What would a vulnerability disclosure program look like for voting equipment? Expect an RFI soon
Voting-equipment vendors are preparing to formally ask security researchers for ideas on building a coordinated vulnerability disclosure (CVD) program, the next step in the industry’s gradual move to work more closely with ethical hackers.
The Elections Industry-Special Interest Group, which includes the country’s three largest voting-systems vendors, will this week release the request for information (RFI), Chris Wlaschin, vice president of systems security at one of those vendors, Election Systems & Software, told CyberScoop.
“We all feel that sense of urgency to adopt this sooner than later,” Wlaschin said.
Since January, the voting vendor group, which is part of the IT-Information Sharing and Analysis Center (IT-ISAC), a broader industry association, has held biweekly meetings to begin hashing out what a CVD program to find and fix software bugs might look like. Other industries have adopted such programs, which can raise the bar for security in an industry and establish trust with independent security experts. Some security researchers have criticized the elections-infrastructure sector for being slow to embrace ethical hacking.
Wlaschin said the Special Interest Group has been searching for a program that will account for the idiosyncrasies of the elections-infrastructure industry, including the far-flung nature of voting equipment across thousands of jurisdictions.
The SIG has heard presentations from companies that specialize in vulnerability disclosure and bug bounty programs, including Bugcrowd, HackerOne, and Synack, according to Wlaschin. The goal of the meeting was “to understand the capabilities and limitations of a vulnerability disclosure program,” he added. “Part of that is getting comfortable with this relationship with security researchers.”
“We think that the shortest path to success is a programmatic approach that applies to all voting vendors that is overseen by the EAC [Election Assistance Commission],” he said. The EAC is an independent federal agency that serves as a resource for states, which are in charge of administering and securing their own voting systems.
After the RFI, which vendors and the IT-ISAC are expected to announce Friday at a conference hosted by the Department of Homeland Security, the plan is to release a request for proposals to get the CVD program off the ground. Last month, SIG released a white paper announcing their interest in CVD and bug bounty programs.
The push for a CVD program is an attempt by the vendors to chart a new relationship with security researchers after disagreements surrounding the testing of equipment at the DEF CON hacking conference. The conference’s Voting Village in August saw more equipment than ever, but still no official participation from the big voting-gear vendors. After last year’s DEF CON, conference founder Jeff Moss said there was a “civil war’ going on at the vendors between employees who want to proactively address security vulnerabilities and those who stubbornly oppose doing that.
The IT-ISAC’s established connections with technology organizations and security researchers will help propel a CVD program, Wlaschin said. “I think that’s the path to get the quality response they’re looking for.”
Separately, ES&S is finalizing an agreement to turn over its latest software to cybersecurity company Rapid7 for a code review, he added.
