By SecureWorld News Team
Thu | Aug 30, 2018 | 4:17 AM PDT

We recently reported on the DEF CON 18 hack fest, at which 11-year-olds hacked replica elections systems but elections officials didn't believe it.

Now comes word from U.S. voting machine maker ES&S (Election Systems & Software) about why the company did not want anything to do with the DEF CON hacking exercise.

In a letter to U.S. Senators, ES&S says these types of events make hacking elections easier:

"We completely understand that today’s environment presents risks to our democracy that are unprecedented. All informed observers and participants in protecting America agree that our nation’s critical infrastructure is under attack by nation-states, cybercriminals, and professional and amateur hackers.

That’s why forums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage. We believe that exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.

We strongly urge you to, in your capacity as members of the Select Committee, reach out to your contacts in the Intelligence Committee and make your own assessment regarding the presence of foreign adversaries in these anonymous forums. We note that most defense firms and other critical infrastructure suppliers also do not display national security technology in unsecured environments. This prudent approach doesn’t mean there is a lack of cybersecurity testing—to the contrary. Security is at the forefront of everything we do."

The company wrote these comments to respond to a letter from four U.S. Senators who asked if the company believed in independent testing of elections systems and expressed concern about elections cybersecurity.

ES&S wrote to the Senators that its technology undergoes numerous independent tests, and that it finds great value in, and highly respects, white hat hackers.

However, it also says it's not going to simply hand over its technology for testing by anyone who wants to try to hack it: 

"We will not, however, provide or submit any hardware, software, source code or other intellectual property to unvetted, anonymous security researchers, nor would we make public any assessments of vulnerability findings, because providing or making available secure information to individuals or groups whose interests may counter the United States’ interests would be irresponsible and may in fact, jeopardize the integrity of elections."

With the midterm elections fast approaching, we can bet there will be more urgent discussion and debate around elections cybersecurity.
