabilities through the proper channels rather than sell them on the black market.
But more traditional companies and the government have been slower to adopt the norms of responsible disclosure. (The Department of Defense has been working to catch up, launching a “Hack the Pentagon” initiative in 2016.) Probing online systems for bugs without the operator’s permission is technically a violation of the Computer Fraud and Abuse Act, a 1986 law meant to provide a framework for prosecuting digital crime. The law bans access to computers and networks “without authorization or exceeding authorized access,” a broad framing that prosecutors have used to target such actions as stealing corporate secrets from computer networks and setting up fake accounts on social media.
While the norm in most parts of Silicon Valley is to ignore the law for the sake of righting security flaws — many see it as woefully outdated and vaguely written — not every company takes that approach to security. “One of the really perverse realities of being online today is there’s not a real legal framework of what you should be doing when you come to a security vulnerability,” Rice said. “That has created a pretty significant chilling effect.” Hackers and independent security researchers fear prosecution if they report vulnerabilities.
Nate Cardozo, a lawyer at the Electronic Frontier Foundation who works on the organization’s Coders’ Rights Project, described two disparate approaches to cybersecurity. One is the open-source approach that’s been embraced by the academic and computer science communities, where source code is publicly available for vetting in the way an academic paper is subject to peer review. The other is “security through obscurity,” which Cardozo described as, “We defend our product by keeping the source code proprietary.” Security through obscurity is looked down on by most in the tech community, Cardozo said, but it’s the approach favored by many in the elections community. That’s why those who find vulnerabilities in state election systems or in the systems of vendors used by states — the private companies that manufacture voting machines and election software — might be less likely to report them.
Neil Jenkins, a former Department of Homeland Security official and the current chief analytic officer of the Cyber Threat Alliance, agreed that election security is lacking when it comes to handling independent reports of security vulnerabilities. The norms are different, Jenkins said, in part because there’s a more adversarial relationship between election security researchers and private vendors of election software and equipment. “There’s not a lot of trust between people who have done research on elections systems vulnerabilities and vendors,” he said.
A recent example of this lack of trust comes from Georgia. In 2017, security researcher Logan Lamb found that voter information from the Georgia secretary of state’s office was available online after he ran a script on the website for Kennesaw State University’s Center for Election Systems, which was responsible for testing some of the state’s voting machines. Lamb reported the problem to the center and was told by the executive director that if he talked about the vulnerability, “the people downtown, the politicians … would crush” him, according to an interview Lamb gave to Politico Magazine. Later, after the vulnerability became public, Lamb was investigated by the FBI.
The potential for legal trouble is daunting to many who want to report security vulnerabilities. Cardozo said that because of this legal gray area, the Electronic Frontier Foundation has created practical guidelines for hackers and security researchers hoping to responsibly report a vulnerability to entities that might not be used to receiving such reports.
“We view our role as advising the researcher on their relative risk — not just their legal risk but the risk that they’ll get sued, even if it’s a frivolous suit,” Cardozo said. The foundation also advises security researchers on the basics of how to approach a company with a vulnerability, right down to proofreading emails to ensure that they don’t sound threatening to the company.
While many like Cardozo think the Computer Fraud and Abuse Act ought to be updated — a bill named after coder Aaron Swartz aims to do just that — the short-term problem of fixing existing flaws in election systems remains. Jenkins is optimistic that the Department of Homeland Security could do something to ensure that states are made aware of flaws sooner.
“This is something that DHS could probably help with at pretty low cost to DHS,” he said, noting that a coordinating council meant to facilitate information sharing about election infrastructure already exists and could be used to promote a more open culture. A DHS official told FiveThirtyEight that in its work with state and local election officials, the coordinating council is “growing and maturing the risk management culture in this sector, which includes discussions on vulnerability disclosure.” The elections community, the official said, would be open to bug bounties and vulnerability reporting.
But Rice of HackerOne remains more circumspect given the lack of trust between security researchers and the elections community — and the continued legal gray area that hackers and researchers operate in. He praised the National Cybersecurity and Communications Integration Center, a DHS-run program tasked with responding to incidents that affect critical infrastructure like voting systems, but said it’s not enough. The DHS official said that no election infrastructure vulnerabilities had been reported to NCCIC in fiscal year 2017. By comparison, more than 800 vulnerabilities were reported in critical infrastructure industrial control systems — nuclear reactors, electrical grids, dams and the like.
“[NCCIC] is a great piece of the puzzle in that it allows communication to be established, but it doesn’t go all the way in that researchers who participate in that process can’t be confident that the contractors and vendors who are actually building the voting systems don’t prosecute them,” Rice said.
Until that changes, well-meaning hackers are sure to be more hesitant to come forward with fixes, leaving election systems at the mercy of more malevolent cyber actors.
CORRECTION (July 12, 2018, 4:23 p.m.): An earlier version of this article misspelled the name of coder Aaron Swartz.