How DEFCON Turned an Event Into a Major Initiative
Organizers of the long-running DEFCON hacking conference have teamed with a variety of groups, including the National Governors Association, on an initiative to boost electoral security. The new coalition comes on the heels of a new report highlighting how insecure many voting machines really are.
The DEFCON hacking conference, which has existed in one form or another for nearly a quarter century, is getting into the election security business—with the help of a number of associations and nonprofits.
A September report [PDF] outlines the results of the first-ever “Voting Machine Hacking Village,” held at the DEFCON conference in Las Vegas last summer. The exercise revealed significant vulnerabilities in digital voting machines and in the ways they’re used to tally votes. And this week it led to the announcement of a coalition on election security that includes the National Governors Association, the Atlantic Council, the Center for Internet Security, and a variety of academic groups, among others.
In the Voting Village experiment, DEFCON attendees were given uncontrolled access to 25 different models of voting machines, some of which have been in use since the 1990s. According to the report, it didn’t take long to break them.
“The results were sobering. By the end of the conference, every piece of equipment in the Voting Village was effectively breached in some manner,” the report, written by former NATO Ambassador Douglas E. Lute, states. “Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity, and availability of these systems.”
The machines had a variety of problems. One model used simple, universal default passwords that could not be changed—a weakness known since 2003, though the voting machine remained in use until 2014. Others contained detailed voter data, despite having been decommissioned. The machines featured vulnerable software designs and parts from all over the world, suggesting potential supply-chain risks.
The report recommends that certain kinds of voting systems, such as those that are fully paperless, be removed from use due to security risks.
The report notes that numerous nonhackers were encouraged to attend the event, including government officials; nonprofit leaders; and legislators from the national, state, and local levels. Among the visitors to the Voter Village were officials from the National Institute for Standards and Technology, the U.S. Department of Homeland Security, the National Governors Association, the U.S. Senate Committee on Homeland Security and Governmental Affairs, and the U.S. Congressional Cybersecurity Caucus.
In comments reported by The Hill, DEFCON founder Jeff Moss, a fellow at the Atlantic Council, said the Voting Village and new report continue the organization’s long tradition of questioning the way technology is used in elections.
“At DEFCON we had our first speaker talk about electronic voting machines 10, 12 years ago,” Moss said. “The difference is that this time it counts, people are now paying attention.”
A voting machine exploited at the DEFCON event in Las Vegas last July. The devices were mostly bought via eBay. (via the Voting Village Twitter page)