Voting Village brings equipment to lawmakers to boost urgency on election security
A year from the 2020 election and with a new round of election security funding stalled in Congress, the DEF CON Voting Village organizers have again taken to Capitol Hill to raise awareness about software vulnerabilities in voting equipment. This time, they brought the equipment with them to drive home their point.
“If we’re going to meaningfully introduce funding or introduce new technologies for 2020, time is rapidly running out to be able to do that,” Matt Blaze, a professor at Georgetown University and co-organizer of the Voting Village, told CyberScoop. “We need to act pretty fast.”
A handful of House Democrats and their staffers sauntered up to equipment on display, including a ballot-marking device and an electronic voting machine, to ask the researchers about the software bugs they found.
“This is really helpful in understanding that these aren’t just abstract problems, that these are real things,” Blaze, an expert in cryptology, told CyberScoop.
This is the second time in a month that the Voting Village has hosted an event on Capitol Hill. Last month, Blaze and Harri Hursti, another village organizer, unveiled the village’s annual report on flaws in voting gear that could be exploited by hackers.
On Tuesday, Rep. Cedric Richmond, D-La., approached a ballot-marking device made by Election Systems & Software, the country’s biggest voting equipment vendor. A young man was using a screwdriver to open the machine up and examine it.
“It goes to show why we need to be serious about election security, why we should invest in election security,” Richmond said of the briefing from Voting Village organizers. He chairs the House Homeland Security Committee’s cybersecurity-focused panel.
State officials are still spending the $380 million Congress gave them last year to better secure their voting infrastructure. But election security advocates say much more money is needed to implement key upgrades for equipment. New York University’s Brennan Center for Justice puts the price tag for replacing old voting machines, upgrading voter registration systems, and other security measures at $2.2 billion.
Although Senate Majority Leader Mitch McConnell, R-Kentucky, last month expressed support for an additional $250 million in funding for states, that bill hasn’t moved in the Senate.
Rep. Bennie Thompson, D-Miss., chairman of the House Homeland Security Committee, lamented that the Senate election security funding bill was “languishing.” There needs to be federal incentives for election officials to buy new and more secure election equipment, Thompson said at the Voting Village briefing.
The nation’s voting vendors say they take the security of their equipment seriously, and they are setting up a vulnerability disclosure program with security researchers to fix software bugs.
While Blaze welcomed that progress, he said the vendors still had a long way to go. He wants the Voting Village to expand beyond voting machines to include the election management systems (EMS) that are used to configure the machines. But on that front, he said, the vendors are putting up stiff resistance. Whereas the village can buy voting machines on eBay, EMS are harder to acquire.
“Unfortunately, the vendors have been very aggressive in trying to prevent us from getting our hands on these systems,” Blaze told CyberScoop, referring to the three biggest vendors — ES&S, Dominion Voting Systems, and Hart InterCivic.
Kay Stimson, vice president of government affairs at Dominion Voting Systems, said EMS has been a topic of discussion for collaboration with the Voting Village.
“The bottom line is we need to put the ‘village’ in the Voting Village,” Stimson told CyberScoop. “Effective industry-researcher collaboration is standard practice for most of the other villages at DEF CON. It’s something that must be addressed for 2020.”
A spokesperson for ES&S did not address Blaze’s charge related to EMS software, but instead said generally that ES&S submits its equipment to independent security testing.
A spokesperson for Hart InterCivic did not respond to a request for comment on Blaze’s comments by press time.